
Cyber attack: how would 007 do it?

31 March 2016

Stuart Poole-Robb discusses a new threat to law firms' IT systems and provides some top tips to prevent attacks from occurring. 


Law firms are more alert than ever to the dangers of cybercrime and are increasingly protecting their IT systems. But even firms that have done their utmost to secure their IT systems against cyber-attack are vulnerable to a new threat. 

Organised criminal groups (OCGs) habitually use social engineering to commit frauds and scams. The groundwork is reconnaissance: detailed research on key staff members via social networks such as LinkedIn, Facebook and Twitter, which tells the attacker who reports to whom, who handles payments and how the firm's emails are normally worded. Typically, the attack itself takes the form of a 'spear phishing' email: a spoof message purporting to come from a boss, or some other trusted senior individual, is sent to a staff member, requesting passwords or even large cash transfers for operational purposes. The sender address may be forged outright or may use a look-alike domain, so an unusual request that appears to come from a senior colleague should be confirmed with that person by phone or in person, never by replying to the email.

Human weakness

But as far-fetched as it may seem, there is now also a disturbing trend in which online social engineering is combined with more traditional 'spying' methods. One way of bypassing even the most secure IT defences is to infiltrate building contractors, such as cleaners, or simply to bribe the individuals working for them. Once physically inside an office, it is relatively easy for an OCG's agent to look over employees' shoulders to see passwords, or to go through bins in search of other privileged information. Contractors working in the evenings have it easier still, because many staff routinely leave their computers logged in when they go home: an unlocked workstation hands the intruder the employee's access without any 'hacking' at all. For this reason, contractors and suppliers should be vetted regularly and their identification habitually checked, and workstations should lock automatically after a short idle period and be locked or logged off at the end of the day. When was the last time, for example, that you checked the badge of the photocopier engineer?

Even when they leave the office, unwary staff can be vulnerable. To augment their online research and anything they have managed to glean from infiltrating corporate offices, some OCGs are now approaching staff directly. Sometimes this is a straightforward offer of a bribe. More commonly, the OCG prefers to avoid announcing its presence and uses a confederate to strike up an acquaintance with a targeted staff member in their favourite coffee shop or pub. This ruse works by gradually gaining the confidence of the subject over a period of weeks, before subtly trying to draw out privileged information from the unsuspecting employee.

Honey traps

On other occasions, criminals use the age-old practice of 'honey traps' - attractive members of either sex - to befriend a staff member. Often, the initial approach is made through an innocent-looking message via LinkedIn or Facebook suggesting a coffee or a lunch to discuss mutual professional interests. Sometimes, a lucrative job offer is dangled in front of the employee as a carrot to encourage them to make the meeting in person.

Once hooked, there are a number of possible outcomes from such a meeting - none of them good news for the organisation that is being targeted. One result could be that the honey trap succeeds in gaining the unsuspecting staff member's confidence to a point where he or she unwittingly reveals confidential information.

In some cases, however, the honey trap may decide to develop a closer relationship with the target employee to the point where, in the case of married staff, the subject can be blackmailed into revealing sensitive information. Disgruntled or former employees can also be approached in this way, with a view to bribing them into assisting the OCG to break into the target organisation's IT defences.

Be careful what you share

Social engineering can be used to lay the foundation for this type of approach by building up a detailed profile of the target employee over a period of time before contact is initiated. People routinely reveal far more about themselves than they realise when using social networking services. Even an innocent photograph posted on LinkedIn, together with a straightforward CV and list of interests and hobbies, is pure gold to someone wishing to make a casual approach to a targeted staff member. The photograph enables the criminals to recognise the targeted employee in public, and the personal information can be used to initiate a casual conversation which quickly appears to reveal mutual interests.

Similarly, Facebook entries, which are typically used to relate social events and keep up with acquaintances, can easily be used for criminal purposes. For example, knowledge of where someone likes to eat or a planned visit to a pub or concert with friends can provide the OCG with an opportunity to use a gang member or one of their confederates to strike up an acquaintance.

How effective this combination of targeted online research and physical intrusion has become can be gauged from KCS' own research, which found that 80 per cent of successful cyber intrusions can be traced to a member of staff. Sometimes this is a disgruntled employee seeking profit or revenge; more often, the OCG has used a combination of social engineering and physical intrusion to manipulate the employee, or simply to obtain their log-in details.

Bigger fish

It is vital to stress that these are not issues confined to large firms alone. Information is currency on the dark web and anything that can be used as leverage, will be. Even if a small or medium-sized firm itself is not the end-target, it is almost always a conduit to bigger firms, via email communication, information transfer, or formalised relationships. It is short-sighted for a smaller firm to claim no involvement, or no need to take precautions, as they are often the weakest links in the chain. If firms do not act on this threat, they're essentially giving hackers carte blanche.

What to do

Firms should, therefore, warn staff of the potential dangers of revealing too much information about themselves on social networking sites, and show them the correct way to adjust their LinkedIn, Twitter and Facebook accounts to restrict who can view them. Staff must also be warned of the dangers of divulging any type of company information to strangers and casual acquaintances. Equally important is that they know how, and to whom, to report an unexpected approach, a suspicious email or a lost badge, and are reassured that reporting it promptly will not be held against them. All employees should fully understand that a security leak can potentially cost their company huge sums of money and immense reputational damage and, in the case of a serious attack, can even result in the company going bust.

Read our advice and practice note on protecting against scams

Read our advice on cybersecurity

Find out how to adjust your privacy settings on Facebook, Twitter and LinkedIn

Tags: cyber security | IT

About the author

Stuart Poole-Robb is the chief executive of the KCS Group Europe. Stuart began his career in intelligence and security when he served in the Royal Air Force, mainly in Middle East locations, before moving to the Special Investigation Branch. He is the author of many papers and books on security, intelligence operations and worldwide threats, including Risky Business.
