
LinkedIn? Should be “Let Them In” – By Frank Diekmann, CUToday

Jim Stickley talks about the new “F” word – fraud

LAS VEGAS–Your credit union may have invested heavily in data security, yet thanks to your employees and even your own professional networking, breaching that data remains as easy as ever.

Just ask Jim Stickley, who can offer real-world example after example of how simple phishing scams can fool CU employees from senior management to the IT department.

Stickley, the security expert who heads Stickley on Security and who is often hired to hack into credit unions and other institutions using a number of often simple (yet ingenious) strategies, said the reasons for the onslaught of cyber-attacks on credit unions are simple. And often those strategies are based on using a credit union’s own security training against it.

“Everybody is doing hacking: organized crime, foreign governments. There are huge opportunities for money, and the risks are really, really, really low,” said Stickley in remarks themed “Fraud: The New F Word” at NACUSO’s annual meeting.

Stickley, who founded Trace Security before leaving the organization to dedicate himself to education around cybersecurity, said that he has “robbed” more than 1,000 financial institutions at their request.

Credit unions and CUSOs that are quick to point to the strength of their firewalls are correct, said Stickley: those firewalls are excellent at keeping outsiders outside. The problem is that the cybercrime happens because insiders open the door and let scammers do their damage from the inside.

“If you look at every single breach today–Anthem, Home Depot, Target–I guarantee you every one started with an email, and that started the ball rolling to get the breach to happen. Email is the bane of your existence. Email is extremely dangerous to you, your organization and all your members.”

So why email?

“Attacking a network via the Internet is hard,” said Stickley. “And employees have access to everything. If I can gain access to an employee’s desktop or credentials, breaking in becomes much easier.”

Although there has been considerable employee training around not falling victim to phishing campaigns, Stickley said that “phishing success is on the rise,” and he gave demonstrations of exactly how he has successfully phished CU employees on multiple occasions.

“A 2015 study showed that of 150,000 malicious emails sent, 50% of users opened the email and clicked on the phishing link within the first hour,” said Stickley. “On average, the first click happened within one minute and 22 seconds. That means you have one minute and 22 seconds to get the word out to everyone in your organization to not click on the link. If you’re the IT guy, you’re screwed.”

The Risk From LinkedIn

Contributing to the success of email phishing scams, said Stickley, is one of the most popular solutions among credit union executives: the professional network LinkedIn.

“LinkedIn is the greatest hacking tool ever created for people like me,” said Stickley. “I’m not against it, but you need to be aware how easy it is for it to be used against you. It’s very easy to find out all of your employees’ job titles, what they do for you, and how long they have worked for you. So first thing I’m going to do is look for the new people. I would recommend you tell new employees to wait six months until they list your organization’s name in their update on LinkedIn.”

Stickley gave a demonstration of how easy it is to obtain email addresses: he simply sends emails to various combinations of employee names at the organization’s domain until one doesn’t bounce back. That tells him the organization’s address format, and from there every other employee’s address can be guessed.
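As an added example (this is not Stickley’s tooling or code from the article), here is how the address-format inference described above can be automated: generate the common corporate mailbox patterns for a few names harvested from LinkedIn or the CU’s website, then keep the pattern that never bounces. The domain, the names, the mailbox set and the bounce behaviour below are constructed stand-ins; in the real technique the bounce signal is the delivery-status notification that comes back for a nonexistent mailbox.

```python
"""Infer a target organization's mailbox naming convention from bounces.

Added example. The domain, names, mailbox set and bounce behaviour below are
constructed stand-ins; in the real technique the bounce signal is the
delivery-status notification (NDR) that comes back for a nonexistent mailbox.
"""

# Common corporate address patterns (pattern names are ours, not a standard).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}

DOMAIN = "examplecu.test"                       # constructed target domain
PEOPLE = [("Jane", "Doe"), ("Raj", "Patel")]    # constructed harvested names
# Constructed stand-in for the target's real mailboxes (first.last format).
MAILBOXES = {"jane.doe@examplecu.test", "raj.patel@examplecu.test"}


def candidates(first, last, domain):
    """Every candidate address for one person, keyed by pattern name."""
    f, l = first.lower(), last.lower()
    return {name: f"{fn(f, l)}@{domain}" for name, fn in PATTERNS.items()}


def infer_format(people, domain, bounced):
    """Return the pattern names consistent with the observed bounces.

    bounced(address) -> True if an NDR came back, False if accepted.
    A pattern survives only if it was accepted for at least one person
    and never bounced for anyone.
    """
    accepted = dict.fromkeys(PATTERNS, 0)
    rejected = dict.fromkeys(PATTERNS, 0)
    for first, last in people:
        for name, addr in candidates(first, last, domain).items():
            if bounced(addr):
                rejected[name] += 1
            else:
                accepted[name] += 1
    return sorted(n for n in PATTERNS if accepted[n] and not rejected[n])


def simulated_bounce(addr):
    """Stand-in mail server: bounces unless the mailbox exists."""
    return addr not in MAILBOXES


def catch_all_bounce(addr):
    """A domain with a catch-all mailbox accepts everything: nothing bounces."""
    return False


if __name__ == "__main__":
    print("ordinary domain :", infer_format(PEOPLE, DOMAIN, simulated_bounce))
    print("catch-all domain:", infer_format(PEOPLE, DOMAIN, catch_all_bounce))
```

The second run is the defensive caveat: a domain configured with a catch-all mailbox accepts every address, so every pattern survives and the bounce test tells the attacker nothing. Whether or not a catch-all is in place, a burst of messages to sixteen never-seen addresses for the same two names is visible in the mail gateway logs and worth alerting on.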

Once he has that information, he often turns to a tried-and-(repeatedly)-proven strategy: the bogus Hallmark e-greeting card. “I’ve used this scam for 10 years, and it still works really, really well, like 80% to 85% of the time,” Stickley said.

In that scam a recipient is sent an email that reads, “Someone special has sent you a Hallmark E-Card” in the subject line. Instead of sending it from a person’s name, he sends it from a “secret admirer, because as it turns out, everyone wants a secret admirer.”

Recipients of the Hallmark e-card scam get a message that their video player is out of date, a commonly received alert message, and they click on the link.

In no time, said Stickley, he has a remote shell on their computer and “now their computer is my computer and it’s a launch point for all of my other attacks.”

“People say ‘I would never have clicked on the link or downloaded anything.’  I say great, but you’re already too late. Adobe Flash player is a prime target. It is riddled with vulnerabilities.”

What Can Be Done?

So what can a credit union or manager do?

“Start with the assumption that every email is malicious,” said Stickley. “Assume it’s bad until proven otherwise. I know it sounds paranoid, but that’s the world we’re in right now. It’s so easy to spoof email. To me, links are always dangerous. If someone sends you a link, try to go to the website itself without using the link.”

Stickley said he has become a firm believer in the value of employee education, as well as limiting network—including Internet—access via their work computer.

“This is controversial, but not every employee needs Internet access or server access. Limiting who can receive email or browse on the Internet makes sense. They will object, but they already have one of these (phone) devices. Let them use that and not your network.”

But even the best-trained employees can fall victim to phishing scams, often because of the very security training they have received. Criminals have gotten smarter and evolved, said Stickley, and have become proficient at social engineering. A key piece of information is identifying the “IT guy” in an organization, he said. Criminals send emails under that person’s name so the message looks like it’s coming from a trusted source, the “god of security,” said Stickley.

As an example, Stickley showed a bogus email he created that appeared to be from an organization’s IT specialist and said a patch needed to be downloaded. The email included an 800 number and a “security ID number,” both of which only added to the appearance that it was legitimate.

“This email includes no links and no attachments, which they have been trained to look out for,” said Stickley.
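An email like that gives a gateway filter nothing to block on, but it still has a tell: the display name is a real employee while the sending mailbox is not. The following is an added example (not code from the article or from Stickley) of the check a mail-security team would run for that kind of impersonation. The internal domain, the employee directory and the three sample messages are constructed; the third check assumes the mail gateway stamps an Authentication-Results header (RFC 8601) with the SPF/DKIM outcome, which is common but not universal.

```python
"""Flag emails that borrow a known employee's name but not their mailbox.

Added example (not code from the article or from Stickley). ORG_DOMAIN, the
employee directory and the three sample messages are constructed. It assumes
the mail gateway stamps an Authentication-Results header (RFC 8601) with the
SPF/DKIM outcome, which is common but not universal.
"""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "examplecu.test"                   # assumed internal domain
DIRECTORY = {                                   # constructed: name -> only legitimate address
    "Pat Morgan": "pat.morgan@examplecu.test",  # the "IT guy"
    "Jane Doe": "jane.doe@examplecu.test",
}


def _norm(name):
    return " ".join(name.lower().split())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    findings = []

    # 1. Display-name impersonation: a real employee's name, someone else's mailbox.
    by_name = {_norm(k): v for k, v in DIRECTORY.items()}
    legit = by_name.get(_norm(name))
    if legit and addr != legit:
        findings.append(f"display name '{name}' belongs to {legit}, but From is {addr}")

    # 2. Reply-To steering replies to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To {reply} diverges from From domain {_domain(addr)}")

    # 3. Claims to be internal, but the gateway recorded no SPF/DKIM pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if _domain(addr) == ORG_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal sender address with no SPF/DKIM pass recorded")
    return findings


# Constructed sample messages (the 800 number and security ID are fictional).
IMPERSONATION = """\
From: Pat Morgan <pat.morgan@examplecu-support.test>
To: jane.doe@examplecu.test
Subject: Required security patch - call 800-555-0100 and quote Security ID 4471
Authentication-Results: mx.examplecu.test; spf=pass smtp.mailfrom=examplecu-support.test; dkim=pass header.d=examplecu-support.test

Jane, a critical patch must be installed today. Call the helpdesk line above
and give the Security ID so we can walk you through it.
"""

SPOOFED = """\
From: Pat Morgan <pat.morgan@examplecu.test>
Reply-To: it-helpdesk@examplecu-support.test
To: jane.doe@examplecu.test
Subject: Action required
Authentication-Results: mx.examplecu.test; spf=fail smtp.mailfrom=examplecu.test; dkim=none

Please call the number below.
"""

LEGIT = """\
From: Pat Morgan <pat.morgan@examplecu.test>
To: jane.doe@examplecu.test
Subject: Patch window tonight
Authentication-Results: mx.examplecu.test; spf=pass smtp.mailfrom=examplecu.test; dkim=pass header.d=examplecu.test

Heads-up: desktops reboot at 22:00.
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", IMPERSONATION), ("spoofed", SPOOFED), ("legit", LEGIT)]:
        print(label, "->", analyze(raw) or "clean")
```

Note that the first sample passes SPF and DKIM cleanly: the attacker’s own lookalike domain authenticates perfectly well, so sender authentication alone never catches display-name impersonation, which is why the directory comparison is the check that matters. The filter only raises a flag on the email; the control that actually stops the scam is the one Stickley describes next, calling the named colleague back on a number you already have.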

Getting Employees to Give Up Control

When the employee calls that 800 number, it rings into Stickley’s phone. He asks the caller for the security ID number (which gives the CU employee a false sense of security, since Stickley is able to use the IT specialist’s name), and once they provide it he directs them to log into a GoToMeeting session (which he and other scammers can set up for free for 30 days). Through GoToMeeting, Stickley gets the employee to hand over control of their keyboard and mouse, which he then uses to download a file from what looks like a legitimate Microsoft site (but is spoofed) and install malware.

“Now there is a complete compromise of her desktop. I have bypassed security on the desktop. This works really, really, really well. I haven’t been caught on this one yet. And the employee often transfers the call to another employee.”

To improve security, Stickley warned:

  • Never trust an email. “If you ever get an email from a coworker and they are asking you to do something and install it, call that employee and ask if they sent it. If you have been through a breach, a breach sucks. It takes many man-hours and months to resolve.”
  • Never allow remote control of your desktop.
  • Never install software or allow others to install software on your desktop without approval.
  • Never pass calls to co-workers.
  • Never assume a call passed from a co-worker is trusted.

A Juicy Target

Especially juicy targets, said Stickley, are the very people charged with protecting the credit union: staff in the IT department. Why?

“You want to target the admins,” he said. “They have all the access” and often stay in admin mode throughout the day.

The easiest way to target IT staff is through vendor relationships, especially those that are new (which he said are easy to find by looking at any company’s website and then its press releases).

To start an attack, he begins with an email claiming to be from the vendor that uses real language that sounds legitimate, including this kicker: “Together we can make a difference and reduce cyber attacks against financial institutions.”

Once he has access through an IT department employee, he installs a “root-kit” that includes a number of tools. In one case he was able to take over ATMs at a credit union and get them to spit out cash at a specific time.

Stickley, who cautioned several times that “Adobe Flash is not your friend,” said every organization will eventually be breached. That’s why every credit union should plan for it now, he said, by beginning with an Incident Response Team. The basic framework for team members: Legal (often team lead), CSO, IT department, law enforcement, member care, and vendors that should include forensics, PR, and breach remediation.

Stages of the Breach Lifecycle

The stages of the “Breach Lifecycle,” according to Stickley, are:

  • Discover the breach. “Obviously, this is most important step in the lifecycle. The longer the breach goes undetected the more damage that can occur.”
  • Deploy the internal response team. “You want to know is it criminal activity or is it not? Sometimes member data is sent mistakenly. And it may not be a criminal breach at all. Determine the type of data that is lost. Sometimes the criminals steal the wrong stuff.”
  • Contact law enforcement and vendors. Initiate Notification Process.

“Compromised members need to be made aware,” he said. “A public announcement should be made. Work with a PR company and legal to ensure proper messaging. This should take place at almost the exact same time as member notifications. In most cases, comprehensive details are not necessary. The only good news is people don’t react to breaches like they used to. It’s become old news. Make sure employees are well versed and prepared for what they can and cannot say. In many cases outsourcing the inquiries will be the best approach. Documenting services and vendors that will be required in the plan can reduce stress, costs, and time in the event of a breach.”

ABOUT THE AUTHOR: Frank Diekmann is Co-Founder/Cooperator-In-Chief of CUToday.info. He has been called Mr. Credit Union because no one has the pulse of what is taking place in the world of financial services more than Frank. We are always delighted to have him cover our event.