Hacked for the Holidays

Kick off your shoes, turn on the game, put your feet up. Crack a cold one, wait for family and friends to arrive (maybe via zoom given the circumstances) and bask in the few moments of reprieve from running your team, your business, your projects and tasks. Finally, nothing to worry about for a short time.

Except for one thing. No one’s at the office (virtually or physically). Your team started checking out the closer it got to the holiday. You thinned out the hours for your IT staff, thinking it’d be nice to give those hardworking geeks who save your business from disaster time and again a break. No one’s there. It’s the holidays. That’s nice!

Thing is… that’s nice for hackers, too. You’re not there. You can’t see when they remote-on the systems you thought were powered down. You’re not getting alerts that “Bob from Finance” logged in to his workstation while the Philadelphia Eagles were kicking off (“Bob”’s favorite team, mind you – he’d never miss a game). It’s not even on your mind.

“How could someone hack in and take down my organization in one day?” you might ask. The answer isn’t a happy song (or even a complex one, unfortunately). The fact of the matter is…

They’ve had access to your network for an average of 174 days.

They’ve been waiting. Watching. Taking notes on vulnerable or high-value team members and scraping easy passwords like “Password2020”. Plotting out schedules and behavioral patterns. Waiting for the time to strike. Days like today when not a creature is stirring at the office.

How could this happen? How could someone malicious gain access to your hardened, locked-down network and have free reign to download your sensitive data, break down digital security walls, install malware and ransomware and essentially crash your business to a grinding, expensive, crippling and possibly lethal halt?

Because Cheryl from inside sales decided to go online shopping… on company time, with her company email address. Last spring she innocently searched for the perfect handcrafted oil diffuser to give her best friend Susan from Shipping/Receiving. Searching high and low, she found the perfect one from a small artisan website she found on page 39 of a Google search. Eagerly registering for the site with her work email and a slight variation of her office computer’s password, Cheryl completed her transaction and closed the browser before her manager could see what she was doing. Cheryl was about to have a very bad day, and she wouldn’t know it for 174 days.

Back to our hacker. He just got Cheryl’s email and password. Conveniently, Cheryl’s email address domain pointed him right to her place of work… a $100mm size sales and distribution company. Our hacker just did a happy dance.

He proceeds to search the web for customers, vendors, anyone who might have a relationship with your company. He finds ACME Corp, a supplier of terrible roadrunner traps, that your company buys its raw materials from. He buys a domain similar to ACME Corp’s, and creates a fake email pretending to be ACME’s Accounting Controller (whose profile he found on ACME’s own website).

He then sends Cheryl an email, posing as ACME’s controller, asking her to verify her login to their purchasing portal because they just got a new system. Cheryls clicks the link in the email. Dammit Cheryl. Why’d you check out during company security training?

Within 20 minutes of her response to that malicious email (something called a phishing attack), our hacker finds a network IP associated with your company’s email addresses. He digs deeper using the same software that many digital security providers use for open-source intelligence, and finds a map of network endpoints. Cheryl is really bad at remembering passwords. That means a lot of them (or all of them) are the same.

Our hacker uses Cheryl’s terrible passwords to gain access. Over the next 174 days he’ll slowly work his way in, finding vulnerable accounts and complacent employees who easily respond to further phishing emails.

Fast forward 174 days and our hacker is staged to drop malware, killing any network defenses. He’s carefully downloaded your most critical financial and customer information and dropped a delayed Cryptolocker instance (a particularly nasty form of Ransomware) on several key computers from your executive and accounting offices. Now he waits. Until thanksgiving weekend.

When everyone is home eating turkey and mashed potatoes, he pulls the trigger. You get to the office on Monday, still in a food coma, and a big red screen pops up as soon as you load up your system. He’s demanding a $10,000,000 ransom in exchange for unlocking your now inaccessible and encrypted files. The same thing is happening in your accounting department. You spit out your coffee. Cheryl fires up her resume and gets ready for an unceremonious exit.

Your company is now one of the 68% of dead businesses who fail after a cyber attack. That $30,000 penetration test you were quoted on doesn’t seem so expensive any more. Your turkey is cooked, if you will.

Now you have to call someone like Secure Network Technologies to respond to the attack for you. A pen-test and the right training could have prevented this.

This can happen to anyone, and it happens specifically when everyone is out of the office. Scheduling regular penetration tests, team security training and other cybersecurity services can prevent irreversible financial, reputation and data loss damage before it happens. Sign up to receive your no-cost Cybersecurity Emergency Response guide. Schedule your consultation today and rest assured you’ll have the right eyes on your network – so you can enjoy the holidays.

By: Secure Network Technologies