The Story of a Cyber Attack: How It Happens…

VPNs, threat vectors, state actors, l33t h4x0rs, antivirus, firewalls, sandboxes & VLANs. Not just some winning Scrabble turns but everyday language to cyber professionals and the bad guys they face down. But you’ve got better things to be doing than learning our language: you do what you do best and we’ll take care of the cyber security side of things.

This is what we do. We do it so you don’t have to. And to be fair, we like it – there’s a real sense of satisfaction when working with a client you know to be really insecure and making changes that have a real impact on the cyber-safety of that business. Because businesses don’t just exist on paper, they’re real people, real stories, jobs, aspirations and dreams at the heart of our economy & communities.

If your idea of cyber criminals & hackers comes from watching John Travolta & Hugh Jackman in Swordfish, then I’m afraid the reality is quite different. The stereotypical hacker rattling a keyboard isn’t your problem; it’s a highly organized criminal industry with skilled staff & technical tools at its disposal.

There are some nasty criminals involved – as well as terrorists and unfriendly nation states – and did you know that according to a leading insurer, there are 65,000 serious hacking attempts every day against UK SMEs, with 4,500 of them being successful? That’s really bad news and something CyberSecuritiesUK in Merseyside is trying to reduce by being part of the Cyber Essentials Certification programme for SMEs throughout the UK.

But I thought it’d be really interesting to tell the story of just how these cybercrime incidents occur. Don’t worry, we’re not talking about real incidents: the people, places & businesses are fictitious. But the methods & consequences are all too real; I’ve seen it happen time & time again. So, without further ado, for the first in our series of case studies, let’s be off to a factory on the outskirts of Merseyside…


~~~~ Admin Offices at Jay Odo Ltd ~~~~

“Morning Maggs!”

“I hope you brought coffee,” grumped Maggie. “It’s the quarter end and I’ve got the VAT return to do along with all this export stuff…”

She scowled at the overflowing pile of paper, post-its and precariously balanced clutter as if wishing would make it fade away.

“…and his nibs has just gone on holiday, leaving me to it!”

Natalie, the factory's harassed IT technician, raised an eyebrow. “What? Muller’s gone off? I needed him to sign off a purchase for email scanning, it’s ridicu…”

She tailed off as she realized Maggie was more interested in the four-pack of steaming coffees as Neil announced his return from a cheeky Starbucks run.

“Go on then, pass me the sugar too.”

A safety boot nudged open the workshop door, revealing a stressed-out man, approaching retirement and holding a battered laptop. “Hey Nat – can you work your magic on this bloody thing again please?”

“Sure thing Jakey.” She jumped up & followed him out, smiling. “…perhaps stop letting it fall off the compacter bench so often, eh?”

As Natalie grabbed her high-viz & flash drive of software, she mulled over something she’d seen in an email from Eric Muller, the holidaying FD. Not the most approachable of bosses, he still held the purse strings close and she really did need to speak to him about beefing up some of their systems.

His insistence on using free anti-virus on the hotch-potch of elderly, creaking & misused computers gave her a headache just thinking about it – she briefly smirked, thinking the description applied to most of her colleagues too.

~~~~ Several days earlier ~~ A normal office in a normal suburb of Brussels ~~~~

With tousled hair, battered rucksack and earpods, Lucas looked every inch the computer science graduate. And to be fair, that was only three years ago but so much had changed since then.

Nodding to Misha, the insanely tall & thin team leader, as he keyed his way through the security pad, he headed for his desk.

“Lucas, carry on with your whaling today, I want to start seeing results, then I need you to speak to Jan in Lagos about getting your code wrapped, you need to start getting more results, you’re nearly in the big time now…”

“Sure thing Misha.” The tall Nigerian tasked with keeping their little team in line headed off. Intrusion specialists, coders, social engineers and more; none of them really thought of themselves as criminals. After all, it’s just coding. And it paid well. So long as you didn’t think too closely about the men in the shadows behind Misha.

Truth be told, Lucas enjoyed the challenge and certainly enjoyed the lifestyle his exploits gave him, so he grinned wolfishly as he pulled up a list of email addresses trawled from trade directories. One of his own scripts had been working on it overnight, establishing their hosting & routes. Today he was going to be targeting some Office365 accounts; the dummy login page was already waiting on the bullet-proof hosting in Liberia. Bit of a slow link but completely anonymous.

First email. Muller? Lucas checked the spelling and copy-pasted his standard, time-served Microsoft error message. A complete fake of course, but he’d crafted it carefully. Just one of 98 similar emails he was to send that day.

~~~~ Back to the present day at Jay Odo Ltd ~~~~

“There ya go, all fixed.” Natalie winked at the production manager. “Make it harder next time, eh?”

She’d have been less happy if she knew just what had been happening back in the offices.

“The cheeky bugger!” Maggie fumed. “As if I haven’t got enough to do!” She glared at the Outlook notification. He was supposed to be on bloody holiday; why couldn’t he just let them get on with things?

She turned to Neil. “You’ll have to index these purchase invoices for me. I need to get the VAT done but I’ve just had a right stroppy email from Eric about an export payment. They must’ve been chewing his ear about it. I wouldn’t have even taken my phone myself but you know what he’s like…”

“No probs Maggs, I’ll do them for you in a minute, let me just finish this. What’s he getting so worked up about?”

“A payment of 25 and a bit grand, needs to go today for the job in Turkey. Bet he’s been sat on the beach checking his emails just so he can give me extra work…”

Maggie kept up her good-natured grumbling as she reached for her mouse with one hand and an emergency Kit Kat with the other.

~~~

So just what happened here? Our hacker Lucas sent an email to Eric Muller, our not-very-IT-literate FD. The email looked just like an Outlook error message requesting that Eric log in to fix a fault. Eric of course didn’t spot it was a scam, clicked the link and ended up on Lucas’ dummy server based in Liberia, where he promptly entered his Outlook email credentials.

From that point it was only a matter of time. Lucas was able to read the routine emails, so he knew who the money people were in the organization. He was also able to learn Eric’s email style and probably saw that he was a bit unapproachable, so when Lucas sent an email from Eric’s account to Maggie demanding immediate action, she saw no reason not to make the transfer.
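The lure above works because a message branded as Outlook points its link somewhere Microsoft does not own. The following is an added example of the kind of check an email scanning tool performs, written for this post rather than taken from any product: it pulls the links out of a message, compares each link's host with an allowlist of genuine Microsoft sign-in hosts, and raises the verdict when Microsoft branding or sign-in wording sits next to a link to some other host. The allowlist, the word lists and both sample messages are constructed for the example; the `.example` domains are placeholders.

```python
import re
from urllib.parse import urlsplit

# Hosts where a genuine Microsoft 365 / Outlook sign-in link should land.
# Constructed allowlist for this example; a real deployment maintains its own.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}

# Wording that typically accompanies a credential lure (constructed list).
LURE_WORDS = ("sign in", "log in", "login", "verify", "re-enter", "password", "suspended")

# Branding the lure borrows; a link next to this branding should land on a trusted host.
BRAND_WORDS = ("microsoft", "outlook", "office 365", "office365")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> list:
    """Pull every http(s) URL out of a plain-text or HTML body. In HTML this catches
    both the href target and any URL shown as the link text, so a link whose visible
    text is a Microsoft address but whose href is elsewhere still surfaces the href."""
    return URL_RE.findall(body)


def is_trusted_host(url: str) -> bool:
    """True when the URL's host is one of the trusted hosts or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def assess_email(sender: str, subject: str, body: str) -> dict:
    """Triage one inbound message. Returns a verdict ('block', 'review', 'allow')
    and the reasons behind it; no reason fires unless an untrusted link is present,
    so an internal mail that merely mentions Outlook is left alone."""
    text = f"{subject} {body}".lower()
    untrusted = [u for u in extract_urls(body) if not is_trusted_host(u)]
    reasons = []
    if untrusted:
        host = urlsplit(untrusted[0]).hostname
        if any(w in text for w in BRAND_WORDS):
            reasons.append(f"Microsoft/Outlook branding but the link goes to {host}")
        if any(w in text for w in LURE_WORDS):
            reasons.append(f"credential-style wording with a link to {host}")
    verdict = "block" if len(reasons) >= 2 else "review" if reasons else "allow"
    return {"sender": sender, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail): a lure like the one in the story,
# with a Microsoft address as the visible link text and the real target in the href,
# and a benign internal message that links to the genuine Outlook web app.
LURE_EMAIL = {
    "sender": "no-reply@mail-notice.example",
    "subject": "Outlook: mailbox error, action required",
    "body": ('Your Outlook mailbox reported an error. <a href="http://login-verify-ms.example/outlook">'
             "https://login.microsoftonline.com</a> to sign in and restore access."),
}
BENIGN_EMAIL = {
    "sender": "maggie@jayodo.example",
    "subject": "Quarter-end purchase invoices",
    "body": "Neil, the invoices are in the shared mailbox: https://outlook.office.com/mail/ thanks, M.",
}

if __name__ == "__main__":
    for msg in (LURE_EMAIL, BENIGN_EMAIL):
        print(assess_email(**msg))
```

A single external link with sign-in wording lands in "review" rather than "block", since suppliers' invoice portals look like that too; the decisive signal for a lure is branding and sign-in wording together, pointing at a host the brand does not own.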

Result: a £25,273 unauthorised payment which severely damaged the business and curtailed the usual Christmas party at the usual cheap hotel in Kirkby.

So just what errors were committed here?

Jay Odo Ltd seem to have a fairly switched-on IT technician in the shape of Natalie, but she’s not been given a discretionary budget to apply the security she clearly wants. Using non-commercial AV products on an IT estate of old, unpatched machines is a major non-compliance for very good reason: it makes hostile intrusions much easier for the bad guys and likely to be much more damaging when they do get in.

But the real culprit here was Eric, our IT-phobic FD, who didn’t spot the phishing attempt aimed at compromising his email, nor had he provided the budget for scanning tools that stood a chance of intercepting it in the first place.

Did you know? Phishing high value CEO & FD targets is known as whaling.

Cyber awareness training would really pay off at Jay Odo Ltd. Perhaps we should help them put that in place alongside Cyber Essentials Certification and email monitoring – then they can sleep soundly and concentrate on whatever it is that Jakey actually makes on the shop floor.

Don’t forget that good policies go hand in hand with technical controls though. If Jay Odo Ltd had a policy that payments over £5000 needed a second approval, might the disaster have been averted?
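The second-approval policy only works if the payment system enforces it rather than leaving it to an email. Here is an added example, written for this post and not code from any payment system, of what that enforcement looks like: a payment over the £5000 limit can only be released when someone other than the person releasing it has recorded an approval for that exact amount and beneficiary, so an approval cannot be reused after the details change and an instruction sent by email counts for nothing. The data classes, the sample payments and the names are constructed for the example; the £5000 threshold and the £25,273 figure are the post's own.

```python
from dataclasses import dataclass

# The limit proposed in the post; everything else in the policy here is constructed.
SECOND_APPROVAL_THRESHOLD_GBP = 5000.00


@dataclass(frozen=True)
class Approval:
    """An approval recorded in the payment system, bound to the exact amount
    and beneficiary it was given for."""
    approver: str
    amount_gbp: float
    beneficiary: str


@dataclass
class Payment:
    reference: str
    amount_gbp: float
    beneficiary: str
    released_by: str          # the person keying the payment (Maggie in the story)
    approvals: tuple = ()     # Approval records attached to this payment


def valid_approvers(p: Payment) -> set:
    """Approvers whose approval actually covers this payment: same amount (to the penny),
    same beneficiary, and not the person releasing it. Each person counts once however
    many approvals they recorded, so one person cannot supply both signatures."""
    return {
        a.approver
        for a in p.approvals
        if a.approver != p.released_by
        and abs(a.amount_gbp - p.amount_gbp) < 0.005
        and a.beneficiary == p.beneficiary
    }


def release_decision(p: Payment) -> dict:
    """Apply the policy. Returns ok plus the reasons a release is refused, so that
    a refusal can be audited rather than silently swallowed."""
    problems = []
    if p.amount_gbp <= 0:
        problems.append("amount must be positive")
    if p.amount_gbp > SECOND_APPROVAL_THRESHOLD_GBP and not valid_approvers(p):
        problems.append(
            f"£{p.amount_gbp:,.2f} is over £{SECOND_APPROVAL_THRESHOLD_GBP:,.0f} "
            "and has no valid second approver"
        )
    return {"reference": p.reference, "ok": not problems, "problems": problems}


# Constructed sample payments (not real transactions).
TURKEY = "Export job, Turkey (beneficiary per email)"

# The payment from the story: Maggie releases it on the strength of an email alone.
STORY_PAYMENT = Payment("TR-0001", 25273.00, TURKEY, released_by="Maggie")

# The same payment after a colleague recorded an approval in the system.
APPROVED_PAYMENT = Payment("TR-0001", 25273.00, TURKEY, "Maggie",
                           approvals=(Approval("Neil", 25273.00, TURKEY),))

# An approval given for different details does not carry over.
CHANGED_PAYMENT = Payment("TR-0002", 25273.00, "Different beneficiary", "Maggie",
                          approvals=(Approval("Neil", 25273.00, TURKEY),))

# Releasing and approving by the same person is not a second approval.
SELF_APPROVED = Payment("TR-0003", 25273.00, TURKEY, "Maggie",
                        approvals=(Approval("Maggie", 25273.00, TURKEY),))

# Under the limit, the person releasing is enough.
SMALL_PAYMENT = Payment("TR-0004", 4800.00, "Stationery supplier", "Maggie")

if __name__ == "__main__":
    for pay in (STORY_PAYMENT, APPROVED_PAYMENT, CHANGED_PAYMENT, SELF_APPROVED, SMALL_PAYMENT):
        print(release_decision(pay))
```

The check is deliberately strict about what it will accept as an approval: a name alone is not enough, it has to match the amount and the beneficiary of the payment in front of it. That is what turns "Eric said so in an email" into "Eric, or someone else who is not me, has approved this exact payment in the system".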

Cyber threats abound. But there are plenty of tools to help you protect your business; it's all about understanding the threats and asking your IT provider to make some simple changes. The UK Government-backed Cyber Essentials Certification makes a great starting point - and helps your business win contracts too!