The Pretenders when Hackers Target Firms Posing As CEOs, CXOs
In 2017, online digital publications announced the latest threat to consumer safety: hackers using vulnerabilities inside WhatsApp to spread malicious code via files sent using the app. In March 2019, a security researcher announced that a bug in Facebook Messenger gave hackers an open door through the user’s web browser. The bug has since been patched, but the vulnerabilities continue.
These days, the targets are much larger. Hackers are now using applications like WhatsApp and Messenger to launch phishing campaigns to target corporations across the globe.
With more businesses using messaging and file-sharing apps to conduct international conference calls, such a move by hackers is a natural next step in cyber warfare. In spite of this, many companies have yet to realize this growing threat to their IT security. This is not surprising given that many businesses are accustomed to thinking of their vulnerabilities through more known methods: typically attacks on servers, phishing emails, and human engineering.
What methods are attackers using?
Hackers have taken their methods and applied them in new territory. A recent report reveals that 71 percent of all fraudulent transactions in the second quarter of 2018 came from mobile banking apps or more broadly used apps and platforms like Facebook Messenger and WhatsApp. By exploiting vulnerabilities in phone and message apps, hackers are expanding their reach.
Even with tighter security controls around company servers and networks, hackers have figured out ways to step up their use of apps as a means to gain entry. In one recent case, a message was sent via a company’s WhatsApp account, purportedly from the company CEO. The message:“I need to inform you of a confidential acquisition regarding a payment that I need you to secure on my behalf. I am on the line with my lawyer now, can I give you a call shortly?”
However, the CEO was not making the request. It was the work of hackers, who had used a weakness in WhatsApp technology to send the message. Fortunately, the request was never fulfilled. The staff member who received the message reported the suspicious request to the IT department, who was able to determine the request was fraudulent.
In addition, the company had protocols in place that would have thwarted any money from making it into the hands of hackers. Their procedure for approving financial transactions involved three steps requiring sign-off from designated people and phone verification.
Unfortunately, not all companies can avoid falling victim to hackers, even with stringent authorization protocols in place. Bitcoin exchange Binance was victim of a large-scale security breach in May 2019 in which hackers diverted $40 million in bitcoin. Using several methods of attack, hackers obtained user information, including two-factor authentication codes, which allowed them account access.
From there, the thieves were able to withdraw 7,000 bitcoin from the company’s internet-connected wallet.
That the hackers obtained the two-factor authorization codes made this particular theft difficult to avoid. Yet the company’s losses could have been worse, except for the fact that the amount of cryptocurrency in their online account was just 2 percent of their total cryptocurrency holdings. Binance announced a few days after the breach that the company would be making up that 2 percent with company funds. For some companies who cannot recover as quickly, a loss of 2 percent of holdings could be a major setback.
What to look for
Breaches of social media apps tend to follow similar methodology as breaches that occur on company networks and email systems.
Companies and employees should be on the lookout for the following activity or behavior:
Requests made via any social media app purporting to come from senior leadership. Is the name spelled correctly? Does the user name match the one the senior manager uses? Are the requests going to the appropriate person? Has the request been verified by phone with senior management that the request came from?
Unfamiliar/unrecognized phone numbers. Much like email requests that use the person’s name, but comes attached to a completely different email account, social media requests coming from an unrecognized phone number should be treated with suspicion.
Unusual behavior. Most CEOs or C-suite executives would not use a social media app to make financial transaction requests. Nor would they use social media to ask for confidential bank account passwords or login credentials. Who can verify your CEO’s whereabouts and request activity? For requests that are not financial in nature, is the language typical of the person reaching out, or is there something not quite right about the request?
Here are a few things to keep in mind when using social media as part of your business:
Never make financial requests over social media – and make it company policy to not honor such requests.
Educate all staff. From senior leadership to administrative personnel, all employees should understand that social media requests for money or sensitive account information will not be used, nor will they be honored
Have a process for vetting all online requests. Have all monetary requests vetted through C-level management as well as examined by IT.
Regularly update passwords. Reset all passwords on social media apps and alert IT to any suspicious activity – even that which isn’t a monetary request.
Establish and actively use a three-step process for financial requests. Before releasing any funds, know who is authorized to approve such requests. Also, have in place a process that requires voice verification, including selected passwords that are changed regularly, as well as sign-off from key personnel. With every financial request, make sure to follow the procedure without exception.
As companies adopt more social media tools to conduct business, cyber thieves and social engineering attempts will continue to grow in frequency and severity. Companies must be alert to the potential risks associated with using social media apps, including knowing how their own practices are opening the door to exploitation.
Companies should establish strong verification processes and should have written social media policies in place. Likewise, companies need to educate employees on the policies, and on how to handle requests that seem out of the ordinary. Hackers will continue to find new ways to breach company systems. Staying one step ahead of the risks means examining your business activities from every angle to help reduce exposure and loss.
(John Coletti is Chief Underwriting Officer, Cyber & Technology- North America, AXA XL)