WatchPoint Security Blog

Hawkeye – not just my favorite college team anymore

Written by Greg Edwards | June 29, 2015

In Iowa, you’re either a Hawkeye fan or a Cyclone fan. With no pro baseball, basketball or football teams, we take our college sports very seriously. Most minor hacks and attacks don’t make the major press, but one named Hawkeye caught my attention immediately.

As cyber-attacks increase, we are also seeing more and more SMBs targeted by cybercriminals. The PwC Global State of Information Security 2015 report found a 48% increase in security incidents in 2014 compared to 2013, and that is only the tip of the iceberg, as the same report states that around 71% of cyber security attacks go undetected. While larger companies are still heavily targeted by hackers, attacks on SMBs are growing, and the SMB figures are widely regarded as heavily underreported.

The average financial loss for a small company (one with revenue of less than $100 million) is $0.41 million per incident. This is a very large figure for a small company to absorb.

Cybercriminals view SMBs as easy targets. As larger companies harden their security, the hacker looks for easy prey, and the SMB is it. According to the security firms FireEye and Verizon, 77% of cybercrime is targeted at small to medium sized organizations.
Riding this wave of attacks on SMBs, a threat known as ‘Hawkeye’ has appeared on the cyber security scene.

A Story of the Long Game

So we know that the Hawkeyes are the best football team in Iowa, but Hawkeye is also a type of software known as a keylogger. Keyloggers can be used as malware: once installed on a computer, they log the keystrokes you make, for example when you log into a bank account or, in this case, an email account. Hawkeye (the software) is openly available to anyone, marketed for software development and support purposes, and costs $35.

This keylogging software, Hawkeye, has been used in a stealthy attack against SMBs. The hack wasn’t a quick, in-and-out attack in which information was stolen and sold on through the cybercriminal black market; no, this hack was played as a long game.

The attack was perpetrated by two Nigerians whose aliases were Uche and Okiki. Uche and Okiki would send emails to accounts that were open to receiving external communications. Their emails carried no malicious attachments, so no warning bells rang when they were received; instead, the pair took their time to strike up a relationship with the responder. Only then did they send the Hawkeye malware, which by that point was deemed safe because it came from a known source.

Once installed, Hawkeye was used to target bigger and more lucrative fish. The Nigerian cybercriminals used a method known as ‘Change of Supplier Fraud’. Change of Supplier Fraud is exactly what it sounds like: details, in this case payment details, are changed. Uche and Okiki impersonated their original victim by compromising the victim’s email account, using Hawkeye to steal the webmail login credentials. They were then able to send seemingly legitimate emails to suppliers and partner companies, informing them that the account details to which payments should be sent had changed – changed to the hackers’ own account, in fact.

The Hawkeye attackers used social engineering techniques to ensure their attack was successful. They would often send their emails near public holidays to catch people at very busy periods, while distracted, to give themselves a greater chance of getting past people’s natural cautiousness.
This isn’t the first time this sort of attack has happened. In a similar campaign, two keyloggers known as Predator Pain and Limitless, again easily available software, were used to carry out Change of Supplier Fraud. In those attacks, which were again targeted at SMBs rather than at large companies, total losses stood at around $75 million.
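As an added example, not part of the post or the Trend Micro report: the scam above arrives from a genuinely compromised, trusted mailbox with no malicious attachment, so a finance-mailbox filter has to look at the content of the request itself. The check below scores constructed sample emails for a payment-redirect request, a bank identifier in the body and the holiday timing the post describes, and decides whether the request must be verified out of band; the sample emails, holiday calendar and thresholds are all assumptions.

```python
import re
from datetime import date

# Constructed sample messages (not from the Trend Micro report), modelled on
# the Change of Supplier Fraud flow described in the post.
SAMPLE_EMAILS = [
    {"sender": "accounts@example-supplier.test", "received": date(2015, 12, 23),
     "body": ("Please note our bank account details have changed. Remit all "
              "future payments to account 12345678, sort code 40-11-22.")},
    {"sender": "jane@example-partner.test", "received": date(2015, 3, 10),
     "body": "Attached is the invoice for March, same terms as usual. Thanks!"},
]

# Constructed holiday calendar; a real deployment would load the local one.
HOLIDAYS = [date(2015, 1, 1), date(2015, 12, 25), date(2016, 1, 1)]

# Phrasings that signal a request to redirect payments. Matched on the body
# only: in this scam the sender is a real, compromised supplier account, so
# sender reputation and attachment scanning tell you nothing.
PAYMENT_CHANGE_PATTERNS = [
    re.compile(r"\b(bank|account|payment|remittance)\s+details?\s+(has|have)\s+(been\s+)?(changed|updated)", re.I),
    re.compile(r"\bnew\s+(bank|account)\s+(details|number)", re.I),
    re.compile(r"\bremit\s+(all\s+)?(future\s+)?payments?\s+to\b", re.I),
]
# Bank identifiers: long digit runs, UK-style sort codes, IBAN-like strings.
ACCOUNT_ID_PATTERN = re.compile(r"\b\d{8,}\b|\b\d{2}-\d{2}-\d{2}\b|\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def near_public_holiday(day, holidays, window_days=3):
    """True if the message arrived within window_days of a public holiday."""
    return any(abs((day - h).days) <= window_days for h in holidays)

def assess(email, holidays):
    """Score one inbound email for Change of Supplier Fraud indicators.
    "verify_out_of_band" means: confirm by phone on a number already on file,
    never on one quoted in the email itself."""
    body, score, reasons = email["body"], 0, []
    if any(p.search(body) for p in PAYMENT_CHANGE_PATTERNS):
        score += 2
        reasons.append("payment_details_change_request")
    if ACCOUNT_ID_PATTERN.search(body):
        score += 1
        reasons.append("bank_identifier_in_body")
    if near_public_holiday(email["received"], holidays):
        score += 1
        reasons.append("near_public_holiday")
    action = "verify_out_of_band" if score >= 2 else "deliver"
    return {"score": score, "reasons": reasons, "action": action}
```

Calling assess(SAMPLE_EMAILS[0], HOLIDAYS) flags the first message on all three signals, while the routine invoice in the second message is delivered untouched.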

In many ways, this cyber threat reminds me of the old scams you’d see in Hollywood films, where the scam artist was a great con man who used the victim’s own behavior against them to commit the crime. That isn’t too surprising when you think about it: human behavior is easy to manipulate, criminals exploit it in many areas of life to get what they want, and using one person to get to another is a well-known criminal tactic.

These types of scams and attacks are not going away. We’ve seen that they are increasing in number and that cybercriminals are extending their target portfolio to include small to medium sized organizations. We need to be vigilant about email communications, but as we’ve seen, cybercriminals are very clever and manipulate our natural behavior to get their way. This is something that can be very difficult to train an employee to spot, so we need to take further precautions. One of the best ways to limit the impact of keyloggers is to ensure that software such as browsers is always up to date and that patches are correctly installed. Similarly, keeping anti-spyware and anti-malware programs installed and up to date is an important part of protecting yourself from these types of attacks. In a Hawkeye-type attack, it isn’t only your finances that may be at stake, but your reputation with your extended customer base and ultimately your business.

A full analysis of the scam can be found here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-piercing-hawkeye.pdf