Lawyers must ensure they have secure passwords – otherwise fraudsters could wreak havoc.
Think of the damage a cyber criminal could do if he or she gained access to your law firm. There’s the mergers and acquisition data that partners hold, as well as the payment details of high net worth individuals and corporates – either one of which would be bad enough. Then there’s the reputational damage and possible fine, if just the personal details of your clients become known. But consider too the damage a fraudster could wreak if they had the log on details for your corporate email account.
Over the last few months at Kroll we have seen more and more cases where advisers’ work emails have been compromised. Armed with the genuine email account of an advisor, the fraudsters pose questions and give instructions to make transfers or pay invoices of several hundreds of thousands of pounds. Would your accounts department double-check that it really was you before following your instructions? Not many would and even if they did, you might never see the emails. Cleverly, the fraudsters also set up rules on the compromised account so that any emails from defined individuals are sent straight to the deleted items folder. This is becoming more and more common.
Think too of the damage someone posing as you could do to your colleagues. They could ask questions about sensitive issues that would be trustingly replied to, assuming that the information was staying within the firm.
The head of investigations at a card payment company told me recently that this year the crooks who hack for card data have noticeably moved from targeting small online retailers with less than 20,000 transactions a year to medium-sized retailers with less than 1,000,000 transactions a year.
This is significant because of the differences in the way they are getting data. The small retailer was typically being targeted with what is known as a brute force attack on their database, which had often not been updated with the latest software update patch.
The medium-sized retailers are being targeted in a very different way. Sometimes individual members of staff are being profiled and sent a spoofed email that looks like it’s from a person they know and trust (a technique known as spear phishing). Once the attackers have tricked that person and have their genuine credentials, they typically then stay inside the network for months, slowly gathering information about the network and what is valuable within it, before they take what they want.
Kroll is also seeing increased sophistication of cyber criminals. They are smart and they take their time. The world of the cyber criminal has long been a global underground market of people selling different skills, different parts to the puzzle. There are, for example, some who design and sell malware, others who adapt it for a particular job, money launderers and the ones who send the emails. In this world, the crooks are learning to look for weak links in the chain.
What this means for all companies, especially companies like Kroll and law firms that are entrusted with particularly confidential data and have a trusted advisor status with their clients, is a need to radically rethink and re-engineer cyber security. And, to realise that the profiles and emails that the fraudsters will target are the ones that would be most useful to them – trusted and senior figures within the firm.
Going back to the recent cases of compromised email accounts, these are a mild form of intrusion compared to the full-scale hack. But how did the bad guys guess the password? In most cases it’s really not that difficult. For a start they will have looked on social networking sites, where they will probably find the names of spouses, pets and children. These form the main part of most people’s passwords or their questions for password resets, and that’s before even considering a well-known published list of the world’s most common passwords by a man who calls himself John the Ripper. You can even download his password-cracking tool for free. If criminals can’t guess your password, they can always just send you an email with a link, which if you click on it, launches malware that allows them to take control of your machine. That malware is also available for free on the internet.
Extortion for sensitive data is also a growing trend. Kroll acted for one law firm that was in the difficult position of deciding whether to tell a client that the details of his discussions with them about which of his children were getting what from his estate, were now at risk of being revealed to them.
So how big a threat is this? A fascinating insight into the size and scale of cybercrime was provided in May this year by the indictment of Liberty Reserve, a Costa Rican bank, by the US government. The indictment alleged that the online digital currency service and money transfer system of the website had been designed to attract and maintain a customer base of criminals, as unlike other banks or legitimate online payment processors they did not require users to validate their identity information.
The conversion in to and out of cash was done by ‘pre-approved exchangers’ concentrated in Malaysia, Russia, Nigeria and Vietnam. These merchants were said to be ‘overwhelmingly criminal’ in nature. They included, for example, traffickers of stolen credit card data, personal identity information and computer hackers for hire.
Some accounts were named with self evidently criminal names such as Russia Hackers. The US district attorney wrote ‘because virtually all of Liberty Reserve’s business derived from suspected criminal activity, the scope of the defendants’ unlawful conduct is staggering. Estimated to have had more than one million users worldwide, Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4bn’. In the lifetime of its operation, from 2006 to May 2013, Liberty Reserve is believed to have laundered more than $6bn.
The moral of the tale? At the very least, change your passwords to over 12 characters - and make it the first line of a song, not the full name of your spouse.
Ben Hamilton is managing director at Kroll Advisory Systems
No comments yet