David Ostertag, Verizon. Photo by Howard Solomon
Business executive fraud scams that hit the media usually involve senior officials tricked through social engineering into sending large amounts of money to a criminal posing as a legitimate contact.
However, social engineering can also be used to get anything - even bidding information.
That's what happened to an unnamed Canadian firm as recounted by David Ostertag, global investigations manager for Verizon Enterprise Solutions' investigative response unit, which looked into the incident:
"The data the bad guy was going after was the bottom line of a real estate deal," he told reporters Thursday at Verizon's Toronto office. The target was the official who knew the company's negotiating strategy; the goal was a phishing email convincing enough to extract that information.
Using social media like Facebook and LinkedIn, and in some cases calling company staffers while impersonating an employee, the attacker learned the firm's structure and its lingo to craft the email to the executive.
Ostertag didn't detail what was in the email the official fell for, saying only that the Canadian company paid significantly more than it would have had its negotiating strategy not been known.
When later shown what had happened, the official told him, Ostertag said: "Knowing now that my company lost several million dollars on this real estate deal, I would still open that email. It's that good."
So, Ostertag concluded, despite all the awareness training organizations do, "some of these are really so good, they (attackers) have done their homework so well you could do all the training you want and the recipient is going to open it."
Still, he maintained that there are many basic security steps CISOs and infosec pros should, but often don't, follow. These include:
-Email content filtering. Half of phishing exploits include an attachment that has a malicious executable, he pointed out;
-Multifactor authentication for logging into applications and systems to stop credential theft. "It's something that's simple but appears to be difficult" for some, he said;
-Centralized logging and monitoring of network and log data. "Very basic, very simple, but a lot of the organizations we go in we don't see it ... If you don't have the logs, how do you know what's going on?"
-Ensuring default passwords on systems are changed. "That's not high tech."
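The first item on that list, filtering out attachments that carry an executable, is the one with a concrete mechanism behind it, so here is an added illustration of what such a filter has to check. This is example code written for this article, not Verizon's tooling or anything Ostertag described; the message it scans is a constructed sample, and it flags executables by extension (including double extensions such as strategy.pdf.exe), by file header (PE "MZ" and ELF magic bytes regardless of the name), and inside zip archives, which is where mailed executables are most often wrapped.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# File extensions that run as code when a Windows user double-clicks them.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
}

# Leading bytes that identify an executable whatever the attachment is named.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
}

MAX_ARCHIVE_MEMBER = 5_000_000  # refuse to inflate anything larger (zip bombs)


def classify_bytes(name: str, data: bytes) -> Optional[str]:
    """Return a reason the attachment looks executable, or None if it looks clean."""
    # Every suffix after the first dot is checked, so invoice.pdf.exe is caught.
    for suffix in name.lower().split(".")[1:]:
        if "." + suffix in EXECUTABLE_EXTENSIONS:
            return f"executable extension .{suffix}"
    # A renamed binary keeps its header, so check content independently of name.
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{label} content despite name {name!r}"
    # Recurse into zip archives; encrypted or malformed archives are flagged too.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_ARCHIVE_MEMBER:
                        return f"oversized archive member {info.filename!r}"
                    reason = classify_bytes(info.filename, zf.read(info.filename))
                    if reason:
                        return f"archive member {info.filename!r}: {reason}"
        except zipfile.BadZipFile:
            return "malformed zip archive"
        except RuntimeError:  # raised by zipfile for password-protected members
            return "encrypted zip archive (cannot be inspected)"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse an RFC 5322 message and list (filename, reason) for each flagged attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # message body, not an attachment
        reason = classify_bytes(name, part.get_payload(decode=True) or b"")
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample phish with one clean and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "cfo@example.com"           # hypothetical addresses
    msg["To"] = "exec@example.com"
    msg["Subject"] = "Revised bid position - please review before the call"
    msg.set_content("Attached is the updated negotiating position.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="strategy.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="strategy.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.js", "// constructed sample script\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    return bytes(msg)


if __name__ == "__main__":
    for filename, why in scan_message(build_sample_message()):
        print(f"BLOCK {filename}: {why}")
```

Running it blocks strategy.pdf.exe and details.zip while letting strategy.pdf through. Extension and magic-byte checks are cheap and catch the bulk of mailed executables, but a real gateway would also detonate or at least hash-check office documents with macros, which this example does not look at.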
Attackers "want to spend the least amount of resources to get the greatest benefit - it's a financial thing. If you can use their playbook against them to make it financially more costly to them they're going to go somewhere else. So if you put good basic security in place chances are you're going to stop them."