Case Study: Hacking The Hackers

Transcription

Case Study: Hacking the Hackers

Demonstrating how cyber criminals easily target and breach small businesses.

www.csid.com

SUMMARY

With 30% of spear-phishing attacks targeted at businesses with fewer than 250 employees, small and medium-sized businesses are a major target for cyber criminals looking to steal identities and credit card information with high spending limits. Despite this growing threat, most small businesses (SMBs) are not taking proactive measures to protect against cyber criminals. In fact, for every 10 SMBs, at least 3 are not taking any measures to protect their business against security threats, leaving private data exposed to cyber criminal activity. With the median fraud loss for a small to medium-sized business coming in at about 200,000, many SMBs that are breached have no other option but to close up shop. And disturbingly, only 12% of SMBs actually have a breach preparedness plan in place.

To demonstrate just how effortlessly cyber criminals are targeting and exploiting SMBs, CSID reinforced the need for data breach mitigation by executing an experiment. The idea? Develop a mock business, build its presence online and watch as it becomes a target for real cyber criminals to hack.

And thus, Jomoco was born, a fictitious coconut water company with two fabricated employees, Rachel and Richard. CSID established the virtual presence of Jomoco in a similar way a start-up would: buy a URL, set up a web server and create employee business email addresses. The team developed additional personal profiles for Jomoco’s two employees – an Xbox Live account for Rachel, a Facebook account for Richard, and personal emails for both – to mimic the cyber footprints that might exist for real small business owners.

MATERIALS WE USED

- Jomoco business URL
- Jomoco website server
- Jomoco business credit card
- Jomoco business email accounts for employees Rachel and Richard
- Personal email accounts for employees Rachel and Richard
- Personal Xbox Live account with 15 credit (tied to a personal credit card) for employee Rachel
- Personal Facebook account for employee Richard

To see how quickly Jomoco would be breached, CSID set up online accounts associated with the company and its employees without taking extra steps to ensure security. Furthermore, CSID ensured that Jomoco’s fictional employees made common mistakes when it came to protecting their professional and personal data online. The real cyber criminals took it from there.

Confidential and Proprietary. CSID Jomoco Case Study

WHAT HAPPENED

In just 30 minutes, employees’ personal accounts were locked out. Within an hour, the Jomoco server was down, the website defaced and the business credit card fraudulently used. How did this happen? Let’s follow the path real cyber criminals took to exploit Jomoco and its employees.

Within one hour of Jomoco’s cyber footprint emerging online, the cyber presence of the company and its employees was completely compromised.

First, the hackers accessed Rachel’s personal email address by easily cracking her poor password. Since the fictional Rachel made the mistake of reusing passwords across multiple accounts – something 61% of consumers do in real life – cyber criminals were also able to hack into her Xbox Live account and lock her out using the same credentials. In doing so, they stole both her Xbox gaming identity and the 15 Xbox Live credit attached to it, information and currency that has nothing to do with Jomoco.

It was easy for hackers to access Rachel’s business email account using the credentials they had already tried. There, they found a fabricated email to Richard sharing Jomoco’s web server details like IP address and login credentials. Using this information, hackers defaced the Jomoco website and locked out the business email accounts and web server, seemingly for fun. Since Richard reused passwords across his personal and professional online accounts as well, the hackers were now also able to access his personal email account and Facebook, where they changed the passwords to both accounts and took them over.

“Jomoco is the only coconut water company that uses juice from young Bolivian coconuts cryogenically frozen for over 100 years.”

This exercise demonstrated how easily and quickly cyber criminals can infiltrate the cyber identities of SMBs and the employees associated with them. Rachel’s and Richard’s password reuse across multiple online accounts – a common mistake representative of the poor password security habits many employees have in real life – was the key to Jomoco’s downfall. After cyber criminals hacked only one set of credentials, a chain reaction began, enabling access to additional online accounts and valuable, private information. Rachel and Richard also shared sensitive information with one another over email. Sharing secure details, such as login information, Social Security numbers and financial information, is extremely insecure and can expose sensitive information to cyber criminals if an email account is breached.

Furthermore, the company credit card was fraudulently used for real purchases. On a positive note, the bank hosting the company credit card froze the account almost immediately after the first fraudulent purchases were made. Using monitoring solutions, the bank identified the fraudulent credit card activity and shut down the account before additional purchases could be made.

Hackers locked Rachel out of her Xbox Live account by changing her password. Since she reused her password on multiple sites, they were able to access her Gmail account by trying the same credentials. They also stole her 15 Xbox Live credit and her gaming identity.

This is a fabricated email between Jomoco employees sharing server credentials. Cyber criminals used this information to shut down the Jomoco server and deface the website.

Jomoco’s website, Jomoco.rocks, was defaced by a hacker. Just as a graffiti artist has a signature “tag,” so does a hacker. This image is a “tag” or symbol of the hacker r00x.

Jomoco’s credit card number was shared in an Internet Relay Chat (IRC) room. A cyber criminal used the credit card to make fraudulent purchases, but the card was flagged by the bank hosting the card through its monitoring services.

To recap, here’s a chronological timeframe of everything that happened.

CONCLUSION

In less than an hour, Jomoco’s fledgling coconut water business was brought to a halt by enterprising hackers. The speed and ease of the breach underscore how critical it is for SMBs to make cyber security a priority. Understanding the security risks associated with establishing and running a small or medium-sized business, and educating employees about them, is the first step in mitigating risk. Here are additional ways SMBs can prevent cyber criminals from exploiting their business:

MONITOR EMPLOYEE AND CUSTOMER CREDENTIALS AND YOUR BUSINESS CREDIT SCORE

Take advantage of software solutions that can help monitor the security of your business. A monitoring service can keep track of your SMB’s overall health and mitigate the risk of breach. Monitor employee and customer credentials and business credit score to detect fraudulent activity early.

DEVELOP SECURITY POLICIES EARLY AND EDUCATE EMPLOYEES

Ensure employees understand the importance of workplace cybersecurity. Create and enforce password, BYOD and social media policies from day one. Encrypt valuable data from employees, customers and partners, like email addresses, passwords and credit card numbers. Require that employees use a VPN when on wireless Internet and regularly update devices. The better educated the workforce is on the importance of security, the more likely they will be to employ better online habits at work and at home.

CREATE A BREACH PREPAREDNESS PLAN

Have a breach preparedness plan in place. Practice transparent communication with the public and affected parties. Hiding details about a breach breeds distrust with customers, which can affect your business reputation. While a damage control plan may not reduce the cost of repairing the breach, it can keep customer relationships intact and diminish reputation damage.

ABOUT CSID

CSID is the leading provider of global identity protection and fraud detection technologies and solutions for businesses, their employees, and consumers. With CSID’s advanced enterprise-level solutions, businesses can take a proactive approach to protecting the identities of their consumers all around the world. CSID’s comprehensive identity protection products advance from credit monitoring to include a full suite of identity monitoring services; insurance and full-service restoration; and proactive breach mitigation and resolution.

www.csid.com
