Hacking Humans to Reach Company Assets

The cyber-key for stealing corporate data and assets may be through vulnerable employees.

Cyber attacks have changed in recent years. Gone are the days when relatively benign bedroom hackers entered organizations to show off their skills. Attackers now are often sophisticated criminals who target employees who have access to the organization’s jewels. Instead of using blunt force, these savvy criminals use age-old human fallibility to con unwitting employees into handing over the keys to the vault.

Jessica Barker will deliver the keynote address, How to Hack a Human, at the ARM TechCon conference in Santa Clara October 24 – 26.

Professional criminals like the crime opportunities they’ve found on the internet. It’s far less dangerous than slinging guns. “Cybersecurity is getting worse. Criminal gangs have discovered they can carry out crime more effectively over the internet, and there’s less chance of getting caught,” Jessica Barker, founder of the cybersecurity website Cyber.uk, told Design News. “Organized outfits are disguising themselves as businesses with offices and HR departments. Some of their employees don’t even know they’re working for a criminal enterprise. Many use traditional con-artist techniques to con their customers out of large sums of money.”

Barker noted that hacking individual employees is often the easiest way into a company. “One of the cheapest and most effective ways to target an organization is to target its people. Attackers use psychological tricks that have been used throughout mankind,” said Barker. “Using the internet, con tricks can be carried out on a large scale. The criminals do reconnaissance to find out about targets over email. Then they effectively take advantage of key human traits.”

A Dangerous Note from the CEO

The criminals enter the company’s email bloodstream and begin to take action. “One common attack comes as an email impersonating a CEO or supplier. The email looks like it came from your boss or a regular supplier, but it’s actually targeted to a specific professional in the organization,” said Barker. “The email might say, ‘We’ve acquired a new organization. We need to pay them. We need the company’s bank details, and we need to keep this quiet so it won’t affect our stock price.’ The email will go on to say, ‘We only trust you, and you need to do this immediately.’ The email comes from a criminal, using triggers like flattery, saying, ‘You’re the most trusted individual in the organization.’ The criminals play on authority and create the panic of time pressure.”
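As an added example (not from the article or from Barker), a small Python triage check for the CEO-impersonation email described above: it flags an executive's display name on an address outside the company domain, a Reply-To routed elsewhere, and the lure phrases Barker lists (time pressure, secrecy, flattery, a request to move money). The executive list, domains and sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Executives whose names are worth impersonating, mapped to the only domain
# their mail legitimately comes from (constructed example data).
PROTECTED_EXECUTIVES = {"pat morgan": "example.com"}

# Lure phrases drawn from the tactics described in the article.
LURES = {
    "time_pressure": re.compile(r"\b(immediately|urgent(ly)?|right away|asap)\b", re.I),
    "secrecy": re.compile(r"\b(keep (this|it) (quiet|confidential|between us)|do not tell|don't tell)\b", re.I),
    "flattery": re.compile(r"\b(only trust you|most trusted)\b", re.I),
    "payment": re.compile(r"\b(bank details|wire transfer|pay them|transfer the funds)\b", re.I),
}

def ceo_fraud_indicators(raw_message):
    """Return the CEO-fraud indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    found = []
    # An executive's display name on an address outside the company domain.
    legit_domain = PROTECTED_EXECUTIVES.get(display_name.strip().lower())
    if legit_domain and from_domain != legit_domain:
        found.append("display_name_spoof")
    # Replies quietly routed to a domain other than the visible sender's.
    if reply_domain != from_domain:
        found.append("reply_to_mismatch")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found.extend(name for name, pattern in LURES.items() if pattern.search(text))
    return found

def is_suspicious(raw_message):
    """Spoofed sender plus any lure, or three or more lures, gets quarantined."""
    found = ceo_fraud_indicators(raw_message)
    lures = [f for f in found if f in LURES]
    spoofed = "display_name_spoof" in found or "reply_to_mismatch" in found
    return (spoofed and bool(lures)) or len(lures) >= 3

# Constructed sample message modelled on the attack described in the article.
FRAUD = """From: Pat Morgan <pat.morgan@example-mail.net>
Reply-To: Pat Morgan <finance-desk@example-pay.net>
To: controller@example.com
Subject: Confidential acquisition

We've acquired a new organization and need to pay them immediately.
Send their bank details, keep this quiet, we only trust you with this.
"""
```

Keyword lures alone are noisy; in practice the header checks carry most of the weight, and a hit should route the message to review rather than silently drop it.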

Even long-term attacks can be launched by using this tactic of a CEO message. “A company in Malaysia received some kits purporting to come from the CEO,” said Barker. “The users were told the kit needed to be installed. It took months before the company found out it didn’t come from the CEO at all.”

Instead of increased technology, some of the new hackers are deploying the classic con moves, playing against personal foibles. “They are taking advantage of those base aspects of human nature and how we’re taught to behave,” said Barker. “We have to make sure we have better awareness. For cybersecurity to be engaging, you have to have an impact
