Companies of all sizes and in every sector should prepare for attacks similar to the one that prompted Google Inc. to consider pulling its operations out of China.
The search engine giant had 20 employees targeted in a sophisticated attack originating from China. The staff received Adobe PDF files with an exploit that allowed attackers to gain access to Google’s network.
It’s not the first case of such corporate espionage seen out of China and it won’t be the last, experts say.
The number of these kinds of attacks has risen significantly in the past couple of years, says Paul Wood, senior analyst with Symantec Corp.’s Hosted Services. Though still a drop in the ocean when compared with other types of malicious attacks, these so-called spear-phishing attempts can have big impact.
“Often the e-mails are crafted in a way that make them seem genuine,” Wood says. “So they really are hard to spot.”
Cyber-criminals are fine-tuning their attacks to make them more effective and targeted as security software successfully blocks traditional mass attacks, such as spam. Hackers have become sneaky about the way they infect computers – gleaning personal information from social networks to use in social engineering; injecting malicious code into legitimate and credible Web sites; and hijacking personal instant messaging (IM) accounts.
“They are really attacks intended to penetrate the defences of an organization and gain some intellectual property,” Wood says.
In Google’s case, the company’s breach didn’t result in a release of the sensitive data the hackers were looking for – content in the Gmail accounts of human rights activists. But in a demonstration of the sophistication of hackers, that same content was likely extracted through another avenue.
“We have discovered that the accounts of dozens of U.S., China, and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties,” Google’s official blog states. “These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.”
At least 20 other large companies were also attacked in the same manner, Google says.
Companies need not be Google-sized to be the target of such attacks, notes David Senf, director of the infrastructure solutions group at IDC Canada. Smaller organizations are often more vulnerable because of weaker security practices.
“What’s scary is your average, mid-market company with a fair bit of data that needs to be protected, doesn’t take these threats seriously,” he says.
Hackers have access to powerful botnets that scan constantly for vulnerabilities, and the computers found to be vulnerable are then chosen as targets. Once that window of opportunity is cracked open, hackers rush to pry it the rest of the way with social engineering techniques.
Even a simple Twitter post can lead to an attack, Wood says. Hackers are known to search for users talking about their “first day of work” at a company. That is an opportune time for cybercrooks to write a fake e-mail pretending to be someone else who works at that company and request information.
“If you haven’t even been through the security induction program, it could be game over before you’ve even started,” he says.
Likewise, cyber-criminals are adapting their content to current events in the hope of eliciting a better response. Sadly, the Web is already chock-full of scammers looking to take advantage of the disastrous earthquake that struck Haiti. Cyber-thieves pose as charities and pocket the money or credit card numbers for themselves.
Stick to the basics of computer security to protect your business, Senf suggests. Pay close attention to the Web applications side, where the majority of vulnerabilities arise. Know how to stop typical attacks such as SQL injections.
Training employees on good security practices could help them avoid falling prey to social engineering tactics, he says.
Other security predictions
- Virtualization and security will be a big topic of confusion for IT departments, Senf says. Ensuring that one infected virtual machine won’t infect other virtual machines on the same physical box might turn out to be virtually impossible.
- Security concerns about cloud computing will wane, Senf says. The concept has been floating around long enough that more firms will adopt it and start worrying about other cloud concerns. “There’s still going to be security concerns they should be looking at,” he adds.
- Mobile security concerns will be dialed up in 2010, Senf says. More phones are being deployed in enterprises all the time and there are more mobile threats as a result.
- Instant messaging will become the new venue of choice for spammers, Wood predicts. In 2008, just one in 200 links sent over IM led to malware. In 2009, that ratio rose to one in 78 and it could go as high as one in 12 this year.
Follow Brian Jackson on Twitter.