ITBusiness.ca

Google attack — a security wake up call for all companies

Companies of all sizes and in every sector should prepare for attacks similar to the one that prompted Google Inc. to consider pulling its operations out of China.

The search engine giant had 20 employees targeted in a sophisticated attack originating from China. The staff received Adobe PDF files with an exploit that allowed attackers to gain access to Google’s network.

It’s not the first case of such corporate espionage seen out of China and it won’t be the last, experts say.


The number of these kinds of attacks has risen significantly in the past couple of years, says Paul Wood, senior analyst with Symantec Corp.’s Hosted Services. Though still a drop in the ocean when compared with other types of malicious attacks, these so-called spear-phishing attempts can have a big impact.

“Often the e-mails are crafted in a way that makes them seem genuine,” Wood says. “So they really are hard to spot.”

Cyber-criminals are fine-tuning their attacks to make them more effective and targeted as security software is successfully blocking traditional mass attacks, such as spam. Hackers have become sneaky about the way they infect computers – gleaning personal information from social networks to use in social engineering; injecting malicious code into legitimate and credible Web sites; and hijacking personal instant messaging (IM) accounts.

“They are really attacks intended to penetrate the defences of an organization and gain some intellectual property,” Wood says.

In Google’s case, the company’s breach didn’t result in a release of the sensitive data the hackers were looking for – content in the Gmail accounts of human rights activists. But in a demonstration of the sophistication of hackers, that same content was likely extracted through another avenue.

“We have discovered that the accounts of dozens of U.S., China, and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties,” Google’s official blog states. “These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.”

At least 20 other large companies were also attacked in the same manner, Google says.

Companies need not be Google-sized to be the target of such attacks, notes David Senf, a director of infrastructure solutions group at IDC Canada. Smaller organizations are often more vulnerable because of weaker security practices.

“What’s scary is your average, mid-market company with a fair bit of data that needs to be protected, doesn’t take these threats seriously,” he says.

Hackers have access to powerful botnets that can scan for vulnerabilities constantly, and the computers found to be vulnerable are then chosen as targets. Once the window of opportunity is cracked open, hackers rush to pry it the rest of the way with social engineering techniques.

Even a simple Twitter post can lead to an attack, Wood says. Hackers are known to search for users talking about their “first day of work” at a company. That is an opportune time for cybercrooks to write a fake e-mail pretending to be someone else who works at that company and request information.

“If you haven’t even been through the security induction program, it could be game over before you’ve even started,” he says.

Likewise, cyber-criminals are adapting their content to current events in hope of eliciting a better response. Sadly, the Web is already chock-full of scammers looking to take advantage of the disastrous earthquake that struck Haiti. Cyber-thieves pose as charities and pocket the money or credit card numbers for themselves.

Stick to the basics of computer security to protect your business, Senf suggests. Pay close attention to the Web applications side, where the majority of vulnerabilities arise. Know how to stop typical attacks such as SQL injections.

Training employees on good security practices could help them avoid falling prey to social engineering tactics, he says.


Follow Brian Jackson on Twitter.
