There may have been a mistaken belief amongst SMEs that they are NOT a principle target for cyber attack. This has been firmly refuted by security firm Symantec following their research of the trends which evolved during 2015 and which has just been published in their latest report.
UK, US and Indian SMEs in particular are being targeted, specifically with the goal of stealing money from businesses.
Hackers are using two types of Trojans (a common cyber threat method through which the victim is conned into launching malware believing it to be harmless) and social engineering (a confidence trick – essentially to get people to perform an action or divulge confidential information).
The newer, more sophisticated threats target, “employees responsible for accounts and fund transfers”.
Scammers will send emails from stolen or compromised accounts often related to finance and lure the employee to open them. The email contains a .zip attachment, which once clicked on, opens a Pandora’s Box for the cyber attackers to log key strokes, steal files, passwords, access the camera and microphone. The logging of key strokes is more sinister in that it tracks the keyboard use and pathway thereby tracking different websites etc. and passwords not even held on the computer as part of the data heist.
The email subject line might have a heading such as the following:
• Remittance Advice
• Payment Advise
• Quotation Required
• Transfer Copy
• TT Payment
• PAYMENT REMITTANCE
• Request for Quotation
Hackers use two publicly available remote access Trojans (RAT): Backdoor.Breut and Trojan.Nancrat. Nancrat being the one most commonly used in the UK.
And it doesn’t have to be a swift in/out attack. Hackers, once in, are happy to mooch around the computer to find out how to steal money. “In some cases, attackers have been known to even download manuals to figure out how to use certain financial software,” the Symantec report says.
The recommendation of course is not to open suspicious attachments and to exercise caution when using email. All too often, a too-speedy key stroke can lead to an accidental but high impact outcome for the firm. The solution is to get educated about cyber attacks and what they look like and treat email communications with cautious respect. That way, you get smart and your company and customers stay safe.