Hackers say phishing technique is best for theft

James Garcia (left) and Jon Ford work on penetration testing at cybersecurity services company MainNerve LLC.

Human error is a hacker’s best friend.

According to a new report from data protection company Bitglass, both white hat and black hat hackers say phishing is the best way to snatch sensitive data, because “human error and ignorance will always be exploitable.”

The report, “Data Games: Security Blind Spots According to Experts,” shows 59 percent of hackers rank phishing as the No. 1 data exfiltration strategy. Malware comes in second (26.4 percent) and physical theft is third (6.2 percent).

For insights into security threats, Bitglass surveyed 129 self-identified white hat and black hat hackers attending the Black Hat USA 2017 national cybersecurity conference.

White hat hackers are computer security experts who break into protected systems or networks to identify vulnerabilities so they can be fixed before malicious (or “black hat”) hackers find them.

Penetration testing — a form of white hat hacking — is central to Springs-based MainNerve’s business, and Chief Security Officer James Garcia said phishing is its “No. 1 vector” into clients’ networks.

“We’re almost always successful on a phishing test,” he said. “It’s so successful because it’s generally easier to bypass firewalls and to get into the internal network by email. … Email is the No. 1 vehicle for transferring data, and it’s really trivial to bypass spam filters.

“Why go through a locked door when you can crawl through an open window? That’s generally what email is.”

Successful phishing goes hand in hand with social engineering — the art of manipulating people into breaking normal security procedures or giving up confidential information.

“Social engineering transcends the technical and sociological; it puts a human face on there,” Garcia said. “It’s an art … some people are naturally good at it; they have a natural inclination to try to fool people into doing things they otherwise would not do.”

MainNerve does penetration (or “pen”) testing for companies all over the world, from one-person businesses to firms with tens of thousands of employees, and the weaknesses are the same: They’re human, and they’re not expecting trouble.

“If someone knocks on your front door and tries to sell you something, you shut down — ‘I don’t want to do this.’ But email appeals,” Garcia said.

Hackers know this, and they take advantage. They also do their research.

Emails are disguised to look like they come from trusted associates or colleagues. The topics and instructions are believable, and the links lead to sites that look genuine.

“Sometimes it’s as easy as just spending a couple of hours looking at an organization before we know exactly who we’re going to target. … First thing, we get on the website and locate all their finance people and accounting people — that’s where money is,” Garcia said. “In [one] case, we crafted a portal that they have to manage their donations, and we sent it off to the right people.

“There are tools openly available … to clone websites. You can make an exact clone of a familiar website — like your Outlook web access portal — and they’ll go and type in it.”

Garcia said the Outlook portal is the one MainNerve most frequently clones for penetration testing, and targets will log in multiple times.

Usually, capturing a person’s credentials yields access to more than just one system.

“What we find unfortunately is password reuse — they might use one password across multiple systems,” Garcia said. “From a penetration testing standpoint we [include] that in our assessment, whereas an attacker would actually use that to try to get into everything.”

So what happens when your business’ worst enemy looks like Ben from accounting, and when the most treacherous site looks like your in-box?

Garcia has a ready example.

“In a large-scale test that we did for a railroad, we found the [chief information officer]’s credentials; they logged in and we found they were authorized through a [virtual private network] with the same credentials,” he said. “We took over the entire network and we dumped about 3,800 passwords from the network. It just took that one person.”

Terry Bradley, chief technology officer at PLEX Solutions LLC, has examples, too.

“The most popular thing hackers are doing when they break in is extortion,” he said. “Extortion in the cyber age is mostly done through Bitcoin, so I take control of your computer and encrypt your hard drive and all your files and if you ever want them back, you have to pay me in Bitcoin.”

Bitcoin, an anonymous digital currency that is notoriously difficult to trace, means the risk of being caught is low.

“This is happening at a huge rate and will continue to increase until someone can figure out a way to combat it,” Bradley said. “There are tons of these [Bitcoin] kits [for sale on the Darknet] and you can download them for a few hundred dollars and make thousands of dollars by breaking into computers and holding them hostage.”

PLEX Solutions focuses on vulnerability assessments and penetration testing. Bradley describes it as “a bad guy who’s not going to kill you — it’s the emotional experience of being hacked, without all the damage.”

Bradley said companies should prioritize penetration testing for phishing and social engineering, as well as application security.

Apart from pen testing, Garcia’s advice is: “Always keep your ear to the ground, and never take anything for granted when it comes to cybersecurity.

“Cybersecurity is not for the other guys,” he said.

“It’s not ‘We’re not big enough,’ or ‘We’re too big.’ You’re not immune to attack.”