May 28, 2010
Sally, the accounting manager of a medium-sized business, regularly checked her Facebook account while at work. One day she received an e-mail. The e-mail said that a long-lost friend, Bob, had added her as a friend in Facebook.
There was a link in the e-mail for Sally to follow to confirm the friend request. Sally clicked the link. Over the next week, cyber-thieves withdrew nearly $1 million from her employer’s bank account.
Welcome to the newest nastiest twist in cybercrime.
You see, the e-mail wasn’t from Bob and the link didn’t go back to Facebook.
Bob is on Facebook just like Sally is. That’s how the cyber-thieves found them and discovered that they might know each other. That’s also where they learned that Sally worked in the accounting department.
After that it was a simple matter to set the trap by sending Sally a friend request from Bob.
“How great,” thought Sally. “An e-mail from Bob. Let me just follow this link and we can be friends again.”
A link was followed, and a Trojan horse was installed.
The unrecoverable damage: $1 million stolen.
Sally is a pseudonym for the victim. The story is an actual client-case of Dr. Stan Stahl, an information security expert at Citadel Information Group in Los Angeles. His credentials are lengthy and he is president of the Los Angeles chapter of the Information Systems Security Association (ISSA-LA), a nonprofit, international organization of information security professionals and practitioners.
Dr. Stahl says the bank will not return the $1 million to Sally’s company.
No Protection for Business Bank Accounts
Regulation E of the Federal Deposit Insurance Corporation (FDIC) stipulates that consumers are protected against cyber crime involving their banks. The FDIC regulation protects consumers if they report such discrepancies in their bank accounts within 60 days.
However, businesses are not insured.
That is why Dr. Stahl knows that crimes involving hackers who attack social networks, including Facebook and Twitter, are a major threat to business.
When did social-network attacks become an epidemic?
Breach Security in Carlsbad, CA, reports that Internet security crime jumped 30 percent in the first six months of 2009, and that 19 percent of the attacks involved social networks. Ironically, social networks were not even mentioned in Breach’s 2008 report.
“Making matters worse, many of these attacks succeed by taking advantage of missing patches and using obscure technology like ‘0-day exploits’ that get past traditional antivirus and antispyware defenses,” says Dr. Stahl.
What is a 0-day exploit? It is an attack that takes advantage of a security vulnerability as soon as it is discovered – the same day, before a patch or other protection measure can be put in place.
Dr. Stahl advocates five security precautions:
- Prohibit use of social network sites from the office. These sites can be blocked at the corporate firewall. This can become particularly challenging if employees work remotely as it may not be feasible to block access to social networks from home computers. Making matters worse, Trojan horses are like communicable diseases and Sally’s work-at-home computer can be infected from her son’s. That’s why the next four recommendations are so important.
- In addition to antivirus / antispyware defenses, add advanced defenses like intrusion detection and prevention designed to block internet-based attacks like the link in Sally’s email and 0-day exploits.
- You can block known internet-based attacks by comparing links against a database of known bad links like http://stopbadware.org/home/reportsearch.
- Keep your systems patched. This means not just Windows patching but all your applications, those you know about — like Office and Adobe Reader — and those you might not even know about — like Flash and Java. This also includes your Macintosh computers, as they are every bit as vulnerability-prone as Windows PCs.
- Finally, don’t expect to rely on technology alone. Users are often the weakest link so it’s very important to train them to detect the subtle signs of an attack so they can keep from becoming victims. They also need to be given guidance on what information is safe to put on a social networking site.
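As an added example (not code from this post, from Dr. Stahl or from Citadel Information Group), here is a small Python check that applies the second and third recommendations to an e-mail like the one Sally received: it compares each link’s host against a blocklist of known bad hosts and flags links whose visible text names one site while the actual href points to another. The blocklist and the e-mail body are constructed for the demo, and the `.example` hosts are placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed blocklist of hosts (hypothetical names, not real indicators).
BAD_HOSTS = {"facebook-friend-confirm.example", "login-update.example"}
# Constructed e-mail body modelled on the "friend request" lure in the story:
# the visible text claims facebook.com while the real href goes elsewhere.
SAMPLE_HTML = (
    "<p>Bob has added you as a friend on Facebook.</p>"
    '<a href="http://facebook-friend-confirm.example/confirm?id=42">'
    "http://www.facebook.com/confirm</a> "
    '<a href="https://www.facebook.com/help">Help</a>'
)
class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude last-two-labels rule (no public-suffix list); enough for a demo.
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, text, bad_hosts=BAD_HOSTS):
    """Return the reasons a link looks dangerous; an empty list if none."""
    reasons, host = [], (urlparse(href).hostname or "").lower()
    if host in bad_hosts or registered_domain(host) in bad_hosts:
        reasons.append("known-bad host")
    m = re.match(r"https?://([^/\s]+)", text)  # visible text that looks like a URL
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append("display text names a different site")
    return reasons

def scan_email(html, bad_hosts=BAD_HOSTS):
    """Map every link in an HTML e-mail body to its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, bad_hosts) for href, text in parser.links}
```

Run against `SAMPLE_HTML`, the disguised "confirm" link is flagged on both counts while the genuine help link passes; in practice the blocklist would be fed from a maintained source such as the one named above rather than a hard-coded set.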
“There is no one thing you can do to keep from being victimized from a social network attack,” says Dr. Stahl. “Even doing all five of these isn’t a guarantee, just like a flu shot doesn’t guarantee you won’t get the flu. But if you are diligent you can significantly affect the odds and this should be your objective.”
(Note: I know Dr. Stahl very well as we’re both members of Consultants West, www.consultantswest.com, a roundtable of veteran consultants and authors.)
From the Coach’s Corner: Are you Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.
Mobile banking is popular in Europe, but Dr. Stahl has long warned that it’s dangerous; see: Our Mobile-Banking Warnings about Security Prove Prophetic.
To learn more about Internet security:
Dr. Stahl’s Web site: www.citadel-information.com.
Here’s his security blog.
For more on ISSA-LA, visit: www.issa-la.org.
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”
– Kevin Mitnick
Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.