Spooky Ways to Ruin a Cybercriminal’s Day

It’s challenging to ruin a cybercriminal’s day because they only need one thing to work to gain access, while organizations must protect every potential attack surface. However, there are ways for everyone to contribute to a threat actor having a bad day. 

We’ll discuss some major areas that work to malicious actors’ advantages (which can overlap with each other too), and ways to strengthen your organization and employees’ defenses.

Leaked Credentials

There are over 10 billion unique username password combinations on the dark web (once duplicates and combo lists have been removed). Stolen credentials continue to be the main initial access point for many data breaches and cyberattacks. 

Therefore, preventing leaked credentials is the biggest way to ruin a threat actor’s plans. In general, subscribing to online services and creating accounts increases your personal attack surface. 

Here are a few risk areas, and corresponding tools to better secure your organization:

Passwords

Many organizations make the mistake of assuming that leaked credentials aren’t a risk to them because they use multi-factor authentication (MFA), but this couldn’t be further from the truth. Security works best when layered, and if passwords associated with corporate emails are for sale on the dark web, there is a good chance those employees reused their passwords on other accounts. Failing to recognize when a breach has exposed corporate credentials leaves MFA as a single point of failure at your organization. 

It can be tempting to save passwords to your browser, for example, when Google Chrome prompts you to store a password after creating a new online account. However, this is not a safe place, as threat actors can gain access to these credentials by buying an infected device on the Russian or Genesis Markets.

A password manager encrypts passwords in one place, and can generate secure unique passwords without the need to store passwords in the browser. This can enable employees to use unique, complex passwords for each login-in. 

Single Factor Access for Logins 

Threat actors search for single factor access, so if they have login credentials, they could easily access an employee’s account, even eventually reaching confidential company systems and information. 

But MFA can be vulnerable as well. Be aware of “MFA fatigue,” as malicious actors can use this to their advantage. 

In the recent Uber breach, the threat actor repeatedly sent push notifications to an employee to confirm a remote login to their account. After the employee did not respond, the malicious actor messaged through WhatsApp, pretending to be a fellow employee in the IT department, and expressed urgency about the remote login. The employee then ultimately confirmed the remote login. 

MFA/2FA establish several more steps to logging in to an account, which work to deter threat actors and ensure that only the account holder logs in. 

Want to learn more about Flare’s original research into leaked credentials? Take a look at our report, Clear Insights from a Deep Analysis of Dark Web Leaked Credentials.

Social Engineering and Social Media

Publicly and virtually displaying your life online can have real life consequences. 

The amount of information that threat actors (or anyone!) can gather through open source intelligence (OSINT) from companies and/or social media on individuals that actively participate in posting is quite large. Some people post so much that even without much digging, viewers/followers could figure out their address, family members, car, birthday, and more, which can be used to either impersonate and scam relatives or even steal their identity (with some more additional work).

Social media provides many great benefits in connecting with people, so it can be difficult or impossible to not use, so being aware of what information is out there and how they can contribute to social engineering is a great first step. 

These following areas pose risks, but there are best practices and tools to secure them:

Spear Phishing

Phishing emails, a popular cyberattack method, is here to stay and continues to evolve. Threat actors send convincing emails so that victims send passwords, download malware, or accidentally conduct fraudulent transactions. 

These have become much more advanced than the traditional phishing email, which casts a wide net to try to fool one person. Spear phishing refers to the targeted version of phishing, in which malicious actors focus on a smaller number of potential victims and tailor their messaging to try to better deceive them. With social engineering, threat actors can create convincing situations for their victims to take the action they want. 

Learn more about spear phishing defense tactics with our Spear Phishing Defense: A Complete 2022 Guide.

Some common spear phishing tactics include:

• Asking to send money for secret acquisition
• Sentiment of urgency and/or secrecy
• A note saying they are not available on typical communication methods (ex. Slack), or instructions to use a different communication method

LinkedIn

In addition, LinkedIn can be a risk factor. Employees who update their current position and company on LinkedIn often end up as targets of spear phishing, as threat actors can easily research who in the company they could potentially impersonate. New employees are especially susceptible to spear phishing attacks, as they may not be as aware of established patterns around company culture and communication. 

Especially with remote work and geographically distributed teams, there’s been a change in norms which has also provided some gaps that threat actors can take advantage of.

For example, there recently was a student who shared that they were scammed over a job offer for a remote role. 

1. The malicious actors initially sent an email to their school email, which is a common method for recruiters to reach out. 
2. The interviewing process was over Skype chat, and after sending the job offer, they instructed the student to connect their credit card to the company’s account to purchase their equipment. 
3. The student felt uneasy and asked friends and family for their thoughts. A friend suggested to message the company’s employee on LinkedIn, who then confirmed the student was being scammed.
4. Fortunately, the student was able to immediately cancel shipping the equipment they purchased, froze their credit card, and reported the identity theft incident to the FTC.

Threat actors take advantage of peoples’ emotions and vulnerabilities, for example in this situation, of somebody who is a student searching for a job. 

Below is a phishing email sent to a Flare team member, designed to look like it’s from Flare’s CEO which includes some of the common tactics mentioned above.

For people who are not the direct targets of the spear phishing attempt, these emails may seem obviously suspicious. However, in the day-to-day (of working), it could be easy to fall into the threat actor’s trap. 

Some ways to prevent or verify the spear phishing attempt:

• Managers can warn their team, especially new hires, to be wary of any suspicious emails, and explicitly note that they can and should question any odd communication. 

• Every employee can have their phone number in the HR platform or messaging platform profile (ex. Slack) so that their coworkers can check any suspicious emails that mention a phone number.
• New employee onboarding can include an engaging cybersecurity training which involves the new hire receiving phishing attempt simulations.
• If anybody in the organization receives a phishing email, they could report it, and share with others to be aware. 

Of course, it’s most ideal to prevent phishing attempts, but they can happen, so there should be a set process that can respond immediately in the case that it occurs.

Fortunately there is technology that helps validate if an email is from a threat actor. This combined with a sense of awareness about common spear phishing tactics, employees and organizations adds another layer of security. 

How to Strengthen Your Employees’ Cybersecurity Mindset

As a CISO/security manager, here are some points to include in a rigorous cybersecurity training program for your employees:

• Open links and files that you’re expecting to receive. If an unexpected link or file could be legitimate, double check with the sender, ideally through another platform. For example, if you receive an email, confirm with the sender via Slack or LinkedIn InMail.
• Only install tools that are absolutely necessary for your work. If the application of an online software is free, then understand that you are the product.
• Be aware of the tradeoff associated with social media of advantages like convenience. By accepting to give more information about yourself to the public, there can be more targeted ads or possibilities of threat actors being able to better target you. Make sure you are aware of this.
• There is technology designed to prevent threat actors from reaching your organization’s employees. For example, technology scans emails that arrive to your inbox and send them to the spam folder or notify the employee that it looks questionable. To make sure this is working properly, update browsers and applications automatically or as soon as you’re prompted. 

With these spooky tactics, thwart malicious actors who are trying to attack your organization. Preventing cyber attacks is a collaborative effort with everyone in the organization securing their accounts and work.

Flare monitors the dark web, clear web, and instant messaging platforms for information that could’ve been accidentally leaked through spear phishing attacks. Book a demo to learn how to better protect against cyber threats.