4 day bank holiday weekends : you’ve got to love them for being the best time to and exploit any UK business.
The spring sun was warm in my face as I stood in the Eastern Terrace of Headingley with my family watching a game of rugby when my phone started to vibrate. The middle of the afternoon on day 4 of the Easter break – when a suppliers company was targeted in a phishing attack which fortunately for them, came on a day when they were all in the office.
They are only a small company (less than 20 employees) but as they trade mainly online they did have a cyber response plan which may have saved them from going under. Within minutes of detecting the threat, they managed to SMS and email all their existing and previous customers and inform them of the attack. The message they put out was completely transparent – they had done something wrong and now all their previous customers were being directly phished. The communication was short, honest and demonstrated competence in dealing with the issue. What could have been the complete loss of reputation has been saved by a well formed Cyber Incident Response.
So how was the phishing attack created and how has the reputational damage been limited when there has been a perceived loss of personal data?
It all started with the decommissioning of an old server that used to be part of a bigger solution. Although the supplier had a process to ensure that old equipment was appropriately destroyed, in this scenario the decommissioning was performed by a 3rd party on equipment that was not owned by the supplier themselves.
Being a PCI-DSS compliant company, they didn’t actually have any personal data stored on upon it – but it was used as their a SMS gateway. The only information it ever processed was mobile phone numbers. A number by itself isn’t personal data – but when used in conjunction with the booking company, you have an identifier for a customer who you know trusts the sender and makes high value online bookings with disposable income.
Phishing is all about the numbers. It’s down to the expected number of bites you get per number of messages sent. Each bite will also have an expectation on the revenue, which is particularly interesting in this case. The majority of phishing attacks expect very few bites per 1000 messages, but are send out to many million email addresses (as email is “free”). They usually expect only a small amount of revenue per bite, with the shear volume making the enterprise profitable and an acceptable risk to the perpetrators. The one performed this weekend was sent out to a relative small number of targets by costly SMS – with the expectation of high bite rate and high revenue per bite. It was aimed to gain access to UK credit cards – which once the fraud was detected, the funds would have been recalled.
With the high overheads of this attack and an ambitious bite rate, the best case scenario would have been a few thousand pounds for 48 hours, which would have needed to laundered into physical assets before the credit card companies became wise and the transfers withdrawn. In isolation this phishing attack might have only provided a couple of hundred pounds of reward.
As a Certified Secure Software Lifecycle Professional (CSSLP) it an opinion that the root cause of this phishing attack has been down to the management of sub suppliers. It may have been an acceptable risk that since that the server did not contain any personal information, it might have been appropriate that a level of trust may have been made about how a company performed its decommissioning.
The time and effort the organisation had put into their cyber incident response plan has probably saved their company from going bust. They’ll need to look at their suppliers again in a different light and reappraise their organisational risk appetite. What might have been acceptable last Thursday might have just become intolerable – as any perceived second breach right now could ruin them. They might have survived the last 72 hours – but they’ll still have to burn the midnight oil for the weeks to come bolstering their defences.
The actions of a Lone Wolf
In the preceding week I have attended the virtual InfoSecWorld conference, heard the...