How do hackers access corporate networks? Phishing attacks

Cyberattacks as the main threat affecting businesses

Criminal attacks on companies are an indispensable element of modern business. However, in the era of massive digitization of business processes, cyberattacks have become one of the most popular instruments in the hands of malicious actors striving to gain access to corporate assets, mostly money. The most lucrative targets for cybercriminals are small businesses that do not have a strong cybersecurity infrastructure in place. The scope of digital infrastructure used by businesses has evolved dramatically for the last few years and that is why malicious actors have a large room for manoeuvre. Cybercriminals actively target companies operating in the field of telecommunications, financial services, and energy with 56%, 55%, and 54% of the companies operating in these sectors have experienced a cyberattack within a year respectively. 

Cyberattacks cause both financial and reputational losses for companies. According to Hiscox, the median cost of a cyberattack for micro-companies employing less than 10 employees starts from $8,000. However, for 5% of these companies, the volume of experienced losses may reach up to $300,000 so that these entities are likely to cease their functioning. At the same time, the average cost of a cyberattack to small businesses may reach $200,000. For corporations, the figures are much greater and may reach a few dozens USD. Generally, according to Accenture, within the period of 2019-2023, the global business may lose up to $5.2 trn due to cybercrimes and the annual losses are likely to continue increasing. Thus, businesses should prioritize the development and implementation of innovative cybersecurity solutions to avoid huge financial and reputational damage due to cybercrimes and the analysis of methods used by hackers to access corporate networks is the first step towards finding proper solutions. 

How can hackers access your corporate networks?

Corporate networks of almost every business are vulnerable to penetrations. Hackers use different techniques to access corporate networks but, in most cases, skilled black hat specialists can crack corporate systems by spending minimum time. According to the security investigation carried out by the security firm Positive Technologies, 71% of companies have at least 1 obvious weakness that can easily enable hackers to access networks. 

One of the most popular methods used by hackers to access corporate networks is brute force attacks aimed at cracking weak passwords. Although access to a single account does not guarantee access to the whole network, it is the first and the most important steps for hackers towards reaching their malicious goals. By further exploiting system vulnerabilities through the hacked account hackers can steal both information and money from the corporate systems. 

Companies also often neglect the importance of regularly security software updates. As a result, hackers can exploit known vulnerabilities. For example, web applications may contain known vulnerabilities and hackers can simply use public exploits to compromise systems. A popular tool in the hand of hackers used to access corporate networks is the Evil Twin. Hackers create Wi-Fi networks similar to the original ones and when employees access these fake networks and submit their data, hackers reach their ultimate goal. In a similar way, hackers can create fake websites so that to force users to unintentionally transfer their credentials to malicious actors. 

Malware attacks have always been an indispensable weapon in the hands of hackers. Corporate devices may be infected through the USB tools connected to them or employees may simply download non-verified files sent from unknown addresses or found online. Via malware attacks, hackers can record usernames, passwords, keystrokes and steal other valuable information. There are different types of malware including spyware, ransomware, trojan horses, and viruses. 

It is important to note that a large share of successful cyberattacks occurs due to the exploitation by hackers of social engineering techniques in the form of creating phishing messages. In the era of digital transformation and the growing popularity of social media communication, phishing attacks have become one of the most widespread and, at the same time, one of the most effective tools in the hands of hackers to compromise victims’ systems. That is why a detailed analysis of phishing attacks is required to teach companies how to avoid these cybersecurity risks.

Phishing attacks: mechanism

Phishing may be referred to as the malicious technique that is used by hackers to trick users to do “wrong things”, for example, open bad websites, download malware, or click a bad link. Although phishing attacks may be performed through social media, text messages, or by phone, in most cases, phishing attacks are performed by sending email messages to victims. Often employees receive dozens of email messages per day and, thus, there is a high risk that they can open the malicious one without even noticing any suspicious indicators. Hackers may utilize the phishing attacks technique just as an element of a massive campaign aimed at stealing passwords or make easy money, however, these malicious activities may be also performed as the initial step towards implementing a serious targeted attack aimed at stealing much valuable assets such as corporate secrets. 

Before committing phishing attacks, hackers collect a lot of information about the target company and its employees to make messages more persuasive and trustworthy so that to leave employees no choice but to follow the required malicious algorithm. The technique when hackers send phishing messages to targets after thoroughly collecting information about them is called spear phishing. 

The opposite to spear-phishing is standard phishing that provides for sending messages to a large number of employees with a hope that at least somebody of them will trust in the legitimacy of the message and will follow the provided commands. For example, a hacker can launch a massive phishing campaign posing himself as the company’s cybersecurity specialists and asking employees to provide their passwords to accounts, keywords, etc. However, a significant shortcoming of a standard phishing campaign for hackers is the high possibility that real IT specialists of the targeted company may notice the wrongdoing. 

Hackers may also try to catch a “big fish” and to this end launch the whale phishing campaign. This malicious technique is focused on targeting CEOs, board members, and other top executives. These top officials are not full-time employees and often use personal email and social media accounts that are not protected by corporate security tools also for professional purposes. The implementation of whale phishing attacks requires hackers to spend more time compared to other phishing tactiques but the potential gains may be much higher. 

Phishing attacks are a very powerful instrument in the hackers’ arsenal since they allow malicious actors to bypass corporate technical security mechanism and exploiting the least protected corporate security barrier – the human component. By gaining employees’ trust hackers easily get control of their machines while remaining undetected by the company’s security specialists. As a result, hackers gain remote access to the internal network to steal employees’ and clients’ data, carry out website defacing, and cause source code leaks. Thereby, the victim may lose both financial assets and reputation and will need to contribute huge resources to restore its normal functioning. 

According to Verizon, in 2020, 36% of data breaches were attributable to phishing attacks while in 2019, this indicator equalled 25%, thus we see an 11% increase. It is also important to note that some malicious actor groups simply launch massive phishing campaigns without even choosing their victims. They simply hope that a few employees from different organizations will become tricked by their emails. According to Ironscales, in their phishing attempts, hackers use the names of well-known brands including PayPal, Microsoft, Facebook, eBay, and Amazon. The intensification of phishing attacks often takes place during a crisis or other urgent situations since hackers actively exploit humans’ emotional turbulence. To better understand why phishing attacks are one of the biggest digital threats existing in the modern world it is important to look at the recent examples of these attacks and their outcomes. 

Phishing attacks: recent examples

Sony Pictures

In November 2014, Sony Pictures Entertainment experienced a phishing attack. Hackers were sending fake Apple ID verification emails containing the link “ioscareteam.net” upon following which users were forced to enter their Apple ID information into fake forms. Hackers needed this information to figure out employees’ login credentials to the Sony network. Hackers were collecting documents, private keys to the company’s servers, and financial records. The attack was initiated by a group of hackers from North Korea that were backed by the country’s government. As a result, hackers succeeded in stealing almost 100 Terabytes of corporate data thereby causing damage to the company worth $100 mln. 

Attack on the Ukrainian Power Grid

In 2015, the operators of the Ukrainian Power Grid fell victim to a complex cyberattack. Hackers were using spear-phishing emails to access their systems while credentials were stolen via the BlackEnergy3 malware. Through the manual manipulations of the industrial control systems, hackers could cause a power outage. It was the first time in global history that hackers could so radically influence the functioning of a national power grid. The phishing emails sent by hackers contained malicious Office documents attachments. After opening such emails employees could notice the popup asking them to enable macros. By allowing the macro functionality, employees were unintentionally enabling the installation of malware to the computer. This cyberattack made power grid operators worldwide change their attitude towards cybersecurity. 

IDN Homograph attack on Apple

In 2017, a new type of phishing attacks was launched against the tech giant Apple. The IDN homograph attack takes place when malicious actors use Unicode characters that are very similar to Latin characters to register a domain. Hackers use the lookalike domains for committing phishing attacks by making users think that they access legitimate sites. The Tencent Security researcher identified that Apple was doing good with Unicode letters but had an issue with the letter dum (ꝱ). Although this letter has a lower apostrophe, Safari did not render it and, thus, hackers were actively exploiting this issue. Upon being notified of the threat, Apple issued security updates but the users who did not install them were at risk. Phishers could impersonate such domains as WordPress, Adobe, Dropbox, Reddit, LinkedIn, and others containing the letter “d”. Apple strongly recommended its users immediately install updates. The other example is the apple.com domain. Hackers used the Cyrillic letter “е” instead of the Latin letter “e”. The company could prevent this attack only by buying all IDNs.    

Phishing attack on Pentagon

In July 2015, one of the most powerful institutions in the world, Pentagon, experienced the spear-phishing attack that was likely carried out by Russians. The email system used by the Pentagon’s Joint Chiefs of Staff was hacked by intruders forcing the organization to turn it offline and cleanse it. However, Pentagon did not lose control of the system and, thus, data leakage did not take place. This cyberattack affected around 4,000 personnel. 

Phishing attack on Norway’s public sector

In 2017, Norway’s army, Ministry of foreign affairs, and other institutions experienced the spear-phishing attack that was likely carried out the Russian hackers. The APT29 group initiated the spear-phishing campaign that targeted 9 different email accounts. The cyberattack was likely carried out due to Norway’s position in relationships to the Russian aggression in Ukraine. The Norway officials expressed their protest to the Russian ambassador. The precise amount of the stolen data was not revealed but the main victim of this cyberattack was the main opposition party of this country – Labour Party – since the information belonging to a few of its members were stolen.

Thus, cybercriminals utilize phishing attacks to target companies and organizations representing both the private sector and the government. Even the institutions that are treated as the most secured entities in the world may be vulnerable to this type of cybercrimes since even the most innovative security technologies cannot fully mitigate the risks associated with the exploitation of human factor by hackers.

How to prevent phishing attacks

Although companies cannot ensure their ultimate protection against phishing attacks, there are a number of rules by following which they can dramatically mitigate the risks. The important point is that anti-phishing measures do not require colossal financial and material resources but their effectiveness may be very high. To protect themselves against phishing attacks companies should:

• Educate employees on the most typical indicators of a phishing attack such as email messages sent by various internal specialists containing urgent requests to provide personal information or credentials. Always tell employees that they should double-check everything before sending these data and the most reliable method is related to contact the message sender either face to face or by phone and clarify everything;
• Always check whether the latest versions of security system updates are in place. Hackers often exploit companies’ failure to timely install security updates;
• Use web filters that block malicious websites. As a result, even by clicking on the link attached in the phishing message employees will not enable the compromise of corporate networks;
• Encrypt sensitive and valuable information so that hacker will not be able to easily decrypt it or will spend a lot of time to this end during which the victim companies will be able to take at least some preventive measures;
• Always update your corporate security policy. Hackers always develop new techniques and methods to compromise your data via carrying out phishing campaigns. That is why upon getting to know about a particular phishing attack strategy the company needs to describe it in its security policy. As a result, its employees will not easily fall victim;
• Consider the possibility to introduce two-factor authentication for all accounts to which employees have access. As a result, even by getting all required log in details by phishing campaigns, hackers will not be able to access corporate networks;
• Install special phishing filters that can recognize a large share of phishing attempts. Although they do not fully eliminate the risk that a phishing message will reach its recipient, the number of potential phishing attacks may be dramatically reduced;
• Communicate with professional security vendors that are better aware of phishing campaign tactiques. It is important to understand that the skills and knowledge of internal security staff may be limited and, thus, the more information a company knows about phishing attacks via different sources, the higher its chances to defeat cyber criminals.

Overall, companies need to realize that phishing attacks have become a new reality in the modern digitized business. There are no companies that are fully resistant to phishing attacks. That is why only by always being focused on creating additional barriers preventing hackers from reaching their objectives, companies can protect corporate data and assets. Currently, anti-phishing training is included in the list of services offered by most leading cybersecurity vendors. The cooperation with the company Hacken may allow companies to get valuable insights into how to defend themselves against the attacks involving social engineering techniques. Our security experts know what hackers do and, thus, understand how to destroy their dreams. So, phishing attacks are evil but this evil can be defeated.