Enterprises consider advanced persistent threats (APTs) to be high-priority threats because of the damaging impact they brought to past victims. APTs or targeted attacks refer to highly-sophisticated, long-term computer system intrusions aimed towards compromising enterprise infrastructure and stealing business-critical assets. The adverse effects these assaults can bring to companies include intellectual property theft, business reputation damage, espionage, and sabotage. This kind of cyber offense can only be executed by the world’s best cybercriminals.
source: http://www.flickr.com/
One of the most notable trends seen in uncovered APT campaigns is the use of social engineering. Security expert Paul Ferguson ascertains that most APT attacks make use of social ploys to enter target networks because employee weakness is the greatest vulnerability in any given IT environment. As such, it’s best to educate employees about APTs—their impact on compromised corporations and the usual criminal techniques used to execute them. To help you jumpstart your employee awareness program, here are 8 common APT tactics used by criminals to trick employees into compromising corporate data:
#1 The Old Free USB on the Street Trick
If you see a random USB outside the premises of your office, would you pick it up? Most probably, you will. Who doesn’t want a free flash drive, right? But did you know that the notorious malware Stuxnet spread across industrial computer systems because an innocent Siemens employee stashed a USB he found on the street, and plugged it into his office computer? The flash drive in question contained malware that infected millions of machines around the world.
#2 Phony Phone Calls
Criminals may also contact specific individuals in target companies to persuade them to disclose information relevant to their planned attacks. These fake callers will usually pose as someone familiar to you, or as an agent from a credible company. For example, attackers may call you via your business phone and say that they are credit card insurance agents offering a promo to clients like you. They will trick you into giving them your credit card credentials and other private information that you will otherwise not reveal, had you known that they are malicious callers.
#3 Impersonation
Threat actors can also dress up as utility guys or messengers. This way, they can easily enter target offices to execute malicious deeds that can aid attacks.
#4 Fake Chat Messages
Company workers can also receive chat messages from bogus people posing as someone they know. In such cases, the criminal will try to solicit confidential inside stories from you. Some may even pose as IT administrators fixing security in your network. They will ask for your net password and hack your computer. These chat messages may also contain data-stealing malware, like DORKBOT.
#5 Request from the Boss
Someone can send you an order to perform a malicious task, saying that it came from the higher-ups in your office. More often than not, this command is tagged as urgent and should be finished as soon as possible.
#6 Spear Phishing
An attacker may send you an email that will appear to come from a legitimate website, like PayPal or Dropbox, requesting you to visit the link inside the email. Once you click this site, it will either have data-stealing malware, or ask you to input private info, like bank account credentials and credit card login passwords.
#7 Dumpster Diving
Threat actors will take in as much data as they can, even those that came from the trash bin. Thus, there are known criminals who dig in employee garbage to search for information that they can use for their crimes.
#8 Shoulder Surfing
Cyber offenders can also look over people’s shoulders while they are using their computers to get any kind of info they can get. This technique can also be performed by using binoculars from a distant building.
However advanced a company’s network security is, there will always be employees who don’t know a thing about targeted attacks and criminal tactics used to expose corporations; so no enterprise can really be safe from APTs. Employ effective worker security training programs to prevent APT perils from storming your business. And also, get a reliable phone system like RingCentral to report it as soon as possible.
