How security incidents begin...
When most people think of IT security they think of either the bad guys, sitting in hoodies in the basement "breaking through the firewall" or the good guys chasing them in a helicopter.
The reality is much less cinematically pleasing. In the real world there are the bad guys whose category is broken into several subcategories based on their skill set. There are the guys who write the code and often times don't use it themselves, but instead, like their egitimate counterparts provide their services on the Saas model. Those who consume these services are often called script kiddies. Their technical level is lower than those of the original creators but they use brute force and perseverance. Because there are a lot more of them, tracking them down is more of a challenge.
One common attack they perpetrate is called ATO (Account Take Over) or BEC (Business Email Compromise). These attacks mostly rely on the premise that people often reuse their credentials (username or email and password). These types of attacks are called replay attacks, because effectively the attackers are replaying your passwords. How do they get them? There are 3 main ways.
1. You can get phished. This is the one that gets all the publicity because there are so many different ways to phish someone. Phish is a play on the word fish, in this type of attack the "hacker" sets out some kind of bait. It could be an email, SMS or any other media. The bait could be to scare you about urgent, important or maybe desirable. For example they may send you an email about a problem with your order on amazon and that you need to login urgently if you still want your order. Of course this nonsense but if you try to login, you have given the attacker your credentials. Unfortunately these attacks are highly effective and our industry has quoted statistics that as many as 97% of all breaches start with a phishing attack.
2. Install malware. Malware comes in many forms but today's interesting malware falls under the category of APTs (advanced persistent threats). These are threats that setup persistence mechanisms so that even if they are "cleaned up" they can regenerate themselves. These APTs usually include a credential stealing component. In effect, this is one of the persistence mechanisms. The idea is that even if they are discovered maybe the user will reuse this credential elsewhere or maybe even back onto the same system to compromise it again and learn about the security response in the process.
3. Compromised or bogus sites are another source that cyber criminals like to use. A compromised site is a real site that has been hacked, most commonly because the owner failed to follow good operational security basics like unique passwords and patching their site. An attacker may than install a plugin or otherwise create a backdoor into the site and skim everything from credentials to financial information. If the site doesn't deal with either the attacker may try to leverage that access to compromise a sister site or create fake content. Bogus sites don't need to compromise a site, often times they prey on typos, like google.com may be replaces with googIe.com. Many people are careless enough with links and checking their browser URLs so these types of attacks are still common.
The reality is much less cinematically pleasing. In the real world there are the bad guys whose category is broken into several subcategories based on their skill set. There are the guys who write the code and often times don't use it themselves, but instead, like their egitimate counterparts provide their services on the Saas model. Those who consume these services are often called script kiddies. Their technical level is lower than those of the original creators but they use brute force and perseverance. Because there are a lot more of them, tracking them down is more of a challenge.
One common attack they perpetrate is called ATO (Account Take Over) or BEC (Business Email Compromise). These attacks mostly rely on the premise that people often reuse their credentials (username or email and password). These types of attacks are called replay attacks, because effectively the attackers are replaying your passwords. How do they get them? There are 3 main ways.
1. You can get phished. This is the one that gets all the publicity because there are so many different ways to phish someone. Phish is a play on the word fish, in this type of attack the "hacker" sets out some kind of bait. It could be an email, SMS or any other media. The bait could be to scare you about urgent, important or maybe desirable. For example they may send you an email about a problem with your order on amazon and that you need to login urgently if you still want your order. Of course this nonsense but if you try to login, you have given the attacker your credentials. Unfortunately these attacks are highly effective and our industry has quoted statistics that as many as 97% of all breaches start with a phishing attack.
2. Install malware. Malware comes in many forms but today's interesting malware falls under the category of APTs (advanced persistent threats). These are threats that setup persistence mechanisms so that even if they are "cleaned up" they can regenerate themselves. These APTs usually include a credential stealing component. In effect, this is one of the persistence mechanisms. The idea is that even if they are discovered maybe the user will reuse this credential elsewhere or maybe even back onto the same system to compromise it again and learn about the security response in the process.
3. Compromised or bogus sites are another source that cyber criminals like to use. A compromised site is a real site that has been hacked, most commonly because the owner failed to follow good operational security basics like unique passwords and patching their site. An attacker may than install a plugin or otherwise create a backdoor into the site and skim everything from credentials to financial information. If the site doesn't deal with either the attacker may try to leverage that access to compromise a sister site or create fake content. Bogus sites don't need to compromise a site, often times they prey on typos, like google.com may be replaces with googIe.com. Many people are careless enough with links and checking their browser URLs so these types of attacks are still common.
