Capital One Breach May Spawn Phishing Attacks

The high-profile CapitalOne breach, in which data from more than 100 million credit applications was stolen, may stimulate a variety of phishing campaigns by attackers seeking to exploit customers worried about the security of their accounts.

Such a move would likely involve email or telephone outreach designed to trick people into revealing passwords and other personal or business information that can be used to gain access to accounts and other resources.

Phishing has emerged as a major tool in the cybercriminal underworld, and times of fear and anxiety serve to amplify the risk. In a recent example separate from the Capital One attack, a cyber criminal used a simple file from a bogus business transaction to unleash a rootkit that spread through a variety of technology companies like wildfire. In this case, the attacker already controlled the email account of the purported sender, a known business associate of the victim, so when the victim reached out to that associate to validate the message, the attacker answered in the associate's name and directly encouraged the victim to open the attachment.

This whole event became the subject of an AVANT Spotlight briefing, an hour-long panel discussion with representatives from Masergy, Quest, RapidScale, and Trustwave, as well as AVANT President Drew Lydecker and Chief Cloud Officer Ron Hayman.

“In this particular case, the bad guy was already in the victim’s network,” said Steven Baer, Chief Technologist of the Global Solutions Program at Trustwave. “That’s how he was able to intercept the victim’s message to the apparent sender and encourage the victim to open it. The bad guy was prepared for that. He might have bought credentials on the dark web or might have used a brute force attack. These guys run these operations like a business.”

An attack can be focused on a wide variety of objectives, usually money or exploitable data. “Companies often look at it in terms of whether they are a specific target,” said Dylan Bouterse, Director of Solutions Engineering at RapidScale. “But the attackers are scripting these attacks for use en masse. They might send out a thousand and get only five percent, but that’s still enough to make it worthwhile to them.”

In recent years, ransomware has reared its ugly head, requiring victims to pay a large fee to regain access to their own data.

“If you pay the ransom, word quickly gets around the dark web that you’ve capitulated, and then often the attacks will increase in volume since the ‘bad guys’ now know that you will pay,” said Ray Watson, VP of Innovation at Masergy. “You also need to make 100% sure that your system is really ‘clean’ of everything – in some cases even the decryptor tool itself may carry malicious payloads.”

The better alternative is to have a fully operative backup and recovery strategy so that paying the ransom is never necessary. “Disaster Recovery-as-a-Service has saved the day for more than one company,” observed AVANT’s Drew Lydecker.

Preparing for what happens after a compromise looms large in every effective security strategy. “You can’t detect everything that comes through,” said AVANT’s Ron Hayman. “In this particular case, it was a link within that attachment that launched the rootkit.”

Information Technology makes our business lives easier in many ways, and engineers from virtually every vendor are constantly looking for ways to enhance user-friendliness and overall simplicity from an application point-of-view. But this value often carries a price as well.

“The more you make things easier, the more threat vectors you are enabling,” said Adam Burke of Quest Technology Management, an MSSP in the AVANT vendor portfolio.

In the event that your company is hit, here’s what to do:

  1. Remove the machine from the network
  2. Change passwords from an uninfected machine
  3. Engage your mail hosting company for assistance with remediation and with blocking inbound and outbound emails
  4. Have the infected machine cleaned or wiped
  5. Be cautious of any cloud files or systems to which the infected machine had access
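Steps 2 and 5 both depend on knowing which accounts were used from the infected machine and which cloud files it touched during the incident window. The triage helper below is an added example, not part of the original article or any of the vendors' tooling: it parses a constructed, comma-separated cloud audit log (timestamp, user, host, action, path), filters to the infected host and the time window, and returns the accounts whose passwords should be rotated from a clean machine, the files that need review, and the subset of files that were written or shared (and so may have been altered or exposed). The log format, host names, paths and dates are all assumptions made for the example.

```python
"""Incident triage helper (added example, not the article's own code).

Given cloud audit-log lines and the name of the infected machine, list the
accounts that used it and the files it touched during the incident window.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log, not real data. Columns: timestamp,user,host,action,path
SAMPLE_LOG = """\
2019-08-05T08:01:10Z,alice,WS-0421,login,-
2019-08-05T08:05:33Z,alice,WS-0421,download,/finance/q2-forecast.xlsx
2019-08-05T08:07:02Z,bob,WS-0118,upload,/hr/onboarding.docx
2019-08-05T09:15:47Z,alice,WS-0421,upload,/finance/q2-forecast.xlsx
2019-08-05T10:20:00Z,svc-backup,WS-0421,login,-
2019-08-05T10:21:15Z,svc-backup,WS-0421,share,/shared/vendor-contracts/
2019-08-06T07:00:00Z,alice,WS-0421,download,/finance/q3-plan.xlsx
"""

# Actions that can change or expose data, as opposed to merely reading it.
WRITE_ACTIONS = {"upload", "share", "delete", "rename"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    path: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed comma-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split at most 4 times so a path containing commas stays intact.
        ts, user, host, action, path = line.split(",", 4)
        events.append(Event(datetime.strptime(ts, TS_FORMAT), user, host, action, path))
    return events


def triage(events: list[Event], infected_host: str, start: str, end: str) -> dict:
    """Return accounts to rotate and files to review for one infected host.

    start/end are ISO timestamps in the same format as the log.
    """
    t0 = datetime.strptime(start, TS_FORMAT)
    t1 = datetime.strptime(end, TS_FORMAT)
    in_scope = [e for e in events if e.host == infected_host and t0 <= e.ts <= t1]

    accounts = sorted({e.user for e in in_scope})
    files = sorted({e.path for e in in_scope if e.path != "-"})
    modified = sorted({e.path for e in in_scope if e.action in WRITE_ACTIONS})
    return {"accounts": accounts, "files": files, "possibly_modified": modified}


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), "WS-0421",
                    "2019-08-05T08:00:00Z", "2019-08-05T23:59:59Z")
    print("Rotate passwords (from a clean machine):", ", ".join(report["accounts"]))
    print("Review these files:")
    for path in report["files"]:
        flag = "  [written/shared]" if path in report["possibly_modified"] else ""
        print(f"  {path}{flag}")
```

The window matters: the download on 2019-08-06 falls outside it and is left out, so widen the window if the time of initial compromise is uncertain. Service accounts such as `svc-backup` show up in the rotation list alongside the interactive user, which is exactly the kind of credential that is easy to forget in step 2.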

And, most importantly, contact your Trusted Advisor for additional help. In fact, contact that Trusted Advisor in advance of an incident to make sure you are adequately prepared.

“The biggest mistake is only doing one thing,” added Bouterse. “You need a holistic approach. Your Trusted Advisor will help you understand your current risk level, evaluate your security budget, and help you get the best security bang for your buck.”