Anatomy of a Hack: A Business Case Study

How Cyber Criminals Shut Down a “Decoy” Business Within an Hour

You may not know it, but you are at war. Your adversaries are highly intelligent, devious and tenacious.

And they’re winning.

This war is conducted in cyberspace against hackers who can be situated anywhere in the world. It’s serious: attacks on companies with less than 100 employees—which account for 60% of targeted attacks—increased 30% in 2014. And 2015 is shaping up to expand the roster of SMB victims even more.

To demonstrate just how easily—and quickly—small businesses can be compromised, the Austin-based identity protection security firm, CSID, decided to run an experiment. It created a decoy company, built an online presence for it—and watched as cyber criminals took it down in less than an hour.

Setting up “the victim”

CSID first created Jomoco, an imaginary coconut water company with two fictional owners, Rachel and Richard. Just as any small or medium-sized business would, CSID established a virtual presence: it bought a URL, set up a Web server and created business email addresses for Rachel and Richard. To make art imitate life even more closely, CSID gave Rachel a personal Xbox Live account, Richard a personal Facebook account and created personal emails for both of them.

CSID also engineered it so that Jomoco’s fictional owners made common mistakes. For their passwords, they used common words found in the dictionary. They didn’t mix uppercase and lowercase letters with numerals or special characters. They reused passwords across multiple business and personal accounts, and shared sensitive company information with each other via both personal and business email messages. These happen to be shortcuts many small businesses employ when setting up their companies and accounts.

The hack

In less than 30 minutes after Jomoco went live, hackers were easily able to access Rachel’s personal email address by cracking her poor password (programs that crack passwords can be found online for free). Since the fictional Rachel made the mistake of reusing passwords across multiple accounts—which 61% of consumers do in real life—cyber criminals were also able to hack into her Xbox Live account. They changed her password and locked her out, stealing both her Xbox gaming identity and $15 Xbox Live credits attached to it. Then, using the same credentials, the hackers infiltrated Rachel’s business email account.

By skimming through messages sent to and from that account, they found an email to Richard sharing Jomoco’s Web server details like IP address and login credentials. Using this information, hackers defaced the Jomoco website and locked out the business email accounts and Web server. Since Richard reused passwords across his personal and professional online accounts as well, the hackers were now also able to access his personal email account and Facebook, where they changed the passwords to both accounts and took them over.

SecurityBlogPost

All this took less than an hour.

The hackers also found the company credit card details in an email, and used it to make real-world purchases. Happily for Jomoco, the bank that had issued the company credit card had sophisticated enough monitoring mechanisms in place to identify the credit card activity as fraudulent. It shut down the account before additional purchases could be made.

But by then, it was too late for Jomoco. The company was already effectively out of business, its website destroyed, its owners locked out of both the website and their email accounts, and their only credit card canceled.

What this means for you

While it is common for small businesses to think that hackers are only interested in stealing data from big names like Target, Home Depot and eBay, that is not the case. This misconception can cause businesses to fail to invest sufficiently in security measures or improperly enforce security policies.

In the case of Jomoco, most of the problems arose because staff did not follow very basic security practices. But breaches can also occur for technical reasons: failing to apply security patches or software updates, or misconfiguring applications or operating systems.

How can CenturyLink help your business be more secure?