12 methods that hackers use to attack, steal, and destroy business data (Part 1)
Modern business is all about constantly updating technology, digitally transforming any outdated systems, and automating everything in sight. While there are a great many approaches in both hardware and software varying based on industry, budget, style, and opportunity, what all this business tech really comes down to is computer data. Your inventory, customer records, active projects, paperwork, contracts, and almost everything else that isn’t a building, piece of furniture, or a physical computer is now entirely digital data. You file, process, and edit it. You store it in databases and back it up to cloud servers. You host it on the web and you make it available through mobile apps and, most of all, you do your best to protect it from hackers.
Hackers will use every available avenue of attack
Sometimes the reason hackers want your data is obvious, as in the cases of stolen credit card numbers, and sometimes it’s entirely elusive like when they decide to destroy your data for no perceptible reason. However, one thing is for sure. Hackers have wanted to access, steal, and destroy business data since the first digital transformation and they don’t care who it hurts. Your job as a responsible and growing business is to protect your data from every possible angle of attack. The hard part is, of course, that there are so many ways that hackers have devised to form their attacks.
To help every digitised and currently transforming business keep their data, backups, automation software, and customer information locked down, we’ve put together a nearly comprehensive list of all the ways hackers may try to invade your business network and steal or destroy your data.
1) Malware worms
The first and most important thing to understand about getting hacked is that sometimes it quite literally has zero rhyme or reason as to why you were targeted or what about your business data gets targeted by an attack.
Some hackers are pointlessly destructive and malicious and along these lines, there are thousands, if not millions of free-roaming malware and virus programs just floating around the internet looking for vulnerabilities and opportunities to strike. This style of infection is known as a “Worm” because it blindly wiggles through the ‘net reproducing, spreading, and infecting without a care for who it attacks. Some are file eaters, some are ransomware, some are spyware, and the variations go on. The one thing all worm malware has in common is that they aim for everything that can be reached and are not directly controlled by a hacker. While it is possible for worms to set up a program on your network that sends information back to a hacker, the targeting itself was not directed.
Defending against worms
How do you protect yourself from worms? Unfortunately, worms are only a style which means that there are many variations in spreading method, infection method, and what happens after you are infected. The best protection is a comprehensive one, especially when dealing with your employee online conduct, but we’ll go more into that later.
2) Fake websites
We’ve all accidentally wound up on a fake website at least once and, fortunately, not all of them are wickedly infected with malware, but many of them are. A fake website is most often reached when you accidentally mistype a URL, though sometimes they also make their way into legitimate search engine results on platforms. They are created by people trying to take advantage of slightly misdirected traffic either for their own questionable business purposes (like selling counterfeit designer handbags) or, of course, to trick people into visiting a site that infects them with malware.
If you have ever downloaded something off the internet from a specific URL meant to start the download automatically, a common feature these days for installation, patch, and update pages, then you understand how fake websites get malware onto your computer. Rather than having a special download page, they will set up the landing page to initiate a download that is intended to complete and then automatically installs itself on your computer, then possibly spread to the rest of your business network.
Defending against fake websites
There are a number of ways to avoid infection from fake websites and we’ll talk about the top two. The first is to use bookmarks instead of the keyboard to visit websites required or related to your business, this way you never typo into a trap. The second method is to use antivirus software and browser settings to prevent any and all automatic downloads. Require your browser to ask about downloads and consider creating a website download whitelist to prevent unknown sites from starting downloads.
3) Infectious pop-up ads
Another way that hackers use internet browsing and website visits to infect both business and private computers is through pop-up ads. These advertisements, sometimes even contained in simple banner ads, include malicious code that will try to either corrupt your browser or automatically download itself onto your computer. Even if you have an ad-blocker, some hackers have found a way around these prohibitions and create pop-ups that redirect the new window to a URL with an auto-download much in the style of a fake infectious website.
The problem with advertisement infection is that most people won’t see it coming because it’s not as commonly known. While it’s true that clicking on an ad makes it much easier for a hacker to redirect and infect, you don’t always have to click. In fact, because there are mouse-over protocols for many modern web ads, sometimes simply skimming your mouse over a banner while trying to get to your content is enough to trigger an infectious attack.
Defending against pop-ups
Avoiding pop-up infection starts with a combination ad-blocker and a blocker specifically made to prevent your browser from opening pop-ups. Once again, the whitelist approach is your best friend, allowing only a few known websites used reliably for your business that require pop-up enablement permission to open pop-ups. For the rest of the internet, you don’t need their pop-ups for anything and shouldn’t take the risk.
4) Phishing scams (Not just emails anymore)
While the strange term ‘Phishing‘ comes from an old phone hack term, what it sounds like is exactly what you would expect from a hacking method. Specifically, phishing is the act of targeting a single employee, private individual, or group with a specially crafted message meant to elicit a certain response. The most traditional type of phishing is a targeted email pretending to be a friend, boss, coworker, or employee with a believable message, a nearly-identical email address (like the fake website), and a good reason to click on an included email attachment. The attachment, naturally, is infected and will immediately begin downloading a self-installing piece of harmful malware. These days, the infection is often accompanied by a text document that appears to line up with the email message, thus covering the hacking activity with a further piece of fiction.
However, phishing has come a long way since the start of the email tradition and has adapted to new communication and file sharing technologies. Online business chat, for instance, also often allows customers to upload files for employees to look at while providing support and hackers pretending to be customers have effectively infected businesses through this method.
Another approach, fondly termed “vishing” for Voice+Phishing, occurs when hackers call your employees on the phone and use direct social engineering, usually again posing as customers, to convince the target to visit an infected website or to open the attachment on a paired phishing email. Along these same lines, some hackers have even been known to show up in person or work with partners who show up in person to pull the same “Now open my email to you” scam.
Defending against phishing
To protect from phishing, you need a fairly comprehensive cybersecurity infrastructure paired with employee training and, ideally, phishing drills. There is software that can detect spoofed email addresses for times in which the hacker pretends to be a member of the company and virus-scanners that will take a look at email attachments. However, the best approach is simply to work with a third-party cloud-based file sharing program that allows your employees to never download a file onto a local computer, simply access a file that has been uploaded to a super-secure remote file server.
Whaling is an evolution of phishing that almost no one sees coming and involves a pair of targets, not just the employee who gets the hackers’ message. The first of the two targets for a whaling attack is a company executive or high-level manager who has a significant amount of clout in the company should they decide to send a personal email to an individual employee. This targeting of a “big fish” explains the Whaling term.
After the hacker chooses their target, they study their business profile, social media history, and any personal websites or blogs if these are available. They learn who the exec is, how they speak, who they are friends within the company, and what kind of requests would seem reasonable to come from this person. Then they craft their special phishing email.
With their new fake persona and a spoofed personal email address of the targeted exec, the hacker chooses a lower-level employee to send an email to. The email can ask for anything the hacker deems potentially profitable and reasonable to come from their new fake identity. Sometimes they ask an employee in the financial department to wire funds for “a new client” or project, thus creating a direct profit. Other times, they ask for password confirmation or the ability to make a new password sent to their new email account, or they might get an employee to send them a stack of personal records for an industrial-sized identity heist. One company even had their whaling attack take the form of a fake subpoena. Whaling hackers have also been known to target other execs with exec-to-exec personal requests for information or access.
Defending against whaling
To protect from whaling, make sure unusual, risky, or high-level requests are confirmed with at least two forms of communication. Double-check over the phone, in person, or through the internal business chat program to ensure that a single whaling (or phishing) message cannot cause a data breach and a lot of embarrassment.
6) Fault injection
Having covered the social engineering aspect of hacking, let’s move on to some of the more technical approaches that you will need to consider when designing both your internal and customer-facing web interfaces, infrastructure, and software. Fault injection is a great example of what can happen if there’s a way to access your source code through an online form. If, for instance, users inject their own usernames into your accounts database when they make an account, this gives hackers the opportunity to use unusual characters that form programming language commands that can wreck your database and possibly much of your business server.
Let’s say, for instance, that a hacker decides to use ” ‘); DROP TABLE users; ” as their username when they create an account and your website does not prevent them from using special characters or spaces. If you are using MySQL or a similar program and the name of your user table happens to be “users”, you could lose your entire customer database in an instant and quickly have to scramble for your backups. Of course, there are also much more malicious lines of code that can be used with the same method.
Defending against fault injection
As you may have guessed from the example, the best way to protect yourself from fault injection is to make sure that users cannot enter programming control commands directly into your database. There are two ways to do this. The first is to limit unusual characters that could be interpreted as commands. The second, if you want or need to give your users more data entry freedom, is to create a buffer-space between the user hitting “submit” and an actual entry being made. In this buffer space, you can scan the new entry for problems and accept or reject the entry based on that assessment.
Believe it or not, this is only the first half of our full dozen ways that hackers can access and steal or destroy your business data. Join us next time for part two where we’ll cover everything from passwords to third-party websites.