We’ve come a long way from Nigerian chain letters.
Those with a memory for the unintentionally hilarious can well remember those gems. They typically involved a wealthy individual who needed help moving millions around, and was willing to pay out huge sums of money in return for any assistance. As social engineering it was crude in the extreme, preying on the weaknesses of individuals lured by the prospect of a quick buck (or millions of bucks). The language was almost always clunky and the context ridiculous, which made anyone falling for the scam ripe for derision. But of course, there were surely people who took the bait, which is why the practice lasted for quite a while.
Today we have FIN4, and it’s a very different world out there.
This Monday, security firm FireEye dropped a critical announcement: A group of highly sophisticated cybercriminals has spent the past year hijacking email correspondence between senior executives at publicly held healthcare-related organizations. The strategy used emails with language aimed at compliance officers, legal counsel, operational chiefs, etc. In many cases these professionals opened the emails and clicked on links or attachments purporting to be from legitimate clients, which in turn directed them to a fake login page that required a sign-on. And from there on it became a joyride for the bad guys, who could steal information or even insert their own.
Sure, it’s easy to shrug at these escapades—in the past year there’s been a litany of massive data breaches at brand-name enterprises, from retailers and restaurants to financial services institutions. Millions of credit card numbers have been stolen and reams of confidential information compromised. It’s essentially so common that we’ve become numb to it.
Still, each new form of intrusion brings its own level of complexity, and the latest is no exception.
From what we know so far, FIN4—the name given to the attackers by the security firm—doesn’t resemble other recent worrisome infections, such as the Advanced Persistent Threats (APTs), which are alleged to be launched by rogue nations. These invasions don’t use malware, the systemic problem now plaguing networks around the world, which means even up-to-date defense strategies can be powerless to stop them. They instead seem to be launched and micro-managed by a small group of individuals who are intimately familiar with the inner workings of the industries and corporations they attack.
The perpetrators don’t just use flawless English, they seem very comfortable with the industry parlance used by the businesses they target. They know their way around compliance mandates, seem familiar with recent industry occurrences and maneuver easily around sensitive areas. Researchers analyzing patterns believe the attacks likely originate in Western European nations, or possibly even inside the United States.
Again, these are mostly attacks against different corners of the healthcare industry—medical device makers, pharmaceuticals, healthcare planning providers and so on. But of course, the common target is money, either through direct theft or more insidious forms of stock manipulation. That brings it back to us in the banking world.
More to the point, no one can possibly think that this new form of crime will stay within the confines of one industry, and that’s a depressing thought. Cybercrime has been around a long time, of course, but typically it seems like an external threat—villains from elsewhere worming their way into the infrastructure to pilfer what they can.
This is a little different. Many of us have been targeted by some kind of social engineering scam courtesy of the personal inbox and the home phone, or even the good old-fashioned letter. However, this breed of assault comes in via the corporate server, speaking our language (in every sense) and persuades us to give them access to the network. By any definition, that’s a new kind of invasion that mandates a new kind of defense.