As we move into the Christmas period — tis the season to be online shopping — cybercriminals will be looking to raid your sack using a spate of their latest hacking techniques.
So don’t give hackers a chance to go ‘ho, ho, ho’. Get clued up on the latest hacking strategies cybercriminals will be using to target unsuspecting victims this Christmas.
Hackers target information they can use for financial gain including personal information, usernames, passwords, and business partners. A successful data breach can lead to unauthorised access and misuse of your business accounts, or your network can be hijacked and held to ransom.
You could also be putting the privacy of your customers at risk. Hackers can use sensitive data for identity theft, where attackers assume the identity of a real person to commit fraud, make unauthorised transactions, or target financial accounts, credit cards, or online payment systems.
According to one cybersecurity website, almost 5.4 trillion records have been breached in 2023. It’s Christmas all year round for some hackers. Stop them in their tracks by learning about the latest hacking techniques hackers are using to exploit businesses.
Email Phishing
Phishing remains an old-age favourite of bad actors. According to cybersecurity statistics, 3.4 billion phishing emails are sent every day and ransomware extortion occurs every 11 seconds.
Most businesses and their employees are more savvy to the workings of phishing attempts. To be honest, most phishing emails are so bad, that they are pretty easy to spot immediately.
Spoof phishing is considerably harder to identify, but with well-trained and diligent staff, businesses shouldn’t really be falling for spoof phishing attempts either. If you haven’t already provided your employees with cybersecurity awareness training, make it a priority.
Here are some cybersecurity awareness training tips to get you started.
If there was ever a time to train your staff on cybercrime awareness it’s now. Because a certain AI tool is helping threat actors who do not speak English as their first language to draft email messages that are more convincing.
ChatGPT is the new Darling for Hackers
A recent press release with tentacles in SlashNext, a leader in SaaS-based Integrated Cloud Messaging Security, reveals that phishing emails have increased by 1,265% over the past year — since the launch of ChatGPT.
Whilst ChatGPT has become a legitimate tool for businesses, it is believed that hackers are taking advantage of the AI chatbot to draft scripts for phishing emails and codes.
Given a large percentage of phishing attempts typically had poor spelling and grammar (at least the ones I’ve received), which was a dead giveaway, ChatGPT could be a game changer for amateur hackers—and SlashNext statistics back that up.
In the press release, SlashNext’s CEO, Patrick Harr said:
”While there has been some debate about the true influence of generative AI on cybercriminal activity, we know from our research that threat actors are leveraging tools like ChatGPT to help write sophisticated, targeted Business Email Compromises and other phishing messages, and an increase in the volume of these threats of over 1,000% corresponding with the time frame in which ChatGPT was launched is not a coincidence. Our aim is not to overstate or exaggerate the threats stemming from generative AI, but to help our customers and the cybersecurity community at large understand the true dangers and respond appropriately.”
The capacity for hackers to up their game means that business owners, c-suite executives, account managers and employees across the board also need to up yours as well (errrm, figuratively speaking).
Does social engineering mean anything to you? It should!
Social Engineering
Sophisticated hackers have taken phishing to another level. Spearphishing and whaling are much more prominent nowadays — and can be harder to detect. We recommend engaging in zero-trust policies. Click the link for advice from our experts.
Professional hackers that perform whaling techniques put a lot of effort into making the attack highly customised. They research their target thoroughly and gather as much intelligence about the company as possible. Analysing your social media page to learn more about a target’s personal life will almost certainly be a rich source of information.
Social engineering is a form of manipulation which plays on human psychology. The ultimate goal is to trick individuals into divulging confidential information, performing actions, or compromising security. Instead of relying on technical vulnerabilities, social engineering exploits the trusting nature of individuals to gain unauthorised access to sensitive information.
Spearphishing and whaling involve targeting deceptive emails, messages, or websites that appear to be from a trustworthy source. The goal is to trick individuals into revealing sensitive information to financial details, tricking them into entering passwords on spoof accounts or sending instructions to pay a fake invoice.
One of the most famous social engineering scams is the whaling attack on FACC Aerospace. A hacker posing as the CEO sent an email to someone in accounts instructing them to transfer 42 million euros to a hacker-controlled account.
Yes, social engineering can be this simple if you do not have preventative protocols in place.
However, for this level of social engineering to work, threat actors would still need to gain access to their target devices. This can only be achieved through a phishing attempt. This takes you back to the first rule of cyber fight club. Train your staff to be cybercrime aware.
This first step in the social engineering playbook is called baiting. It involves offering something enticing, such as a free download or a commercial opportunity. For example, a hacker might invite you to a Zoom meeting and send you a spoof link which distributes malware onto your computer.
And over the last year, a new generation of social engineering emerged. Saas Phishing.
SaaS Phishing
SaaS phishing, (Software-as-a-Service phishing), is a hacking technique that targets business users operating cloud-based software services. You may remember one of the earliest attack vectors for SaaS phishing was hackers dropping malware into Microsoft Teams.
In a SaaS phishing attack, cybercriminals attempt to trick individuals into providing sensitive information, such as login credentials, by impersonating legitimate SaaS providers or services.
SaaS phishing attacks often start with phishing emails that mimic the branding and communication style of popular SaaS providers.
These emails will contain messages that prompt an action from the target — and usually an action that needs to be taken urgently such as a security alert, account verification request, or notifications about file sharing.
The end goal is to prompt users to click on a malicious link that takes them to a fake account where you proceed to pop in your login credentials. The fake website may closely resemble the legitimate login pages of SaaS platforms, making it difficult for users to discern the deception.
Once users enter their login credentials on the fake website, the attackers harvest this information. The stolen credentials can then be used for unauthorised access to sensitive data stored in the compromised SaaS accounts.
However, for hackers to be successful in stage two of a SaaS attack, they would need to bypass multi-factor identification (MFA). And this is why MFA is a critical step in access protocols.
Developer Account Hacking
In a similar fashion to SaaS phishing, developers are being increasingly targeted by hackers. And because developers typically have unlimited access to IT environments, failing to follow cybersecurity protocols can be potentially damaging.
Developers have to be extra vigilant and you would expect most of them are. If you work with an in-house developer, you obviously have more control and trust over their activity.
The gravest danger lies with businesses that work with external developers. There are two issues. You want reassurance they have not been compromised by hackers, a secondly, that they are not a cybercriminal posing as a developer.
There are also instances in which attackers may impersonate platform administrators, support personnel, or colleagues to trick developers into revealing sensitive information or providing account access. And vice versa. Hackers can impersonate a developer.
If you are working with third-party developers, we strongly recommend installing a proactive and comprehensive approach to cybersecurity. Don’t rely on the developer. Businesses have to take responsibility for reducing the risk of developer account hacking. Speak with our experts for solutions.
QRphishing or Quishing
Of all the latest hacking techniques, QRphishing is the one that sends a shiver down my spine. The use of malicious QR codes is a challenge that could potentially damage millions of small businesses. It’s actually quite alarming how many cafes, bars and restaurants insist on the use of QR codes to access a menu. These menus are left strewn on tables and can easily be replaced by nefarious actors.
Malicious QR codes — or quishing as it is also known — can be used to trigger an exploit that takes advantage of vulnerabilities in the user’s device. This could lead to the installation of malware with a remote control of the device or spyware like keylogger that can detect keystrokes on a keyboard.
Hackers create malicious QR codes designed to resemble legitimate ones, making it challenging for users to distinguish between them. The malicious codes can be distributed through various channels, including printed materials such as posters, brochures or product packaging.
Hackers have also started using digital channels such as emails, social media, messaging apps, or websites to distribute malicious QR codes.
Once users scan the malicious QR code, they are redirected to a phishing website that mimics a legitimate site, such as a login page for a popular service. The goal is to trick users into entering their credentials or other sensitive information.
Alternatively, the QR code may trigger the download of malware onto the user’s device. Once hackers have control of a device, the attacker will revert to social engineering tactics to harvest more information they can use to exploit the victim.
If a hacker has remote control over your smartphone, it gives them the opportunity to get around MFA. So QR codes can be highly problematic for business owners and C-suite executives. There are solutions to avoid and mitigate data breaches of course. Contact our experts for advice and solutions.
IoT hacks
The Internet of Things (IoT) is one of the latest hacking techniques that should be a major concern for business owners, especially if you allow your team members to access your computer network using personal devices.
IoT hacks are one of the latest hacking strategies that is growing in prominence. According to cybersecurity journalist Gaurav Sharma, cyber-attacks on IoT devices saw an uptick of 41% in the first two months of 2023.
This could be highly problematic for companies that have work-from-home employees. Whilst you can monitor home Wi-Fi networks and secure endpoints, securing every IoT device that can be used as a gateway is typically overlooked.
One of the main issues with IoT devices is that people install them into their homes and use them with default usernames and passwords. It’s quite natural for you to think, why would anybody want to hack a fridge or home lighting system?
Well, they don’t, but they can use these apps as a gateway to get on to a device. And default passwords are easy for hackers to exploit using brute force attacks — automated tools that systematically guess usernames and passwords.
Insecure communication channels, such as unencrypted data transmissions between IoT devices and servers, can be exploited. Hackers may intercept communication in a man-in-the-middle attack which can lead to data manipulation or unauthorised access to business accounts.
Trusted IT Support in London
Don’t spoil your Christmas and New Year celebrations by falling foul of the latest hacking techniques. Our cybersecurity experts can devise cost-effective solutions that work for your business including advanced technologies — but mostly just common sense advice.
We can also deliver cybersecurity awareness training for you staff, so if your team is not up to speed with the latest hacking techniques, get in touch with our IT support specialists in London today. We’re happy to travel in and around London, Glasgow and across the southeast of England to visit your business premises.