Welcome to this training session from Data Law. My name is Robert Edwards. I'm a consultant with Law Hound. Previously, I was a counterintelligence and IT security specialist with Her Majesty's Government before moving on to lecture and provide legal training. Cybercrime: maybe hacking? But most hacking isn't undertaken with criminal intent. There are good reasons for that statement. Hacking takes time and effort, and criminals want a fast return. Hacking also requires a great deal of technical skill, which most criminals are either too lazy or intellectually unable to acquire. There are simpler methods to generate a profit. Cybercrime is a word that's used quite a lot in headlines, but rarely is there an explanation of what all the terms mean. You may know that phishing is used to obtain information, but how does it work? What do you need to look out for to protect yourself? Phishing, with a "ph", involves trying to fool someone into providing information that could be used for profit, or to introduce an exploit into their computer (including mobile phones, when you think of a computer) which could be used at a later date. Don't think Nigerian ministers trying to transfer millions of dollars into your bank account. Think about your day-to-day regular emails, some of which you may even welcome because they look useful. Let's run a scenario to help explain how phishers operate. In your email, you spot something from Marks and Spencer offering a free bottle of wine. You open the email, which reports back to phishing central: do you respond positively to emails offering something for nothing? Information which will be useful in the future. The email has photographs of bottles of wine with decent labels, surrounded by a few bunches of grapes. It also invites you to click on a link to the website for more information. Marks and Spencer, plus free bottle of wine, plus find out more, equals simple decision. You click the link. Another report is fired off to base camp.
This one probably reads something like "fish on the hook". Lo and behold, there's the M&S website, all decked out for whatever season it is. Slap bang in the centre of the screen at the bottom, where you can't miss it, especially if you're now thinking of wine, is the offer. Below the panel, it says you need to visit a store, but you need to click on another link to enter your details to access the voucher you'll need to claim your bottle of wine. It seems like a reasonable, logical process. The sign-in screen asks for your M&S account username and password. For M&S customers this doesn't present a problem, but for people who don't have an account with M&S it's frustrating. But the phishers behind this don't really care about people who don't have a Marks and Spencer account. They want the login details of the people who do, because it's highly likely that they use the same login information for their store accounts and their M&S banking accounts. To demonstrate how someone could be so easily fooled, here's the real Marks and Spencer Christmas home page, and once again here's the spoofed M&S Christmas home page, and here they are next to each other. You can spot the obvious difference between the panels offering the free bottle of wine, but there's also a difference in the web address in the URL bar. Here, I've used an "M percent S", which isn't a valid URL character, but I could have chosen marksandspencers.com, because almost everyone refers to Marks and Spencer as "Marks and Spencers". While you may think that this is a lot of trouble to go to for some account details with a supermarket-slash-department store, with revenue concerns phishers often play a much longer game. Now here, you can either print out the voucher or use a mobile phone to take an image of a QR code that will make itself unique to you after you authorize access to your contacts. Why would you want to do that? Because it will send a message for you, from you.
It will benefit some of your contacts, and they will be grateful. "Hi [contact first name], I don't know whether you shop at M&S, but if you do, this QR code will get you a free bottle of wine if you visit a store. [Link to QR code]" and, at the end, your name. If your contacts list is full of personal contacts, that's bad. If you have business contacts, that's really bad. The QR code will not only direct you to the page to download the fake voucher, but will also collect all of your contact information. How? Because the QR code activates a worm. It may also start up a keylogger designed to identify and become active only when sign-in screens are accessed. This QR code is one I generated, and it will, should you want to try it out, take you to the authentic M&S website. With the phishers' QR code, you infect your contacts, they infect theirs, and very soon there are hundreds of thousands of people carrying the same keylogger. Nothing bad happens for a while, because the phishers wait until they reach critical mass before accessing all of these bank accounts and beginning to move money out of them. The success of this process depends not on technical capability but on a knowledge of human behavior. Marks and Spencer is a trusted organization, so an email from M&S doesn't fire off the threat warning in our brains. We believe that M&S is offering us something for nothing, which pulls on our human tendency towards personal benefit. The website looks like the Marks and Spencer website, and the other links open up pages in the site. So now the only link I'm interested in is the one that's offering me free wine. The offer to message all of my contacts provides an opportunity to make others think well of me. Of course I want that to happen. The sequence of events can be broken down into four steps: one, establish trust; two, influence behavior; three, appeal to self-interest; and four, enable third-party approbation.
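The spoofed web address in the scenario above (an invalid character in the hostname, or a "marksandspencers.com"-style lookalike) is something a mail gateway or a user-awareness tool can check mechanically. The following is an added example, not code from the training session or from Marks and Spencer: it classifies a link's hostname as legitimate, a lookalike of the brand, an invalid hostname, or unrelated. The allow-list of genuine domains and the sample URLs are constructed for the example and are assumptions, not a statement about which domains the retailer actually operates.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for this example (assumption): the brand's genuine registrable domain(s).
LEGIT_DOMAINS = {"marksandspencer.com"}
BRAND = "marksandspencer"  # the string a lookalike will try to imitate

# RFC 1123 hostname label: letters, digits and hyphens only; '%' and other symbols are not valid.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character typo-squats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style names in this example;
    production code would consult the public suffix list to handle e.g. co.uk."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str) -> str:
    """Return 'invalid-hostname', 'legitimate', 'lookalike' or 'unrelated' for a link target."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname strips any user:pass@ prefix and port, so "brand.com@evil.example" resolves to evil.example
    host = (parts.hostname or "").rstrip(".")
    if not host or any(not LABEL_RE.match(label) for label in host.split(".")):
        return "invalid-hostname"
    if host in LEGIT_DOMAINS or registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Brand string anywhere in the URL (userinfo, subdomain, hyphenated) but an unrelated
    # registrable domain is the classic lookalike; so is a near-miss spelling of the brand.
    second_level = registrable_domain(host).split(".")[0].replace("-", "")
    if BRAND in url.lower().replace("-", "") or levenshtein(second_level, BRAND) <= 2:
        return "lookalike"
    return "unrelated"


def triage(urls):
    """Classify a batch of link targets, e.g. every href extracted from an inbound email."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    samples = [
        "https://www.marksandspencer.com/christmas",
        "https://www.m%s.com/free-wine",
        "https://marksandspencers.com/free-wine",
        "https://www.marksandspencer.com@login.example/voucher",
        "https://marksandspencr.com/",
        "https://example.org/newsletter",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:17} {url}")
```

Only the "legitimate" verdict should be allowed through unchallenged; anything flagged "lookalike" or "invalid-hostname" is a reason to pause and, as the session recommends, verify by a channel other than the email itself.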
You'll quickly realize that this bears a close resemblance to a sales process. When the collection of data is considered to be large enough, the phishers will either begin to use it or try to find a buyer. Spear phishing. Although spear phishing uses similar methods, this is a much more focused attack, with a specific organization or individual as the target. Spear phishers use social media and business websites to learn as much as possible about the intended target. If the target is a business, they may conduct research into customers and suppliers so that they can construct a story sufficiently plausible to fool the target into releasing sensitive information. For example, a law firm may have a "meet the team" page that carries personal profiles of key personnel. Matching someone up with their social media output (Facebook, Instagram, etc.) can enable the criminals to create profiles of several members of an organization, or even a particular department. The criminal uses the information collected to establish himself as a bona fide person who is authorized to be given answers to specific questions. If an organization uses external IT support, the IT service provider is likely to feature their most prominent clients on its own website, and nobody really takes on an IT support supplier from outside their own area, so it's a very limited pool that you have to look at if you're looking for a law firm's IT supplier. So a call to them from the law firm's "new office manager", introducing himself and declaring a need to ensure that all contact points are up to date, is designed to identify the valid contacts that the law firm has already provided. This takes us back to the information gleaned from the "meet the team" page of the website.
Once the criminal has extracted this information from the IT support supplier, another call will be made to the law firm, purporting to be from the IT support and asking to speak to the IT manager, who is, according to his latest Facebook update, two days into a week's holiday in Romania. It will be stressed that the matter is urgent and likely to involve a potential system security breach. This scenario is intended to push the call recipient off balance, and they will be led through a series of instructions and questions with the ultimate aim of gaining access to data or the means to extract money. The goals of the attack vary and may include obtaining access to confidential personal information, extracting funds from bank accounts, accessing commercially valuable information to use it, and accessing commercially valuable information to sell it. Alternative outcomes of spear phishing are malicious code embedded in email attachments, or links to spoofed websites which deliver the code as you visit. Spear phishing is also used to equip criminals with enough information to successfully carry out "Friday afternoon fraud" operations, in which funds are transferred to external bank accounts for what appear to be legitimate purposes. Remote monitoring and other intrusive software. Cybercriminals may take a straightforward route and install ransomware on a business network. Ransomware isn't usually very complicated, just a little software package that encrypts your data. You pay up in Bitcoin, because it can't be tracked, and your data is released back to you. The seam of gold for criminals targeting a law firm is to be able to introduce remote monitoring software into the working environment. Even legitimate software designed to analyze productivity can provide real-time screen recording and keystroke recording, and enable remote management of user privacy settings. If you use such a thing in your practice, it's relatively easy for someone else to piggyback onto it.
You'll appreciate the risk this presents to a law firm, given the high expectations of your clients for privacy. Introducing software of this nature doesn't even require a system to be hacked. A successful exploit is often the result of human curiosity. A USB stick surreptitiously dropped in a reception area will have about an 80% chance of being inserted into a port to determine the owner. If you think that's unlikely, a study in 2016 by Google resulted in 48% of 297 USB drives left in parking areas being picked up and inserted into a computer. How did Google know? The USB sticks contained software that reported home when activated. A USB drive found in a reception area will be considered much less of a risk, and the finder will be keen to determine who the owner is. The quickest way to do that is to examine the contents. These drives can be armed with a self-extracting executable program that begins running as soon as the drive is inserted into a computer. The one thing common to all of these is that they rely on an understanding of human behavior. If we need people to act in a different way, as we clearly do, then we need to ensure that we have protocols in place to guide them through as many conceivable scenarios as we can think of. Having an IT policy isn't enough. Policy documents are not fun to read, and most people will do exactly what you do when faced with an on-screen box for you to check as having agreed with the terms and conditions of the business you want to buy something from. What do you do? When was the last time you took the time to read the Ts and Cs? We're all predictable. We need not only to have well-written policies, which are usually there to provide us with a mechanism when something goes wrong, but we need to educate and periodically reinforce the message. We must, you must, educate the people in your practice to be less trusting, to be more skeptical, to question when something looks a little bit off.
If someone in your accounts department receives an email from the managing partner to transfer funds from client account to another bank account, they must check with the managing partner using a telephone. That should be a standard protocol. The email may be a necessary tool to convey the bank details, but voice confirmation is another necessary tool to prevent your firm from falling victim to cybercrime. That concludes this session, covering some of the mechanics of phishing and spear phishing. Look out for other cybercrime subjects from Data Law.