01/12/2014

By Darren White, EMEA Director, Agari


Despite the wealth of media coverage generated around high-profile attacks on the likes of Target and eBay in the past year, too many businesses continue to fail to protect their customers from online criminal abuse.

Indeed, hackers are amplifying their use of email to spread data-theft malware. With such attacks designed specifically to trick users into handing over their information or downloading malware onto their machines, it is unnerving to think about what these nameless, faceless hackers are doing with the data they make off with.

When an attack is announced, people tend to worry about identity theft and their bank accounts being illegally accessed. Cue, passwords being changed and bank statements thoroughly checked. However, with some breaches — particularly larger ones — cyber criminals will have gained terabytes of data, all of which they probably won’t use right away. The information they received is probably just one step in their plan, and there is a possibility that we’ll see the effects of this year’s attack, months, and possibly years, from now.

In addition to the ‘valuable’ data stolen, such as credit card details, cybercriminals also end up with what is called ‘by-product’ data. This includes data that may not have any value to them, including surnames, maiden names, date of births, addresses etc. However, this information will be useful to other criminals who want to target specific people through spear phishing and social engineering attacks. It then becomes a bit like stealing a car and selling it for parts. Stolen data is essentially manipulated to access even more confidential data.
Worryingly, subsequent attacks designed with this data at their core are invariably much more visually and technically refined and therefore more successful in duping the user being targeted. They hit their targets because the email received looks legitimate and has apparently come from a trusted source. It’s important to remember that well-funded cybercriminals have the resources, time and energy to create these email replicas and phony websites.

From a business perspective, given email remains a simple and direct way of reaching and staying in touch with customers, deploying solutions that defend customers from cyber attacks of this nature has become more important than ever. Indeed, losing email as a trusted communication channel with consumers can have reverberations throughout the business, especially from a marketing and sales generation perspective.

That said, while we may only seem to hear about big name data breaches, our personal online behaviour also needs to be reassessed. Consumers must be vigilant with their data and continue to be on the lookout for emails, attachments or unofficial pop-up ads that look suspicious. Spear phishing is simply a 21st Century equivalent of traditional, non-technological tricks, such as pick-pocketing, therefore the smarter and more street-wise the user is, the less likely they are to fall victim.