Why and How Cyber Criminals Attack Small Businesses

The challenge that small businesses face is daunting. In this day and age, there are bad actors around the globe that earn their living by compromising businesses, and those cybercriminals are just as good at their jobs as the small business owner is at selling and delivering their products and services.

When is the last time you heard about a bank robbery? Not in a movie, but a real old-fashioned bank robbery where criminals march into a bank with guns and demand the money?

Bank robberies are thing of the past. Why would a criminal risk physically robbing a bank with guns, knowing that when they try to get out they will be facing swat teams? Cybercriminals don’t need to be physically in your business, your town, your state, or even your country. While the payout is potentially huge, the risk of getting caught is also extremely high.

From the cybercriminal’s perspective, attacking your company over the Internet from somewhere far away is a lot less risky.

The harsh realities are:

• Small businesses are attacked far more than corporations
• Of small businesses that are successfully breached, about 60% to 70% will end up closing their doors.

Small Businesses Are Better Targets than Corporations

While the payout for breaching Google is potentially very high, the chance of being successful in breaching Google is very small and the chance of getting caught is about medium. Why?

Because big corporations, especially Big Tech, have security policies and employ hundreds of people to make sure the company is secure. They have tools and intrusion detection systems deployed, and they have a Security Operations Center (SOC) which is staffed 24/7 and monitors to detect signs of attack, and they respond accordingly.

Small businesses have nothing. They don’t have security policies, they don’t necessarily follow best practices, and they just don’t manage cyber security. Small businesses of this nature are cybercriminals’ bread and butter.

You can change that with Carlisle Technology Solutions Managed Security Service. To put it simply, we become your virtual cyber security team. More on that later, but first let’s talk about how criminals attack your business.

Why Cyber Criminals Attack

Though nuisance attacks still occur, the far majority of attacks are driven by professional cyber criminals. Their primary goal is money. If there is something of value in your company, that is what the attacker is after.

Steal Money

This is a no-brainer. If a cybercriminal can breach your company to access bank accounts and drain them, that is one reason they attack you. So just secure your online banking very well, and the problem is solved, right?

Well, no. As it turns out, there are plenty of ways a cybercriminal can get paid by breaching you which doesn’t require getting access to your actual bank account. We will talk about that as we continue, but first, there is an important point to be made.

Even if an attacker does get access to your bank account they likely will not access your bank account. Huh? Why not?

Because the act of accessing your bank account is risky. Even though you have the credentials, banks have sophisticated monitoring and can detect criminals logging in from a different location, etc. The chance of getting caught is a little high.

More importantly, though, is that accessing your account isn’t the end — the criminal doesn’t get paid unless they can move that money out of that account and into another. That is very risky.

As I said earlier, criminals a smart and they behave in a very risk-driven way, and they will almost always take the path with the least risk. Because of that, most criminals that obtain bank account credentials don’t use those credentials.

How Do They Get Paid?

They sell the account credentials on the dark web. On any given day, there are hundreds of thousands of bank account credentials sold on the dark web.

What is a Dark Web?

The dark web is a subset of the Internet which is highly encrypted and is designed to protect the anonymity of the person using the dark web site. In other words, it’s a special part of the Internet where illegal things can be sold because law enforcement can’t determine who the seller is, or who the buyer is.

If one were to sell account credentials on the normal Internet, it wouldn’t take long for the FBI to come knocking. Dark websites can and do get busted by law enforcement, but it takes a lot of work, a lot of time, and a lot of resources.

Getting back to how the criminal gets paid, instead of using the credentials to try to wire money out of that breached account, instead, they sell those credentials on the dark web.

Usually, account credentials are sold in batches of 20, 50, 100, etc. and the selling price is surprisingly low.

How Can the Credentials Sell for So Little?

Because the one buying the credentials will be the one trying to access and transfer money out, the buyer will be taking the most risk. Therefore, buyers won’t pay much for credential lists. The seller only ends up getting pennies on the dollar, in terms of the available balances on those sold credentials, but the seller has not assumed the risk of trying to cash out.

Also, the seller doesn’t sell a credential just once. The credentials are on a batch of 100, which sells for $100, but they don’t just sell it once.

Because of this, the buyer might not be the first one to buy the list, and the buyer might find the account already empty, or that the account has been re-secured.

What is the buyer supposed to do? Call the police and tell them “someone ripped me off…. sold me a list of account credentials but none of those accounts worked!”

Getting back to the point, “stealing money” is just one thing an attacker is looking to do when they attack your business, and though they may not actually steal money out of your account, they will sell your account credentials to someone who will.

Ransom

Even if the attacker can’t get your bank credentials, they can still gain financially by compromising your business. If the attacker can compromise your business’s ability to do business, or make you think they have, they will try to extract ransom from you.

Ransomware is something we have all heard of by now. This is a special kind of malicious software which encrypts your files and holds the decryption key for ransom. The ransom amount varies, but the type of business, the size of the business, and how much revenue the business makes will be considered.

Typical ransoms start at $500 and go up. Usually, the lower ransom is for individuals and their personal files. If ransomware grips your entire company, the ransom will be high.

Extortion

Sometimes, ransom turns into extortion. Imagine a scenario where ransomware has netted files which, if those files were made public, might cause serious problems for the victim. The attacker might “up the ante” when the victim hasn’t paid the ransom by threatening to release the files publicly — or directly to law enforcement.

Ransom/Extorsion Can Happen Without a Breach

It is worth pointing out that attackers will attempt ransom or extortion even when they haven’t actually compromised your company or gained control of systems or files. How?

If the attacker can make you think they have control over your company or its data, the attacker will demand a ransom to not actually bring your company down.

I recently was called when a business received an alarming email, sent from someone how had gained access to the company’s receptionist email account. The business had received a ransom letter demanding $1,500 and threatening they would “bring the company to its knees”.

But wait, there is more…. the attacker also claimed they had gained control of the camera on the victim’s computer and had videos of the victim viewing pornography and pleasuring themself.

Within about ten minutes, by viewing the email headers of that email, I had determined the attacker did not gain access to the company’s systems internally. What they had done is exploit that the company had an unsecured email domain, which made them targets for email spoofing attacks. And this is exactly what they did. They spoofed the ransom email.

General Business Disruption Can Be Monetized

There are a number of ways an attacker can disrupt your company’s ability to do business, which an attacker might do in order to force a ransom payment, including but not limited to:

• Deface your website
• Jam up your phones (DoS, “Denial of Service”)
• Jam up your website so customers can’t use it (DoS)
• Damage your online reputation with fake reviews, etc.
• Get your business suspended from Google Business
• Tarnish your company reputation: spam your customers, attack your customers with malicious emails spoofed from you)
• Impact your business’s SEO

The list could go on and on. The point is, there are many ways an attacker can disrupt your business, and some of those ways don’t require they compromise your business.

If your company has vulnerabilities, attackers will find them and exploit them. You might think that your SEO firm would be doing things to prevent your SEO from being attacked, or help you recover after an SEO attack, but there is a very good chance they just don’t.

Data Has Value

An attacker may attack your company not in seeking bank account credentials or extracting ransom, but because they want data. Data always has value.

Customer Data

Imagine the value your customer data has in criminal markets. Identity theft is a real thing, and there are many reasons one’s identity might be stolen. Most businesses collect and store personally identifiable information (PII) on their customers, which if it fell into malicious hands could result in serious problems for your customers.

An attacker may attack your business seeking just that — your customer data. They may hold it ransom, or not. If they don’t hold it ransom, they simply go straight to selling the data. They don’t contact you, you don’t know it has happened, and you may never know.

Until a number of your customers are victims of identity theft, and they compare notes and determine the only thing they have in common is being customers of your business. Or, law enforcement traces it back to your business.

Virtually every jurisdiction has privacy laws which put some responsibility on the business owner. At a minimum, you may be required by law to disclose when a breach has happened, or if there is good reason to believe a breach has happened.

This is a business killer. There just is no good way of telling your customers “we are sorry, but we didn’t have good security and we didn’t practice data handling in accordance with best practices (or laws) and because of that you need to watch your credit carefully and be on heightened awareness of identity theft”.

Oh, but here, we will pay for credit monitoring or identity theft monitoring for a year.

Yeah, you want to avoid that if you possibly can, because this is not something most businesses can come back from. Especially if one or more customers have suffered actual damages stemming from the breach, and are now filing lawsuits against your business.

Employee Data

Attackers would like to also get your employee data to. Criminals love things like social security numbers, and enough information about employees to be able to compromise those employees. Or, they just want to create more exposure for your company, by making you disclose to your employees “Sorry, but your data is on the dark web because of us”.

Proprietary Data

Attackers really want to get to your trade secrets and intellectual property. Obviously, intellectual property (IP) has significant value. Where is your IP stored? How do you control access? How do you protect the data? Do you audit accesses?

IP is the lifeblood of your company and has great value, and therefore deserves to be access controlled, audited, and protected like it is gold.

Well, the same can be said about customer and employee data too. The bottom line is this: does your company conform to best practices for data handling?

Supply Chain Attacks

Another reason your company would be attacked is if the attacker is seeking to breach other companies by compromising yours. Right now, as I write this, there are about 300,000 WordPress sites vulnerable because they all use plugins by one company, and that company was breached and malicious code inserted into their source code…. which then went out to all sites using the plugin(s) as an update.

You may recall the SolarWinds attack. It’s the same thing — compromising a company to poison its product, because that product gets pushed out to many other companies and the poisoned product compromises those companies.

You just do not want to be the company that is breached, which then breaches all of your customers.

Again, you just couldn’t come back from that because the reputational harm would be severe, and legal liabilities enormous.

Even if your company is not of the nature of software product, your company can still be used as an attack vector into another company. For example, if an attacker obtains your customer list, at a minimum the attacker knows all the companies which they can potentially pose as someone from your company.

For example, an attacker might send a malicious word document to your customers and write the email so as to make them believe it was sent from your company, which almost guarantees the recipient will open the attachment.

And if your company’s email domain is not secured, the attacker can literally send the email and make it appear as if it came from your company. Here is a write-up on email spoofing:

https://blog.carlisleprojectpro.com/fake-emails-small-businesses/

How Cyber Criminals Attack Your Business

We have discussed in detail the “why”, and now it is time to discuss the “how”. Just to summarize the “why”, it is simply because criminals will always exist and they will always commit crimes that have the least chance of getting caught.

Before we get into the details of “how”, there are two types of attacks: random, and targeted.

Random vs Targeted Attacks

A random attack is an attack that comes from an attacker that was probing for things in general and their probing found your company. Perhaps the attacker was scanning the global DNS system to find unsecured email domains, and your company has an unsecured email domain, and now you are being attacked in that manner.

If you have to be attacked and can pick random or targeted, I would say the random attack is the one to choose. Because the attacker will try a few things, and if they are unsuccessful they move on. The majority of random attacks are scripted anyways, and your company ends up in the list of “things we couldn’t penetrate easily”.

In a targeted attack, an attacker identifies your business specifically and has some motivation in breaching your company. This is the type of attack that is the scariest, because you have caught the eye of a professional cybercriminal, and they launch a professional attack.

It is worth noting that a random attack can convert into a targeted attack. Your company may have been identified by a random script, but then the attacker looks at your company and determines it to be potentially valuable in launching a targeted attack.

What does a professional, targeted attack look like?

A professional targeted attack will follow a framework of:

• Discovery
• Vulnerability Identification(s)
• Active Attack
• Extraction

I know what you are thinking, “this sounds like a Navy Seal operation, seriously?”

Well, yes. A professional attacker is not going to proceed in a haphazard manner, because that would potentially end very badly.

For example, it would not do the criminal any good if they are able to get into the company (virtually) by exploiting a vulnerability and locating valuable data, and not have a plan on what to do with that data or be able to monetize it.

And for the sake of completeness, in my view, the “extraction” phase includes erasing evidence of activity, such as logs etc.

Discovery

An attacker will first spend some time getting the “lay of the land”. They will map out all of the “things” your company uses to function and try to gather as much detail as they can. What network devices are in use, and what brands, makes/models, etc.

Armed with discovery information, the attacker then works to find specific vulnerabilities. Knowing the brands, makes/models, etc. helps the attacker determine vulnerabilities much more quickly than by blind probing.

Often, an attacker can find on the Internet a nice list of every vulnerability known as of today for a specific device or piece of software, and they pay particular attention to the vulnerabilities which have not yet been addressed with patches. And even if patches address the patch, it may be that your company has not yet updated that piece of hardware or software.

If the attacker cannot get detailed discovery, the vulnerability probing and identification processes take much longer.

Vulnerability Probing/Identification

At this point, the attacker has narrowed the focus to specific products in use and will probe for the specific vulnerabilities known to that product. Or, lacking detailed discovery, the attacker uses tools to probe. Tools might include the “Kali” Linux distribution, or other tools developed for this purpose, or homegrown scripts.

Out of this phase, the attacker will have a list of identified vulnerabilities that have been confirmed, and from this, they can plan their actual attack.

Attack Plan & Execute

A list of devices and vulnerabilities does not necessarily translate into how to exploit in a way that is financially gainful for the cyber-criminal.

In this phase, the attacker devises the way a set of exploits will lead to monetization. What systems will be breached, using what exploits, and how it leads to achieving the goals of the breach.

Extraction

In this phase, the attacker extracts the objective of the breach and covers their tracks.

Either the attacker will transfer the data to something they control and can retrieve, or they do that and also leave behind a backdoor. Because there is likely going to be a need to go back in, and the attacker has to presume that at some point the company will have closed off the vulnerabilities that lead to the initial breach.

In some cases, the attacker leaves behind a complete set of tools that continue to probe the internals of that company, and send further findings to the attacker — while also further compromising systems within the company.

Now let’s get back to discussing the specific ways attackers…. attack.

Attack Types

In the “why” discussion, we talked about a few ways cybercriminals attack. Just from my memory, we talked about spoofed emails, credential harvesting, ransomware, and probably others. I am going to structure this discussion by defining the high-level things which attackers target:

• Attack your company’s critical infrastructure: Networks, servers, email, databases, storage, etc. which drive your company’s applications and business processes.
• Attack applications: Software your company uses to carry out business.
• Attack your people & processes
• Attack your supply chain

Critical Infrastructure

Infrastructure attacks are attacks that attempt to breach your company through network devices, servers, and services which underpin your company.

At the network layer, would be breaking into network devices, firewalls, wireless access points, and Internet of Things (IoT) devices. If an attacker can gain access to the physical network, or a wireless network, or bypass firewalls and other security, the attacker can then carry out attacks at the other layers.

Applications

Application attacks are specific attacks on applications the target company is using, which can be exploited to gain access to systems.

For example, one that recently happened was a vulnerability in a logging library (Log4J) that is commonly used in java server application components. By exploiting this vulnerability, attackers could gain remote code execution ability.

That means the attackers could run any command they wanted on the target system, including giving themselves a command shell from which they could do what they pleased.

However, this specific attack wasn’t on an application directly but was targeted at a development library that is commonly used in software development.

This really drives home the point, that the attack surface for a business is virtually unlimited.

What’s an “Attack Surface”?

Sorry about that, an attack surface is the “virtual” surface that includes all ways your business can be attacked. Think of a castle which has a gate and draw bridge. For practical purposes, the castle walls are impenetrable, but the gate is penetrable. The gate is the attack surface.

In general, one should try to minimize their attack surface. Getting back to the castle analogy, knowing the gate is possibly penetrable, you wouldn’t put a gate on all four walls, would you? Well, you might, but not without considering that the gates are possibly penetrable, and weighing the benefits of those 4 gates against the risk of penetration of those gates.

Likewise, in a business cyber security context, you must consider how the attack surface of your business changes when you adopt a technology.

And as the Log4J logging library demonstrates, your business’s attack surface isn’t 100% within your own control.

In other words, even if you manage to have zero vulnerabilities in all the technology bits you control, you still can be vulnerable because of the “things” your company uses.

People & Process

Attacks on your company’s people and processes include trying to trick you or your employees (called phishing) or attacking their passwords. Yes, phishing and password brute force hacking is an attack on people & processes. Let me explain why.

Passwords

Everyone knows, in 2022, that passwords need to be long, complex, use a wide character set, be unique, and not be guessable or even memorable. Yet, the most common password that is used as a breach entry point, is “password123”. Other variations include “yourcompanyname123”, “welcome123”, etc.

What this means, is not everyone follows password best practices, and brute forcing a password is not even feasible unless password best practices have been ignored.

Social Engineering

Social engineering is a neat word that we use to describe a situation where a person is tricked or fooled, basically conned.

When someone sends you an email which has a malicious link, and they pose as someone they are not in order to increase the chance you will click that link, that is called “phishing” and it is a form of social engineering. A hook has been dangled, and the attacker hopes you bite it, and whether you do or don’t depends on whether you forget information security best practices and bite that hook.

These are just two big examples of attacking your company’s people and processes. Other examples would be an attacker calling your company’s tech support posing as the company owner, to get the company owner’s password reset.

There are a gazillion ways that people and processes can be exploited, and as soon as I try to list all examples, new ones will be thought up.

A key point is this: if your company has employees, attackers can, and will, attack those people to attack your company.

Supply Chain Attacks

Throughout this article, we have brushed on the concept of supply chain attacks. The key point is this: even if your company is well-secured, and your people are trained and never fall for people/process attacks, you still have to be concerned about supply chain attacks.

Why? because let’s say your company uses a vendor to supply something your company needs. If an attacker compromises that supplier, the attacker can then pose as that company and get you or your employee to give that attacker something they need, whether it is information or access to systems.

I’ve said before and will say again, you can secure all your technology assets, train your people, prevent all direct attacks on your company, and still be vulnerable to weaknesses in your company’s supply chain.

Random vs Managed Security

Earlier we talked about random versus targeted attacks, but what does “random vs managed security” mean?

I just made it up, to be honest. But what I am hoping to convey is the idea of “random security” and how that is just not enough.

Random Security

When I say “random security”, I am referring to a company without security policies or specific efforts to establish and maintain cyber security. For example, a company that has web servers, database servers, email servers, etc. could follow system admin best practices which result in those systems being secured according to general best practices.

In this scenario, the company might be impenetrable through attacks on those systems. But that doesn’t do anything to address all the other ways attackers will attack. This simply assures that “infrastructure” attacks won’t be successful. “Application, People/Process, and Supply Chain” attacks have not been addressed at all.

Moreover, in this scenario, the “infrastructure attack” security is effective for a period of time, not indefinitely. Cybercriminals are constantly finding vulnerabilities in products, and at some point, there will be vulnerabilities found.

“But they turned on auto-update”.

Well, that is a good thing, and maybe because of that their infrastructure assets will remain updated, but it is a bad thing because enabling auto-updates increases the attack surface.

How? If the vendors behind those products get breached, and malicious code is embedded into an update, those with auto-update turned on will also be enabling “auto malware insertion”.

But how likely is that going to happen? Well, I am sure the 30,000 corporate customers and government customers of SolarWinds would have said that too…. before the SolarWinds breach.

What Is “Managed Security”

Managed security is an ongoing process and one that is necessary for 2023. Small businesses struggle with it because they think they cannot afford it. The reality is, not only can they afford it — small businesses can’t afford to not have it!

Carlisle Technology Solutions have announced a new service offending which aims to bring affordable cybersecurity expertise into your business, which will put cybersecurity management into the foundation of your business.

You will always know what your security posture is, where you might be vulnerable, and how attacks might be crafted to exploit your weaknesses. Of course, you will always be advised how to close off those weaknesses, but we know that isn’t always possible.

Anything is better than ignoring cybersecurity and just crossing your fingers.