Executives have always been a top target for hackers, but in the last two years we’ve seen new tactics emerge which make this threat even more urgent for businesses to address.
Recent attacks by organized criminal syndicates, such as the 0ktapus and Lapsus$ groups, demonstrate how effectively targeted attacks on personal devices and non-work accounts can undermine even the most robust corporate network security. Executives are especially exposed, as hackers shift from traditional attacks on business email to more varied forms that catch officials off guard.
A successful attack on a high-ranking executive such as the CFO, CIO or CEO often provides the cybercriminal with an all-access pass to the corporation’s data, network and employees.
Business Everything Compromise
The standard attack on business executives has long been centered around “business email compromise” (BEC), and it still is, although these attacks are now taking new forms.
While an executive’s corporate email account is still extremely valuable, hackers have found that taking over other accounts, such as Slack, Zoom, Gmail, LinkedIn, WhatsApp, etc., can be equally effective, if not more so, for stealing information or impersonating the executive to social engineer other employees. In fact, the FBI issued an alert earlier this year warning that a growing number of criminals are launching BEC-style scams in Zoom.
Hackers can hijack these accounts through various means – phishing attacks to steal the executive’s passwords or session cookies, either through malware or fake login pages; purchasing already stolen credentials or cookies in the dark web; or resetting the accounts through other compromises, social engineering or guessing the security questions.
Mobile Device Attacks
An executive’s mobile device can be a gateway into work and personal accounts, company data, network credentials and multi-factor authentication codes – so it ranks high on the list of targets for cybercriminals.
While there are a number of ways cybercriminals could target an executive’s phone, two specific scenarios companies should be prepared for are SMS phishing (or “smishing”) and “SIM jacking.”
Smishing, which can also occur in messaging apps like WhatsApp and Telegram, is commonly used by cybercriminals to steal login credentials and one-time passcodes by impersonating the IT department or a software or security vendor. SMS and messaging apps are ideal platforms for phishing attacks, because the recipient has no way to verify the authenticity of the sending phone number. The brief, unformatted nature of these messages, and the widespread use of tiny URLs, also make it easier for an attacker to sneak under the radar by impersonating a legitimate contact.
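As an added illustration (this script is not from the original article), the following Python code turns the smishing traits described above into triage heuristics: shortened links, links to hosts the organization does not normally send from, impersonation of IT or a vendor, requests for passwords or one-time codes, and urgency pressure. The sample messages, the host allow-list (`sso.example.com`, `helpdesk.example.com`) and the scoring weights are all constructed assumptions for the example; a security team would tune them against its own message history.

```python
"""Heuristic triage of SMS / messaging-app text for smishing traits.

Added example: the allow-list, weights and sample messages below are
constructed for illustration and are not from any real deployment.
"""
import re
from typing import Dict, List, Tuple

# Link shorteners commonly used to hide a phishing destination (constructed, non-exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "rb.gy", "cutt.ly"}

# Hypothetical allow-list of hosts the organization actually sends links from.
KNOWN_GOOD_HOSTS = {"sso.example.com", "helpdesk.example.com"}

# Signals drawn from the traits described in the text (all patterns case-insensitive).
URL = re.compile(r"https?://([^/\s?#]+)", re.I)
IMPERSONATION = re.compile(
    r"\b(it (dept|department|helpdesk|help desk|support)|security (team|vendor|alert)|okta|microsoft|google)\b",
    re.I,
)
CREDENTIAL = re.compile(
    r"\b(one[- ]?time (code|passcode)|verification code|security code|2fa|mfa|password|passcode|pin)\b",
    re.I,
)
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (minutes|hours)|suspended|locked|expires?|expired)\b",
    re.I,
)
REPLY_WITH = re.compile(r"\breply (with|to)\b", re.I)

# Scores at or above this value are flagged for a human to look at (assumed weight).
SUSPICIOUS_THRESHOLD = 4


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message body."""
    score, reasons = 0, []
    for host in (h.lower() for h in URL.findall(text)):
        if host in SHORTENER_HOSTS:
            score += 3
            reasons.append(f"shortened link ({host})")
        elif host not in KNOWN_GOOD_HOSTS:
            score += 2
            reasons.append(f"link to unrecognised host ({host})")
    if IMPERSONATION.search(text):
        score += 1
        reasons.append("impersonates IT or a vendor")
    if CREDENTIAL.search(text):
        score += 2
        reasons.append("asks for a password or one-time code")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency pressure")
    if REPLY_WITH.search(text):
        score += 1
        reasons.append("asks the recipient to reply with data")
    return score, reasons


def triage(messages: List[Tuple[str, str]]) -> List[Dict]:
    """Score a batch of (sender, text) pairs and mark the suspicious ones."""
    results = []
    for sender, text in messages:
        score, reasons = score_message(text)
        results.append({
            "sender": sender,
            "score": score,
            "reasons": reasons,
            "suspicious": score >= SUSPICIOUS_THRESHOLD,
        })
    return results


# Constructed sample messages: two smishing-style, two benign.
SAMPLE_MESSAGES = [
    ("+1 555 0100", "IT Dept: your Okta session expires in 15 minutes. "
                    "Verify your password at https://bit.ly/3xAmpl3 to stay logged in."),
    ("+1 555 0101", "Hi, running 10 min late for dinner, order for me?"),
    ("Helpdesk", "Your ticket #4821 was updated: https://helpdesk.example.com/t/4821"),
    ("+44 7700 900123", "Security alert: unusual sign-in. Reply with the 6-digit MFA code "
                        "we just sent to confirm it's you."),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} score={r['score']} from {r['sender']}: {'; '.join(r['reasons']) or '-'}")
```

The point of the weights is that a shortened or unrecognised link never decides on its own; it is the combination with a credential request or urgency that pushes a message over the threshold, which mirrors how these messages are actually written. Flagged messages are a prompt for the recipient to verify through a known channel (the IT help desk number on file, not the one in the message), since the sender number itself cannot be trusted.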
Attackers can also gain full control of the executive’s phone number (which is easy for them to find via data brokers) through SIM jacking. This attack is invisible to the victim, since it’s actually an attack on the mobile carrier – by tricking the carrier into porting the executive’s phone number to a device controlled by the attacker. This allows the attacker to receive all of the executive’s phone calls and text messages, access voicemail and make calls as the executive. Where organizations have implemented dual factor authentication, this attack allows for the SMS code to be intercepted as well.
Home Network Threats
Hackers know they can bypass corporate security by infiltrating the executive’s home network to reach his or her devices directly, such as laptops, desktops, tablets, etc. Most home networks are fundamentally insecure, from unpatched WiFi routers to publicly accessible Internet of Things (IoT) devices set with default passwords, like security cameras. In fact, the more “connected” the home is, the more vulnerable it is to these attacks. In our research, we have found that 20% of connected homes are accessible over the Internet by strangers.
It is also relatively easy to locate an executive’s home IP address. According to our research, 40% of online data brokers collect this information, which anyone can access for a small fee. This makes it relatively trivial for a hacker to scan the network, look for a vulnerable endpoint and establish a foothold. From there, they can “sniff” the network traffic, exploit other devices and spread malware. Even the home printer can pose a danger if the executive has used it to print or scan important documents. Many all-in-one printers store these documents in their memory, which can be accessed by an attacker.
An executive’s spouse and children can also be a pathway into the executive’s personal and professional accounts.
Since family members don’t think of themselves as a target for sophisticated cybercriminals, they are likely to have fewer protections in place – such as online accounts lacking MFA, devices running older software or lacking new security patches, etc. A hacker may also contact them directly through social media, messaging apps and dating apps to compromise them through a social engineering attack. Catfishing scams can also be an effective way for a cybercriminal to gain leverage, not only over the family member, but over the executive as well. Our concierge team has dealt with recent sextortion scams that targeted the family members of corporate executives of our client companies. In one case, a cybercriminal hacked into the webcam of an executive’s teenage child and recorded her without her knowledge, then moved throughout the entire home network.
Hackers will also breach family members’ online accounts in order to compromise the executive through hard-to-detect phishing messages. One clever tactic is known as “conversation hijacking,” where the cybercriminal inserts himself into an ongoing email or message thread, then slips in a malicious link or attachment which the executive may open, thinking it was sent by the family member.
Preventing Targeted Attacks
Targeted attacks on executives outside of work can be difficult to prevent because they exploit cybersecurity blind spots where few if any corporate protections are in place.
However, there are a number of steps executives can take to reduce their risk.
To begin with, executives should remove their personal information from online data brokers. This is not easy to do, and there are over 200 data brokers, but there are professional services that can help. Removing sensitive information, such as the executive’s personal cell phone number, home IP address, online accounts, family information, etc., makes it harder for a cybercriminal to target that executive.
An executive’s home network must be fortified. At a minimum, this should include keeping every single device on the network (from desktops and laptops to WiFi router, home IoT devices, printers, smart TVs, etc.) updated with the latest software, firmware and security patches. Change out any default passwords on these devices. Keep IoT devices off the home’s main WiFi network, by segmenting them to the “guest” network. And make sure all external guests remain on the WiFi guest network as well; that way, if the guest has viruses on their devices, they will not impact the executive’s devices or home.
Personal accounts should be as carefully protected as work accounts, especially if they can be used to communicate with other employees – such as Gmail, LinkedIn, WhatsApp, etc. Every account should have a strong unique password with dual factor authentication protections enabled.
He served for over a decade on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee. He is the former president of the Federal Bureau of Investigation’s Arizona InfraGard and the former Chief Privacy Officer for Royal Bank of Scotland. Dr. Pierson is a Distinguished Fellow of the Ponemon Institute.