Forbes contributor Davey Winder wrote an excellent comment: "It hasn't been the greatest week for the non-profit sector with the revelation that two well-known charities have fallen victim to less than charitable cyber con-artists.
In the same week that the Save the Children Federation confirmed it had been scammed out of $1 million by email fraudsters, so the Wellcome Trust has revealed the email of four senior executives was compromised and sensitive information monitored for several months. Without wishing to be uncharitable, both of these cyber-attacks fall firmly into the 'oldest trick in the book' category.
Let me start by saying that I am not in the habit of victim shaming; the focus must be on the threat actor when it comes to attributing bad guy status. That said, as we fast approach 2019, I also think the time for pussy-footing around the lack of security awareness issue within many large organizations has long since passed.
The Wellcome Trust is most certainly a large organization any which way you look at it; in fact, with some £26 billion of assets, it is the biggest charity in Britain. So, when I read in my copy of the Times today that no less than four senior executives were "misled into entering their passwords when sent a link to click on" my will to live starts fading away. That I'm still breathing given that, apparently, the threat actors maintained that access to executive emails for several months is nothing short of miraculous.
The details of the phishing attack were revealed in the Wellcome Trust annual report, and auditors Deloitte are quoted in that Times story as saying it resulted in "unauthorized access to systems and sensitive information." While it doesn't appear, at this stage of the investigation, which has been ongoing since the breach discovery in August at least, that there are any financial losses as a result, that's not the main concern in my mind.
Instead, it's that an organization of this size and maturity should ever be in a position where it has to admit 'we got phished.' When I say the oldest trick in the fraud playbook, I'm not joking. It would appear that those senior management players were conned into clicking the links that required them to enter their email account passwords because the request 'had the appearance' of coming from a colleague.
Pretty much the same methodology, the old 'it appears to be a genuine request from a colleague' trick, was used to defraud the Save the Children Federation of nearly $1 million. That phishing attack, or business email compromise (BEC) if you prefer the more formal terminology, happened last year but has only just been confirmed. Attackers gained access to a staff member's email and then created fake invoices to a fake company in Japan that was supposedly supplying solar panels for health centers in Pakistan.
Both of these attacks on non-profits reveal not only just how despicable criminal actors are (taking money from a charity that saves the lives of children is the lowest of the low) but how hacking humans remains one of the easiest strategies for launching a successful threat campaign. "Given the fact that phishing is one of the oldest and most common attack methods used by criminals, it's quite amazing how effective they still are," says Ed Macnair, CEO at CensorNet, who continues: "phishing has got far more sophisticated over the years and there's been more of a focus on highly targeted attacks."
And that, right there, is the key. The days of blunderbuss grapeshot campaigns involving poorly written requests from Nigerian politicians wanting to transfer millions out of the country might not be over, but the most serious threat actors know that tightly focused research and reconnaissance pays off when combined with credible communications to the right people. Known as whaling, it's a highly successful threat technique." Full story at Forbes.
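Both incidents turn on a message that "had the appearance" of coming from a colleague. As an added, defender-side example that is not part of Winder's column or the Forbes piece, the script below shows the kind of mail-gateway triage that catches the cheapest versions of that trick: a colleague's display name on an external address, a domain that is a near-miss of the organisation's own, or a Reply-To that quietly redirects the conversation elsewhere. The organisation domain, the staff directory and the sample messages are all constructed for the example; nothing here is taken from the Wellcome Trust or Save the Children cases.

```python
"""Flag inbound mail that borrows a colleague's name but comes from elsewhere.

Added example, not from the Forbes piece. The domain, directory and
sample messages below are constructed; any real deployment would take
them from the directory service and the mail gateway instead.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.org"          # constructed: the organisation's own mail domain
DIRECTORY = {                       # constructed: names likely to be impersonated
    "Jane Doe": "jane.doe@example.org",
    "Sam Patel": "sam.patel@example.org",
}
LOOKALIKE_MAX_EDITS = 2             # how close a foreign domain must be to count as a lookalike


def _domain(addr: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise_name(name: str) -> str:
    """Collapse whitespace and case so 'jane  DOE' matches 'Jane Doe'."""
    return " ".join(name.split()).casefold()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domains are short, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return the reasons a message looks like colleague impersonation.

    `headers` maps lower-cased header names ('from', 'reply-to') to their
    raw values. An empty list means none of the three checks fired.
    """
    reasons: list[str] = []
    from_name, from_addr = parseaddr(headers.get("from", ""))
    from_dom = _domain(from_addr)
    directory = {_normalise_name(n): a.lower() for n, a in DIRECTORY.items()}
    name_key = _normalise_name(from_name)

    # 1. A known colleague's name on an address outside the organisation.
    if name_key in directory and from_dom != ORG_DOMAIN:
        shown = from_dom or "(none)"
        reasons.append(f"display name '{from_name}' belongs to a colleague "
                       f"but the sender domain is '{shown}'")

    # 2. A sender domain that is a typo-distance away from our own.
    if from_dom and from_dom != ORG_DOMAIN and \
            _edit_distance(from_dom, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS:
        reasons.append(f"sender domain '{from_dom}' is a near-miss of '{ORG_DOMAIN}'")

    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(headers.get("reply-to", ""))
    reply_dom = _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To goes to '{reply_dom}' rather than "
                       f"the sender's domain '{from_dom}'")
    return reasons


# Constructed sample messages: one genuine, three that should be flagged.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.org>"},
    {"from": "Jane Doe <jane.doe@webmail-free.example>"},
    {"from": "IT Helpdesk <helpdesk@examp1e.org>"},
    {"from": "Sam Patel <sam.patel@example.org>",
     "reply-to": "Sam Patel <s.patel@mailbox-free.example>"},
]


def triage(messages: list[dict[str, str]]) -> list[tuple[int, list[str]]]:
    """Run the checks over a batch and return (index, reasons) for flagged mail."""
    return [(i, r) for i, m in enumerate(messages) if (r := check_headers(m))]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_MESSAGES):
        print(f"message {idx}: {SAMPLE_MESSAGES[idx]['from']}")
        for reason in reasons:
            print(f"  - {reason}")
```

None of these checks replaces DMARC alignment or a second channel for approving invoices and password prompts; they are the cheap, deterministic signals a gateway can raise before a human has to judge whether "the appearance of coming from a colleague" is genuine.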