On Location: Jim Stickley Scares the Bejesus Out of Corelation Attendees
By John San Filippo
Cybersecurity expert Jim Stickley, cofounder and namesake of education company Stickley on Security, is a long-time fixture on the credit union tech conference speaking circuit. His presentations always address the very latest security threats. Yet, the format he follows has been very consistent over the years.
First, Stickley describes the threat he’ll be focused on during the presentation. Then with frightening ease, he shows how simple it really is to perpetrate these cyber scams. Finally, he pulls the audience back from their horror by offering commonsense tips on how to prevent such events.
However, when he presented this week at the 2021 Corelation client conference, he strayed from this format in one terrifying aspect. Yes, he explained the threat of ransomware as well as it’s ever been explained to a credit union audience. And yes, he showed the audience just how easy these exploits are to deploy. Unfortunately, he made it clear to the audience that he would not be offering any reassuring words at the end of the presentation. His message: You can seemingly do everything right and still get hit. The only way to make sure you don’t is to stay off the Internet.
“I’m going to give you no hope today,” he told the audience.
According to Stickley, ransomware is rarely a targeted attack. “About 99% of the time, it’s just bad luck,” he told the audience. Because there is no particular target to defend and no specific attacker to anticipate, this makes it much more difficult to mitigate.
Stickley walked the audience through an example of an employee who decides to visit The New York Times website. This employee then decides to click on a banner ad that’s on some news article they’re reading. The thinking is that since it’s the NYT website, all of the content on the site must be safe. Not necessarily.
Stickley pointed out that none of these ads are actually vetted by the NYT. Instead, they’re managed by a third-party ad aggregator that may or may not be as diligent in vetting its advertisers as it should be.
He then introduced the audience to the word malvertising, which he characterized as a “dumb” word. “Everyone in the audience is now a little dumber for having heard that word,” he said. Yet, it accurately describes the situation presented here: malware spread via advertising.
Stickley explained that malicious advertisers will often start by running “legitimate” ads for actual companies, directing those who click through to that company’s real website. Then, once the ad has been approved and is running, the scammers redirect the ad to a cloned version of the company website that’s loaded with malicious code.
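The bait-and-switch Stickley describes only works because the landing page is vetted once, at approval, and never re-checked. The following is an added example (not code from the talk or from Stickley on Security) of the re-verification check an ad network, or a security team auditing its own ad placements, would want: follow the click-through redirect chain and confirm the final page is still under the approved advertiser’s domain. The redirect hops are a constructed in-memory table standing in for real HTTP 30x responses, and every domain shown is hypothetical, so the check runs offline.

```python
"""Re-verify an approved ad's click-through destination.

Added example, not the speaker's or any ad network's code. The REDIRECTS
table below is constructed to stand in for live HTTP redirects: one ad still
lands on the advertiser, one has been switched to a look-alike host, and one
loops forever. All domains are hypothetical (.test TLD).
"""
from urllib.parse import urlsplit

# Constructed redirect table: each key "redirects" to its value.
REDIRECTS = {
    # Ad 4471: still points at the advertiser's real site (approved at onboarding).
    "https://ads.example-network.test/click?id=4471":
        "https://track.example-network.test/r/4471",
    "https://track.example-network.test/r/4471":
        "https://www.example-bank.test/offer",
    # Ad 9902: switched after approval to a cloned site on a look-alike host.
    "https://ads.example-network.test/click?id=9902":
        "https://track.example-network.test/r/9902",
    "https://track.example-network.test/r/9902":
        "https://www.example-bank.test.secure-login.test/offer",
    # Ad 1013: redirect loop (a broken or evasive chain).
    "https://ads.example-network.test/click?id=1013":
        "https://ads.example-network.test/click?id=1013",
}

MAX_HOPS = 5


def follow_redirects(start_url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return the URLs visited, starting with start_url.

    Stops at the first URL that does not redirect, or after max_hops hops.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None:
            break
        chain.append(nxt)
        url = nxt
    return chain


def host_matches(hostname, approved_domain):
    """True only if hostname is approved_domain itself or a subdomain of it.

    A look-alike such as 'example-bank.test.attacker.test' must NOT match
    'example-bank.test', which is why a plain substring test is not used.
    """
    hostname = hostname.lower().rstrip(".")
    approved_domain = approved_domain.lower().rstrip(".")
    return hostname == approved_domain or hostname.endswith("." + approved_domain)


def verify_ad(click_url, approved_domain, redirects=REDIRECTS):
    """Return (ok, reason, chain) for one ad's click-through URL."""
    chain = follow_redirects(click_url, redirects)
    final = chain[-1]
    if redirects.get(final) is not None:
        return False, "redirect chain did not terminate within %d hops" % MAX_HOPS, chain
    parts = urlsplit(final)
    if parts.scheme != "https":
        return False, "final landing page is not https", chain
    if not host_matches(parts.hostname or "", approved_domain):
        return (False,
                "final host %r is not under approved domain %r" % (parts.hostname, approved_domain),
                chain)
    return True, "ok", chain


if __name__ == "__main__":
    for ad in ("4471", "9902", "1013"):
        ok, reason, chain = verify_ad(
            "https://ads.example-network.test/click?id=" + ad, "example-bank.test")
        print(ad, "PASS" if ok else "FAIL", reason, "via", " -> ".join(chain))
```

In production the constructed table would be replaced by real requests with redirects disabled, following `Location` headers hop by hop, and the check would run on a schedule (and from several geographies and user agents, since malvertising chains commonly serve the clean page to anything that looks like a scanner).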
He then moved on to an example of the same employee reading an article on the FDIC website and deciding to send the URL to a colleague via email. The colleague then opens the email and clicks the link to the article on the FDIC website. What could go wrong? Apparently, plenty.
At this point, Stickley described what he called email man-in-the-middle attacks. With this sort of attack, malware running on the sender’s machine can manipulate and alter an employee’s outgoing email. In this scenario, the first employee’s computer was already infected. Then, behind the scenes, the malware modified the link in the email before it was sent, so the second employee, clicking what looked like an FDIC link, landed on a malicious site and was infected, too. Stickley added that the same type of malware can also tamper with legitimate email attachments sent from one employee to another.
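When mail clients auto-link a pasted URL, the visible text and the `href` start out identical; the cheap version of the link rewriting Stickley describes changes only the `href`, leaving the displayed URL untouched. The following added example (not code from the talk) shows the check a mail gateway or a suspicious recipient can run on an HTML message: collect every anchor, and flag those whose visible text is itself a URL pointing at a different host than the link actually goes to. The two message bodies and the `fdic-gov.test` look-alike domain are constructed for the example.

```python
"""Flag HTML email links whose visible URL disagrees with their real target.

Added example, not the speaker's code. ORIGINAL_MAIL and TAMPERED_MAIL are
constructed message bodies; "www.fdic-gov.test" is a hypothetical look-alike
host standing in for an attacker-controlled clone of the page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the message as the sender wrote it (client auto-linked the pasted URL).
ORIGINAL_MAIL = (
    '<p>Worth reading: '
    '<a href="https://www.fdic.gov/resources/">https://www.fdic.gov/resources/</a></p>'
)

# Constructed: the same message after malware on the sender's machine rewrote the href
# but left the visible text alone. The second link is an ordinary named link.
TAMPERED_MAIL = (
    '<p>Worth reading: '
    '<a href="https://www.fdic-gov.test/resources/">https://www.fdic.gov/resources/</a>'
    ' and <a href="https://intranet.example.test/">our intranet</a></p>'
)

# Visible text that "looks like a URL": optional scheme, then a dotted hostname.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; scheme-less text like 'www.fdic.gov/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return a list of {'shown': text, 'actual': href} for deceptive anchors."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.match(text):
            continue  # visible text is not a URL, so there is nothing to compare
        if host_of(text) != host_of(href):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    print("original:", find_mismatched_links(ORIGINAL_MAIL))
    print("tampered:", find_mismatched_links(TAMPERED_MAIL))
```

The caveat matters: this only catches a rewrite that leaves the displayed URL intact. Malware that rewrites both the text and the target, or that edits a plain-text message, leaves nothing for the recipient to compare, which is exactly why Stickley offers no reassurance here. The remaining defences are on the mail path rather than in the message: gateway link rewriting with click-time reputation checks, and allowlisting the domains internal mail may link to.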
Stickley then went on to explain how malware can alter a desktop computer’s HOSTS file, which the operating system consults before asking DNS, so that entering a legitimate URL in your browser silently takes you to some other, malicious site.
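Because the HOSTS file is a plain text file with a fixed format, the tampering Stickley describes is easy to audit for. The following is an added example (not code from the talk) of that audit: parse the file, ignore loopback entries, and report every hostname pinned to an address that is not on a documented baseline of sanctioned entries. The sample file contents and the baseline are constructed; `online.example-cu.test` and `build.internal.example.test` are hypothetical names.

```python
"""Audit a HOSTS file for hostnames pinned to unexpected addresses.

Added example, not the speaker's code. SAMPLE_HOSTS is a constructed file as
malware might leave it: two public names (one of them fdic.gov, from the
talk's scenario) and a hypothetical credit union site all pinned to the same
TEST-NET address. EXPECTED is a constructed baseline of sanctioned entries.
"""
import ipaddress

# Where the file lives; pass its contents to audit_hosts() on a real machine.
HOSTS_PATH_WINDOWS = r"C:\Windows\System32\drivers\etc\hosts"
HOSTS_PATH_UNIX = "/etc/hosts"

# Constructed hosts file contents.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.fdic.gov fdic.gov
192.0.2.44      online.example-cu.test
10.0.0.5        build.internal.example.test   # documented internal entry
"""

# Constructed baseline: hostname -> the one address it is allowed to map to.
EXPECTED = {"build.internal.example.test": "10.0.0.5"}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in the file.

    Comments (# ...) and blank lines are skipped; one address line may name
    several hosts, and each is returned separately.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter audit would report this too
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, expected=EXPECTED):
    """Return findings for mappings that are neither loopback nor on the baseline."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 entries are the normal contents
        if expected.get(name) == str(addr):
            continue  # sanctioned entry
        findings.append({
            "line": lineno,
            "name": name,
            "addr": str(addr),
            "reason": "hostname pinned to an address not on the baseline",
        })
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(name)s -> %(addr)s (%(reason)s)" % f)
```

On Windows the file sits under `System32` and writing it requires administrator rights, so a modified HOSTS file is also evidence that the malware already had elevated privileges; the audit tells you the resolution is wrong, but the host should be treated as compromised rather than simply cleaned up.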
In the end, Stickley predicted a day when everything moves to a “zero trust” environment where each device is configured to access only the services it needs and nothing more, and different functions within organizations operate on totally discrete networks.