Have Your Employees’ Accounts Been Compromised? Part 1

Jul 22, 2024

It is an unfortunate reality that business accounts and systems are compromised all the time. This article aims to help you understand how that can happen, and what SMB owners and operators can do about it.

Attackers are primarily motivated by profit: stolen data can be sold, and stolen access can be used to move money or extort a ransom. The rise of cryptocurrency has made that profit easier to collect anonymously, which draws more attackers into the business, and more attackers mean more successful attacks.

With that basic understanding of the problem and the motivation behind it, this series of articles will look at some common tools and techniques hackers use to “make” money. Along the way we will suggest tools and techniques you can employ to counter them.

Attack #1: Use the front door

One of the easiest ways into a system is through the front door: a valid username and password. An attack known as “credential stuffing” does exactly that, replaying username and password pairs leaked from one site against the login pages of other sites in the hope that people reused them. Here is a rundown of how it could be carried out against “Susan”, a fictional member of your staff, by “Harry” the hacker.

Harry obtains a list of email addresses and passwords from a recent data breach of a vendor’s website that your company uses to order materials. In that list is Susan’s company email address ([email protected]) along with the password (MakenMoreMoney) she uses to log into that vendor’s website.

Harry feeds the list to an automated script that, for each entry, works out the email service behind the address’s domain and tries the leaked password against it. Each account is tried only once or twice, so the attempts stay well under the lockout thresholds that would catch a brute-force attack. The script succeeds on Susan’s inbox because she uses the same password for her company email that she uses to place orders on the vendor’s website.

Next Harry takes a look around Susan’s inbox. He finds that she keeps it very tidy, including an “Archives” folder with emails that go back 10 years. He is able to determine that Susan has access to the company’s online banking system, a customer relationship management system (CRM), and an online file sharing system. He is also able to view her contacts including titles, phone numbers and email addresses. What a treasure trove of information.

From bad to worse

Let’s take a moment to imagine how Harry could abuse his access to Susan’s inbox. Since Harry already knows that Susan reused her password at least once, he tries it on other interesting websites she has received emails from. It works on quite a few of them, but not on the banking site. No problem: Harry uses information in her inbox to determine when Susan is typically not working and, during those off hours, submits the banking site’s password reset form. He opens the reset email that lands in Susan’s inbox, follows the link, sets a new banking password, and then deletes the message to hide his tracks. He logs into the bank and notes account numbers and balances. Control of the inbox is what made this possible: almost every online service treats the mailbox as proof of identity when it sends a reset link.

You can see where this is going, and I hope you can also empathize with Susan’s situation. A single individual in a small business can wear a lot of hats and end up with access to a lot of different systems. Employees often archive emails instead of deleting them so that there is a paper trail to go back to. Password reuse is very common, and for understandable reasons: it is convenient to use the same password everywhere, and it can even feel safer than risking losing access to an important website because you forgot its password. So instead of blaming Susan, let’s see what could be done better.

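Before moving on to the fixes, here is the defender’s view of Harry’s script. This is an added example, not code from the original post: a simplified authentication log (the format, names and IP addresses are constructed for the illustration; real mail or identity-provider logs differ but carry the same fields) and the detection logic that separates a stuffing run from ordinary failed logins. The telltale shape is one source failing against many different accounts with only one or two tries each, the opposite of a brute-force attack on a single account, followed by a success from that same source.

```python
"""Detect a credential-stuffing run in authentication logs.

Added example; the simplified log format (timestamp, result, user, source IP)
and every address in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample. One source (203.0.113.7) tries many different accounts,
# once each, and gets into susan's mailbox. A second source (198.51.100.3) is
# a normal user mistyping their own password twice before getting in.
SAMPLE_LOG = """\
2024-07-22T02:14:01Z FAIL user=alice@example.com ip=203.0.113.7
2024-07-22T02:14:02Z FAIL user=bob@example.com ip=203.0.113.7
2024-07-22T02:14:03Z FAIL user=carol@example.com ip=203.0.113.7
2024-07-22T02:14:04Z FAIL user=dave@example.com ip=203.0.113.7
2024-07-22T02:14:05Z FAIL user=erin@example.com ip=203.0.113.7
2024-07-22T02:14:06Z OK   user=susan@example.com ip=203.0.113.7
2024-07-22T09:01:10Z FAIL user=frank@example.com ip=198.51.100.3
2024-07-22T09:01:14Z FAIL user=frank@example.com ip=198.51.100.3
2024-07-22T09:01:20Z OK   user=frank@example.com ip=198.51.100.3
2024-07-22T09:30:00Z OK   user=susan@example.com ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match
    the expected format are skipped rather than crashing the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["result"], m["user"].lower(), m["ip"]))
    return events


def stuffing_sources(events, min_accounts=5, max_tries_per_account=2):
    """Source IPs whose failures are spread thinly across many accounts.

    Brute force hammers one account from one source; a forgetful user fails a
    few times on their own account. Stuffing looks different: one or two tries
    (the leaked password) against each of many accounts, which also keeps every
    account below the lockout threshold."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for _ts, result, user, ip in events:
        if result == "FAIL":
            fails[ip][user] += 1
    return {
        ip
        for ip, per_user in fails.items()
        if len(per_user) >= min_accounts
        and max(per_user.values()) <= max_tries_per_account
    }


def successes_from(events, flagged_ips):
    """(user, ip) pairs that logged in from a flagged source. These are the
    accounts whose reused password was in the leaked list: reset them and
    revoke their sessions rather than just blocking the IP."""
    return sorted(
        {(user, ip) for _ts, result, user, ip in events
         if result == "OK" and ip in flagged_ips}
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = stuffing_sources(events)
    print("stuffing sources:", sorted(flagged))
    for user, ip in successes_from(events, flagged):
        print(f"compromised: {user} (logged in from {ip})")
```

Run against the sample, the script flags 203.0.113.7 and reports susan@example.com as the account that let it in; frank’s two typos from 198.51.100.3 are left alone because they touch a single account. The thresholds are the knobs to tune: attackers who know about this kind of rule spread their attempts across many IPs, so a real deployment would also aggregate by network range or by time window.
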
Tips and takeaways

It was neither a software vulnerability nor malware that got Harry into Susan’s email account, but password reuse. And since you typically can’t control the password an employee chooses when signing up for an online service, the next best thing is to provide training and tools that encourage safer practices. Consider the following:

  • Have them use a password manager, and have it generate a different random password for every site. That alone breaks credential stuffing, because a password leaked from one vendor no longer opens anything else. There are plenty of free and paid options. Free options are often just fine for personal use, but for business use choose a plan (Bitwarden’s business tiers, for example) that lets an administrator deactivate a departing employee’s account and require two-factor authentication (2FA) on the manager itself.
  • Sign up for data breach notifications that relate to your business’ email addresses. There are many paid options, but a great free option is “Domain Search” by Have I Been Pwned, which alerts you when any address at a domain you have verified ownership of appears in a newly loaded breach. These notifications give you the chance to find out that an employee’s account may be compromised, or at risk of being compromised, and respond accordingly: have the password changed on the breached site and on any other account where it might have been reused, and sign the account out of its existing sessions.
  • Look into requiring or enabling 2FA to access critical services like company email and online banking. 2FA would have stopped Harry even with Susan’s correct password. Since a company email account is the recovery channel for almost every other service (it is where the password reset links go), being extra careful with it is worth the effort. An authenticator app or hardware security key is a stronger second factor than codes sent by text message.
  • Provide basic cybersecurity training to employees. Start simple and keep improving. Share these 10 tips from StaySafeOnline.org.
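
The same service behind Domain Search also publishes Pwned Passwords, an API for asking whether a specific password has already appeared in a breach, which complements the breach notifications above when auditing passwords or deciding whether a proposed one is acceptable. The following is an added example, not code from the original post or from Have I Been Pwned. It uses the API’s k-anonymity design: only the first five characters of the password’s SHA-1 hash are sent, the server returns every breached hash suffix in that range, and the match is done locally, so the password itself never leaves your machine. `http_fetch_range` shows the live call; `constructed_fetcher` and the counts in its table are made up so the demo runs offline.

```python
"""Check whether a password appears in a public breach corpus without sending
the password anywhere.

Added example; the Pwned Passwords range API is real, but the table handed to
constructed_fetcher below is made up so the demo runs offline.
"""
import hashlib
from urllib.request import Request, urlopen

# The k-anonymity range endpoint: only the first 5 hex chars of the SHA-1 hash
# leave your machine; the server returns every known suffix in that range.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def http_fetch_range(prefix):
    """Fetch one range from the live service (needs network access)."""
    req = Request(RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "pwned-passwords-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Turn 'SUFFIX:COUNT' lines into a dict; ignore anything malformed."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=http_fetch_range):
    """Number of times the password was seen in breaches (0 = not found).

    The comparison of the remaining 35 hex characters happens locally, so the
    service never learns which hash in the range you cared about."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def constructed_fetcher(breached):
    """A stand-in for http_fetch_range that answers from a constructed table
    (password -> count), so the example runs offline."""
    table = {}
    for pw, count in breached.items():
        d = sha1_hex(pw)
        table.setdefault(d[:5], []).append(f"{d[5:]}:{count}")

    def fetch(prefix):
        # Real responses carry hundreds of unrelated suffixes; the decoy makes
        # sure the client matches on the suffix, not merely on a non-empty range.
        return "\r\n".join(table.get(prefix, []) + ["0" * 35 + ":1"])

    return fetch


if __name__ == "__main__":
    # Susan's reused password from the story, in a constructed breach table.
    fake = constructed_fetcher({"MakenMoreMoney": 3, "Summer2024!": 410})
    for pw in ["MakenMoreMoney", "a-long-random-passphrase-nobody-else-has"]:
        n = breach_count(pw, fake)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not found'}")
```

Swap `fake` for the default `http_fetch_range` to query the real service. Whatever tool you use for this kind of check, the rule to insist on is the one the code demonstrates: a plaintext password should never be sent to a third party just to find out whether it has leaked.
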
That covers Attack #1 in a new series of posts. Keep an eye out for the next article in the series.