Humans are always the weakest part of security. But the interesting part is that the hacker is willing to search an employee's personal email (rather than work email), where people usually don't take precautions, or open it from a personal PC which contains all their important files.
......
That personal email part got my attention too, and yes, it's likely for employees to be less cautious when opening mail. Maybe they think it's more private and more secure.
Spear phishing has been getting worse because people are getting cheaper and not investing in proper IT security.
If I am an employee at Yogee Exchange and I get an email from my boss ETFbitcoin, one of two things should happen:
1) There is an indication that it came from a local account.
2) An indication that it did not, and that I should be careful.
Either one works, but if you do not have your corporate email server set up to do that, then you do not have even a basic IT security policy in place.
If the hackers managed to get into the mail server to actually authenticate and send as ETFbitcoin, then you are already in deep trouble.
-Dave
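An illustration of the check Dave describes, added here as an example and not code from the thread or from any exchange: an inbound gateway classifies a raw message as internal or external from the From domain and from the gateway's own Authentication-Results (SPF/DKIM) header, then tags the subject so the recipient sees at a glance whether "the boss" really sent it. The company domain yogee.example, the authserv-id mx.yogee.example and the three sample messages are constructed assumptions.

```python
"""External-sender tagging for an inbound mail gateway (added example).

Assumptions (not from the thread): the corporate domain is yogee.example and
the gateway records SPF/DKIM results in an Authentication-Results header whose
authserv-id is mx.yogee.example. Any other Authentication-Results header could
have been forged by the sender and is ignored.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "yogee.example"   # assumed corporate domain
AUTHSERV_ID = "mx.yogee.example"    # assumed trusted authserv-id


def _domain(header_value):
    """Domain part of the first address in a From/Reply-To header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from the trusted
    Authentication-Results header only; headers stamped by other hosts are skipped."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != AUTHSERV_ID:
            continue  # not ours: possibly forged upstream
        for clause in parts[1:]:
            token = clause.split()[0] if clause else ""
            if "=" in token:
                method, result = token.split("=", 1)
                results[method.lower()] = result.lower()
    return results


def classify(raw):
    """Return ('INTERNAL', []) or ('EXTERNAL', [reasons]) for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    auth = _auth_results(msg)
    reasons = []
    if from_domain != INTERNAL_DOMAIN:
        reasons.append("from-domain-external")
    elif auth.get("dkim") != "pass" and auth.get("spf") != "pass":
        # Claims to be internal but our own gateway could not authenticate it.
        reasons.append("internal-domain-unauthenticated")
    if reply_domain != from_domain:
        reasons.append("reply-to-mismatch")  # replies would go somewhere else
    return ("INTERNAL" if not reasons else "EXTERNAL"), reasons


def tag_subject(raw):
    """Subject line as the gateway would deliver it."""
    verdict, _ = classify(raw)
    subject = str(email.message_from_string(raw, policy=policy.default)["Subject"] or "")
    return subject if verdict == "INTERNAL" else f"[EXTERNAL] {subject}"


# Constructed sample messages (not real mail).
GENUINE = """From: ETFbitcoin <etfbitcoin@yogee.example>
To: employee@yogee.example
Subject: Please review the attached report
Authentication-Results: mx.yogee.example; dkim=pass header.d=yogee.example; spf=pass smtp.mailfrom=yogee.example

Hi, please review.
"""

LOOKALIKE = """From: ETFbitcoin <etfbitcoin@yogee-exchange.example>
To: employee@yogee.example
Subject: Please review the attached report
Authentication-Results: mx.yogee.example; dkim=pass header.d=yogee-exchange.example; spf=pass smtp.mailfrom=yogee-exchange.example

Hi, please review.
"""

SPOOFED = """From: ETFbitcoin <etfbitcoin@yogee.example>
Reply-To: etfbitcoin@mail-forward.example
To: employee@yogee.example
Subject: Urgent: wire transfer
Authentication-Results: mx.yogee.example; spf=fail smtp.mailfrom=yogee.example; dkim=none
Authentication-Results: attacker.example; dkim=pass header.d=yogee.example

Wire the money.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)):
        print(name, classify(raw), "->", tag_subject(raw))
```

The lookalike message carries a valid DKIM signature for the attacker's own domain, which is why the check compares the From domain against the corporate domain instead of trusting any "pass". The spoofed message shows the other trap: it includes a second Authentication-Results header stamped by attacker.example claiming dkim=pass, and the code ignores it because only the gateway's own authserv-id is trusted. Real gateways implement the same idea with a DMARC policy plus an external-sender rule; this block just makes the decision visible.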
It is hard to believe, and I personally doubt, that crypto exchanges wouldn't invest in proper security, but that seems to be the case. For sure they have the funds, but maybe they're trying to save up for more profits at the expense of user funds.
I agree that employees and executives need to be educated, and it doesn't take a lot to brief them every now and then. Most companies will avert these kinds of attacks if they are well informed and apply what they were taught.
I heard of the SIM port attack before, but this is the first time I've read a personal testimony of a victim.
Social engineering is by far the most used method, because normally the weakest point of a system is the person employed by the company who has no knowledge of social engineering attempts. Usually they are somewhat low qualified and low wage, whereas if the attackers wanted to hack into the system in a sophisticated way they would likely be dealing with cyber security experts who are on a lot of money and therefore put more effort into their work. For example, a lowly paid, and therefore lowly motivated, employee with decent access to the backend usually isn't going to be as motivated to protect against these types of attacks.
Accessing accounts of lower-tier employees is probably where it started in all the hacking cases stated in the article. It's also true that the levels of security awareness are different.
Exchanges and their employees are going to be a high-value target for these scammers and cyber-criminals. That's why it is very important that these people understand how those criminals work and how it can be prevented, by educating them on good security hygiene. Attacks come from different directions, but I think one of the best practices is not to click anything in their email, especially from unknown sources with URL shorteners, or emails with attachments. This should be practiced not just by mid-tier employees; it should start from top management as well.
Spot on. Unfortunately, most of these guys do not verify first whether the file they got is legitimate. It's unlikely they will even question their boss or superior about whether it really came from them, out of fear.
......
Not only are employees and their executives careless, but they also don't have enough knowledge and don't put enough resources into developing better and higher security standards.
......
More savings and profit over security. Priorities.
It's the oldest tactic in the phishing book and it continues to work to this day. My cousin's company just lost a huge amount of money last week too, and guess why? Their boss requested that their HR make a payment on a supplier invoice, but he didn't realize the sender was fake. They had been spying on his email for a long time and found out a huge supplier was supposed to bill them, so they did just that: pretended to be the supplier, and boom.
If the boss himself is unable to verify whether the supplier is legit, then the company is in big trouble. This is not the first time I have heard of such cases.
It's not related to the topic, but is HR the Human Resources department? If that's the case, I am curious as to why the owner would ask HR instead of the company accountant, who is likely more knowledgeable and more cautious when it comes to releasing payments.