The Register
In association with NZI

The anatomy of a cyber attack

Have you ever wondered how susceptible your business is to a cyber attack? Find out what happened when a small beauty business owner named Paige arranged for a cyber security professional to stage an attack on her business.

August 16, 2017 | News

The business

Running a business isn’t always easy. In a competitive environment such as retail, day-to-day operations can be very demanding, and as more processes become digitised, threats of cyber attacks and network breaches have sprung up alongside the traditional risks of fire safety and physical security.

Even a simple business can become a target for cyber criminals. Small, medium and large enterprises can all possess customer data, bank account details, and other business assets that can be vulnerable to a cyber attack.

Paige’s business specialises in providing beauty treatments and has a loyal customer base. Although some customers pay in cash, most use internet banking to transfer funds straight into her business account.

Clients book appointments through an online booking system and she typically gets around 20 bookings a day. A scheduling app tells staff who they have booked in and when. A breach to her computer system could mean loss of oversight of customer bookings and sensitive customer data being compromised, resulting in not just lost revenue but also potential damage to her business reputation.

A cyber security professional by the name of Jason was engaged to attempt to breach Paige’s business’s digital assets. He was given one week to see how much business disruption he could cause. Jason was to proceed like any other cyber criminal to see what damage he could wreak, although it was agreed that any data and personal information stolen would be returned.

Prior to this experiment taking place, a reputable and popular antivirus programme was installed, some highly recommended password protection was put in place and all software updates were carried out.

The cyber attack

On the first day of the attack, Paige noticed that her business emails had been opened. Although it would have been easy to dismiss this, it is important to note that business emails are often the first target of a cyber criminal as they often contain customer and business information.

On the second day, she received an email that appeared to be sent by PayPal, informing her that someone in India had breached her business account and had successfully taken money out of it. The email requested she supply her business details in order to cancel the transaction.

This type of attack is often referred to as a phishing attack. It happens when a cyber criminal creates a website and email that mimics a legitimate website with the aim of tricking the victim into disclosing their details.

On the third day, a second phishing email was sent to Paige taking her to a well-designed but fictitious OneCard site which attempted to trick her into submitting her email and password. Behind the scenes, this gave Jason access to her business postal address, work Visa and Supermarket OneCard which are all registered under her business address.

By reading her emails, Jason could see that she had made a customer services request to Vodafone. Using this to his advantage, he had one of his colleagues call her to gain her Vodafone login details. Jason later informed Paige that he could in fact have transferred her savings to a different account, or purchased anything under her name once he did this.

Saving your credit card details to sites, even if it makes things quicker and more convenient for you, compromises your security. Once someone has your login, Jason informed Paige, it’s only a matter of going through the retail sites you frequent to see which site has saved your entire credit card number.

On day four of the cyber attack, Paige woke to find she had been locked out of her business’s website server and WordPress accounts, where all of her customer data was stored. She was unable to cancel or book appointments and could not access her clients’ data. She realised her customer data had been compromised, along with employee details which were also held on the server.

Although it is not yet mandatory to notify customers in New Zealand if customer data has been lost, it is in Australia and it is likely New Zealand will one day follow suit. Losing customer data can severely compromise your business reputation and brand.

Paige received a call on the fifth day from her bank alerting her to a possible breach attempt which had been repelled by the bank, but on the sixth day, she was the target of a successful breach.

A man called and identified himself as a representative of Vodafone, requesting she confirm her address and Vodafone login details in connection with an inquiry she had made to have fibre broadband connected. After the phone call ended and she had given out her address, it occurred to her that the number wasn’t Vodafone’s and her account may have been breached.

In reality, Jason now had access to her Visa card number that had been saved in her Vodafone account.

Paige was forced to cancel her Visa card, which caused her even more inconvenience. She had to contact her stock supplier, who received automatic payments from her card, to let them know what had happened, and she also had to order a new card.

By day seven, Jason had also managed to gain access to Paige’s laptop through a hidden PDF file that was encrypted to open on her device. As soon as she opened the blank email, a malware programme installed itself onto her device.

This malware was powerful enough to shut down her entire system operations, including her business’s social media platforms and website. Jason was now able to deface her website or post any information on it that he wanted to and Paige was powerless to stop it. 

Assessing the damage

At the end of the week-long cyber attack, Jason had gained enough information to successfully log into Paige’s bank account, access her clients’ banking details, and cause a significant loss of brand reputation and customer trust.

Jason emailed Paige a folder full of PDFs displaying all the information he had managed to retrieve from her systems. It totalled 30 pages.

Among the details, the PDF contained an all-inclusive list of customer names, emails and phone numbers, and her appointment diary, which included every scheduled client for the next year. It also held the bank account details of many of her customers and photographs they’d emailed in relation to their appointments.

The PDF included Paige’s business’s bank account details, phone number, address and tax code, plus a startlingly complete dossier of information about her. Breaching her email accounts had proved the easiest, Jason later said. Email accounts are often the first target of cyber criminals, as access to them usually yields information which can then be used to further infiltrate a person’s security. Individuals often fail to have more than simple password security protecting their email accounts.

As a result of the cyber attack, Paige had to cancel her Visa card which would have caused significant disruption to her business as she relies heavily on stock coming in and out to service her clients. This hold up would have resulted in loss of business, letting clients down, and impacted heavily on her business reputation.

Different types of cyber attacks

One of the best lines of defence for your business is doing regular system backups. This can often be your only real recourse in the event of a ransomware attack. 

Your backups should be completely isolated from the main network, both physically (in the event of theft or fire) and electronically (in the event that a virus is transmitted from the main network to the backup).

Cyber risk type one: Ransomware

Ransomware is a type of malware designed to infect a user's system and encrypt the data. Cyber criminals then demand a ransom payment from the victim in exchange for decrypting the system's data.

This kind of malware has come under the spotlight due to global attacks by ransomware software named ‘WannaCry’ in May 2017 and ‘Petya’ in June. According to the European Union police agency, WannaCry affected more than 200,000 victims in at least 150 countries within its first day of activity.

What can be done if your business is targeted?

Cyber insurance can help cover the payment of a ransom; costs to restore that system without ransom payments; or costs associated with negotiating or mediating due to an extortion attempt.

If the business in this exercise were to have its customer data held for ransom, NZI Cyber Ultra Insurance could help cover those ransom payments as it is an extortion attempt.

Cyber risk type two: Phishing

‘Phishing’ is an attack designed to target individuals. In a phishing attack, a cyber criminal creates emails that appear to come from a credible source.

Phishing emails can cause a range of disruptions for businesses. If sensitive information such as customer data is lost it can force a business to halt operations until they rectify the situation.

What can be done if your business is targeted?

Cyber threats are a risk of doing business in today’s digital world. The financial losses can be significant and for many small businesses, the losses can be hard to sustain.

These attacks from third parties can result in fraud, extortion or theft of assets. Insurance plans such as NZI’s Cyber Ultra Insurance provide extensive coverage for your business and can assist with the clean-up and management of the breach’s aftermath.

Cyber insurance can also help customers with the process of restoring data lost as a result of a cyber attack and help cover their liability, as well as any other defence costs.

If an individual discovers a cyber breach, their first act should be to contact their insurance broker, or in NZI’s case, their 24/7 emergency hotline, which has a panel of experts on call to help mitigate the damage.

Cyber risk type three: Human error

A cyber breach doesn’t always have to come from a malicious third party; an employee can create just as much damage, whether through simple human error or malicious intent. This havoc could be caused deliberately, through social media postings or damage to a business’s computer systems, or unintentionally through human error, where an employee accidentally sends out private customer information or loses it.

What can be done if your business is targeted?

To avoid human error, businesses are encouraged to educate and talk about the risks with their employees. Data loss can include accidental damage to or destruction of the business’ computer records. Cyber insurance plans such as NZI’s Cyber Ultra Insurance help cover the costs of retrieving, repairing or replacing data, systems or hardware, as well as the cost of external IT consultants. This means that in a situation similar to my experiment, NZI would try to recover that lost data if the business owner was insured.

NZI Cyber Ultra Insurance provides businesses with access to a panel of cyber experts, anytime, anywhere. This means PR consultants would be on call for the business to help rectify any loss of brand reputation which happened as a result of stolen customer data.

If the human error results in an extortion attempt, NZI Cyber Ultra Insurance covers all reasonable and necessary legal fees, costs and expenses that they incur. If the cyber professional had held the customer data for ransom, NZI may pay that ransom.

NZI Cyber Ultra Insurance can also cover the loss of profits caused by business interruption. As the small enterprise I simulated was unable to trade for a four-day period after its accounts were locked, NZI would be able to cover the profit loss if the business was adequately insured.

Cyber risk type four: Malware

Viruses are the most common type of malware. They’re malicious programmes that can execute themselves and spread by infecting other programmes or files. Malware is difficult to combat as updates of certain codes are created to work with anti-virus software.

By opening a blank link in an email that carries self-installing malware, individuals can allow a malicious piece of software to install itself on their device. The software provides a backdoor through which an attacker can take control of the device and shut down the business’s entire system.

What can be done if your business is targeted?

With NZI Cyber Ultra Insurance, the small business would be protected against the loss of sensitive personal and corporate information caused by theft or altering of data, virus or malware, denial of service, and other losses of data from its systems.

As the malware was able to lock the owner out and prevent them from accessing sensitive data, as well as having the ability to shut down the systems completely, NZI Cyber Ultra Insurance could provide IT specialists to assist the owner in retrieving the accounts.

IT specialists can rid the device of viruses and add extra protection. This means the business would have better added security measures in the future.

NZI’s Cyber Ultra Insurance also helps cover businesses’ liability arising from these attacks and will also provide IT experts to find the issue and implement solutions.

Cyber risk type five: Denial of Service

A Denial of Service (DoS) attack is a hacking technique which can take down a site or server by flooding that site or server with copious traffic. The server is unable to process all the traffic in real time and crashes. DoS attacks can also be executed with malware, which can freeze and steal codes to a website.

In these kinds of attacks, cyber criminals often deploy computers that are exclusively tasked with attacking websites.

What can be done if your business is targeted?

Businesses are advised by their insurance provider not to admit liability in any circumstance, or to do or say anything that may prejudice their ability to defend the claim against the insured.

Rather, they are instructed to contact the provider immediately if the insured becomes aware of any event that is likely to give rise to a claim under their policy. The owner, in this case, should have contacted the insurance provider as soon as they noticed the breach, rather than leave it for four working days like the business did.

A cyber attack includes any malicious or unauthorised electronic attack, including phishing or a denial of service attack, initiated by any third party, that is designed to damage, destroy, or impair the functionality of the business’ computer systems or computer records.

If this business was insured with NZI, its cover would include a breach coach and legal and forensics experts who would work with the small enterprise to resolve cyber breaches with minimum impact to the business.

The IT specialists may have been able to retrieve the customer data that the owner was unable to access when the systems were breached. PR consultants would have helped to repair the reputational damage that the business faced after alerting customers to the loss of their data.

After a cyber event, your business may not be able to trade while the issue is resolved, resulting in loss of income and potential business. NZI Cyber Ultra Insurance provides business interruption protection to help cover a loss of revenue should your business be unable to operate for more than 12 hours due to a cyber attack or loss of service, and may pay for public relations professionals to help you minimise any resulting reputational damage.

​ ​
