There is a common thread running through why the bulk of cyberattacks launched against businesses and the general public succeed even though they are neither new nor particularly inventive.
The glue that holds these attacks together is a combination of sticking with what works, however dumb or outdated the attack is, and laziness: laziness on the criminal's part, though in some cases the victim had to go out of his or her way to let the attack succeed.
Malwarebytes researcher William Tsing recently put together a list titled “The top 5 dumbest cyberthreats that work anyway” that does a great job of explaining how and why really dumb, easily recognized cyberattacks still manage to succeed. In each case the attack type is listed, followed by Tsing's solution.
1. The Browser Locker – AKA the Fake Blue Screen of Death. This easily mitigated and long-running scam uses what Tsing described as entry-level code to simulate a computer having a nervous breakdown, and it relies on the end user's lack of knowledge about what is actually taking place. Such scams have caused hundreds of millions of dollars in damage when the victim follows the on-screen advice and calls the “tech support” number to have their computer fixed.
2. DDoS Extortion – Distributed Denial of Service (DDoS) attacks are all too real, as anyone hit by the Mirai botnet last fall can attest. However, real DDoS attacks have a not-so-dangerous cousin that truly highlights the laziness factor. Even though DDoS bots can be bought, in a DDoS extortion attack the criminal does not bother to spend any money and instead simply emails a company threatening it with such an attack, Tsing said. The blackmail demand is usually kept low to entice the company into paying upfront in order to forestall the attack.
Solution: “Given that the ransom in question has tended to be relatively low, companies in industries requiring continuous uptime have sometimes shrugged their shoulders and paid. If this happens to you, talk to your service provider to work out mitigations; don't talk to the attacker.”
3. SQL Injection – Like a DDoS attack, a SQL injection is no laughing matter, but what is a bit of a joke is that the attack methodology is almost 20 years old and has been well covered by the Open Web Application Security Project (OWASP), so any cybersecurity person on staff should be well versed in how to defend against these attacks.
Solution: Even OWASP's own SQL injection prevention guidance admits that anyone successfully attacked should be embarrassed. “It's somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code,” the group noted before offering up solutions.
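To show how simple the fix OWASP refers to really is, here is an added example (not code from the article, Malwarebytes or OWASP): a user lookup built by string concatenation beside the same lookup as a parameterized query, run against a constructed in-memory SQLite table. The crafted input is the textbook tautology that OWASP's own guidance uses to illustrate the problem.

```python
# Added example: string-built SQL beside its parameterized replacement.
# The database, table and sample rows are constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is pasted into the SQL text, so any quote
    in it becomes part of the statement's grammar instead of the value."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a bound parameter is passed to the driver separately
    from the statement, so the input is always compared as a literal string."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with a crafted one."""
    conn = make_db()
    # Constructed input that closes the quoted literal and appends a tautology.
    crafted = "x' OR '1'='1"
    return {
        "benign_vulnerable": find_user_vulnerable(conn, "alice"),
        "benign_safe": find_user_safe(conn, "alice"),
        "crafted_vulnerable": find_user_vulnerable(conn, crafted),  # every row leaks
        "crafted_safe": find_user_safe(conn, crafted),              # no such user
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns all three rows for the crafted input, while the parameterized lookup returns none, because no user is literally named `x' OR '1'='1`.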
4. Business Email Compromise – The attack isn't necessarily dumb; it wisely plays on employees' fear of displeasing their boss, no matter how dumb the supposed request might be. Like: send me all 53,000 corporate employee W-2 forms. Really? In what world does that make any sense? But nobody wants to tick off their boss, so the spearphishing emails work. Tsing noted it works so well that it has cost U.S. businesses more than $960 million in the last four years.
Solution: “There is a reasonably simple mitigation against business email compromise: if you are a boss, don't be a jerk. Environments, where individual contributors are comfortable asking the boss for clarification if they give an unusual order, stand a much better chance of defending against this attack.”
5. Macro Malware – Blame for falling for this attack lands squarely on the victim. Microsoft once had macros set to run as soon as a document was opened, and after a long string of attacks that practice was halted, so cybercriminals had to come up with a new way to keep this attack vector viable. They found that by asking nicely, most people will happily enable their macros, allowing all kinds of malware to be loaded onto their computer.
Solution: “The defense against macro malware is to not enable macros, no matter how politely an attacker asks. More broadly, a collaborative document editing environment that eliminates the need to pass files around the office can defend against a wide variety of malicious attachments.”