The hack of AshleyMadison.com has been a wake-up call to many Americans that there's no such thing as a "safe" secret on the web -- but it should also be a wake-up call to another important group: the 28 million small businesses scattered across the U.S.
While the media's coverage of the AshleyMadison hack mostly centered around who was on the list of potential cheaters, a key point has been missed. After all, this wasn't your standard-variety data breach where hackers broke in and stole the data. In this case, there was a twist -- before going public with the user database, the hackers offered Avid Life Media, the company behind AshleyMadison, a choice: shut down your websites (including AshleyMadison.com and EstablishedMen.com) or pay the price.
In the security industry, this is what's known as "cyber-extortion," and it's becoming increasingly common throughout the business community. In fact, on July 31st the Federal Bureau of Investigation issued an alert to businesses after noticing a dramatic increase in cybercriminals' use of one specific type of extortion attack.
Any business, regardless of size, industry or customer base, can become a victim of cyber-extortion. This is a big growth industry for cybercriminals, as they can earn tens of thousands of dollars per month with a variety of schemes, all of which are becoming easier to do thanks to widespread hacking tools, "crimeware kits," online black hat services and shared knowledge in the hacking underground.
Here are seven ways small businesses could be extorted by hackers:
- DDoS - One of the most popular extortion scams among cybercriminals today is the distributed denial-of-service (DDoS) attack. This is when hackers flood a company's website with bogus network traffic in order to force it offline. The FBI specifically warned about this attack on businesses in its July alert and it's been documented in a few high-profile incidents in recent years, such as Code Spaces, which went out of business as a result. Security Tip: Consider signing up now with a DDoS protection service. This is often available through the Internet Service Provider as an additional service feature, as well as through cloud security firms specializing in robust protection, such as Akamai, CloudFlare and Arbor Networks.
- Data Dumps - As in the case of AshleyMadison, hackers may break into a company's network, steal sensitive records such as a customer list, credit card numbers, or other personally identifiable information (PII) and hold that data hostage to their demands. If the company fails to comply, the hackers "dump" the data on the "Dark Web" for criminals, or the public web for reporters. Security Tip: The best way to guard against this threat is by making sure all sensitive data is encrypted. Commercial encryption products are widely available, including pre-installed utilities in common operating systems (BitLocker for Windows and FileVault 2 for Mac). These products make it easy for anyone, regardless of technical expertise, to encrypt specific files and folders, entire hard drives, as well as email, WiFi connections and cloud-based accounts.
- Doxing - Another variation on the data dump is "doxing." However, instead of going after a large cache of sensitive records, this is a far more targeted and personal attack against one individual. Hackers will try to discover private or embarrassing information about this person (such as the business owner or CEO) and then threaten to release it to the public unless they're paid off. Security Tip: Consider doing an information audit to see what kind of information can be found using special queries in public search engines (known in hacker lingo as "dorking"), and find out if any sensitive company records are inadvertently linked to public-facing web servers.
- Encryption Malware and Wipers - Increasingly, hackers are using an insidious type of malware to bring companies to their knees: encryption Trojans (often referred to as "ransomware"), which lock up important files, and even the computer itself, until the victim pays a ransom -- usually one or two Bitcoins. (The current street value of one Bitcoin is $230.) The flip-side of encryption malware is destructive malware -- "wipers," which don't hijack data but simply erase it from the hard drive, and may even erase the boot-up process itself to render computers unusable. Security Tip: Conduct data backups as frequently as possible. This is the best way to protect your data. If possible, use a combination of external hard drives or mobile USBs as well as a cloud-based account (make sure to use encryption whenever storing in the cloud).
- Website Attacks and Defacement - SMBs usually lack rigorous website security and it can be trivially easy for a hacker to exploit these flaws in order to deface the site, shut it down, use it to launch spam or infect it with malicious code that will attack customers who visit the site. Not only will these attacks disrupt the business and hurt its relationship with customers, but they could also get the website blacklisted by online malware/spam detection sites (and thus from browsers, particularly Chrome), or potentially disabled by the Internet Service Provider or hosting provider. Security Tip: Talk to your web designer and make sure they checked the site against the OWASP Top 10 -- this is a list of the most common web vulnerabilities. Also, use a web vulnerability scanner to check the site for flaws (examples include Qualys FreeScan, which provides 10 free scans, or paid services like McAfee SECURE for Websites and Symantec Safe Site).
- DNS Poisoning - Hackers can also make a company's website redirect customers to a fake and malicious website which they control. This is an attack on the domain name system (DNS). The DNS is sort of like an air traffic controller for the web, making sure Internet searches follow the right path. Cybercriminals can corrupt this process by impersonating a company employee and tricking the web hosting provider into redirecting the site to another site; by hacking the DNS servers, which may be hosted by an ISP or by the company itself if it's a larger organization; or by getting a fake digital certificate for the website. The bottom line is that any visitor to the company's site will be redirected to an entirely fake site which could infect them with malware or contain false and harmful information about the company. Security Tip: This isn't an easy fix for SMBs, as in most cases the attack will be conducted against an outside ISP or domain registrar that manages the company website. What SMBs can do, however, is sign up for extra security protections with their domain registrar (e.g., GoDaddy, Google Domains, Hover, Namecheap), such as DNS change locking, two-factor authentication and DNSSEC.
- Online Harassment - But cybercriminals don't have to be talented hackers to extort a business online. They can also use non-technical means like "Yelp-bombing," or posting a slew of negative reviews online; "cybersquatting" a business' domain name by buying up similar names to confuse consumers (such as a variation on the real domain name or the same name with ".net" or ".org" as suffix); submitting complaints to the website hosting provider claiming that the company website contains libelous or copyright-infringing material (the host may suspend the site until the issue is resolved); making false reports about the domain to spam/malware directories to try to get the site blacklisted; and, as noted under DNS Poisoning, tricking the domain registrar into redirecting the website to another one controlled by the hackers. Security Tip: Talk to your domain name registrar about adding security to your account. Buy up the available domain names closely related to the business website (for example, if the main website is "HardwareStore.com," also buy up the ".net," ".biz," and ".org" domains, as well as variants on the name spelling like "Hardware-Store.com," etc.). Check regularly with Internet blacklist sites like MXToolbox.com, URLBlacklist.com, WhatIsMyIPAddress.com.
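The defensive-registration tip above can be turned into a checklist with a short script. This is an added example, not part of the original article: it lists the TLD and hyphen variants the tip names and goes further by adding single-character omissions and adjacent-letter swaps; the word split passed in and those two extra spelling rules are assumptions of the example.

```python
"""Added example: enumerate lookalike domains worth registering defensively."""

ALT_TLDS = ["com", "net", "org", "biz"]  # TLDs named in the article's tip


def spelling_variants(label: str, words: list[str]) -> set[str]:
    """Return spelling variants of a second-level label.

    `words` is the owner-supplied word split of the label (an assumption of
    this example), e.g. ["hardware", "store"] for "hardwarestore".
    """
    variants = set()
    # Hyphenated form, as in the article's "Hardware-Store.com".
    if len(words) > 1:
        variants.add("-".join(words))
    # Single-character omissions ("hardwarestor").
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Adjacent-character transpositions ("hadrwarestore").
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return variants


def defensive_candidates(domain: str, words: list[str]) -> list[str]:
    """List lookalike domains for `domain`, excluding the domain itself."""
    label, _, tld = domain.lower().partition(".")
    words = [w.lower() for w in words]
    if "".join(words) != label:
        raise ValueError("words must concatenate to the domain label")
    all_tlds = sorted(set(ALT_TLDS) | {tld})
    # Same name under the other TLDs.
    candidates = {f"{label}.{alt}" for alt in all_tlds}
    # Spelling variants under every TLD, including the original one.
    for variant in spelling_variants(label, words):
        for alt in all_tlds:
            candidates.add(f"{variant}.{alt}")
    candidates.discard(f"{label}.{tld}")
    return sorted(candidates)


if __name__ == "__main__":
    for name in defensive_candidates("HardwareStore.com", ["Hardware", "Store"]):
        print(name)
```

The output is a list to check for availability with the registrar; names already registered by someone else are the ones to watch for customer confusion.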
SMBs can no longer afford to turn a blind eye to the technology underlying their businesses, nor can they expect to outsource the responsibility of ensuring the security of their sites. Business owners should be actively involved in the cybersecurity of their companies, and start taking steps now to both prevent attacks and control the damage when they occur.