A new joint venture, Totally Online (TO), was created to provide better leverage in deals with premium content providers. The new company has moved into a new, secured office. However, from the very start, the new company has been plagued by an unusually large number of sophisticated phishing attacks. Unless something is done, it is only a matter of time before one of these attacks succeeds, with potentially severe consequences.
Phone2U is a mobile services provider. It has succeeded in an extremely crowded market because it targets young consumers with competitive prices, has easy sign-up and top-up procedures, and offers its customers tickets to highly popular music events. But competition for this customer segment has increased, and revenues are declining. Phone2U wants to offer a different proposition to young adults by bundling mobile phone contracts with premium content (games and entertainment) at a competitive price. Suppliers of premium content will only work with ‘serious players’ that are likely to generate significant revenue – so Phone2U joined forces with a competitor, Smashphone, and created a new company, Totally Online (TO). 150 Phone2U staff and 150 Smashphone staff have moved into 3 floors in Phone2U’s headquarters building. For business and legal reasons, only TO employees can enter the 3 TO floors, or gain access to TO’s computers and network.
The merger process leaves the organisation especially vulnerable to attack. With the creation of TO, the number of phishing attacks per 100 employees almost doubled among the newly allocated staff, reaching 18 spear-phishing or whaling e-mails per week. A more disturbing emerging trend, however, is attackers targeting the credentials of key employees, which would allow them to distribute phishing content that appears to come from legitimate sources.
Analysis suggests that attacks typically start with a prolonged campaign of collecting personal information about employees of interest. This preparatory phase is typically followed by a personalised scam that aims to acquire the target employee's credentials for a system on the company intranet. Since the targeted employees do not have access to customer payment details or other financial data, it is suspected that the aim is to use employee credentials to organise a mass phishing campaign against customers. In one particular case where the spear-phishing was successful and attacker files were detected on the server, the attack appeared to be designed so that it would be difficult to identify which customers had been targeted, and thus difficult to inform them of the breach individually. The attackers rely on this, and on the company's reluctance to contact all of its customers about a possible breach that would have affected only a relatively small portion of them.
A cluster of attacks has been identified as originating from various groups in a small town in Eastern Europe dubbed Hackerville, where tricks and techniques related to hacking are widely accessible public knowledge. Any gaps in the groups' own expertise (e.g. in coding, design, logistics or translation) are usually filled by exploiting contacts within legitimate professional communities and outsourcing the work to members of those communities who are more willing to take risks in search of better returns.
The possible cost of a successful two-stage spear-phishing attack of this kind is estimated at up to 100,000 EUR. However, the far bigger negative impact is on the corporate image, with 42% of customers declaring that they are less likely to do business with companies that they know are targeted by phishing attacks.
Consider the problem and the proposed interventions from the perspective of a security designer, as described in the text to the right. From this perspective, please rate each of the intervention methods listed in the table below.
How will the implementation of the following intervention methods affect the probability of further attacks?
Fraud has always been a problem for us, so we take security seriously, and data protection too. However, we have never before seen phishing campaigns designed so well that even security experts are unsure how to identify them. And then not all staff exercise due care and attention at all times. I do worry about who gets access to our servers and what they could do with it. I have spoken to our security officers about this as well, and we are trying to identify patterns in the attacks, but they are overwhelmed with other tasks and we need all the additional help we can get. Unfortunately, with these things our employees don’t find out their accounts have been breached until it is too late.
Now read the description of the offender perspective in the text to the right. Trying to think from their perspective, answer the question below, rate the methods in the table accordingly and motivate your answers.
How will the following intervention methods affect the probability of success of future attacks?
There are companies, and they have competition. Everyone is trying to get information on the others. So I’m a mercenary who gets paid to get that information from the competitors. The demand for information is huge. All of us wanted to prove who’s the best, and it’s just fun; even today it’s a lot of fun for me. We’re talking about sums that can get as high as tens of thousands of dollars or euros; it depends. If you have information on your competitors, you’ll always be one step ahead. I’ve had clients who sometimes didn’t just want information, but wanted to have their competitors’ databases damaged, destroyed or taken offline. Of course this pays more.
In your final assessment, put yourself in the shoes of the company management, a potential promoter or preventer. Please rate the impact of each of the methods in the table.
How will the proposed intervention methods affect the harm caused by potential future attacks?
Working on this new venture is very demanding; I often find myself working extra hours just to be able to keep up with all the mails I need to respond to. Now they tell us that the mails or even calls we receive might be a scam. They tell us that such mails could now contain references to our private lives. How am I supposed to do my job if I have to doubt the source of any message I receive? It's simply not possible.
Please rate each of the intervention methods listed in the table below according to the scale, relating the question in bold to the intervention method and assuming it is implemented in the context of the scenario provided.
How great an impact do you think the intervention method might have on the crime problem?
In case you have any type of comments or clarifications, use the space provided to the right.