Scott Schaffer with Blade Technologies explains how they do it.
Here's more information:
1 Pretty Fly for a Free WiFi
Many hackers these days start by hanging out at the coffee shops or other free-WiFi hot spots near the offices of companies they want to infiltrate. Using easy-to-carry hardware (Sophos underscored how easy this is on a recent bike trip around London), an attacker can impersonate a free WiFi network by broadcasting the same network name as the legitimate hot spot and inviting users to join. It looks and feels like free Internet, and few people ask questions as long as their browser works. Once a device has joined, every request it makes passes through hardware the attacker controls.
Almost all major coffee shop chains offer free WiFi
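One defensive counterpart to the impostor hot spot described above, added here as an example and not taken from the article or from Sophos: compare the access points a laptop can see against the venue's or company's own inventory of access points, and flag a network name that is suddenly offered by an address the operator does not own, or offered without encryption when the real one is protected. The scan results, network names and inventory below are constructed for illustration; the locally-administered-MAC check is only a weak heuristic, since phone hotspots and software access points legitimately use such addresses.

```python
"""Evil-twin detector: flag access points advertising an SSID that
the venue or company does not actually operate."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str      # network name as broadcast
    bssid: str     # MAC address of the access point
    security: str  # "open", "wpa2" or "wpa3"
    rssi: int      # signal strength in dBm (closer to 0 is stronger)


# Constructed scan results for illustration (not real captures).
SCAN = [
    Network("CoffeeShop_Free", "a4:2b:8c:11:22:33", "open", -48),
    Network("CoffeeShop_Free", "02:00:00:aa:bb:cc", "open", -31),  # impostor, stronger signal
    Network("ACME-Corp", "3c:22:fb:44:55:66", "wpa2", -60),
    Network("ACME-Corp", "02:00:00:dd:ee:ff", "open", -35),        # impostor offering the corp SSID open
    Network("Neighbor", "d8:07:b6:77:88:99", "wpa2", -80),
]

# Constructed inventory: the BSSIDs the venue / company really operates, per SSID.
KNOWN_APS = {
    "CoffeeShop_Free": {"a4:2b:8c:11:22:33"},
    "ACME-Corp": {"3c:22:fb:44:55:66"},
}


def is_locally_administered(bssid: str) -> bool:
    """True if the MAC has the locally-administered bit set (bit 1 of the
    first octet), i.e. it was not assigned by a manufacturer. Software APs
    and phone hotspots often use such addresses, so treat this as a weak signal."""
    first_octet = int(bssid.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_evil_twins(scan, known_aps):
    """Return (ssid, bssid, reasons) for each suspicious access point."""
    by_ssid = defaultdict(list)
    for net in scan:
        by_ssid[net.ssid].append(net)

    findings = []
    for ssid, aps in by_ssid.items():
        trusted = known_aps.get(ssid)
        securities = {ap.security for ap in aps}
        for ap in aps:
            reasons = []
            # Same SSID, but a BSSID the operator does not own.
            if trusted is not None and ap.bssid not in trusted:
                reasons.append("bssid not in inventory")
            # A protected network is suddenly also offered without encryption.
            if len(securities) > 1 and ap.security == "open":
                reasons.append("open variant of a protected ssid")
            if is_locally_administered(ap.bssid):
                reasons.append("locally administered mac")
            if reasons:
                findings.append((ssid, ap.bssid, reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SCAN, KNOWN_APS):
        print(f"SUSPICIOUS {ssid} {bssid}: {', '.join(reasons)}")
```

The inventory is what makes the check meaningful: a large venue legitimately runs many access points under one name, so "same SSID, different BSSID" on its own proves nothing, and the impostor will usually have the stronger signal because it is sitting at the next table. Without an inventory, the only rule that still carries weight is a protected corporate SSID appearing in an open variant.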
2 Stuck in the Middle With User
What next? A relatively easy next move is the cyber-security version of the man-in-the-middle scam: because the victim's traffic already flows through the attacker's access point, a request for a site the target is likely to visit can be answered with a mock login page instead of the real one. The Facebook login page, for instance, or a company's intranet login page. Many of these are easily downloadable from IT specialty sites that build them to test their own vulnerability. The unsuspecting user logs in as usual, giving away their username and password. Since many people use the same details across platforms and sites, it's often easy pickings for hackers from there. There's password-cracking software as well. Most passwords don't take more than a few minutes to crack, Deacon says.
Would you like a password with your coffee?
3 One Password to Rule Them All
Once the hacker has a password for one account, even a personal one carefully segregated from an employee's work account, the hacker can start trying it against the victim's other accounts, any of which may hold corporate data worth mining: Gmail, Yahoo, Hotmail, or they can go straight for the corporate intranet and email.
Stop using the same password across all your accounts.
4 Hi, it's Peter from IT
The hacker now has access. Let the real trouble begin. What would you do if you received this email: "Hi, it's Peter from IT. We've got a security update we need you to run, can you run it for me please? Just double click the attachment. Thanks." According to Sophos' Deacon, many employees do as they're told when they see an email that looks as if it came from their company's IT department. What's been unleashed? One threat is a Trojan horse: a malware program that sits unseen on a company's systems and can be used to pilfer data such as passwords and internal communications.
Do as your inbox tells you
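The "Peter from IT" message lends itself to a mechanical triage check, added here as an example and not taken from the article or from Sophos: parse the message, compare what the display name claims against the domain it was actually sent from and the Reply-To address, and look at the attachment names. The sample message, the company domain example.com, the sender domains and the keyword and extension lists are constructed assumptions for illustration, not real data.

```python
"""Triage a raw e-mail for the 'Hi, it's Peter from IT' pattern: the
display name claims to be internal IT, but the sending address, the
Reply-To or the attachment type do not match what real IT would send."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed; substitute the real company domain
IT_WORDS = {"it", "helpdesk", "support", "security", "admin", "sysadmin"}
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                 ".hta", ".lnk", ".iso", ".jar")

# Constructed sample message (not a real capture). The attachment body is a
# few base64 bytes resembling a Windows executable header; it does nothing.
RAW_MESSAGE = b"""\
From: "Peter from IT" <peter.it@example-support.net>
Reply-To: helpdesk@mail-example.co
To: jane.doe@example.com
Subject: Security update - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hi, it's Peter from IT. We've got a security update we need you to run,
can you run it for me please? Just double click the attachment. Thanks.

--XYZ
Content-Type: application/octet-stream; name="security_update.pdf.exe"
Content-Disposition: attachment; filename="security_update.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


def domain_of(header) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header or ""))
    return addr.rpartition("@")[2].lower()


def claims_to_be_it(display_name: str) -> bool:
    """True if the display name uses words an IT/helpdesk identity would use."""
    tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    return bool(tokens & IT_WORDS)


def triage(raw: bytes, company_domain: str = COMPANY_DOMAIN) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(str(from_hdr))
    from_domain = domain_of(from_hdr)

    # 1. Display name impersonates internal IT, but the mail comes from elsewhere.
    if claims_to_be_it(display_name) and from_domain != company_domain:
        findings.append(f"display name '{display_name}' claims IT but sender domain is {from_domain}")

    # 2. Replies are routed to a domain other than the one the mail claims to come from.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 3. Attachments a real IT department would not ask you to double-click.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(DANGEROUS_EXT):
            findings.append(f"executable attachment {fname}")
        if fname.count(".") > 1:
            findings.append(f"double extension attachment {fname}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("FLAG:", finding)
```

None of these checks proves a message is malicious on its own: outsourced helpdesks do mail from third-party domains, and marketing platforms routinely set a different Reply-To. Together, and combined with a request to run an attachment, they are the pattern Deacon describes, and a gateway rule that quarantines on two or more of these findings catches the "security update" lure without a signature for the payload.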
5 Hey, You, Get That Off of My Cloud
There's another new trend that is also worrying IT security experts: the move toward cloud storage. The free cloud storage and file-sharing market is a potential goldmine for hackers. Employees tend to upload confidential business data into their personal accounts, which have weak or no security controls. In a report this week, cloud provider Intralinks found that people were uploading and sharing live links to personal photos, tax returns, bank records, mortgage applications, blueprints and business plans. Intralinks was able to download several of these documents without needing to enter a password.
Mixing business and pleasure on the cloud