Cyberattacks without malware

How cybercriminals attack companies without using malware.

Every company needs reliable protection from cyberthreats, but it’s important to remember that antivirus software is not a cure-all solution. The majority of attacks on companies are caused by human error — for example, an employee clicks on a malicious link, activates a macro, or downloads an infected file. In some cases, cybercriminals don’t even need to use malware: they manage to gain access to a company’s infrastructure using only social engineering and legitimate software. Here are a couple of examples.

Ransom, not ransomware

There was recently some news about the activity of the Luna Moth group, which specializes in stealing corporate data and blackmailing. The unique thing about Luna Moth is that they obtain information without using malware.

An attack on a company starts with a typical fraudulent email. The criminals pretend to be representatives of some online service and try to convince the recipients that they’ve signed up for a subscription and the payment will be debited the next day. If the employee wants to cancel the payment or get more information, they must call a phone number which they can find in a file attached to the email.

Seems like this is where the catch must be, right? But no, contrary to expectations, the file does not contain any malware, so antivirus software will most likely let the user open it. The criminals’ task at this stage is simply to get an employee to call the number.

If they succeed, the attackers trick the victim into installing a remote access tool (RAT) on their device, probably under the pretext of helping the befuddled user cancel the subscription. Technically, RATs are not malware, so the majority of antiviruses don’t block them, and only some warn users about the potential dangers. As a result, the criminals gain remote access to and control of the device.

Note that in many cases the fraudsters install more than one RAT on the device, so even if one is removed they can use another to keep control and reinstall the first one. Once they have control over the victim’s computer, the criminals often install additional tools to further infiltrate the infrastructure, access more resources, and exfiltrate data.
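Because antivirus software will not flag these tools, the practical check is an inventory audit: which remote-access tools are present on which hosts, which of them are approved there, and which survive a clean-up. The following Python script is an added example, not code from the article or from any vendor; the tool catalogue, hostnames, user names and inventory lines are all constructed for illustration, and the approved-pairs list stands in for whatever software catalogue your organisation keeps.

```python
"""Audit endpoint process inventories for unapproved remote-access tools.
Added example, not from the original article: the tool catalogue, hostnames
and inventory lines are constructed; feed in your own EDR/asset export."""
from collections import defaultdict

# Constructed catalogue of remote-access tool process names (assumption: your
# organisation maintains such a list from its software catalogue).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe",
                       "ateraagent.exe", "splashtopstreamer.exe"}
# Constructed inventory lines: "<timestamp> <host> <user> <process>".
SNAPSHOT_BEFORE = """\
2024-05-02T09:14:02 WS-0142 jdoe anydesk.exe
2024-05-02T09:14:02 WS-0142 jdoe teamviewer.exe
2024-05-02T09:14:05 WS-0142 jdoe excel.exe
2024-05-02T09:15:11 WS-0201 asmith outlook.exe
2024-05-02T09:16:30 WS-0317 helpdesk teamviewer.exe
"""
# Same hosts after IT "cleaned" WS-0142 by uninstalling AnyDesk only.
SNAPSHOT_AFTER = """\
2024-05-03T10:02:40 WS-0142 jdoe teamviewer.exe
2024-05-03T10:02:41 WS-0142 jdoe excel.exe
2024-05-03T10:03:15 WS-0201 asmith outlook.exe
2024-05-03T10:04:02 WS-0317 helpdesk teamviewer.exe
"""
# Approved (host, tool) pairs, e.g. the help desk's own TeamViewer install.
APPROVED = {("WS-0317", "teamviewer.exe")}

def parse_inventory(text):
    """Return {host: set of lower-cased process names} from inventory lines."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:                     # skip blank/malformed lines
            hosts[parts[1]].add(parts[3].lower())
    return dict(hosts)

def unapproved_rats(hosts, approved=APPROVED):
    """Map host -> remote-access tools present there without approval.
    Two or more on one host is the redundancy pattern described above."""
    findings = {}
    for host, procs in hosts.items():
        tools = {p for p in procs & REMOTE_ACCESS_TOOLS if (host, p) not in approved}
        if tools:
            findings[host] = tools
    return findings

def still_present(before, after, approved=APPROVED):
    """Unapproved tools that survived a clean-up between two snapshots."""
    b, a = unapproved_rats(before, approved), unapproved_rats(after, approved)
    return {h: b[h] & a[h] for h in b if h in a and b[h] & a[h]}
```

In the constructed data, WS-0142 is flagged with two unapproved tools before the clean-up and with TeamViewer still present afterwards, which is exactly the foothold the criminals would use to reinstall the first tool.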

Phone scamming at the company level

The American telecommunications company Verizon recently became the victim of an even more ridiculous blackmail scheme. An anonymous hacker told Motherboard that he’d convinced a Verizon employee to grant him remote access to a company computer just by presenting himself as a member of internal tech support. On the computer, he supposedly ran an internal tool for processing employee information and, using a custom script, compiled a database containing the full names, email addresses, company IDs and phone numbers of hundreds of people.

Verizon confirms that the hacker contacted the company and demanded $250,000, threatening to publish the stolen data, but they deny that he managed to obtain anything important. However, Motherboard journalists called some of the people whose contacts were in the database. Some of them responded and confirmed their names, email addresses, and employment at Verizon.

What should we learn from this story?

The moral of the story is simple: your company can have the most up-to-date security solutions, but if the employees are not prepared for such social engineering attacks, then your data is not safe. For that reason, a complete cybersecurity strategy should involve not only installing technical security tools, but also raising employee awareness about the latest cyberthreats and cybercriminal tricks. For example, via an online education platform.