Cyber criminals have infected online menus in popular restaurants in a bid to obtain information about large corporations, a US security expert said.
It is known as “watering hole” hacking and involves planting a bug on a website popular with employees — such as an eatery near a major office.
Chris Furlow works with companies around the world to help them focus on cyber-risk and called for better international co-operation to track down criminals.
He said: “These folks are thinking very clearly who they would like to target and how they are going to go about doing that.”
Mr Furlow said “spear phishing” emails, which target particular organisations for information like passwords or bank account numbers, are a digital deception threat that is more developed than it was a decade ago.
He added: “They may be coming after a specific individual because they have inside information about what is going on within your organisation. We still are not mature enough as civilised societies in terms of getting all the protocols in place to go after these individuals because there are no borders in the cyber domain and it makes going after them much more difficult.”
British GCHQ intelligence has already identified a watering hole attack against a web design company which hosts sites for a number of British businesses in the energy sector.
By adding code to one website, the attackers were able to redirect visiting users’ browsers to one of three sites controlled by them, in what GCHQ believed to have been part of a continuing commercial espionage campaign.
Mr Furlow is president of US risk company Ridge Global. He outlined the watering hole threat during a meeting of the World Credit Union Conference in Belfast.
He said: “Sometimes, especially near organisations that are targeted, let’s say there is a major corporate office near this restaurant, they may infect the restaurant and when you download the PDF version of the menu it is infected. These are the types of threats we are dealing with on a daily basis. They are leveraging this human element of cyber-security, they are carrying out digital deception.”
Mr Furlow said a report published this year by computer giant IBM on the cost of data breaches found that a quarter involved human error.
He added: “This is about employees or third parties like contractors who are in some way negligent.
“I think that is a tough term in the environment today, negligent, because there are some people who just don’t have the resources or they have not had the training in order to understand what they need to be doing.
“But negligence is a really important term because as you look at the regulatory environment this is something that is advancing very quickly in the 21st century.”
© Irish Examiner Ltd. All rights reserved