Let’s say next week you decide you need to buy a new pair of runners. You search the internet and eventually find a website in Italy that has the most perfect pair of runners you’ve ever seen. And they have them in your size. So, you whip out your credit card and proceed to order them. But before you do, you must register on their website using an email address and password. Now, because your work email address is the one you use all day, you use that one. Oh, and because you keep on forgetting passwords, you also decide to use the same password which you use to access your work email account. Let’s face it, a sports store in Italy is hardly going to hack you. A week later, your new runners arrive. They fit like a glove, look great and are super comfy!
How a simple e-commerce transaction can lead to a cyber-attack…
Roll on six months later. The e-commerce platform of the online sports store where you bought your runners from gets hacked by a professional cyber criminal group. The operators of the store didn’t even know yet. However, all the emails and passwords used to register on the site for the last 10 years are now for sale on the Dark Web. That includes your email address and password.
Don’t be stuffed by a “credential stuffing” attack…
Cyber criminals can now use “credential stuffing” tools which take stolen email address and password combinations and input them into services such as Outlook 365 and Dropbox. This is akin to a criminal walking along a street with a stolen set of keys, trying the lock on every house. Except in this case, cyber criminals use highly sophisticated software which automatically inputs stolen email addresses and passwords into various email and cloud services, trying to get lucky.
And if they do get lucky, and assuming there is no MFA, they will have complete access to your email account. Your hijacked email account can now be used to propagate malware to your customers or other stakeholders. Or, it could be used to execute invoice fraud attacks. Either way, this is all done under your name and the name of your organisation. On a personal level, it can be professionally embarrassing. On an organisational level, such an attack can be reputationally damaging. All because of a damn pair of runners…
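The “trying every lock on the street” pattern described above has a recognisable shape in your sign-in logs: one source trying many different accounts in a short window, mostly failing because the stolen pairs are stale, with the occasional success being the account that needs an immediate password reset and MFA check. The following is an added detection example, not code from the original article; it assumes a constructed, simplified key=value log format and invented sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from any real system): timestamp,
# source IP, account tried, outcome. 203.0.113.7 is walking a stolen list.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:00:03Z src=203.0.113.7 user=dave@example.com result=SUCCESS
2024-05-01T10:00:04Z src=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:00:05Z src=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:01:00Z src=198.51.100.9 user=alice@example.com result=FAIL
2024-05-01T10:01:30Z src=198.51.100.9 user=alice@example.com result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")

def parse(log_text):
    """Yield (timestamp, src_ip, user, success) from the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.5):
    """Return {src_ip: summary} for sources that look like credential stuffing.

    Unlike brute force (one account, many passwords), stuffing tries one
    stolen pair per account across MANY accounts, so the signature is many
    distinct users from one source in a short window with a high failure rate.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log_text):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # sliding window per source
            span = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged[src] = {"distinct_accounts": len(users), "attempts": len(span),
                                "failure_ratio": round(fails / len(span), 2),
                                # accounts where a stolen pair worked: reset + MFA
                                "compromised": sorted(u for _, u, ok in span if ok)}
                break
    return flagged
```

The second source (198.51.100.9) is a single user who mistyped once and then signed in, so it is not flagged; thresholds are assumptions to tune against your own baseline.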
You can lower the risk of this sort of attack happening in your organisation.
Preventing this attack vector is heavily reliant on your employees knowing about the basic dynamics of this type of attack. Moreover, an effective preventative measure is providing them with actionable information on how to lower the risk of this threat. Doesn’t it make sense to do everything possible to lower the risk of a costly cyber attack or data breach occurring in your organisation?