Investigations Inc.: Cyber Espionage

10 Ways Companies Get Hacked

10 Ways Companies Get Hacked

Hacking is often called the biggest danger to the economic security of the United States.has gone on record as calling the cyber threat “one of the most serious and economic and national security challenges we face as a nation.”What was once a series of isolated incidents has now become almost common place in Corporate America. By attacking business networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy, say experts. Many of t
James Lauritz | Digital Vision | Getty Images

Hacking is often called the biggest danger to the economic security of the United States.

President Obamahas gone on record as calling the cyber threat “one of the most serious and economic and national security challenges we face as a nation.”

What was once a series of isolated incidents has now become almost common place in Corporate America. By attacking business networks, hackers are accessing company secrets and confidential strategies and creating huge losses for the overall economy, say experts.

Many of the economic espionage cases are in the tens or hundreds of millions of dollars, the FBI says, and that can translate into job losses.

“This is stealing American wealth,” Gen. Michael Hayden, former director of the National Security Agency and the CIA, told CNBC. “It’s stealing American jobs. It’s stealing American competitive advantage.”

Every company is at risk. Even big names are not immune —  LinkedInwas the victim of hackers in June, and Googlewas attacked in 2011, when hackers gained access to hundreds of user accounts.

“Operation Aurora, which was an attack on Google, I think, was a watershed moment where we suddenly realized that even the best companies with tremendously smart people, great security, are vulnerable to the threat,” cyber security expert Dmitri Alperovitch said.

So how do hackers get in the door?  Alperovitch, who once worked for McAfee and is now the co-founder and CTO of the cyber security firm CrowdStrike,compiled a list for CNBC.com. 

Click ahead to see the 10 most common ways hackers access corporate computer systems.

By Michelle FoxPosted 6 July 2012

Email Social Engineering/Spear Phishing

“Spear phishing” — social engineering through email — is one of the most common tactics hackers use when attacking a system, according to cyber security expert Dmitri Alperovitch.Cyber spies can get into a network by sending an email or instant message to a targeted victim that will have an attachment or perhaps a link to a website. It will also be customized for the recipient. For example, “if you are in the sales department, it will ask for information about products,” Alperovitch said. Once y
Photo: Angela Cappetta | Photolibrary | Getty Images

“Spear phishing” — social engineering through email — is one of the most common tactics hackers use when attacking a system, according to Alperovitch.

Cyber spies can get into a network by sending an email or instant message to a targeted victim that will have an attachment or perhaps a link to a website. It will also be customized for the recipient.

For example, “if you are in the sales department, it will ask for information about products,” Alperovitch said.

Once you open the attachment or click on the link, a vulnerability in the system's application such as a word processor or browser will be exploited. Malicious software, known as malware, will then start executing on the machine and open up a communication channel to the hacker to allow them to browse and control the system.

Hackers can also use the infected computer “as a beachhead to get into other machines within that network,” he said.

Alperovitch said that’s how cyber spies were able to hack into Google last year.

Infection Via a Drive-By Web Download

Photo: Epoxydude | Getty Images

If cyber spies are interested in a lot of people within a larger group, they can target a website that’s used by the group or company, Alperovitch said.

The hackers will look for a vulnerability on the website to get in, or access it through spear phishing.

“They will … implant a piece of code on that website so that anyone who comes on that website will be immediately infected,” he explained.

It’s a tactic that is growing in popularity and is a common way to target dissidents, he said. However, it can also affect company or government websites.

USB Key Malware

Malicious software, called malware, can also get onto a computer through a USB key.
Jeffrey Hamilton | Digital Vision | Getty Images

Malware can also get onto a computer through a USB key. For instance, someone can slide infected USB keys into packets given out at a conference, Alperovitch said. Once the unsuspecting person plugs the key into his or her machine, malware is installed. It can also be surreptitiously inserted into a computer by a spy on the inside of a company.

Scanning Networks for Vulnerabilities and Exploitment

Hackers can remotely scan servers to determine vulnerabilities within that system. Once they find vulnerability, they exploit it by sending a command or data to the server that will cause the application to crash and will then start executing code.In other words, it is like a potential burglar “looking at your house and seeing your doors unlocked and simply [walking] in,” Alperovitch said. Typically it’s the smaller companies that get hit this way, Alperovitch said, since most large companies ha
Photo: JGI | Tom Grill | Blend Images | Getty Images

Hackers can remotely scan servers to determine vulnerabilities within that system. Once they find a vulnerability, they exploit it by sending a command or data to the server that will cause the application to crash and will then start executing code.

In other words, it is like a potential burglar “looking at your house and seeing your doors unlocked and simply [walking] in,” Alperovitch said.

Typically it’s the smaller companies that get hit this way, Alperovitch said, since most large companies have good security around its system perimeters.

Guessing or Social Engineering Passwords

Most companies have the ability for its workers to log in remotely to the corporate computer system, or to access company email through a website. To get into the system, workers need a user name and password, which are coveted by hackers.“If [hackers] can find out the credentials for that user, they can log in [remotely] as that user and access network resources,” Alperovitch said. To obtain passwords, hackers have various ways to trick users into giving up their credentials. For example, they
Photo: Gregor Shuster | The Image Bank | Getty Images

Most companies have the ability for their workers to log in remotely to the corporate computer system, or to access company email through a website. To get into the system, workers need a username and password, which are coveted by hackers.

“If [hackers] can find out the credentials for that user, they can log in [remotely] as that user and access network resources,” Alperovitch said.

To obtain passwords, hackers have various ways to trick users into giving up their credentials. For example, they can send an email asking their target to reset their password. Once the target clicks on the supplied link and enters his or her password, the hacker now has it and will use it to remotely log into the computer system.

Wifi Compromises

Hackers can invade a system by exploiting an open wireless network, or one with easy security. They can literally sit outside a business firm’s physical location and get into the system through the unsecured or poorly secured wifi. knows all too well about these dangers. Alperovitch said that’s how hackers got into the retailer’s system several years ago and 45.7 million credit and debit cards from the company.
Photo: DAJ | Getty Images

Hackers can invade a system by exploiting an open wireless network, or one with easy security. They can literally sit outside a business firm’s physical location and get into the system through the unsecured or poorly secured wifi.

TJ Maxxknows all too well about these dangers. Alperovitch said that’s how hackers got into the retailer’s system several years ago and stole45.7 million credit and debit cards from the company.

Stolen Credentials From Third-Party Sites

Photo: Getty Images

Some cyber spies like to troll for victims on third-party sites, like LinkedIn.When they find someone working for a company they want to infiltrate, they attempt to hack into the third party website and steal the employee’s credentials. Since some people tend use the same username and password for both work and other websites, the hacker can now log onto the company website and compromise the system, Alperovitch said.

This is why IT security experts recommend using different user names and passwords for different websites.

Compromising Web-Based Databases

When a person enters information on a website, like an email or credit card, it gets stored in that company’s data base. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.
Photo: Matthias Hauser | Getty Images

When a person enters information on a website, like an email address or credit card, it gets stored in that company’s data base. Those web-based forms are a simple tool for users, but they are also another way hackers can exploit a company’s system. Instead of inputting a name into the website, cyber spies can put in a specially crafted text that may cause the database to execute the code instead of simply storing it, Alperovitch said. The result is a “malicious takeover of the system,” he said.

Exploiting Password Reset Services to Hijack Accounts

Some hackers are able to hijack email accounts by resetting the user’s password without the person’s knowledge. Alperovitch said the execution is quite simple — hackers find out the answers to possible security questions by researching the victim on social networking sites and other places, and use the email company’s reset service to change the password. Once the password is changed, they have unlimited access to its victim’s email account.
Photo: hotmail.com

Some hackers are able to hijack email accounts by resetting the user’s password without the person’s knowledge. Alperovitch said the execution is quite simple — hackers find out the answers to possible security questions by researching the victim on social networking sites and other places, and use the email company’s reset service to change the password. Once the password is changed, they have unlimited access to its victim’s email account.

Insiders

Photo: Yvane Dube | Vetta | Getty Images

Even in a high-tech world, cyber spies have resorted to old-fashioned cloak-and-dagger techniques to infiltrate systems. Spies find ways to get hired by companies, and once inside they try to get into the system. They’ve also been known to bribe an individual already employed by the corporation they’re targeting to hack into the network.

"Cyber Espionage: The Chinese Threat"

An unseen army of hackers from China are on a mission — to steal from American business. CNBC takes you inside this new wave of espionage and the battle to protect America's economic security.• • •

An unseen army of hackers from China are on a mission — to steal from American business. CNBC takes you inside this new wave of espionage and the battle to protect America's economic security.

• Visit the show page• Chinese Espionage on the RiseHow to Defend Against a Cyberattack