Cyber criminals have infected online menus in popular restaurants in a bid to obtain valuable information about large corporations, a US security expert said.
Known as ‘watering hole’ hacking, the technique involves planting malicious code on a website popular with a target's employees, such as that of an eatery near a major office.
Chris Furlow, who works with companies around the world to help them focus on cyber-risk, called for better international co-operation to track down criminals.
“These folks are thinking very clearly who they would like to target and how they are going to go about doing that,” he said.
‘Spear phishing’ emails are now used to target particular organisations for information such as passwords or bank account numbers.
“They may be coming after a specific individual because they have inside information about what is going on within your organisation,” Furlow added.
“We still are not mature enough as civilised societies in terms of getting all the protocols in place to go after these individuals because there are no borders in the cyber domain and it makes going after them much more difficult.”
Britain's GCHQ intelligence agency has already identified a watering hole attack against a web design company that hosts sites for a number of UK businesses in the energy sector.
By adding code to one website, the attackers were able to redirect visiting users’ browsers to one of three sites controlled by them, in what GCHQ believed to have been part of a continuing commercial espionage campaign.
“Sometimes, especially near organisations that are targeted, let’s say there is a major corporate office near this restaurant, they may infect the restaurant and when you download the PDF version of the menu it is infected,” Furlow warned.
“These are the types of threats we are dealing with on a daily basis. They are leveraging this human element of cyber-security, they are carrying out digital deception.”
He warned that many data breaches occur as a result of human error by company employees.
“This is about employees or third parties like contractors who are in some way negligent.
“I think that is a tough term in the environment today, negligent, because there are some people who just don’t have the resources or they have not had the training in order to understand what they need to be doing.”
Furlow added: “But negligence is a really important term because as you look at the regulatory environment this is something that is advancing very quickly in the 21st century.”
It was recently discovered that nearly 100,000 Android devices in the UK have been infected with a virus called HummingBad, which can gain access to phones and tablets and control them.