Employee emails easy entry point for hackers, expert says

Almost 90 percent of all hacker attacks start with an email, and not the kind from your long-lost “Nigerian prince cousin.” The email will appear to come from your boss or someone in the Human Resources department who needs a form filled out, according to Michael Bazzell, an author and computer crime specialist assigned to the FBI’s Cyber Crime Task Force.

Mr. Bazzell, speaking to the Cayman Captive Forum last week, explained this was how hackers broke into Target earlier this year and stole millions of credit card numbers. Someone opened an attachment on an email, which put a small program on that computer, and the hackers were able to make their way up through the system to find that fraction of a second when credit card numbers passed from a cashier to the payment system.

Gone are the days of the lone hacker, spending late nights in front of a computer in a basement somewhere. Hacking is now big business. Mr. Bazzell showed a video from an undercover officer in an unnamed Eastern European country touring a warehouse filled with banks of computers and people working in three shifts hacking the world’s computers. Organized hacker groups like this, he said, “have zero concern they’ll get caught.”

Here’s how the Target hack worked, according to Mr. Bazzell: A 17-year-old created a small piece of software code that would embed a malicious program into an Adobe PDF file, a file type that has become ubiquitous in businesses across the globe. The teen sold the code for $2,000. Whoever bought that code managed to steal $40 million. The hacker, or more likely group of hackers, got someone on a Target computer to open up a PDF, and that action immediately installed the code on that computer.

Hackers would then send a “dear employee” email, saying something along the lines of “Please fill out this form to update your personnel file” or “You must fill out this form to get your holiday bonus” and the email would appear as though it came from the Human Resources Department, or a manager. In Mr. Bazzell’s words, “Who wouldn’t open an email like that?”

“Your employee is the weakest link,” he told the crowd.

The digital thieves could now watch what was happening on that computer, record each and every keystroke, and make their way deeper into the network. Once they were in, they could make their way up the ladder and, in Target’s case, find that one little spot where credit card numbers crossed the network.

Mr. Bazzell told the room of several hundred insurance industry representatives that the traditional hacker attacks of breaking through the firewall and into the network are a minority now. Companies have invested in hardware and software that make it very difficult for hackers to break in. It’s much easier to get an employee to just open the door for you.

Adobe is working to fix the issue that allowed the hacker in this case to get into the system, Mr. Bazzell said, and the company should have a new update available soon. He urged companies to install security updates. But the cyber criminals, he warned, most likely are already on to a new way to break into computer systems and will always be happy to exploit an old version of the free PDF reader.

“By the time a patch comes out, the damage is usually done,” he said.


  1. For myself, I never trust any email, from any source, unless I know that I’m expecting an email from that specific source.

    It's really the little things that you need to be careful with.

    Little details that could easily slip by unnoticed and cause damage in the future could be pretty fatal.

    Then again, there’s nothing a simple phone call can’t fix.

    My advice is to just be vigilant, take that extra second to think, and never trust any attachments that just randomly show up in your inbox unexpected. If you're not sure, be vigilant and contact the source; a simple phone call can go a long way.

  2. Jeremy
    Great idea in theory but the business world would seize up if every time someone received an email from their boss or colleague they phoned them to make sure they sent it.

    But you are absolutely right about not opening attachments that you aren’t expecting.
