BLOG

Breaking the law: How legal firms get hacked

law firm hacks

Ever hear about how companies lose their clients’ files without knowing it? It happens to firms every day of all sizes. Cybersecurity is something everyone needs to know about these days.

There are two types of law firms: those that know they’ve been hacked and those that do not; said attorney Vincent Polley recently at the American Bar Association Expo. He went on to express: “everyone in this room has been hacked. How you deal with it is the critical factor.”

Picture it: The year is 2012; the U.S. Federal Bureau of Investigation just informed a New York law firm that all of their clients’ files were found on a server in another country. With their stolen files en route to China, the firm was left desperately figuring out how to keep their attorney-client privilege obligations intact. A few months earlier, the FBI held a briefing with the top 200 firms in New York. The FBI’s message at that meeting was clear: “Hackers see attorneys as a back door to the valuable data of their corporate clients.”

Attorneys have inside details on mergers, patents, and private or personal information. The right details can blackmail people and outflank businesses. In 2011, at least 80 major American legal firms get hacked and that number seems to be rising. With many states now having laws that require disclosure to clients when their information has been lost, once legal firms get hacked, secrecy may not be an option.

Cyber crimes are committed primarily by four types of people:
1) State-sponsored organizations, such as the People’s Liberation Army of China, attack firms who have advanced technological knowledge their government may want. State sponsors also attempt to derail mergers and acquisitions deemed “in the national best interest”.

2) Organized crime syndicates such as “The Mob” employ hacking to gain information for extortion.

3) Hacktivists like Anonymous and LuzSec are groups of people that steal information and take over accounts to advance a political agenda.

4) Independent hackers invade networks for revenge, fun, notoriety, or profit.

The basic path of hacking into an organization is fairly simple. The hacker first decides whether to use bad code such as a virus, Trojan, or malware to invade systems and networks, or use social engineering. Then they pick their target and attack.

Most bad code these days is malware: a semi-automated, slow and steady way to access information. Fully functional code samples can be purchased on Internet message boards for hundreds of dollars. The organizations that create malware sometimes employ hundreds of people—some even operating a help desk providing support. In a malware attack hackers insert a piece of malicious code on a server or computer which then sends passwords, files or emails back to the attackers’ system. Malware is also more frequently being disseminated through social media and social engineering attacks.

Social engineering is an entirely different approach to extracting information than traditional malware attacks against systems. Falling prey to social engineering, a law firms’ employees and partners accidentally provide basic information that then can be used to unlock data. Social engineering is often the fastest way to gain access to critical systems. In this type of attack hackers can be in and out before anyone suspects foul play.

A shocking 48% of enterprises have been victims of social engineering attacks. But not all attacks come from people clicking links… simply opening an email containing maliciously encoded images can be enough to infect a system. The average cost of these attacks range from $25,000 to $100,000.

Surprisingly, employees don’t need to take any specific action to be attacked and find themselves in a situation where existing security solutions, like antivirus software, cannot help. A law firm or any of its employees simply need to have any type of social media presence to provide a forum for attack. In one recent high-profile case, GoDaddy transferred ownership of a domain to a malicious party using information taken from a social media public profile. The hackers then gained control of every email being sent to the affected organization.

Most hackers gather information through phishing, which is the act of attempting to acquire information such as usernames and passwords or enticing the user to click on a malicious link by masquerading as a trustworthy entity. Although most phishing attacks traditionally happen through email, recent trends are indicating that phishing attacks via social media are on the rise.

So how do social media engineering attacks work?
1) First, cybercrooks build popular-looking Facebook or Twitter profiles by uploading relevant content, trending YouTube videos, etc.

2) Fake fans and followers are then purchased for these profiles for pennies on the dollar, giving these pages the appearance of having a huge following. For example, on sites such as Socialyup.com 500 likes can be purchased for only $30 and 20,000 likes for $699.

3) Once a profile reaches threshold popularity, cyber-bandits sell their profile on the black market. In one recent example, a Facebook page dedicated to the memory of the Boston bombing victims was available for $1,000.

4) With a popular profile purchased, hackers set up a fake website and plant malicious javascript designed to open back doors and steal information.

5) Links are posted to the recently sold Facebook and Twitter profiles with messages aimed at persuading people to click on them. The hackers can gain entry into critical systems or infect the corporate network as soon as an unsuspecting user clicks on one of these links.

So how do legal firms get hacked, and attacked with the rise in social media?
With average attacks costing between $25,000 and $100,000 to clean up, firms need to first understand their vulnerabilities. Start by mapping your social presence to get a clearer picture of how your organization could be being attacked. Once you know how you could be attacked you can start to protect your firm from compromise.