Paubox blog: HIPAA compliant email made easy

3 sneaky ways hackers exploit uninformed employees

Written by Rick Kuwahara | December 12, 2019

We recognize and combat phishing attacks every day, but there are also lesser-known, underhanded hacking methods to consider. Here are three sneaky methods used to exploit the weakest security link, employees, and how you can foil them.

 

The unfamiliar USB drive

 

Everyone has stumbled upon a lost flash drive or been handed one randomly by a friend, but how many would connect it to their computer without hesitation? A 2016 University of Illinois study discovered the answer by dropping 300 USB drives throughout the campus. Ninety-eight percent were picked up; out of these, 45% had at least one file opened. This is alarming because some drives are manufactured to carry disguised viruses that can infect a computer as soon as the drive is connected.

 

Phony charging cable

 

Like USB drives, charging cables are available for purchase everywhere and can be found or handed out just as easily. Hackers can (and do) construct fake cables that give them remote access when plugged in. In a recent experiment, a hacker used a rigged Apple USB Lightning cable called O.MG to run commands remotely when plugged in.

Thankfully O.MG was developed to generate awareness of victim-deployed hardware rather than exploit the technology. Such a cable in the wrong hands, however, could shut down or damage a business quickly.

Once connected, an attacker can remotely control the affected computer to send realistic-looking phishing pages to a victim’s screen, or remotely lock a computer screen to collect the user’s password when they log back in.

 

Deceitful browser add-ons

 

The third duplicitous method employs a different type of plugin: the browser extension. Third-party add-ons, supported by most popular browsers, extend a browser’s capabilities and are handy to users. Who wouldn’t want to block ads, find coupons, or translate webpages with a simple add-on? Unfortunately, the wrong extension can be malicious, such as AdBlock and ublock for Google Chrome, thankfully removed from the browser in September.

 

How do we inform employees?

 

Blocking a browser extension can be as simple as restricting its use. More than anything, however, common sense and employee awareness are imperative. Keep security up to date and ensure employees understand the risks of bringing personal drives or cables.

It may seem like the "nuclear" option, but organizations can greatly reduce risk by not allowing USB drives to be used, which is much easier to accomplish now that so many HIPAA compliant file sharing and encrypted email solutions are available.

Not allowing personal items to be connected to your organization's network is another way to ensure that if an employee is hacked, there is less chance it can compromise company data. Tell them not to connect or download anything without researching it first, or provide these tools and information yourself. With such underhanded hacking, knowledge and awareness are vital security needs.
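Restricting browser extensions, as recommended above, only works if someone checks what is actually installed. The Python audit below is an added example, not code from the original post: it lists Chrome extensions present in a profile but missing from an approved-ID allowlist, along with the broad permissions each one requests. The `RISKY` set, the allowlist and the two sample extensions are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Grants that let an extension read or alter pages and traffic broadly.
RISKY = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "cookies", "webRequest", "tabs", "history"}

def audit_extensions(extensions_dir, allowlist):
    """List installed extensions whose ID is not on the allowlist."""
    # Chrome layout: <Extensions>/<id>/<version>/manifest.json
    findings = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if ext_id in allowlist:
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {"name": "<unreadable manifest>"}  # still report it
        requested = set()
        for key in ("permissions", "optional_permissions", "host_permissions"):
            requested.update(p for p in data.get(key, []) if isinstance(p, str))
        # Content scripts gain page access through their match patterns.
        for script in data.get("content_scripts", []):
            requested.update(script.get("matches", []))
        findings.append({"id": ext_id, "name": data.get("name", "<unnamed>"),
                         "version": manifest.parent.name,
                         "risky": sorted(requested & RISKY)})
    return findings

def demo():
    """Audit a constructed profile holding two made-up extensions."""
    samples = {
        "a" * 32: {"name": "Approved Translator", "permissions": ["activeTab"]},
        "b" * 32: {"name": "Free Coupon Finder",
                   "permissions": ["cookies", "storage"],
                   "content_scripts": [{"matches": ["<all_urls>"]}]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in samples.items():
            version_dir = Path(tmp) / ext_id / "1.0_0"
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return audit_extensions(tmp, allowlist={"a" * 32})

if __name__ == "__main__":
    for f in demo():
        print(f["id"], f["name"], f["version"], "risky:", f["risky"])
```

Point `audit_extensions` at a profile's `Extensions` directory and pass the same IDs you approve in Chrome's `ExtensionInstallAllowlist` policy.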

 
