Online battlefield: Cyber attack vectors, part two

By Robert Tie, CFE, CFP

"Israel, all your base are belong to us," tweeted hacker group Anonymous when, in support of Gaza militants, it launched millions of cyber attacks against Israeli government and corporate websites in November. According to media coverage, the hacktivist offensive brought down more than 600 Israeli websites, deleted the databases of the country's Ministry of Foreign Affairs and the Bank of Jerusalem, and exposed more than 2,000 email addresses and passwords.

"With cyber-attack losses on the front page yet again, CFEs should reiterate to clients that tomorrow's headlines might report the theft or disclosure of their most valuable and confidential information," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber security firm in Sacramento, Calif.

"Such losses often have reputational, political or strategic consequences," he said. "But if management isn't equally mindful of a successful cyber attack's negative financial impact, information security will seem like a cost. In fact, it's an essential investment in organizational survival. Treating it as anything else is negligent."

An introduction to Butterworth's proactive recommendations on this subject appeared in the November 2012 Special to the Web article, "Cyber-Attack Vector? Who, Me?" This article continues that discussion.


"It's just WordPress," a company's overconfident system administrator recently told Butterworth after bringing him in to perform a routine security audit of the HBGary client's corporate system. (WordPress is a free and open-source blogging tool and content management system.) Butterworth had drawn the admin's attention to PHP blogging software files on the company's Web-connected server — an apparently harmless presence that in fact was cleverly concealing the means through which hackers were surreptitiously accessing proprietary corporate information. Unfortunately, by the time the client engaged Butterworth, its server had already been infected and its data stolen.

Coined in the 1990s, the acronym PHP is short for Personal Home Page — the versatile open-source scripting language whose English-like syntax non-programmers use to automate commands in their WordPress blogs and other web applications. Savvy hackers now hide powerful malware in WordPress PHP files — where only trend-aware security professionals would think to look for it.

"Blog-embedded malware is a new weapon in the hacker arsenal," Butterworth said. "But note that WordPress is not innately an attack vector. The vulnerability occurs when a company that has WordPress on its server doesn't properly configure it to resist hacker intrusions. Every organization should employ IT professionals who know how to detect and prevent such attacks. A company will get more than its money's worth; those staff members will be very busy."

Recent history bears this out. A media report quoted analysts from Kaspersky Lab, a global IT security consultancy headquartered in Moscow, as saying that as many as 100,000 WordPress installations were infected early in 2012 — 85 percent of them in the U.S.

Hackers reportedly loaded onto these blog sites programming code that silently redirected visitors to the hackers' servers, which detected the operating systems on victims' PCs and sent customized malware to do the hackers' bidding. Many of the infected computers were Macs. (Due to the soaring growth in their numbers, Apple users no longer are a niche community whose hardware and software hackers mostly ignore.)

Butterworth cited this example of a typical WordPress cyber attack.


Cyber criminals have a wide variety of motives and goals. However, CFEs can best serve their clients and employers by helping them detect and prevent hacker attempts to steal corporate information and sell it on the black market.

"Most hackers who misappropriate business information, such as credit card numbers, sell it to fraudsters who don't know how to steal it themselves," Butterworth said. "The hacker gets only pennies on the dollar — say, $500 for information on an account with $5,000 in available credit — but plays it safe by distancing himself from the fraudulent point-of-sale transaction. That makes it harder for investigators to trace the fraud back to the hacker, who makes a sizeable profit by performing thousands of such thefts by automated processes."


"The structure of a hacker attack generally corresponds with that of a non-technological financial crime," Butterworth said. "The fraudster plans the scheme, sets it up, executes it, keeps it going and reaps the benefit from it. Similarly, a cyber attack has the following five phases."

Phase 1: Reconnaissance. Most often, hackers do this by executing sophisticated Google queries using advanced search capabilities freely available on the search engine's home page. The sample WordPress query provided above illustrates this. The goal of such searches is to obtain a list of servers that are connected to the Internet and thus are potentially vulnerable to cyber attack.

Phase 2: Probing. Unlike the first phase, in which the hacker communicated with Google, here he communicates directly with servers. The hacker's objective in this phase is to determine whether those servers are vulnerable.

"The hacker will do this by attempting to confuse each server's login software and break into its system by disrupting the user identification process," Butterworth said. "Although the hacker's success rate is low, he still stands to profit greatly each time he gains unauthorized access."

Phase 3: Attack. This part of the scheme consists simply of proceeding into a vulnerable server's contents once the login process has been subverted.

"Usually, this results in nothing more than the hacker getting far enough into a company's system to demonstrate that the fraudulent access can be repeated at a later time," Butterworth said. "And that paves the way for the hacker to come back after work hours when employees have gone home, and it's unlikely that a system administrator is monitoring activity on the server."

Phase 4: Payload Delivery. "This is the stage when a hacker would install malware on the server," Butterworth said. "But if all he wants to do is break in, copy information and never come back, no installation would be necessary."

Phase 5: Exploitation. "Successful completion of this step is the hacker's ultimate goal: a theft or other fraud on a date some time well after the original break-in," Butterworth said. "By this point, the server activity log that recorded the hacker's initial break-in might well have been overwritten. The distance between the first entry and this one frustrates investigators and makes it harder to identify the hacker, who gets away with data and leaves little or no trail. Sometimes the victim is completely unaware its system has been hacked."


Butterworth encourages his clients to check and protect their server activity logs. In his experience, it's one of the most effective ways a company can detect and prevent cyber attacks. To illustrate certain aspects of this approach, he cites this article on InterActiveCorp's website.

"Another big problem is that many companies overwrite their server activity logs far too frequently — sometimes every week," he said.

Thus, all a savvy hacker has to do after his initial break-in is wait a few weeks before returning. He then gets what he wants without the victim company ever knowing who he is, where he's from or that he stole its hush-hush new business plan.

"CFEs therefore should advise clients to maximize the amount of storage available for server logs," Butterworth said. "The less frequently you overwrite them, the more information you have. In fact, many big companies archive their logs before overwriting them; smaller organizations also should consider doing this."

To illustrate various possible log retention policies, Butterworth cited this discussion on Microsoft's website.

Among other precautions Butterworth recommends is having system administrators examine server logs for tell-tale "probing" traffic that indicates hackers are trying to break into your system.

"Not performing such analysis is dangerous," Butterworth said. "It can reveal a lax server configuration that accepts traffic from high-risk regions where you have no economic interest. Surprisingly, even some small U.S. companies whose business is entirely domestic don't configure their servers to shut out activity from, for example, Eastern Europe, where much international credit-card fraud originates. Why take that unnecessary risk? There's no reward associated with it."

Analyzing server activity is a critical but tedious task that must be performed frequently and accurately. To meet that challenge, Butterworth cites this example of an automated application that creates detail and summary reports of visitor traffic to a Web site.


"Hackers are relentlessly methodical and persistent, and we must be, too," Butterworth concluded. "Automation enables them to continually carpet-bomb business and government websites with malware. A single break-in could shrink your client's bottom line by tens of millions of dollars. So use every hacker-related headline and incident to remind executives that cyber-attack prevention and overall digital security must always be top priorities."

Robert Tie, CFE, CFP, is contributing editor of Fraud Magazine and a New York business writer. 


The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to