Phishing with supply chains

Feb 25, 2016
Typically, criminals will be searching for the easiest way into your data systems – but have you ever considered if the weak link lies within your supply chain? By James Moore, Senior Security Consultant for Phish’d at MWR InfoSecurity.
The Financial Times highlighted the case of Target, the US retailer, whose systems were compromised by an attacker who got in using access that had been granted to a refrigeration and air-conditioning supplier. The criminals stole the details of more than 70 million customers, including the payment card data of 40 million card holders.

If you have tightened up your own act and policies – in terms of defending yourself against cyber attacks – you still have to look at the bigger picture. If you’ve educated every single one of your own staff about suspicious e-mails and weak passwords, that’s great – but it only makes it more likely that hackers will choose to target and attack you through your supply chain.

You know that the companies in your supply chain hold your data. But do you know if they protect it with the same care that you do? In the worst case scenario, they hold all of your data but with none of your protection.

Send the office manager an e-mail from a known office supplier – guaranteed success!

Lately we have been seeing a rise in phishing e-mails that come either from the (compromised) accounts of legitimate suppliers or from someone masquerading as a third-party supplier. With so much information about an organisation's employees available online, the most common way to exploit staff is a phishing e-mail that targets a specific user and tries to get them to click a link or open an attachment. The lure can be anything from a promised deal or offer to an e-mail that purports to be an invoice or a bank statement. Phishing assessments against employees have shown that as many as 60-90% of staff are susceptible to these attacks, which lets an attacker jump straight over the traditional security controls that so many organisations are still heavily investing in and relying on.

So how do you protect yourself? You have to think like the attacker who is targeting your own network. For example, how would you target the office manager? You would send them an e-mail that appears to come from a known office supplier, with a near-guaranteed chance of success. This is easy, because the information needed is usually published on the Internet, on your own 'Our partners' webpage or in staff LinkedIn profiles.

This modus operandi was first seen with APT actors targeting defence contractors for government intelligence; it is now spreading into the commercial world, where intellectual property can be lifted from your suppliers just as easily as from you.

If your data is held on third party systems, it is just as much at risk as on your own network. You need to consider the cyber defences which are in place there, just as thoroughly as you do your own. 

How do you extend cyber security to the third party suppliers that you rely upon?
You can phish them yourself (with their agreement, as part of an authorised assessment) or you can check that they have the necessary phishing and security awareness programmes in place. If you need to receive e-mails from third-party suppliers, train your own staff to look out for 'unnatural' and unusual e-mails: a supplier address that is almost but not quite right, a reply address that goes somewhere else, or a routine invoice that suddenly asks for new bank details. If you can extend that training to your suppliers' staff, it adds an extra layer to your defences.
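The checks described above can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not Phish'd or MWR code: it takes a constructed allow-list of supplier domains and a few constructed inbound messages, and flags the three ways an e-mail can falsely claim to be from a supplier (the genuine domain spoofed but failing DMARC, a look-alike domain, or a supplier's name in the display name with an unrelated sending and reply address). All domains and messages are hypothetical.

```python
"""Triage of inbound mail that claims to come from a known supplier.

Added example for this article, not MWR/Phish'd code. The supplier
domains, addresses and message texts below are all constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed allow-list: the domains your real suppliers send from.
KNOWN_SUPPLIERS = {"acme-office.example", "coolchain-hvac.example"}

# Character swaps commonly used to build look-alike domains.
_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common confusable substitutions."""
    d = domain.strip().lower()
    for bad, good in _SWAPS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> list:
    """Return the reasons this message deserves a second look (empty if none)."""
    msg = email.message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    auth = auth_results(msg)

    if from_dom in KNOWN_SUPPLIERS:
        # Genuine supplier domain: the only question is whether it really sent this.
        if auth.get("dmarc") != "pass":
            findings.append(f"From {from_dom} is a known supplier but DMARC={auth.get('dmarc', 'missing')}")
    else:
        for known in KNOWN_SUPPLIERS:
            if normalise(from_dom) == normalise(known) or levenshtein(from_dom, known) <= 2:
                findings.append(f"sender domain {from_dom} looks like supplier {known}")
            label = known.split(".")[0].replace("-", " ")  # e.g. "acme office"
            if label in display.lower():
                findings.append(f"display name '{display}' names supplier {known} but domain is {from_dom}")

    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the sender's domain {from_dom}")
    return findings


# Constructed sample messages (headers only matter for this check).
SAMPLES = {
    "legitimate": """From: "Acme Office Supplies" <invoices@acme-office.example>
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Subject: Invoice 4471

Please find the invoice attached.
""",
    "spoofed_domain": """From: "CoolChain HVAC" <billing@coolchain-hvac.example>
Authentication-Results: mx.victim.example; spf=fail; dkim=none; dmarc=fail
Subject: Overdue invoice

Pay today to avoid suspension.
""",
    "lookalike": """From: "Acme Office Supplies" <invoices@acrne-office.example>
Authentication-Results: mx.victim.example; spf=pass; dkim=none; dmarc=none
Subject: Invoice 4471 - updated bank details

Our bank details have changed, see attached.
""",
    "display_name": """From: "CoolChain HVAC Support" <support@mail-delivery.example>
Reply-To: coolchain.support@webmail.example
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Subject: Remote access credentials

Please confirm your VPN login via the link.
""",
}


def triage_all() -> dict:
    """Run every sample through assess() and map its name to the findings."""
    return {name: assess(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or "clean")
```

The allow-list approach only works if the supplier domains in it are the ones your suppliers actually send from, and the DMARC check only works if your gateway writes an Authentication-Results header you trust; both are worth confirming with the supplier rather than assuming.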

Testing through phishing is generally extremely useful: it enables you to analyse your business-wide susceptibility; it helps to sharpen your incident response processes and encourage users’ reporting of real-world phishing to IT; it tests password policies; and it helps you to understand your supply chain vulnerabilities too.

When considering cyber security, there tends to be a greater emphasis on the latest technology or the latest programmes, which are constantly evolving and updating. But practical employee security awareness training needs to happen frequently, in addition to the traditional awareness training most organisations already run. Disregarding this is dangerous, because once the technology has been bypassed, all that is left for the attacker to target is people.

In this modern world of ubiquitous connectivity and constant communication, your systems are only as strong as the weakest link – and that link may very well be in your supply chain.


James Moore

James Moore is Senior Security Consultant for Phish’d at MWR InfoSecurity, where he is responsible for delivering a suite of managed security services designed to measure, track and improve employee security awareness - including managed phishing campaigns, point-in-time employee security training and threat intelligence services. He also has a number of years’ experience as a senior penetration testing consultant (CREST CCT Apps & Inf) providing information security assurance to a range of firms from FTSE 100 to public sector.