How Do Hackers Breach Law Firms?

In our last blog, Why Are Law Firms an Attractive Target for Hackers?, we laid out the reasons why law firms get hacked – they are a one-stop-shop for valuable information and they are perceived to be an easy target, especially smaller firms with a less secure cybersecurity infrastructure.

 

So how do cybercriminals break into a law firm’s network? According to the Verizon Business 2020 Data Breach Investigations Report, attacks are primarily external and seek personal information or credentials (user names, passwords, etc). Phishing and social engineering are the easiest ways to get up-to-date credentials or personal information.

 

More sophisticated hackers can breach networks by exploiting known vulnerabilities in your network. Or, they can gain network access by hacking into one of your third-party vendors.

 

For the lucky hacker, employee error is also a factor in data breaches, whether accidental or intentional. The Verizon report indicates the professional services industry, which includes law firms, suffers 22% of their breaches at the hands of employees. However, this is less than North American companies as a whole, at 31%.

 

PHISHING

 

Phishing is usually carried out using emails, but text messages and social media are other avenues hackers use.

 

Phishing scams are increasingly difficult to detect since they appear to be legitimate messages and the embedded URL links take you to official-looking websites. Three telltale indications of a phishing scheme are:

 

• Messages that have an urgent or emergency nature; and/or
• Messages that take advantage of fear; and/or
• Messages that have awkward or grammatically incorrect language.

 

However, many phishing campaigns involve mundane or routine events. For example, the following is a sample of phishing attacks that have been successfully used to breach law firms.

 

• Malicious link claiming to be a software update
• Hackers posing as law firm executives and requesting W-2s for employees
• Warning that your Office 365 account is being deactivated
• Delinquent membership dues for Bar Associations
• Notification of a disciplinary complaint
• A last-minute change in money wiring instructions
• A notice to appear in court
• Invoice from “Quicken Billpay-center”
• Alert to change password
• Vendor request to change payment options
• File sharing services (Sharepoint, Dropbox, ShareFile, WeTransfer, Google Docs, and Egnyte) with malware-infected documents

 

SOCIAL ENGINEERING

 

Social engineering can take many forms and it’s often employed in phishing campaigns. Emails, texts, phone calls, or even a fake job application seeking an interview with your firm are techniques used by bad actors to fool your employees and gather more and more information to piece together ways to infiltrate your network.

 

Law firm websites are great for intelligence gathering. From attorney bios and significant verdicts to past and upcoming panel presentations, insight papers and news coverage.  Hackers can use that knowledge together with court records and information from social media accounts to craft highly-targeted and personalized messages that don’t raise suspicion. They may even impersonate a client, friend, or family member.

 

EXPLOITS

 

You’ve probably heard about the importance of patching, but didn’t give it much thought. Hackers regularly use known vulnerabilities in software as an entry point into your network. In fact, the breach we discussed in our last blog at celebrity law firm Grubman, Shire, Meiselas & Sacks likely was an exploit of their Pulse Secure VPN (Virtual Private Network) server, according to BankInfoSecurity.

 

The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert of the Top Ten Routinely Exploited Vulnerabilities and noted that unpatched VPNs, particularly Pulse Secure VPN and Citrix VPN, are top targets in work-from-home environment in 2020. So too are cloud collaboration services, such as Microsoft Office 365.

 

The Panama Papers hack is a stunning example of the devastating consequences of ignoring cybersecurity. The law firm, Moassack Fonesca, had many outdated and unpatched systems that made them a sitting duck. Ultimately, the hackers were able to take advantage of known vulnerabilities with working exploits in outdated and unpatched versions of Drupal and Revolution Slider, a WordPress plugin.

 

VENDORS

 

Any third-party vendors your firm uses represent another attack vector for your network. We mentioned the data breach of 193 U.K. law firms in our last blog that was the result of a software security flaw in a legal documentation product from Laserform Hubs, owned by Advanced Computer Software Group Limited (and also reported in the Financial Times).

 

Cybercriminals will always attack the weakest link in the supply chain, so even if your firm has a nearly impenetrable network, you may still be vulnerable if a vendor has a weak cybersecurity posture.

 

INSIDER THREAT

 

Many data breaches are simply the result of human error. It can be sending sensitive information to the wrong person or failing to shred confidential documents that end up in the wrong hands.

 

Losing or failing to secure devices such as laptops, tablets, smartphones, and thumb drives are another way that employees put your firm’s data at risk. Likewise, your network is vulnerable when employees log in remotely using public WIFI as well as their home WIFI.

And, while we don’t like to think there are any bad actors in our firm, there is also the possibility of an employee intentionally leaking, stealing, or deleting client data for reasons such as revenge, financial gain, blackmail, or even mental instability. Fortunately, malicious insider threats are not very common.

UP NEXT

 

In our next blog, we’ll look at the ramifications of a data breach for your law firm.

 

UNTIL THEN: What Does 756 Gigabytes of Data Look Like?

 

Back to our last blog and the Grubman breach/ransomware attack. The hackers stole 756 gigabytes of data including “contracts, agreements, NDA, confidential information, court conflicts [and] internal correspondence with the firm.”

 

Given the different categories of data, it’s hard to quantify how many printed pages would result from 756 GB. For example, 1 GB would be roughly 100,000 pages of email, nearly 65,000 pages of Word files and almost 15,500 pages of images.

 

For reference, there are approximately 250 sheets of paper in an inch, so a foot would be 3000 pages. That makes a stack of 100,000 pages of email approximately 33 feet. Let’s look at some examples to visualize data amounts, assuming it is all printed email.

 

• 1 GB of printed email would be as tall as the columns of the Lincoln Memorial (we finally got to the headline reference!). But, there’s more. It would also stack up to Bebot in Philadelphia, the Trans Am Totem in Vancouver, the Looking Up sculpture in Austin, and the world’s largest office chair in Anniston, Alabama.
• 500 GB of these pages (16,500 feet) would just surpass the elevation of Ecuador’s Tungurahua Volcano at 16,480 feet.
• 750 GB of hardcopy emails would reach the top of Skyang Kangri in Pakistan, the world’s 36^th highest peak at 24,750.
• 1000 GB or 1 terabyte of email pages would get you to a cruising altitude of 33,000 feet, or the distance Vesna Vulovic fell from an exploding airplane without a parachute in 1972…and lived!
• The Panama Papers hack we mentioned earlier resulted in the leak of 2.6 TB of data. That’s 2,600 Bebots!