The answer to the title question is “psychology and access.” Many forget that cyber-attacks are equal parts mental manipulation and digital execution. Cyber-criminals use psychological theories to force ransomware payments, namely “hubris syndrome” (ego), authority bias, and reptilian instincts. And with so many upper-level managers strictly reliant on third parties for cybersecurity guidance, cyber-criminals are aware of this lapse in knowledge and extort it.
Like any physical trait, the larger a person’s ego, the larger the target and the easier it is to hit. Professional egos are built from positions of power and the reinforcement of positive acclamations from subordinates. Sometimes referred to as a personality disorder, “Hubris Syndrome” is the darker side of positive reinforcement, in which a person develops blind pride, overconfidence, impulsivity, and a disdain for any seemingly contrarian thought.
Authority bias occurs when someone only listens to a specific person because of his/her position – not because of his/her subject-matter expertise. Often, the existence of actual subject-matter expertise is totally ignored. And when coupled with Hubris Syndrome, cyber-blind executives tend to reinforce each other’s complacency on such an important topic.
The reptile theory refers to a psychological strategy that attempts to use fear and anger to encourage the subject to embrace knee-jerk reactions in furtherance of its own safety and security. Coupled with “Hubris Syndrome,” the reptilian portions of the brain encourage cover-ups (Uber…), denial, and poor judgment.
Despite daily news warnings of successful and pending acts of cyber-crime (Example: FTC reports U.S. Consumers lost $770M in social media scams in 2021), psychological traits still cause poor decision making at the top tiers of business and government.
Recently reported by BleepingComputer.com, a new campaign called “OiVaVoii” targets c-suite executives by hijacking the individual’s Microsoft Office account through “OAuth” applications disguised as legitimate tools. The malicious “OAuth” applications use the Microsoft logo, and if the user attempts to select cancel (and not agree to the launch of the application), the consent prompt constantly reloads itself in a “Rick Roll” style loop until the user acquiesces.
While Microsoft is aware of and battling the tactics, the issue is ongoing. The campaign is delivered to victims through basic phishing emails carrying malicious applications that steal login authentication data (credentials). Once credentials are stolen, the attacker can digitally impersonate the executive, infiltrating the rest of the business’s network, stealing data and trade secrets, sending commands to subordinates, or launching ransomware.
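The defensive counterpart to the campaign described above is reviewing which OAuth apps your users have already consented to. The following is an added example, not code from the article or from BleepingComputer: it scores consent grants on the signals the campaign relies on (an app with no verified publisher hiding behind a familiar name, broad mailbox scopes, and consent by a high-value account). The record layout, the scope list, and the sample apps and users are all assumptions constructed for this example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Delegated scopes that hand an attacker the mailbox, files or a long-lived
# refresh token; an assumed starting set, extend it for your own tenant.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "offline_access",
                    "Files.Read.All", "Files.ReadWrite.All"}

# app_id -> (display name shown on the consent prompt, verified publisher or None)
Apps = Dict[str, Tuple[str, Optional[str]]]
# (client app_id, consenting user, space-separated delegated scopes)
Grant = Tuple[str, str, str]


def risky_scopes(scope: str) -> Set[str]:
    """Scopes in one grant that expose mail, files or refresh tokens."""
    return set(scope.split()) & HIGH_RISK_SCOPES


def flag_grants(apps: Apps, grants: List[Grant], executives: Set[str]):
    """Return (app name, user, reasons) for consent grants worth review."""
    findings = []
    for app_id, user, scope in grants:
        name, publisher = apps.get(app_id, (app_id, None))
        reasons = []
        if publisher is None:
            reasons.append("no verified publisher")
        scopes = risky_scopes(scope)
        if scopes:
            reasons.append("high-risk scopes: " + ", ".join(sorted(scopes)))
        if user in executives:
            reasons.append("consented by executive account")
        # One signal alone is noise; two or more is the consent-phishing pattern.
        if len(reasons) >= 2:
            findings.append((name, user, reasons))
    return findings


# Constructed sample data, not real tenant records: a verified app and an
# unverified look-alike whose name is invented for this example.
SAMPLE_APPS: Apps = {
    "app-legit": ("Contoso Expense Tool", "Contoso Ltd"),
    "app-lure": ("Upgrade", None),
}
SAMPLE_GRANTS: List[Grant] = [
    ("app-legit", "cfo@example.com", "User.Read"),
    ("app-lure", "ceo@example.com", "User.Read Mail.ReadWrite offline_access"),
    ("app-lure", "intern@example.com", "User.Read"),
]
EXECUTIVES = {"ceo@example.com", "cfo@example.com"}

if __name__ == "__main__":
    for name, user, reasons in flag_grants(SAMPLE_APPS, SAMPLE_GRANTS, EXECUTIVES):
        print(f"REVIEW {name!r} consented by {user}: {'; '.join(reasons)}")
```

In a real tenant the same check runs over an export of service principals and their delegated permission grants; restricting user consent to verified publishers and low-risk scopes in the first place removes the loop the campaign depends on.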
With the press releases, LinkedIn titles/announcements, and websites identifying the leadership of the business, it is extremely easy for cyber criminals to identify the best targets: C-Suite Executives. Without knowledge of indicators of compromise, the authority bias, ego, and reptilian instincts make executives perfect candidates. Furthermore, executives are rarely, if ever, subject to access controls within a business’s network like other employees.
For example, a company receptionist should only have access to contact lists within the business, human resources policies, organizational charts, and basic Microsoft Office applications. Therefore, phishing a receptionist will give the attacker very limited access to the network and no administrative controls. Also, a receptionist is more likely to have attended cybersecurity and anti-phishing training and may be more alert to potential compromises.
A C-Suite Executive perhaps skipped the training seminars and can access every portion of the business’s network. And, once the executive realizes something is amiss, he/she is more likely to try to “remedy” the issue him/herself.
Fortunately, times are changing in terms of increased attention to cybersecurity at the upper-echelons of business and government.