If you work in the legal sector there could be bad news lurking just round the corner. Law firms are not only coming under increasing scrutiny from cyber-criminals keen to tap potentially lucrative client data, they’re making the hackers’ job even easier. A new report has revealed over one million email addresses and passwords linked to the UK’s top 500 law firms — all available on hidden corners of the web.
IT leaders need to get a handle on this now before GDPR regulators come knocking, or there could be some very serious fines heading their way.
One million problems
The study from threat intelligence firm RepKnight was compiled by scouring the dark web and paste and dump sites for 620 domains linked to the law firms in question. They were chosen from lists compiled by reputable sources such as The Lawyer, Law360 and others, and even include elite Magic Circle players. After just a few minutes of number crunching, RepKnight had found 1.16m email addresses — an average of 2,000 per firm. Even worse, 80% had an associated password, either stored in cleartext or hashed with a crackable protocol.
To be clear, these credentials weren’t available on underground crime sites because the law firm in question had been breached. Instead, an employee had previously used them to register with a third-party site, such as LinkedIn, which was subsequently breached. Some credentials may well be out-of-date by now, but the majority were posted to the dark web and data dump sites within the past six months.
This is bad news on several fronts. Even with an email address, an attacker could craft a convincing spear-phishing email designed to trick the user into handing over their password, or else installing data-stealing malware without their knowledge. If the hacker gains both password and email, and the password also works for the corporate network, they have the virtual keys to the kingdom: access to a trove of sensitive client data.
That’s not to mention the risk of Business Email Compromise (BEC). Typical “CEO fraud” works by the attacker tricking a recipient in the finance department into wiring a large sum of corporate funds to a third-party account. If the attacker were able to hijack a CFO’s or partner’s mail account, they could craft a highly convincing money transfer request. It’s a tactic which is netting cyber-criminals big bucks: Trend Micro predicts total BEC losses will grow to $9bn by the end of 2018.