“Hackers wouldn’t waste their time hacking my business. It just isn’t big enough.” This is the kind of thinking I often encounter when I talk to businesspeople with small to medium-sized firms. They often have simple antivirus protection, firewalls, and sometimes use VPNs. For the most part, they are completely unconcerned about a cyber attack. They think hackers are only interested in the big companies or organizations.
To some extent, they may be right. Most hackers are after either money or information. If you don’t have much of either, hackers may not waste their time organizing a major attack on your business. True, your business could be victimized by the random phishing attack that compromises an employee, but you may not be a major target. However, this is no reason to be complacent. There are times that businesses with seemingly little to offer can still become prime targets.
If a small or medium-sized business has clients or suppliers who are big companies or institutions, then these small or medium-sized businesses can have a targets on their backs. This is because attackers may be able to leverage these connections to attack those larger enterprises. It is much easier, for example, to have a phishing email get through a network’s defenses if it appears to come from a known supplier or client. That’s what happened in both the Target and Office of Personnel Management (OPM) attacks, as well as many more.
But a small or medium-sized business doesn’t even need connections to major companies to be attractive to hackers. If the business involves the transfer of large sums of money, then cyber criminals will want to find a way to get in on the deal. This is what is currently happening in the real estate business.
Here’s why real estate agencies, agents, and their clients are so attractive to hackers.
1. Multiple endpoints
Real estate agents need to be accessible to potential clients. Accessibility means they have to be easy to contact by cell phone, office phone, and email. When these accessibility points (smartphones, tablets, computers) are connected to a firm’s network, they qualify as endpoints. With multiple salespeople, management, and technical personnel all connected to the same network, a company’s security is only as good as its least protected link. In other words, the term, ‘multiple endpoints’, is synonymous with multiple potential vulnerabilities.
2. Financial Benefits
As I mentioned above, hacking for financial gain is a main motivation for hacking. A lot of money is moved around when buying a home or other property. For many people, this is the biggest financial transaction of their lives. That being the case, it is little wonder that hackers would target real estate agencies, their workers, and their clients.
3. Greed Outpaces Fear
That’s probably the most direct way to state this vulnerability. Hackers realize that real estate agents are battling it out for clients. If an agent gets an email that seems to be from a potential client (that is, it seems to have face validity) the chances are better than 50-50 that they won’t throw it into the trash bin. Their desire for financial awards would overpower the logic factor in their brains (see Phishing with Naked Women and Romantic Lures ). In other words, greed lowers the normal caution levels.
4. One Worker, Multiple Firms
Keep in mind that real estate agents may work for more than one firm and may have their own private firm as well. This means there is a lot of personal information out there to be mined by a clever attacker. The more information available, the easier it is for a hacker to craft a believable phishing email.
Designing a Phishing Email to Con Real Estate Agents
In order to demonstrate the point that personal information about real estate agents is readily available, I tried to find out all the information I could about a particular agent. I could then use this information to design a phishing email that could circumvent network security and the agent’s suspicions. In other words, the email would appear to be a valid correspondence. I was just doing what a hacker would do to get control of an agent’s transactions.
To this end, I initially stacked the deck against myself by choosing a firm that had already been hacked, Re/Max. I figured that, because they were recently hacked, they would have the best security in place. I chose their New York office because it would give me more agents to choose from. Most agents had profile pictures, which was good because I was going to use profiling to choose my victim. Profiling is based on stereotyping and, before you say anything, hackers aren’t going to care if they are politically correct. They are simply playing the odds. Based on profiling, I wanted to choose a middle-aged female because I would expect them to be the least knowledgeable on cyber security matters. I may be completely wrong, but, as a hacker, I have to play the odds.
So I chose my victim, who will be unnamed here. This is the useful information I found about her:
Her cell phone and office number
Her home address
Her cell phone provider
Her voice mail message
Her Facebook site with almost 200 friends/family
The name of her husband/boyfriend
Her email address
The languages she could speak
Where she went on vacations.
Now, armed with this information, I was ready to construct my phishing email.
Of course, what I really needed was her email address. This was not as easy to find as I thought it would be. Yes, the firm had a contact form I could fill out, but this would ask me for my name and email address. I could create a false identity and email on, for example, Yahoo. I could add a note on the contact form stating that I needed more information on a particular property that was being advertised. This might look valid enough to begin a conversation with my victim and, hopefully, would eventually allow me to get an email address. Once I gained her confidence and was accepted as a potential client, I could then send an email with some sort of attachment. The attachment would be a file with a seemingly valid name like, ‘Photos of some homes I’m interested in’. Of course, also included in the attachment would be malware which would install itself on her computer and give me complete control of it. My goal is to get her passwords and have complete control of what goes on in her mailbox.
I could do this, and even more, if I had her personal email. Then I could pretend to be one of her Facebook friends. In this case, however, my email name would have to show some connection with the name of the friend. I could also include references to mutual friends or activities/interests that I learned about when I got personal details about her. All of this may lower her suspicions. If I included some family photos as an attachment, I could be pretty sure she’d look at them. I could also begin my attack, posing as a friend, by creating a false Facebook page. This page would have the friend’s stolen photo and name (or a close variant of it). Through this false profile, I could send her a message through Facebook, asking for her email address so that I could email her something. Ideally, I would like both her business and personal email. This is because some agents will use both for business purposes, even though their agencies may warn against this.
Let me give you an example of what can be done with a hacked email account. This is what happened to a Canadian woman when her Re/Max agent’s Gmail account was hacked last year. The woman had been communicating with the agent on a home she was purchasing. After the deal was concluded in person, the woman got an email from the agent asking her to transfer $10,000 into the agency’s account. Unfortunately for the woman, the account number given for the transfer belonged to a hacker who had been secretly watching the history of this real estate transaction all along via their email correspondence. Once the attacker saw that the deal was finalized, he/she asked for the money transfer. The agency refused to take responsibility for the loss and the woman was $10,000 poorer. By the way, the agent’s Gmail address is still readily available.
There have been a number of these scams surfacing, enough so that the Rhode Island Association of Realtors has issued a warning about the scam to all of its members. Other attacks may have occurred without either the agent or client realizing it. After all, the client just assumes they transferred funds into the agencies account and the agency knows nothing of such a transfer. If the client asks for verification, the hacker could send that without the agent even knowing that their email is no longer in their control.
The National Association of Realtors (NAR) gives the following warnings to realtors in the face of these current attacks. First, they recommend realtors “create, maintain, and follow a comprehensive Data Security Program”. Well, that’s kind of a no brainer. Second, “implement good email practices. We are increasingly hearing about data breaches resulting from a hacked email account. Therefore, it’s important for all email users to change passwords on a regular basis and to use complex passwords that would be difficult to guess.” Sure, that’s fine if the attacker got into your account by guessing your password. However, if they have a keylogger installed on your device, they will simply wait for you to type in your new password. Third, “be paranoid. If an email, phone call, or social media posting looks suspicious, it probably is best to avoid engaging. If a member thinks a breach has occurred, then all affected or potentially affected parties, as well as proper law enforcement, should be notified as soon as possible.” This is probably good overall advice, but it’s easier said than done. If an agent is as paranoid as they are suggested to be, they may not get any clients at all.
To be perfectly frank, real estate agencies, their employees, and their clients are the low-hanging fruit of the hacker universe. If there is any business that needs to invest in the best security, it is the real estate business. At this point in time, real estate hacks are in their infancy. In other words, you can expect them to mature and multiply over time. Let the buyer beware.