Hacked! Crooks are Grabbing Nonprofit Websites and Demanding Ransom
March 30, 2017 Andy Segedin
Joy O’Neal, executive director of The Red Barn, received an unexpected telephone call from her brother early one April morning in 2015. He had been out with a friend and talking about the Leeds, Ala.- based organization, when they visited the website. It had been hacked and taken over by a terrorist sympathizer group.
The organization was not specifically targeted, according to O’Neal. The server The Red Barn’s site and others was located on was attacked and all of the websites were affected. By coincidence, a story about two area students becoming radicalized was receiving national attention. Local news organizations sensationalized the hack, O’Neal said, making it seem as if the Christian nonprofit was targeted by a radical Muslim group. Supporters remained firm, understanding the situation.
The hosting company was able to quickly take the website down. O’Neal’s concern was that someone would Google the organization and see information that didn’t represent it. That left The Red Barn without a website. Complicating matters was that the organization was preparing for a fundraising concert, with people buying tickets and checking for information online.
O’Neal conceded that The Red Barn, which aids those with emotional, cognitive or physical disabilities by using horses, has always been a low-tech operation. As she endeavored to pick up the pieces and rebuild the site, some asserted that there should have been more security on the site — a notion that O’Neal countered with the fact that government agencies and major corporations have also been victims of hacks.
“We didn’t do anything wrong,” O’Neal said. “Even our hosting place didn’t do anything wrong…This is a risk we all live with in today’s day and age.”
The Red Barn has high-level peers when it comes to security concerns. NetHope is a connector with 50 of the largest international organizations in the world. All of the 50 have staff dedicated to organizational technology and leaders overseeing such work. Yet when group members meet, the single most talked about topic is security, according to David Goodman, chief information officer in residence.
Most nonprofits do not have dedicated information technology (IT) security staff, according to Goodman. Such duties are typically tacked onto a staffer’s other chores. Existing security frameworks can also be cumbersome for organizations lacking staff members who are tech-savvy. NetHope is in the process of developing a security framework designed for easier use. Goodman said that NetHope will publish the framework when completed and will seek both audit partners to identify potential gaps and those looking to adopt it.
Another challenge facing nonprofit workplaces is the consumerization of technology. A few decades ago, technology served business. These days an employee can waltz into an Apple store and walk out with better technology than they can find at their workplace. There is a desire to have that same high-level capability on the job.
Organizations have to adapt, Goodman said. Applications such as the Google toolset and Box can be embraced, perhaps with enterprise-levels purchased to ensure more organizational control. Consumerization can also mean that staff members walk around with sensitive organizational information on their phones, subject to potential compromise if stolen.
“When you blur the line between your personal technology footprint and your work technology footprint, you do raise issues that can be complicated,” Goodman said.
Oxfam is a large international organization taking a long, serious look at security. There are 19 Oxfams throughout the world, according to Jim Daniell, chief operations officer at Oxfam America. Each has its own threat levels and security needs. In the U.S., it might be credit card scams. In war-torn areas overseas, laptops might be stolen at gunpoint and politically comprising material might be specifically sought.
Two common exposures at the moment are ransomware and determined actors. Ransomware lures users into clicking on an attachment that locks up systems. Daniell referred to it as a multi-billion dollar industry in which there is honor among thieves, with systems unlocked in exchange for a payment — typically a few hundred dollars.
Powerful, determined actors offer a larger, more sinister exposure in which specific targets are sought. About 1.5 million trojans and pieces of malware are created every day, according to Daniell. The reality is that determined actors cannot be stopped and priorities must then switch to anonymizing data and detecting breaches that have occurred. Oxfam tries to lean on its partners. Box, for instance, is used for file-sharing and has very good security provisions, such as security at rest. That means that files are always encrypted to the point where not even Box can see them.
“The simplistic view is that the walls we build are high and thick. The second you assume that you are at risk,” Daniell said. Technologies are constantly being developed to get past firewalls so having additional layers of security inside firewalls has become of great importance. Oxfam donor records, for instance, are on a separate subnet. If a determined actor were to break through the firewall and search around they’d be unable to access the information. Files in Box cannot be accessed even if a computer has been hacked. “If the company we are using can’t see the data, they can’t give it to anybody — even if a government tells them to,” Daniell said. “If a laptop is stolen, they can’t see it.”
Intrusion detection is another layer of security that enables users to know whether there has been a breach and passwords should be reset. The technology is very expensive and not used by Oxfam. Daniell advises employees to regularly change passwords, never reusing old ones and making each different by more than a few characters.
“It’s like the shores of this war are spilling onto us,” Daniell said of cyber security and cybercrime against nonprofits. “The next two or three years will really be about circling the wagons…I feel like we’re the poor townspeople who can’t protect ourselves. We need a gunfighter and I don’t know where to find that person.”
Back down in Alabama, leaders at The Red Barn had to act quickly. O’Neal purchased a new domain and rebuilt the site within three days. She leaned on a volunteer who built the first website several years ago. O’Neal knew how to edit the site but everything was static. She had no idea about servers or where the site was hosted.
Though only a few years had passed, 2015 was a different time in terms of personal technology, O’Neal said. Creating a website wasn’t nearly as complicated and so she built the new site using GoDaddy’s platform that blocked third-party widgets, the source of the terrorist group’s hack. If there is one thing that O’Neal would recommend to other small nonprofits it would be to build the website themselves, she said, leveraging existing technology rather than trying to start from scratch.
O’Neal also recommends the WayBack Machine – a pay-as-you-can service that periodically screenshots webpages. Using the service, O’Neal didn’t have to reinvent content when she rebuilt the website, simply copying from previous versions of the site. “If we can do it, I think others should be able to do it as well,” O’Neal said of rebuilding the site.
The Utah Food Bank (UFB) in Salt Lake City had a similar scare during the summer of 2015. The food bank was experiencing a spike in donation volumes during a summer campaign. The company that oversees the organization’s web traffic found that the personal information of about 10,000 supporters, representing about 8 percent of the organization’s total file, had been compromised. It was never found whether the information fell into the wrong hands, according to Kent Liston, chief financial officer.
Liston, IT Director Jacob Buhler and others quickly worked with UFB’s web hosting company and internally analyzed the situation. They next reached out to UFB’s insurance company concerning its cyber policy. The policy ended up being quite valuable, he said, both in relieving some of the financial burden of the hack as well as placing the organization in contact with attorneys and technology experts well versed in such situations.
Though there were initial questions as to why a food bank would be targeted, Liston said that he quickly came to learn that such hacks are perpetrated by robots who do not see information as having belonged to the food bank, but rather a vulnerable IP address. Donors remained supportive, Liston said, both due to a dedication to the food bank’s mission and, perhaps, because the public has become callused to such events.
Still, Liston stressed the importance of avoiding another hack. “The security of our donors’ information is our top priority as they would be less forgiving if another incident were to occur,” Liston said.
UFB added PayPal for donations so that supporters wouldn’t have to input sensitive information directly on the organization’s site. A new website was launched in February, a project that was 18 months in the making and culminated with the organization leveraging nonprofit tech-provider Blackbaud’s donation platform. Information security executives were sought and an ad hoc committee was developed under the food bank board’s finance and audit committee, allowing for a more informed, close look at organizational operations. Buhler has also worked with an operations technology group during Feeding America’s conference as a means of both sharing lessons and best practices.
One of the biggest developments has been the implementation of an alien vault. In response to the frustration of being compromised without knowing it, the committee suggested implementing the vault — which essentially monitors website servers and logs traffic. Buhler recommended hiring a vendor to do such work if it is impossible to do so in-house. “It alerts you in real time what could be suspicious,” he said. “It filters through volumes of data and creates alerts.”
MasterCard works with businesses and nonprofits on security measures. Its Mock Retail Cyber Hack initiative has been one such way of helping, according to Ron Green, chief security officer. The sessions are intended to present a simulation of the realities associated with a hack and problems and questions participants should anticipate including engaging forensic companies and law enforcement. MasterCard will be rolling out the initiative on a global scale this year.
Nonprofits tend to struggle on the resource side when it comes to cyber security, Green said via email. Security can be just one of many hats a nonprofit employee wears despite such responsibilities requiring a full-time commitment. Businesses are no more focused on security, but generally have a greater opportunity to budget for support, he said.
In the oft-occurring scenario that a nonprofit can’t afford hiring a staffer dedicated to security, Green recommends seeking grants to cover expenses or working with a board member to establish connections and recommendations. Searching for grants of time, as opposed to dollars, is another path as nonprofits might be able to leverage the expertise of large companies such as MasterCard.
Basic steps nonprofits managers can immediately take include educating staff on potential threats and to be wary of what they click. Adopting a security framework is another way of creating some stability. Green recommends the NIST Cybersecurity Framework that allows organizational leaders to identify an appropriate level of security and then, if desired, move onto a harder level once standards are met.
Attackers might try different fraudulent strategies between businesses and nonprofits, but the cyber methodologies remain unchanged. Resources and attention paid to security can make nonprofits at greater risk, however. “Nonprofit organizations could be easier targets due to a lack of resources and expertise as they tend to invest less in this area,” Green said. “There needs to be more investment and recognition given to the threats they face.”
One of the common misconceptions nonprofit managers have about data security, particularly those running smaller organizations, is focusing on end-point protection, according to James Franklin, chief executive officer of TechBridge in Atlanta, Ga. The majority of attention is paid to devices and virus protection when the most important protection against hacks are the employees using the devices. About 70 percent or more of security lapses is a result of user action, he said, yet few nonprofits base security measures around employee best practices.
“Many executives within the nonprofit industry believe that they can buy something to make the problem go away,” Franklin said. “There is nothing you can buy to make your organization secure, especially on the budgets in the nonprofit sector…Security is an arms race. The nonprofits don’t have the budgets to participate in that arms race.”
The three most prominent kinds of attacks at the moment can all involve user action. Bitlockers is currently the biggest issue, Franklin said. An employee can click on an attachment and a trojan propagates and locks up the entire organizational system. Phishing attacks, which access passwords, are the next most common.
Finally, social engineering attacks — which involve a robot posing as a co-worker or superior — have become popular in the past two years. An employee, for instance, might receive an email from what seems to be the organization’s controller requesting a wire transfer. The robots used by hackers now are able to scan individual’s LinkedIn pages and send emails with a high level of authenticity, Franklin said.
Franklin provided three key best practices to facilitate better organizational security. First and foremost is to move to cloud-based platforms that are free or of low cost to nonprofits. In essence, moving to the cloud allows nonprofits to outsource a big part of its security needs to leaders in the market such as Google and Salesforce, leveraging the technologies of those who have the budgets and resources to combat evolving threats.
Second, Franklin suggests building policies around the use of mobile devices and laptops – particularly concerning what kinds of equipment are permitted to have access to organizational systems.
It is important to let staff know that security starts with them and periodically follow up with information and examples. “When we get phishing emails, I’ll send the actual phishing attempt to the staff — ‘Here is an example of what you should be looking out for,’ really baking it in,” Franklin said. “‘Bob in accounting got this email, this what you should be worried about.’ As opposed to yearly meetings, sprinkle it throughout.”