Hackers and phishers see charities as 'soft targets'

Malicious hackers are exploiting charitable organisations because they have precious few resources to spend on information security or compliance measures.

Always looking for an easy target, hackers and other digital criminals who normally target banks and other large organisations are increasingly turning their attention toward charities.

The most dramatic example came at the end of June, when attackers stole personal details belonging to 8,500 members of the Columbia Triathlon Association, a small U.S.-based charity, and posted the information on a hacker website.

Jacques Erasmus, director of malware research at security company Prevx, who analysed the attack, said: "TriColumbia.org was hacked via SQL injection and RFI file inclusion. The hackers managed to get in and dumped the entire database and made it available online."

The database contained names, addresses and also site passwords in encrypted form, which Erasmus said could be easily cracked. While it contained no credit card details, he said the information could be used for spear-phishing attacks -- targeted emails that look convincing because the sender appears to know a lot of personal detail.

PayPal account holders could also be threatened. "The charity supported PayPal payments and I would guess that statistically about 1,000 of the 8,500 people affected use the same password for the site as for PayPal," Erasmus said.

He said smaller organisations, such as charities, are now being targeted because they lack the resources to protect themselves effectively.

"You hear about TJX getting fined, but in my opinion, the biggest risk is from these smaller organisations. They are not spending money on being compliant and they are a soft target to the hackers," he said. "I have seen several charities hacked before, but this is the first I've seen where the hackers have taken the information and made it available to the underground. Those details are being used by really bad people, and this will happen more as [attackers] realise that charities are saving crucial information on their systems."

Brian Shorten, head of security at Cancer Research, agreed that many small charities are vulnerable to attack. Shorten recently founded a special interest group, the Charities Security Forum, to try to spread best practices, but says that many charities are still unaware of the risks. "In a lot of cases, they don't have anyone dedicated to security, and many have not even heard of PCI, for instance," he said.

Martyn Croft, head of information systems at the Salvation Army, said phishing attacks are a particular problem for charities because they play on the sympathy of donors.

"These guys are really on the ball, they wait for a disaster to happen and then push out their phishing emails. Something bad has happened so it pulls on a different set of strings [compared to bank-related phishing emails]," he said. "When people respond they are taken to a spoof website where the hackers try to harvest the details.

"When people are being exploited it is doubly damaging. The donors lose and so do the intended recipients. It's something we should be on top of as charities, but I'm not sure we are."

Another growing problem for charities is that criminals use their donation websites to test the validity of stolen or generated credit card numbers. By attempting a tiny donation with each number, attackers can determine whether a card is valid. If it is rejected, they keep going through their list until a donation is accepted. Once a valid card is identified, they can use it for a more valuable purchase.

"They use us as a free card clearing facility, but we have to pay for our card verification service," said Croft. "They piggy-back on it. We accept anonymous donations, and we don't need a delivery address, so it is very difficult to spot."
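As an added illustration (not part of the original article, and not any charity's actual system), the card-testing pattern described above can be surfaced from donation logs by looking for a single source that tries many different cards with small amounts and is mostly declined. The log fields, the choice of source IP as the grouping key, the thresholds and the sample records are all assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample attempts: (timestamp, source IP, card fingerprint, amount, outcome).
# The fingerprint stands for a processor token or hash, never the card number itself.
SAMPLE_ATTEMPTS = [
    ("2024-01-01T09:55:00", "203.0.113.20", "card-x", 25.00, "approved"),
    ("2024-01-01T10:00:00", "198.51.100.7", "card-a", 1.00, "declined"),
    ("2024-01-01T10:00:40", "198.51.100.7", "card-b", 1.00, "declined"),
    ("2024-01-01T10:01:00", "203.0.113.45", "card-y", 2.00, "declined"),
    ("2024-01-01T10:01:20", "198.51.100.7", "card-c", 1.00, "declined"),
    ("2024-01-01T10:01:30", "203.0.113.45", "card-y", 2.00, "approved"),
    ("2024-01-01T10:02:00", "198.51.100.7", "card-d", 1.00, "declined"),
    ("2024-01-01T10:02:40", "198.51.100.7", "card-e", 1.00, "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back period per source
MAX_DISTINCT_CARDS = 3          # assumed: more cards than this in one window is unusual
SMALL_AMOUNT = 5.00             # assumed ceiling for a "tiny" donation
MIN_DECLINE_RATIO = 0.5         # assumed: at least half of the attempts fail


def find_card_testing(attempts):
    """Return {source: alert} for sources cycling through cards with small donations."""
    recent = defaultdict(deque)  # source -> attempts still inside the window
    alerts = {}
    for ts, source, card, amount, outcome in sorted(attempts):
        if amount > SMALL_AMOUNT:
            continue  # card testing uses the smallest donation the form allows
        now = datetime.fromisoformat(ts)
        window = recent[source]
        window.append((now, card, outcome))
        while now - window[0][0] > WINDOW:
            window.popleft()  # drop attempts older than the window
        cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, o in window if o == "declined")
        if len(cards) > MAX_DISTINCT_CARDS and declines / len(window) >= MIN_DECLINE_RATIO:
            alerts[source] = {
                "distinct_cards": len(cards),
                "declines": declines,
                # Cards that passed are the ones at risk of a larger fraudulent purchase.
                "approved_cards": sorted({c for _, c, o in window if o == "approved"}),
                "last_seen": ts,
            }
    return alerts


if __name__ == "__main__":
    for source, alert in find_card_testing(SAMPLE_ATTEMPTS).items():
        print(source, alert)
```

A donor who mistypes a card and retries (the `203.0.113.45` records) is not flagged, because only one distinct card is involved; the approved cards listed in an alert are the ones worth reporting to the card processor.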

Croft said that as the banks have tightened their security, the charities are increasingly being seen as a soft target for criminals. And that is unlikely to change, according to Shorten.

"We are getting better at security, but we'll never be as good as the banks. We don't have the resources, or indeed the drivers, because we don't have the assets to protect. We don't have lots of money, we don't have trade secrets, and we're not doing mergers and acquisitions. And we don't have the same level of regulation as the banks."

Shorten said that without regulatory compliance, it is hard to get money to spend on security. As a former employee of WorldCom, he admitted, "I never thought I'd miss Sarbanes-Oxley, but it meant that I could go to senior management and say 'we must do this or we'll be punished'."

But he said the introduction of the Payment Card Industry Data Security Standard (PCI DSS) has made people concentrate on security.

"It has given them a deadline to meet. If charities can't take credit cards, it would be a problem."
