author photo
By Bruce Sussman
Tue | Sep 29, 2020 | 11:28 AM PDT

Many organizations believe they are not targets for a cyberattack because they "have nothing of value" that cybercriminals would want.

Do you have an employee who is authorized to order office supplies, like printer ink? It turns out, cybercriminals would like that person's login credentials because they have value.

Office supply phishing cyberattack campaign

A federal judge just sentenced a Nigerian national to three years in prison for being part of a phishing ring that effectively stole office supplies so it could resell them.

Olumide Ogunremi, aka "Tony Williams," admitted to the following cybercrime scheme, according to the U.S. Department of Justice:

"Ogunremi and others perpetrated a computer hacking and theft scheme on U.S. government agencies' email systems and General Services Administration vendors. The ring employed 'phishing' attacks, which used fraudulent e-mails and websites that mimicked the legitimate e-mails and web pages of U.S. government agencies including the U.S. Environmental Protection Agency. Unwitting employees of the agencies visited the fake web pages and provided their e-mail account usernames and passwords.

Ogunremi and his conspirators used these stolen credentials to access the employees' e-mail accounts in order to place fraudulent orders for office products, typically printer toner cartridges, in the employees' names from vendors who were authorized to do business with U.S. government agencies. Ogunremi and his conspirators directed the vendors to ship the fraudulent orders to individuals located in New Jersey and elsewhere to be repackaged and ultimately shipped to overseas locations, which were controlled by Ogunremi and his conspirators. Once the orders were received in Nigeria, Ogunremi and his conspirators sold the toner cartridges to another individual on the black market for profit."

The U.S. DOJ says total losses by office supply vendors totaled nearly $1 million.

What could my company have that hackers want?

On a recent SecureWorld cybersecurity webinar, attorney Shawn Tuma of Spencer Fane LLP explained that a surprising number of organizations, particularly SMBs, believe they do not have anything that hackers would want; and therefore, many companies continue to downplay cyber risk.

"While hackers may not actually care about the particular data you have, they know you care about it. In a ransomware attack, they encrypt it or steal it and threaten to publish your data unless you pay a ransom. And no organization wants to find themselves in that situation."

[For more, watch or listen to the SecureWorld webcast, The Ever-Evolving Threat Landscape.]

So what do you have of value at your organization?

From office supplies to data, you'd be surprised how valuable it becomes when cybercriminals steal it from you.