By Bill Minahan | January 11, 2019 | 0 Comments
I found a great article in SecurityWeek by Alastair Paterson, the CEO of Digital Shadows. Could not have said it better myself, and he alerted everyone about an attack vector that was even a new one to me: email archives.
At the end, he suggests 7 security measures to mitigate these risks. You should really check out how your own organization is doing with those.
“We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts.
According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:
1. Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a colleague or supplier.
2. Account takeover: Here, attackers use information-stealing malware and keyloggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the list of sent emails.
These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials being offered on criminal forums, exposed through third-party compromises, or vulnerable through mis-configured backups and file sharing services, make the opportunity to profit from BEC easier than ever.
Email inboxes are also being used not just to request wire transfers, but to steal financially-sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
Here’s how these alternative methods work:
1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.
2. Getting lucky with previously compromised credentials. Individuals will often reuse passwords across multiple accounts. In our research we’ve detected more than 33,000 finance department email addresses exposed within our own third-party data breach repository 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cyber-criminals can get lucky.
3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. This information can be used for fraud or re-sold on forums and marketplaces. The sad reality is that there’s no need to go to a dark web market when sensitive data is available for free on the open web. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or mis-configured file stores.
Regardless of the method attackers use to perform a BEC scam, these seven security measures can help to mitigate the risks.
BEC is becoming increasingly profitable for threat actors as organizations are making it easy for adversaries to gain access to the valuable information that sits within these inboxes. However, with the right combination of people, processes and technology, organizations can mitigate the risk.” As said, the source of this story is the excellent SecurityWeek site. Cross-posted with grateful acknowledgement.
aNetworks’ new-school security awareness training platform allows you to run multiple simulated BEC scenarios to do frequent ad-hoc training for high-risk employees. Also, Inspect what you Expect. Periodically have experts examine your systems to ensure compliance standards are being met.