By Bill Minahan | January 11, 2019 | 0 Comments
I found a great article in SecurityWeek by Alastair Paterson, the CEO of Digital Shadows, that warned about a new email scam. I could not have said it better myself. Paterson alerted everyone to new email scams that are even new to me.
We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. These new email scams threat actors don’t even have to exert the effort to phish to land business email accounts.
So, how are they doing it?
1. Paying for access. It’s common for accounts to be shared and sold across criminal forums. The emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.
2. Getting lucky with previously compromised credentials. As I’ve discussed before, individuals will often reuse passwords across multiple accounts. In our research, we’ve detected more than 33,000 finance department email addresses exposed within our own third-party data breach repository 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cybercriminals can get lucky.
3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. Then, someone uses it for fraud or re-sells it on a criminal forum. The sad reality is that there’s no need to go to a dark web market when sensitive data is available for free on the open web. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or misconfigured file stores.
We are seeing new, more expeditious methods emerge to gain access to business email accounts. Hackers can buy compromised credentials online in criminal forums. From those purchases, new email scams arise. How do they get there? They’re either exposed through third-party compromises, or vulnerable through misconfigured backups and file-sharing services.
As a result, new email scams make the opportunity to profit from business email compromise(BEC) easier than ever.
Hackers are using inboxes to request wire transfers, steal financially-sensitive information stored within these accounts, and to request information from other employees. With declining barriers to entry for BEC and more ways to monetize these new email scams, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
As a result, these new email scams are profitable for hackers. Organizations make it easy for them to access the valuable information within their inboxes.
However, with the right combination of people, processes, and technology, organizations can mitigate the risk. As said, the source of this story is the excellent SecurityWeek site. Cross-posted with grateful acknowledgment.
aNetworks’ new-school security awareness training platform allows you to run multiple simulated BEC scenarios. That way there’s frequent ad-hoc training for high-risk employees. Finally, inspect what you expect. Have experts examine your systems periodically. That way you can be sure your compliance standards are met.