[BreachExchange] Account takeovers spreading, becoming big threat to corporate security

Destry Winant destry at riskbasedsecurity.com
Thu Jun 22 00:05:51 EDT 2017


http://thirdcertainty.com/featured-story/account-takeovers-spreading-becoming-big-threat-to-corporate-security/

The DocuSign malware attack that occurred in mid-May is noteworthy
because it highlights a go-to tactic popular with cyber criminals at
the moment: account takeovers.

Attackers will first steal email data or credentials and then use them
to launch highly targeted phishing campaigns. The one-two punch
targets anyone with an email address and is becoming increasingly
common.

DocuSign confirmed on May 15 that a spate of malware phishing attacks
was the result of email addresses and account logins stolen by
hackers. DocuSign, a major provider of electronic signature
technology, stressed that stolen data was limited to customer and user
email addresses. But this made the attack all the more dangerous as it
targeted users who would be expecting to click on links sent by the
company. Anyone and everyone with an email address is a target.

The San Francisco-based startup had been tracking a malicious email
campaign as early as May 9. But at that time, the company said that
the malicious emails—which linked to a downloadable Microsoft Word
document harboring malware—were not associated with DocuSign. Then, on
Monday, May 15, DocuSign confirmed that hackers were able to send the
emails because they had hacked and stolen the company’s list of users.

According to Steve Malone, director of security product management at
Mimecast, a cloud-based email security provider, the attack followed a
classic pattern. Several common phishing tactics were used, including
spoofed domains visually similar to the original, a seemingly harmless
document, and social engineering to persuade the victim to download
and open the file.
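One of the tactics listed above, a spoofed sender domain that looks like the real one, is something a mail gateway can check mechanically. The following is an added illustration, not code from the article or from Mimecast or DocuSign: it normalises common look-alike characters, then flags a sender's registrable domain if it sits within a small edit distance of a protected brand, or if the brand name is merely embedded as a subdomain of an unrelated domain. The protected-domain list, the homoglyph table and the test domains are all constructed assumptions for the example.

```python
"""Look-alike sender-domain check (added example; not from the article)."""
from __future__ import annotations

# Assumed: the legitimate domains to protect. Constructed for this example.
PROTECTED_DOMAINS = ("docusign.com", "example-corp.com")

# Visual substitutions frequently seen in spoofed domains, mapped back to
# the characters they imitate. Deliberately small; extend for production.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Undo look-alike substitutions so 'd0cusign' compares equal to 'docusign'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def registrable(domain: str) -> str:
    """Simplification: last two labels. Use the Public Suffix List in production."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_sender_domain(domain: str, protected=PROTECTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for a sender domain."""
    reg = registrable(domain)
    if reg in protected:
        return "legitimate"
    for brand_domain in protected:
        brand = brand_domain.split(".")[0]
        # Brand name used as a subdomain or prefix of an unrelated registrable domain.
        if brand in domain.lower() and reg != brand_domain:
            return f"lookalike:{brand_domain}"
        # Homoglyph swaps, typos and transpositions of the brand label itself.
        if osa_distance(normalize(reg.split(".")[0]), brand) <= max_dist:
            return f"lookalike:{brand_domain}"
    return "unrelated"


if __name__ == "__main__":
    for d in ("mail.docusign.com", "d0cusign.com", "docusing.com",
              "docusign.com.evil.example", "github.com"):
        print(f"{d:30} {classify_sender_domain(d)}")
```

A verdict of lookalike is a reason to quarantine or tag the message for review, not proof of malice on its own; the edit-distance threshold should be tuned against the organisation's own legitimate sender domains to keep false positives down.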

Two-pronged attack

What made the attack different, however, was that the phish resulted
from the theft of a list of DocuSign users. This allowed the hacker to
specifically target people who are familiar with the service and thus
more likely to open the file. This formed step one of a two-step
attack.

The second step was to target those users with the aim of installing
information-stealing malware on their devices. Rahul Iyer, Security &
Compliance Officer at cloud-based email security firm The Email
Laundry, believes the Word document installs the Hancitor downloader,
which then retrieves credential-stealing malware. Reports suggest that
Pony, EvilPony and ZLoader malware are being used.

No end in sight

Directly after the initial wave of attacks, Mimecast noted that key
elements of the phishing email began to change. Small iterations, like
changing the subject line, ensure successful hits for hackers. And
attacks, part of a billion-dollar industry, show no sign of stopping
anytime soon.

Iyer advises organizations to take email security seriously, if they
aren’t already. The primary concern for users is that their email
addresses are now “in the wild” and will be used for other
phishing/spam campaigns. “So, anyone who received one of these
DocuSign phishing mails should be alert for other phishing emails,” he
says.

Attackers change tactics

The breach is part of a growing trend of cyber criminals shifting from
data theft to account takeovers. It’s not just access to data that
hackers get. It’s a way into a company. Malone describes a scenario
where gaining access to a corporate webmail system allows hackers to
send phishing emails literally inside an organization. Users are much
more likely to open something they see a colleague has sent, so the
likelihood of infection increases.

Brute force attacks are on the rise, too. Distil Networks, a
cybersecurity vendor that monitors bot traffic, identified over 567
billion malicious bot requests in 2016. Part of that was a significant
spike in attempts to break into online accounts. Hackers are combining
the brute force nature of bots with millions of stolen usernames and
passwords to see what works. Even if no one acted on your data stolen
several years ago, you are still at risk. A bot eventually will find
it, and if you share a password between several websites, hackers may
be able to force their way into your account.
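The bot-driven pattern described above, many stolen username/password pairs tried from one source until something works, leaves a distinctive trace in authentication logs. The following is an added example, not from the article or from Distil Networks: it parses a handful of constructed login events, separates credential stuffing (one source cycling through many accounts) from plain password guessing (one source hammering one account), and records any account that the same source then logged into successfully, since that is the likely takeover. The log format, thresholds and IP addresses are all assumptions made for the example.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Assumed log format: "<iso-timestamp> login <ok|fail> user=<name> ip=<addr>".
LOG_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one stuffing bot, one ordinary user, one single-account guesser.
SAMPLE_LOG = """\
2017-05-15T10:00:01 login fail user=alice ip=203.0.113.7
2017-05-15T10:00:02 login fail user=bob ip=203.0.113.7
2017-05-15T10:00:03 login fail user=carol ip=203.0.113.7
2017-05-15T10:00:04 login fail user=dave ip=203.0.113.7
2017-05-15T10:00:05 login fail user=erin ip=203.0.113.7
2017-05-15T10:00:06 login fail user=frank ip=203.0.113.7
2017-05-15T10:00:07 login ok user=grace ip=203.0.113.7
2017-05-15T10:01:00 login fail user=bob ip=198.51.100.4
2017-05-15T10:01:09 login ok user=bob ip=198.51.100.4
2017-05-15T10:02:00 login fail user=alice ip=192.0.2.9
2017-05-15T10:02:01 login fail user=alice ip=192.0.2.9
2017-05-15T10:02:02 login fail user=alice ip=192.0.2.9
2017-05-15T10:02:03 login fail user=alice ip=192.0.2.9
2017-05-15T10:02:04 login fail user=alice ip=192.0.2.9
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse(text: str) -> list[Event]:
    """Parse log lines into Events, silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"] == "ok"))
    return sorted(events)


def detect(events: list[Event], window: timedelta = timedelta(minutes=10),
           min_users: int = 5, min_fail_ratio: float = 0.8, min_fails: int = 5) -> dict:
    """Slide a time window over each source IP's events and classify bursts of failures."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    alerts: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if not e.ok]
            if not fails:
                continue
            tried = {e.user for e in fails}
            ratio = len(fails) / len(win)
            if len(tried) >= min_users and ratio >= min_fail_ratio:
                kind = "credential_stuffing"   # many accounts, almost all failing
            elif len(tried) == 1 and len(fails) >= min_fails:
                kind = "password_guessing"     # one account, repeated failures
            else:
                continue
            alert = alerts.setdefault(ip, {"kind": kind, "attempted_users": set(), "compromised": set()})
            alert["attempted_users"] |= tried
            # A success from the same source after the failure burst is the probable takeover.
            alert["compromised"] |= {e.user for e in win if e.ok and e.ts >= fails[0].ts}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect(parse(SAMPLE_LOG)).items():
        print(ip, alert["kind"], "tried:", sorted(alert["attempted_users"]),
              "compromised:", sorted(alert["compromised"]))
```

Accounts that land in the compromised set are the ones to force a password reset and session revocation on; the attempted_users set is the list of accounts whose credentials are probably already circulating in a leaked dump, which is exactly the password-reuse risk the paragraph above describes.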

Education best defense

One of the reasons such attacks are so successful is that they are
able to bypass standard cybersecurity defenses. Only users could have
prevented attacks by refraining from downloading the file. “Malicious
email attachments are a critical threat as they can easily bypass
traditional defenses as part of sophisticated spear-phishing attacks.
All DocuSign customers need to educate users to be extra vigilant when
opening any documents purporting to be from their service,” Malone
says.

Whether your company has been caught in the DocuSign attacks or not,
it is recommended your organization and employees follow cybersecurity
best practices. These include never sending your personal information
from an unsecured email, changing passwords frequently, ensuring
employees are properly trained, and enlisting the help of a
cybersecurity provider.

In the end, a little paranoia goes a long way. Malone advises users to
verify with the sender before opening any documents or clicking on any
links. “Criminals will try all manner of ways to trick employees into
enabling macros in weaponized email attachments. So, users should
think twice before they click.”
