[BreachExchange] Attackers Are Landing Email Inboxes Without the Need to Phish

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 23 15:05:01 EST 2018


https://www.securityweek.com/attackers-are-landing-email-inboxes-without-need-phish

We’ve all heard the proverb: *Give a man a fish and you feed him for a day.
Teach a man to fish and you feed him for a lifetime*. Well now, threat
actors don’t even have to exert the effort to phish to land business email
accounts.

According to an alert published earlier this year by the FBI, Business
Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12
billion in losses
<https://www.securityweek.com/bec-scam-losses-top-12-billion-fbi> since
October 2013. Traditionally, social engineering and intrusion techniques
have been the most common ways to gain access to business email accounts
and dupe individuals to wire funds to an attacker-controlled account. These
methods play out as follows:

*1. Social engineering and email spoofing*: Attackers will use social
engineering to pose as a colleague or business partner and send fake
requests for information or the transfer of funds. These emails can be
quite convincing as the attacker makes a significant effort to identify an
appropriate victim and register a fake domain, so that at first glance the
email appears to belong to a colleague or supplier.

*2. Account takeover*: Here, attackers use information-stealing malware and
key loggers to gain access to and hijack a corporate email account, which
they then use to make fraudulent requests to colleagues, accounting
departments and suppliers. They can also alter mailbox rules so that the
victim’s email messages are forwarded to the attacker, or emails sent by
the attacker are deleted from the list of sent emails.
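A defender-side check for the mailbox-rule tampering described above, added here as an example and not taken from the original article: it scans a constructed export of inbox rules for forwarding to addresses outside the organisation, delete-after-forward, and filtering on the finance terms the article names. The JSON field names, the sample rules and the internal domain list are assumptions, not any vendor's real export format.

```python
import json

# Constructed sample of exported inbox rules; the JSON shape is an assumption.
SAMPLE_RULES = json.dumps([
    {"mailbox": "cfo@example.com", "name": "Archive copy", "enabled": True,
     "forward_to": ["archive@example.com"], "delete_message": False,
     "conditions": {}},
    {"mailbox": "cfo@example.com", "name": "Finance copy", "enabled": True,
     "forward_to": ["acct.backup@mail-example.net"], "delete_message": True,
     "conditions": {"subject_contains": ["invoice", "payment"]}},
    {"mailbox": "ap@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "delete_message": True,
     "conditions": {"from_contains": ["news@"]}},
])

INTERNAL_DOMAINS = {"example.com"}            # assumption: your own mail domains
FINANCE_KEYWORDS = {"invoice", "payment", "purchase order", "wire"}

def is_external(address, internal_domains=INTERNAL_DOMAINS):
    # True when the address's domain is not one of ours
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains

def assess_rule(rule):
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    subjects = [s.lower() for s in rule.get("conditions", {}).get("subject_contains", [])]
    finance_hit = any(k in s for s in subjects for k in FINANCE_KEYWORDS)
    if external:
        findings.append("forwards mail outside the organisation to " + ", ".join(external))
    if external and rule.get("delete_message"):
        findings.append("deletes the message after forwarding, hiding it from the owner")
    if finance_hit and (external or rule.get("delete_message")):
        findings.append("targets finance-related subjects: " + ", ".join(subjects))
    return findings

def flag_rules(exported_json):
    """Map (mailbox, rule name) -> findings for every rule worth a look."""
    flagged = {}
    for rule in json.loads(exported_json):
        findings = assess_rule(rule)
        if findings:
            flagged[(rule["mailbox"], rule["name"])] = findings
    return flagged

if __name__ == "__main__":
    for key, findings in flag_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(findings))
```

Run it against a real export after mapping your platform's field names onto the ones above; a rule that trips all three checks on an executive or finance mailbox is worth an immediate look.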

These techniques have served threat actors well for quite some time. But
now we are seeing new, more expeditious methods emerge to gain access to
business email accounts. Compromised credentials being offered on criminal
forums, exposed through third-party compromises, or vulnerable through
misconfigured backups and file sharing services, make the opportunity to
profit from BEC easier than ever. Email inboxes are also being used not
just to request wire transfers, but to steal financially-sensitive
information stored within these accounts or to request information from
other employees. With declining barriers to entry for BEC, and more ways to
monetize this type of fraud, we can expect the losses to continue to rise
and perhaps even accelerate in the near term.

Here’s how these alternative methods work:

*1. Paying for access*. It’s common for accounts to be shared and sold
across criminal forums, and the emails of finance departments and CEO/CFOs
are no exception. It’s even possible to outsource this work to online
actors who will acquire company credentials for a percentage of earnings or
a set fee beginning as low as $150.

*2. Getting lucky with previously compromised credentials*. As I’ve discussed
before <https://www.securityweek.com/cyber-risk-mixing-business-pleasure>,
individuals will often reuse passwords across multiple accounts. In our
research we’ve detected more than 33,000 finance department email addresses
exposed within our own third-party data breach repository, 83 percent of
which had passwords associated. With many email and password combinations
of finance department email accounts already compromised, cybercriminals
can get lucky.

*3. Searching across misconfigured archives and file stores*. Inboxes,
particularly those of finance departments and CEO/CFOs, are replete with
financially-sensitive information such as contract scans, purchase orders,
and payroll and tax documents. This information can be used for fraud or
re-sold on forums and marketplaces. The sad reality is that there’s no need
to go to a dark web market when sensitive data is available for free on the
open web <https://www.securityweek.com/picture-now-protect-it>. Employees
and contractors sometimes turn to easy, rather than secure, ways of
archiving their emails. We identified that more than 12.5 million email
archive files and 50,000 emails that contained “invoice”, “payment” or
“purchase order” have been exposed due to unauthenticated or misconfigured
file stores.

Regardless of the method attackers use to perform a BEC scam, these seven
security measures can help to mitigate the risks.

1. Update your security awareness training content to include the BEC
scenario. This should be a part of new hire training, but you should
conduct ad-hoc training for this scenario now.

2. Build BEC into your contingency plans, just as you have built ransomware
and destructive malware into your incident response/business continuity
planning.

3. Work with your wire transfer application vendors to build in manual
controls as well as multiple person authorizations to approve significant
wire transfers.

4. Monitor for exposed credentials. This is crucial for your finance
department email, but it’s important for all user accounts. Multifactor
authentication will also increase the difficulty for attackers to perform
account takeovers.

5. Conduct ongoing assessments of your executives’ digital footprints. You
can start with using Google Alerts to track new web content related to them.

6. Prevent email archives from being publicly exposed. For services like
Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use
a strong, unique password, disable guest or anonymous access, and firewall
the port off from the Internet. If it needs to be on the Internet or
accessible without a password, then make sure you whitelist the IPs which
are expressly permitted to access the resource.

7. Be aware of the risks of contractors who back up their emails on Network
Attached Storage (NAS) devices. Users should add a password and disable
guest/anonymous access, as well as opt for NAS devices that are secured by
default. Ideally, organizations should provide training on the risks of
using home NAS drives, as well as offer backup solutions so that
contractors and employees don’t feel the need to back up their devices at
home.

BEC is becoming increasingly profitable for threat actors as organizations
are making it easy for adversaries to gain access to the valuable
information that sits within these inboxes. However, with the right
combination of people, processes and technology, organizations can mitigate
the risk.