Hackers are continuing to evolve their techniques to get through a company’s defenses. And why shouldn’t they, when the reward for getting into your mailbox can be so lucrative? The cat-and-mouse game that criminals and security professionals play is happening every day at all hours, and despite the best efforts of IT security, would-be cyber thieves often experience success and are enriching themselves at your expense. Read on to learn more about Business Email Compromise and protecting yourself so that you don’t become their next victim!
Your Mailbox, Your Battlefield
Your mailbox is a transparent window into your organization. The company address book is a core component of every email system, and its directory of names and titles is a trove of information for a thief looking to defraud your partners, your vendors, and your customers. The most lucrative mailboxes belong to the C-suite, finance, and IT administrators, but it takes only a single cracked mailbox, any mailbox, to give an attacker a foothold from which to expand their reach.
They’ve Got Their Hooks in You
Phishing is one of the most common vectors into a compromised mailbox. SANS.org defines phishing as: an attack that uses email or a messaging service (like those on social media sites) that tricks or fools you into taking an action, such as clicking on a link or opening an attachment.
If you receive an email with links or attachments that you weren’t expecting, be suspicious. Links and attachments can carry malicious software that compromises your computer, and an attacker can use unpatched vulnerabilities to install it even if you don’t have installation rights on the machine. Links can also lead to fake websites that look identical to your bank or a cloud application; any credentials you type there are recorded by the attackers, who will use them to take control of your accounts.
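As an added example (not code from the original article), the "hover before you click" check can be automated: parse the message body and flag any link whose visible text is itself a URL pointing at a different host than the real destination, or whose destination is a bare IP address or plain http. The HTML body and every host name below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body in the style of a credential-phishing email.
# All hosts are documentation/example names, not real sites.
SAMPLE_BODY = """
<p>Your mailbox is over quota. Verify your account to keep receiving mail.</p>
<p><a href="http://login-bank-example.net/verify">https://www.bank.example.com/login</a></p>
<p><a href="https://www.bank.example.com/help">Help center</a></p>
<p><a href="https://share.cloud.example.com/doc">Open the shared document</a></p>
<p><a href="http://203.0.113.7/invoice">Pay invoice</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def _is_ip_literal(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def assess_links(html):
    """Return [(href, text, reasons)] for every link that deserves suspicion."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        dest_host = _host(href)
        if _looks_like_url(text):
            # The text the user sees claims to be a URL: compare its host
            # with where the link really goes (the "hover" check).
            shown = text if "://" in text else "http://" + text
            if _host(shown) != dest_host:
                reasons.append(f"text shows {_host(shown)} but link goes to {dest_host}")
        if _is_ip_literal(dest_host):
            reasons.append("destination is a bare IP address")
        if urlparse(href).scheme == "http":
            reasons.append("destination is unencrypted http")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in assess_links(SAMPLE_BODY):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

Links whose text is a plain phrase ("Help center") cannot be checked this way, which is exactly why the hover check matters: the only reliable signal is the real destination, never the text.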
Once They’re In, They Hide Their Activity
Once they’ve compromised your email account, they create inbox rules that quietly divert your correspondence, and any replies to it, so that you are none the wiser. In a recent investigation, one such rule watched incoming mail for keywords that would indicate someone had received something suspicious and was trying to alert the mailbox owner. It marked the message as read and moved it to the RSS Subscriptions folder, an obscure folder that very few users ever check. With that rule in place the attacker can log on to your account from anywhere in the world and carry on conversations from your inbox. They will correspond with your suppliers and customers and, when the opportunity arises, ask for payment, but first they’ll explain that the terms have changed and all payments now go to *this* account, an account that belongs to the criminals and *not* to your company.
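The rule described above is easy to spot once you look for it. The following triage, an added example that is not part of the original article, scores a list of inbox rules for the tell-tale combination of alert keywords, hiding folders, mark-as-read, delete, and forwarding to external addresses. The sample rules are constructed; their field names are modelled on the properties that Exchange Online's Get-InboxRule cmdlet returns, and the internal domain, keyword list and scoring weights are assumptions made for the example.

```python
# Constructed sample of inbox rules. The field names follow the property names
# returned by Exchange Online's Get-InboxRule cmdlet; the rule contents are
# invented for this example.
SAMPLE_RULES = [
    {"Name": "Vendor invoices", "Enabled": True,
     "FromAddressContainsWords": ["billing@vendor.example"],
     "MoveToFolder": "Invoices"},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["hacked", "phishing", "suspicious",
                                    "compromised", "password"],
     "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions"},
    {"Name": "Fwd", "Enabled": True,
     "ForwardTo": ["archive@mail-relay.example.net"], "DeleteMessage": True},
    {"Name": "Newsletter", "Enabled": False, "MoveToFolder": "Deleted Items"},
]

# Words an attacker filters on to intercept warnings and payment traffic (assumed list).
ALERT_KEYWORDS = {"hacked", "phishing", "suspicious", "compromised", "fraud",
                  "password", "invoice", "payment", "wire", "bank"}
# Folders users rarely look at; a destination here hides mail in plain sight.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "junk email", "archive", "conversation history"}
# Assumed: the organisation's own mail domains (anything else counts as external).
INTERNAL_DOMAINS = {"corp.example"}


def rule_risk(rule):
    """Score one rule; return (score, reasons). Higher means more suspicious."""
    if not rule.get("Enabled", True):
        return 0, ["rule is disabled"]
    score, reasons = 0, []

    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hits = sorted(words & ALERT_KEYWORDS)
    if hits:
        score += 3
        reasons.append(f"filters on alert keywords {hits}")

    folder = rule.get("MoveToFolder") or ""
    if folder.lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")

    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks mail as read")
    if rule.get("DeleteMessage"):
        score += 2
        reasons.append("deletes mail")

    # Any copy leaving the organisation is a data exfiltration channel.
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    for addr in targets:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            score += 3
            reasons.append(f"sends copies to external address {addr}")

    # Attackers often name rules "." or " " so they do not stand out in the list.
    if len(rule.get("Name", "").strip(". _-")) <= 1:
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def triage(rules, threshold=3):
    """Return [(name, score, reasons)] for rules at or above the threshold."""
    flagged = []
    for rule in rules:
        score, reasons = rule_risk(rule)
        if score >= threshold:
            flagged.append((rule["Name"], score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_RULES):
        print(f"[{score}] rule {name!r}: " + "; ".join(reasons))
```

In practice you would export the rules of every mailbox (for example with Get-InboxRule in Exchange Online PowerShell), run them through triage(), and review what is flagged. The rule object alone does not tell you when or from where the rule was created; that comes from the audit log and is the next thing to check for anything flagged.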
5 Ways to Protect Your Accounts
- Don’t click on links or open attachments you weren’t expecting. Be suspicious of any mail you weren’t expecting. Hover over links before clicking them: if the real destination (usually shown in the bottom left corner of a web browser, or in a popup next to your mouse pointer in Outlook) doesn’t match the link text, there is a good chance the link is malicious. Don’t click it; notify your IT security team, who can tell you whether it’s a phishing attempt. Attachments can also exploit unpatched vulnerabilities to execute code, so if you weren’t expecting an attachment, don’t open it.
- Use a unique password for every account. Attackers count on people reusing the same password across accounts: once they compromise one account, they try the same credentials against many other services (so-called credential stuffing). Don’t let one breach become a breach of everything; a password manager makes unique passwords practical.
- Use multi-factor authentication (MFA). If MFA is available, turn it on. MFA combines your username and password (the first “factor”) with a second “factor,” such as your phone or a hardware security key, to confirm that the person logging in is really you. After you enter your credentials, the system sends a prompt to the second factor; if it is in your possession, you approve it and you are let in. An attacker halfway around the globe who has stolen your password is still missing the second factor. Two caveats: never approve a prompt for a login you did not start (attackers deliberately send prompt after prompt hoping you will tap “approve” to make them stop), and where you have a choice, prefer a phishing-resistant method such as a FIDO2 security key, because one-time codes can be phished just like passwords.
- Use strong passwords. Some systems protect your account by limiting failed login attempts: after several consecutive failures the account is locked for a period and no further logins are accepted. Many systems, however, allow unlimited attempts and are vulnerable to “brute force” guessing, where an attacker tries combination after combination until one works. Worse, if an attacker steals the password database, they can run that guessing offline against the stolen password hashes at billions of guesses per second, with no lockout at all. The stronger your password, the longer it takes them to find it. A strong password is 12 or more characters, mixes uppercase, lowercase, digits and symbols, and is not a dictionary word or a predictable pattern.
- Change your password regularly, and immediately if you suspect compromise. Given enough attempts, a brute force attack (as explained above) will eventually succeed. Even on systems that limit failed login attempts, if hackers manage to steal the account database they can crack the stored password hashes offline and recover many of the passwords in it; rotating your password at regular intervals (such as every ninety days) limits how long a recovered password stays useful. Rotation is no substitute for a long, unique password and MFA, though: if you learn of a breach, change the password at once rather than waiting for the next interval, and never just increment a number at the end of the old one.
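To make the reasoning in the last two points concrete, here is an added example (not the article's own code) that checks a password against the policy stated above and compares how long exhaustive guessing would take against a login page with lockout versus a stolen hash database cracked offline. The guess rates, the lockout policy and the short common-word list are assumptions stated in the code.

```python
import string

# Constructed list of words that should never appear inside a password.
# A real deployment would use a breached-password list, not this sample.
COMMON_WORDS = {"password", "welcome", "company", "summer", "qwerty", "letmein"}

# Assumed attacker speeds (order-of-magnitude assumptions for the comparison):
ONLINE_RATE = 5 / (15 * 60)   # login page that locks after 5 failures per 15 minutes
OFFLINE_RATE = 1e10           # cracking a stolen database of fast, unsalted hashes

SECONDS_PER_YEAR = 365 * 24 * 3600


def policy_violations(password, min_len=12):
    """Return the article's rules that the password breaks (empty list = passes)."""
    problems = []
    if len(password) < min_len:
        problems.append("length")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("symbol")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("dictionary")
    return problems


def charset_size(password):
    """Size of the alphabet an attacker must cover, given the classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def keyspace(password):
    """Worst case for the attacker: every string of that length over that alphabet."""
    return charset_size(password) ** len(password)


def years_to_exhaust(space, guesses_per_second):
    """Time to try the whole keyspace at the given rate, in years."""
    return space / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["Passw0rd", "Summer2024!", "Correct-Horse-Battery-9"]:
        space = keyspace(pw)
        print(f"{pw!r}: violations={policy_violations(pw)}")
        print(f"   online (lockout):  {years_to_exhaust(space, ONLINE_RATE):.3g} years")
        print(f"   offline (hashes):  {years_to_exhaust(space, OFFLINE_RATE):.3g} years")
```

The comparison shows why the two points above belong together: with lockout in place, even a weak eight-character password survives online guessing for ages, so the realistic threat is offline cracking of stolen hashes, where only length and unpredictability help, and where a rotated password only protects you if the rotation happened before the attacker finished. Note that keyspace() is the attacker's worst case; real cracking tries likely candidates first, which is why "Summer2024!" is far weaker than its keyspace suggests.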
Attackers have a lot to gain by compromising your accounts. Don’t let them do it! If you need assistance assessing your risk level or developing a security strategy for your organization, contact us at firstname.lastname@example.org. We are happy to help!