Email Account Compromise (EAC) typically happens when an employee is tricked into entering their credentials on a phishing page reached through a malicious link, or into opening an attachment that installs a keylogger (malware that captures what you type, including passwords).
Once the attackers have your credentials, they log in to your mailbox and set up inbox rules to forward and/or delete your incoming email, so that you do not see replies, bounces or warnings. They then immediately start sending your contacts a similar malicious email to steal their credentials too. Not only is every confidential or private email in your inbox exposed, but you are also putting your friends, family and business contacts at risk.
Now suppose you are a network administrator and your email account is compromised. What happens then?
The bad actors will attempt to hijack your network, email server and/or your cloud assets; the password-reset links for those systems usually land in the very mailbox they now control. These extreme cases cause far more severe business interruption: they change all of your passwords, lock out your employees and use your IT resources for their own gain.
The main reason these attacks go undetected by users is a lack of awareness and of attention to detail. Let's see this through an example:
Below is the same email address written twice. How quickly can you spot the one with the error?
eeryaeel@reveantivirus.com
eeryaeel@reventivirus.com
It is hard to spot the irregularity (one missing letter in the domain), especially when you have a hectic schedule at work and many distractions.
This is how the employees of so many companies are manipulated by this type of 'Business Email Compromise (BEC)'.
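As an added example (not code from the original article), here is a small Python check that does what a hurried reader cannot: it compares a sender's domain against the domains you trust and flags addresses that are one typo, one confusable character, or one "embedding" trick away from a trusted one. The trusted-domain list and the sample addresses are assumptions for illustration; in practice the list would hold your own domains and those of your regular vendors.

```python
"""Look-alike sender domain check.

Added example, not code from the original article. Given a sender address
and the domains you trust, it returns 'trusted', 'external', or
'lookalike:<reason>'. TRUSTED_DOMAINS and the demo addresses are assumptions.
"""
import unicodedata

TRUSTED_DOMAINS = {"reveantivirus.com"}  # assumed: your own and partner domains

# ASCII confusables; multi-character pairs first so 'rn' is folded before 'n'.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]
# Cyrillic letters that render identically to Latin ones in most fonts.
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to the 'shape' a hurried reader perceives."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(CYRILLIC_CONFUSABLES)
    for src, dst in ASCII_CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """'user@Example.com.' -> 'example.com'."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """max_distance is a tuning knob: raising it makes short trusted domains
    collide with unrelated real domains, so keep the trusted list specific."""
    dom = domain_of(address)
    for t in trusted:
        if dom == t or dom.endswith("." + t):
            return "trusted"                      # exact match or a real subdomain
    for t in trusted:
        if skeleton(dom) == skeleton(t):
            return "lookalike:homoglyph"          # reveantivirus.corn, Cyrillic 'a'
        if levenshtein(dom, t) <= max_distance:
            return "lookalike:typo"               # reventivirus.com
        if t.split(".")[0] in dom:
            return "lookalike:embedded"           # reveantivirus.com-secure.net
    return "external"


if __name__ == "__main__":
    # Constructed sample addresses; only the first is the genuine domain.
    for addr in ["eeryaeel@reveantivirus.com", "eeryaeel@reventivirus.com",
                 "it@reveantivirus.corn", "ceo@reve\u0430ntivirus.com",
                 "billing@reveantivirus.com-secure.net", "friend@gmail.com"]:
        print(f"{addr:40s} -> {classify(addr)}")
```

The same check belongs at the mail gateway (tag or quarantine look-alikes of your own and your vendors' domains) rather than only in training material, because it is exactly the comparison that tired eyes skip.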
-
Business Email Compromise
Business email compromise is an attack that targets your employees, or the customers and vendors they work with, by abusing the trust in an email relationship that already exists.
Here’s an overview of how it might work:
You have a customer 'A'...
Your customer A falls for a phishing scam and their email credentials are compromised. The attackers snoop around A’s email account and notice that they conduct business, including wire transfers and payments, with your company. The attackers use A’s email account to send a request for a wire transfer or payment that doesn’t particularly stand out as unusual because it is similar to other requests you’ve received in the past.
However, instead of using the bank account on file, they ask you to send the payment to a different bank account that’s not on file. The scammer may even proactively offer some kind of reason for this, such as “Our accounts are under audit right now, please send to the account below instead”.
Essentially, attackers in this scenario use a compromised email account to manipulate the trust between you and your customers.
This can also happen in reverse. Your employee could fall for a phishing scam and then the attackers use his or her credentials to target your customers, hoping to initiate a fraudulent wire transfer in your company’s name.
In many cases, attackers carry out BEC by registering a look-alike domain and creating a new email address with a name similar to that of the person being impersonated. The attacker then sends the target a message asking for an urgent response. For instance, impersonating the target's boss, the attacker creates the address smith@reventivirus.com (one letter short of the real reveantivirus.com) and asks the victim to make an urgent payment for the invoice attached to the message.
This type of scam can be difficult to detect because, in the compromised-account variant, the email really does come from the victim's legitimate account and passes every technical check. Attackers typically target accounting employees or financial officers who are authorized to initiate wire transfers. They may also use compromised email accounts to learn more about your organization, such as lingo, employee titles, customers and vendors, to make the attack seem more authentic.
-
Here are the five current BEC/EAC attack types:
1. CEO Fraud
In these scams, a threat actor pretends to be an executive and requests that a finance or HR employee make an urgent payment.
2. Payroll Diversion
In a payroll diversion scam, a criminal sends a fraudulent email to HR or payroll employees requesting that a legitimate employee's direct deposit information be changed from the employee's bank account to the fraudster's account or a pre-paid card account. The latest FBI data shows that the dollars lost as a result of payroll diversion scams increased more than 815% between Jan 1, 2018 and Jun 30, 2019.
3. Gift Card Scam
In this attack, the criminal poses as a supervisor or employee with authority and sends an urgent email requesting assistance to purchase gift cards for staff or clients. The email asks for serial numbers so s/he can email them out right away.
4. Supplier Invoicing
When implementing this attack type, a criminal will impersonate a vendor your company regularly does business with and send a request to update bank information for payment of outstanding invoices. When you consider the large dollar amounts often associated with supplier invoices, this type of scam leads to the biggest losses.
5. M&A Fraud
M&A fraud involves the fraudster pretending to be an executive of the victim company (either using impersonation or a compromised account). He or she requests that funds be transferred to a given 3rd party. For example, the email might say something like “We’re buying Company X and we need to make a payment or we risk losing the deal.”
-
However, this type of scam can be stopped when standard operating procedures (SOPs) are in place:
• A process that requires your employees to verify transfer requests out of band, by calling a number already on file rather than one given in the email, before initiating payment.
• In addition, you should never change bank account or address information for your customers or vendors via email; such changes should always require at the very least a follow-up phone call to a previously known number for verification.
• Furthermore, enabling two-factor authentication for email where possible mitigates the risk of unauthorized access to business email. Note that a phishing page that relays a one-time code in real time can still defeat SMS and app-based codes, so phishing-resistant methods such as FIDO2 security keys are preferable where available.
• As an added measure, be aware of what information about your employees and your organization is available on social media.
Many attackers do their homework before attempting these types of scams; the more information that’s publicly available about your organization’s structure, the easier it is for them to plan and execute their attacks.
-
EMAIL SPOOFING
Then there is one more technique, 'Email Spoofing', which attackers use frequently.
It involves sending email with a forged sender address so that the victim believes they have received a request from a specific person when in reality it came from a malicious third party.
The secret to the success of this attack lies in the headers of an email. Like all good hacks, the exploit lies in a feature that has a perfectly legitimate function. An email carries two sender identities. The P1 sender is the SMTP envelope MAIL FROM, exchanged between the mail servers before the message itself is transmitted; the receiving server records it in the Return-Path header, bounces go back to it, and SPF is evaluated against its domain. This is the address the sending server actually presents.
The P2 sender is the From: header inside the message, which is what the mail client displays. Unless the domain publishes SPF, DKIM and a DMARC policy, nothing ties P2 to P1, so the From: field can be set to anyone. Unfortunately, clients normally show the P2 header rather than the P1 envelope sender, so the recipient sees the forged name and not the real origin. Note that without SPF the P1 address is just as forgeable: the attacker's server can claim any MAIL FROM it likes.
Emails sent from a very similar look-alike domain also fall into this category.
-
Spoofing can be detected and prevented in a few specific ways.
1. A common method used by many large organizations is modifying the subject line of all email entering the organization from outside with an identifier that tells employees the message came from an external source. If your organization uses Microsoft Exchange, a mail flow (transport) rule with the condition "sender is located outside the organization" and the action "prepend the subject" can add a label such as “OUTSIDE”, “EXTERNAL”, or “UNTRUSTED”. When employees see this label, they know immediately that the email did not originate inside the organization.
As an example, if the CFO of your company receives a spoofed email that appears to be from the CEO, the untrusted label on the subject makes it obvious, with little or no understanding of SMTP, that the message did not come from the CEO's internal mailbox. The label does not help when the CEO's actual account has been compromised, since that mail is genuinely internal; that case is what the verification SOPs above are for.
2. Perhaps one of the most effective ways of detecting and blocking spoofed email is implementing DKIM (DomainKeys Identified Mail) for your domain. DKIM lets the sending server sign each message with a private key whose public key is published in DNS, so a receiver can verify that a message claiming to come from your domain was authorized by the owner of that domain and was not altered in transit. On its own DKIM only proves something about mail that is signed; it is a DMARC policy, published alongside SPF and DKIM, that tells receivers to quarantine or reject mail whose From: domain has neither an aligned DKIM signature nor an aligned SPF pass. Together they are the most effective way to automate the detection and prevention of email spoofing your own domain.
3. Similarly, by analyzing Microsoft Exchange message-tracking logs or the message headers themselves, you can write a SIEM use case that compares the Return-Path (the recorded P1 MAIL FROM) or the X-Sender field against the From field. If their domains do not match, the email may be spoofed. Treat a mismatch as a signal rather than proof: mailing lists and third-party bulk-mail services legitimately bounce to their own domain, so combine the check with the receiver's Authentication-Results header (the SPF, DKIM and DMARC verdicts) before alerting.
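As an added example (not code from the original article), the script below implements the comparison this use case describes, and also makes the P1/P2 distinction from the spoofing section concrete: it pulls the Return-Path (the recorded envelope MAIL FROM), the From: header, X-Sender when present, and the DKIM signing domain (d=) out of raw messages and reports which of them disagree with From:. The three sample messages, their domains and addresses are constructed for illustration and are assumptions, not real mail.

```python
"""Envelope/header alignment check over raw email.

Added example, not code from the original article. Sample messages and the
domains in them are constructed. Return-Path is what the receiving MTA
records from the SMTP MAIL FROM (the P1 sender); From: is the P2 header the
client displays.
"""
import email
from email.utils import parseaddr


def domain_of(header_value: str) -> str:
    """'Name <user@Example.com>' -> 'example.com' ('' if no address)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def aligned(a: str, b: str) -> bool:
    """Relaxed alignment: equal or one is a subdomain of the other. Real DMARC
    compares organizational domains via the public suffix list; this is an
    approximation that is good enough for a first-pass SIEM rule."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def dkim_signing_domain(msg) -> str:
    """Return the d= tag of the first DKIM-Signature header, or ''."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return ""
    for tag in " ".join(sig.split()).split(";"):  # unfold, then split tags
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip().lower()
    return ""


def extract(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    return {"from": domain_of(msg.get("From", "")),
            "return_path": domain_of(msg.get("Return-Path", "")),
            "x_sender": domain_of(msg.get("X-Sender", "")),
            "dkim_d": dkim_signing_domain(msg)}


def check(raw: bytes) -> tuple:
    """Return ('pass' | 'suspect', findings).

    A Return-Path/From mismatch alone is only a signal: bulk-mail providers
    and mailing lists bounce to their own domain. The message is 'suspect'
    when the From: domain is neither envelope-aligned nor signed by an
    aligned DKIM key. A production rule should read the MTA's
    Authentication-Results header (spf=/dkim=/dmarc= verdicts) instead of
    trusting that a DKIM-Signature header is present, since it must verify."""
    h = extract(raw)
    findings = []
    if h["return_path"] and not aligned(h["return_path"], h["from"]):
        findings.append(f"Return-Path domain {h['return_path']} != From domain {h['from']}")
    if h["x_sender"] and not aligned(h["x_sender"], h["from"]):
        findings.append(f"X-Sender domain {h['x_sender']} != From domain {h['from']}")
    dkim_ok = aligned(h["dkim_d"], h["from"])
    if not h["dkim_d"]:
        findings.append("no DKIM-Signature header")
    elif not dkim_ok:
        findings.append(f"DKIM d={h['dkim_d']} not aligned with From domain {h['from']}")
    envelope_ok = aligned(h["return_path"], h["from"])
    return ("pass" if (dkim_ok or envelope_ok) else "suspect"), findings


# Constructed samples (assumed domains). LEGIT: envelope and signature agree
# with From:. SPOOFED: display From: claims the CEO, envelope is a stranger.
# BULK: a legitimate mail provider bounces to itself but signs with our key.
LEGIT = b"""Return-Path: <ceo@reveantivirus.com>
DKIM-Signature: v=1; a=rsa-sha256; d=reveantivirus.com; s=mail;
\th=from:to:subject; bh=placeholder; b=placeholder
From: CEO <ceo@reveantivirus.com>
To: cfo@reveantivirus.com
Subject: Q3 numbers

See attached.
"""
SPOOFED = b"""Return-Path: <bounce@mailer-7731.example.net>
From: CEO <ceo@reveantivirus.com>
To: cfo@reveantivirus.com
Subject: Urgent wire today

Please process the attached invoice before noon.
"""
BULK = b"""Return-Path: <bounces@esp.example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=reveantivirus.com; s=esp; h=from:to; bh=placeholder; b=placeholder
From: Newsletter <news@reveantivirus.com>
To: customer@example.com
Subject: October update

Hello.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("bulk", BULK)]:
        verdict, findings = check(raw)
        print(f"{name:8s} {verdict:8s} {findings}")
```

Feeding the same logic the Exchange message-tracking fields (sender address versus P2 From, plus the Authentication-Results written by your gateway) gives you the SIEM rule; the point of the BULK sample is that the rule must not fire on a Return-Path mismatch by itself.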
-
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some way.
Kindly write your comments on the posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking.
She is so passionate about the cybersecurity domain that she goes out of her way to share valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are impressed by the quality of the content in her posts.
If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM