Every day all over the world, companies fall victim to cybersecurity attacks. It’s nearly a constant these days. Many of these attacks are preventable with the right amount of attention to detail in system setup and hardening. The three common themes in postmortem examination of all of these attacks boil down to 1) human error; 2) configuration error; 3) failing to proactively defend. In this series of six posts, we will dive into each attack’s anatomy, the attack vector, and the ways companies can attempt to avoid being victim to them. In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance based on their experience handling claims.
#1 Email Spoofing and Wire Fraud
This attack is essentially a wire instruction interception/redirection or wholly fake request for a transfer. This is an event that comes up daily or at least weekly in any cybersecurity professional’s world. This attack typically plays out with a threat actor masquerading as a legitimate authority within a company, typically someone in the C-suite or Director level. To make it successful, the recipient of the wire transfer request has to believe it’s legitimately originating from one of those authoritative people.
One way attackers do this is using actual stolen credentials. Despite the flood of data security breaches and database hacks, people unfortunately still use weak passwords and also re-use passwords. We have seen dozens of instances of successful credential attacks where the attacker used publicly available database leak information to gain unauthorized access to corporate accounts. The approach goes like this: an attacker harvests information regarding corporate leadership from various data sources about companies (LinkedIn, Dunn & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target. They then cross-reference those names to leaked credential databases, often times hosted on Darkweb sites, IRC chat rooms, or other forums dedicated to hacking. If the attacker is able to find other accounts belonging to their targets that have been compromised and have a password, they can try that password, and tens of thousands of variations of it, to attack the corporate account of their victim.
Here is an example: Dejan Stanisaviovich is the CFO of a mature manufacturing company. Unfortunately, his MySpace account, that he forgot he had, was leaked as one of 360 million in 2008. Dejan has used the same password since 2007. The attacker found the myspace.com account belonging to Dejan, and his password, which was “4321drowssaP.” The attacker then worked out the format of Dejan’s corporate email to be firstname.lastname@example.org, and then tried the password. Since Dejan hasn’t changed his password for any account in 10 years, the attacker got access to Dejan’s account. From there, the attacker can use the actual account to make wire transfer requests to other employees, which won’t be hard to figure out since the attacker has access to his email. The receiving employee sees the requests, and as long as the attacker is careful about wording, format, and the amount requested, the fraudulent wire transfer may actually happen. It’s critical that if your company catches this activity, that it contact the FBI immediately because once the initial wire is made, the attacker will move the money several more times to avoid it being frozen.
Another way attackers carry out these attacks when they can’t get actual access to a corporate account is through email spoofing. Spoofing an email involves making an email appear to come from someone else. The image below is an actual spoofed email. The name that’s blurred in the “From” field is actually a C-suite employee at a startup. However, note the Gmail account that is after it, which is a telltale sign that it’s a spoofed email. When employees receive this, many are not trained to check the actual email account address. They may see the name and just assume it’s legitimate. This employee caught this one, mainly because their Office 365 administrator setup a warning to prepend to the email body, which shows: CAUTION: EXTERNAL EMAIL SENDER at the top of the email. That’s one great way to raise awareness, as is the prepended “EXTERNAL SENDER” in the subject line. Both are easily set up in Office 365.
However, that’s not the only issue to contend with. This one was easy since it had a gmail.com originating address. Often, attackers will forge email header information to make it more believable. For example, it could have appeared to come from email@example.com directly even without the attacker having valid credentials! Often, companies of all sizes (small, medium, large, publicly traded…) don’t have proper email validation settings setup in DNS. Those technologies are entire subjects in and of themselves, but every company should make sure their IT group has properly setup SPF, DMARC, and DKIM protections in their domain’s MX (mail exchange) records. This website has a good primer on those technologies: https://blog.higherlogic.com/spf-dkim-dmarc-email-authentication.
How to prevent all of this?
- Be proactive! First, to check if your accounts have been leaked, go to https://haveibeenpwned.com/. As of this writing, there are over 6.4 billion account leaks on that website. If your corporate or personal email is listed there, you should make sure that whatever password you used for that account is not in use on ANY current account you have. Attackers automate leaked databases to gain access to other accounts of people whose credentials were leaked. You should also consider using password manager software. We recommend 1Password, which automatically integrates with known leaked database sites and warns you about weak/leaked/reused passwords. We also recommend your company have a robust Password Policy that includes prohibition on password re-use, enforces periodic changes in passwords, and ensures complexity requirements. Password complexity is key.
- Train your employees. This is often overlooked or under-executed. Humans are usually the weakest link. It’s true. Proper training will raise awareness, reduce risk, and ultimately protect your company and its employees. Specifically, whenever a wire transfer is requested, all details should be verified with a phone call!
- Make sure your domain’s DNS records are setup properly to use SPF, DMARC, and DKIM. Want to check? Input your company’s domain at MXToolbox and see if there are errors with the setup. If so, call your DNS administrator in IT.
- Make sure your Office 365 (or similar) settings are helping, not hurting, you. Office 365 is a great platform, but out of the box it is NOT set up for exceptional protection against spoofing, fraud, spam, and phishing. Microsoft has several articles on this, the main section of which is here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-and-anti-malware-protection. You may also want to consider a third party detection software like ProofPoint to assist Office 365 in defending against attacks.
- Set up domain accounts with two-factor authentication. Cisco’s newly acquired Duo Security is a great choice. This requires employees to enter a password and a token from their smartphone when logging into any corporate resource.
In the next blog post, we will enter the nasty world of paycheck theft, including how it happens and how you can prevent your employees from causing it.