Companies have increasingly turned to the cloud for their email solution. Cybercriminals or attackers have watched this trend and are finding ways to access email hosted in the cloud, which is known in the security community as a Business Email Compromise (BEC). Unfortunately, many companies are implementing cloud-based email without an understanding of how attackers are getting in and what safeguards help prevent an attack.
The vectors for business email compromise are the same as for many other types of system or network intrusion. The most common attack vectors are phishing or spear-phishing emails, which carry either an attachment containing malware or a malicious link that brings the user to a legitimate-looking website and prompts the user for credentials. When the email recipient clicks on the link and provides credentials or opens the attachment from a phishing email, the attacker is able to get a foot in the “door” of the company, so to speak. The security community refers to this as gaining a foothold, and this is the first step in a cyberattack.
Credential stuffing is another attack vector often used. It involves the automated entry of stolen credentials, typically obtained from earlier data breaches, into online accounts in an attempt to gain access to the cloud-based email environment or other systems. Attackers find that credential stuffing works well because many people use the same username and password for multiple accounts across the internet. Sites such as haveibeenpwned.com allow users to determine if their email address has appeared in a known past breach.
Once an attacker has access to the cloud-based email environment, it is easy to view email within the account to identify any information of value. Additionally, the attacker may try to gain access to other systems in the environment or launch further phishing attacks from the compromised account, which makes the phishing emails look legitimate. If the attacker has or gains administrative access to the cloud-based email environment, the attacker may even modify rules within the system to forward emails to an external email account or create her/his own email account on the system.
The goal of the attacker is typically monetary gain. Several methods, many of them quite creative, are used to obtain money from the company. The first involves fraudulent wire transfers, where the attacker impersonates an executive via email and instructs someone in finance to wire money to a particular account, usually for the alleged reason of paying an invoice. The second method often used (if sufficient anti-fraud procedures are in place to prevent the wire transfer) is to obtain invoices that have not yet been issued and modify their payment instructions to redirect the funds to an account the cybercriminal has set up. The attacker then issues the modified invoice to a client of the company from the company’s cloud-based email, thus making the invoice look legitimate. Here, the attacker relies on the client paying the invoice without verifying the modified bank information.
Unfortunately, these attacks are often successful despite security practices in place to prevent them. For example, most users do not have administrative rights to the cloud-based email environment. Restricting rights is one of the basic components of security, called the principle of least privilege (POLP). But attackers have ways of escalating privileges by searching for cached credentials, using keyloggers that record users’ keystrokes, and a variety of other means. Once administrative credentials are located, the attacker can escalate the compromised account to a higher privilege level and set rules that are not obvious to the average user. This allows the attacker to move throughout the email environment without being noticed and helps the attacker cover her/his trail.
Now that the attacker has the proverbial “keys to the kingdom,” the attacker will typically modify rules so that she/he can monitor the organization’s email content and traffic. Oftentimes, this includes having the email of key personnel, such as the CEO, CFO or HR personnel, forwarded to the attacker. At present, most attacks involve locating banking credentials and information to attempt wire fraud, but as companies get better at prevention, attackers will likely adapt their methods toward other forms of financial gain. For example, email communications may provide attackers with information to attempt to extort an organization or an employee.
Most organizations discover an attacker’s presence only after the attacker has executed some fraudulent activity; however, there are times when perceptive IT personnel may see evidence of the attack such as modified rules or the addition of email accounts. Once an attack is detected, the company should start an investigation.
While investigating, it is important to make sure the attacker is no longer in the environment; then the focus can turn to what information may have been compromised. As a first step, the company should change passwords and enable two-factor authentication. Additionally, the settings, including whether any forwarding rules are in place, should be reviewed. Unfortunately, even if the attacker was unsuccessful in achieving financial gain, the company’s information, potentially including personally identifiable information (PII), or protected health information (PHI) may have been exposed.
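The review of mailbox settings described above can be scripted against the audit log. The following is an added example, not code from the article: it scans a small set of constructed audit events for the indicators the article names (rules forwarding mail to outside addresses, rules that hide incoming mail, and newly created mailboxes). The record layout is a simplified assumption; the operation and parameter names follow Exchange Online cmdlet conventions, and the internal domain is a placeholder.

```python
# Added example (not the article's): review constructed mailbox audit events
# for the BEC indicators the article names. Record layout is an assumption;
# operation/parameter names follow Exchange Online cmdlet conventions.
INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain

# Constructed sample events (hypothetical layout, not real log output).
SAMPLE_EVENTS = [
    {"op": "New-InboxRule", "user": "cfo@example.com",
     "params": {"ForwardTo": "archive@example.com"}},
    {"op": "New-InboxRule", "user": "cfo@example.com",
     "params": {"ForwardTo": "mail.backup@webmail.example.org",
                "DeleteMessage": True}},
    {"op": "Set-Mailbox", "user": "ceo@example.com",
     "params": {"ForwardingSmtpAddress": "smtp:ceo.office@webmail.example.org"}},
    {"op": "New-Mailbox", "user": "admin@example.com",
     "params": {"Name": "invoices-support"}},
    {"op": "MailItemsAccessed", "user": "hr@example.com", "params": {}},
]

FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = ("Deleted Items", "RSS Feeds", "Junk Email")


def is_external(address: str) -> bool:
    """True if the address (optionally prefixed 'smtp:') is outside our domain."""
    domain = address.split(":")[-1].rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN


def review_events(events):
    """Return (user, reason) findings that deserve a human look in a BEC review."""
    findings = []
    for e in events:
        op, user, p = e["op"], e["user"], e.get("params", {})
        if op in ("New-InboxRule", "Set-InboxRule"):
            for key in FORWARD_KEYS:
                if p.get(key) and is_external(p[key]):
                    findings.append((user, f"rule {key} sends mail to {p[key]}"))
            if p.get("DeleteMessage") or p.get("MoveToFolder") in HIDE_FOLDERS:
                findings.append((user, "rule deletes or hides incoming mail"))
        elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            if is_external(p["ForwardingSmtpAddress"]):
                findings.append((user, "mailbox-level forwarding to outside domain"))
        elif op == "New-Mailbox":
            findings.append((user, f"new mailbox created: {p.get('Name')}"))
    return findings
```

Internal forwarding (the first rule) is deliberately left out of the findings so the review focuses on mail leaving the organization; the other three events each produce a finding.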
Reporting requirements for exposed PII vary among states. In some, access to PII may be reportable even if there is no evidence the information was acquired. So, it is important to involve outside counsel to examine if there are reporting requirements. Use of forensic experts can also prove beneficial in understanding how the attacker got in, whether the attacker is still in the environment and what information was accessed or acquired while the attacker was there.
As Ben Franklin said, “An ounce of prevention is worth a pound of cure.” This holds true when it comes to cyber security. It is difficult to build a house that is impenetrable, because people need to get in and out and commerce needs to continue. However, there are some actions that should be considered by IT security, including:
- Using dual-factor or two-factor authentication (2FA);
- Reviewing email security settings to ensure adequate controls;
- Monitoring traffic for unusual activity – consider using an email gateway to help monitor traffic;
- Keeping email authentication and trace logs for as long as possible;
- Training employees to recognize phishing attacks.
As companies continue to migrate to the cloud, cybercriminals will continue to target the cloud as a gateway to commit crimes. Prior to migration, companies should consider these risks and make sure the security measures in place are as strong as possible. Doing so will help make the cloud a less lucrative target and can help reduce the volume of attacks.
Until then, the Rolling Stones song “Get Off of My Cloud” seems to be a fitting warning to cybercriminals: “Hey, you, get off of my cloud.”