Help! Email hacked

Sorry for the necro, but we have had incidents in the last two weeks where they, I don't know, intercept our emails and change the banking details. Luckily our customers have picked up on this. Anyone know how they are doing it?
This can be done through spoofing and social engineering methods where the mail account is not actually compromised, but in the last few years it has become more common for attackers to actually gain access to the mail account and hang out there gathering intelligence until the time comes to strike. Office 365 accounts have been highly targeted (because of their prevalence), but the same type of attack could be leveraged against pretty much any other email system.

Typically, the accounts are compromised by a phishing email that adds the victim's credentials to the attacker's database. The credentials could also be obtained by malware or other methods but phishing is cheap, low risk for the attacker, less likely to be detected by security technology and generally most effective from the attacker's point of view.

Once the attacker has gained access to the system they will gather intelligence to launch their attack and may take steps to persist access (so they can still access the account if the password is changed, for instance). They will access the webmail for the account and set up rules to forward interesting mails or move them to an obscure folder like RSS Feeds or Deleted Items. They bide their time for an opportunity to intercept a high-value transaction and then launch a BEC attack.

Indicators of compromise include:
  • Presence of suspicious inbox/forwarding rules that forward, delete and/or move
  • Inbox/forwarding rules created via web client
  • Access to the account from suspicious locations
  • Access to the account via web client or legacy protocols (e.g. POP, IMAP), which can be used to bypass MFA
  • Suspicious third-party cloud apps authorised on the account (app permissions can be used to persist access even after password resets)
Countermeasures/Mitigations include:
  • Multi-factor authentication on all accounts (not doing this on O365, Google or similar platforms is pretty much on a par with not backing up your servers if you are a business)
  • Block access via legacy protocols such as POP, IMAP, SMTP
  • Geoblocking
  • Block webmail if not used/needed
  • Restriction of third-party apps or APIs on cloud platforms
  • Strong inbound email security (e.g. Microsoft ATP or Mimecast)
  • End-user cybersecurity and anti-phishing training (e.g. Mimecast, KnowBe4, Microsoft)
I'm not a security specialist, but I hope that answers your question and gives you a bit more insight. Please, anyone chip in if there's anything important I've overlooked.
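The indicators of compromise listed in the reply above, turned into a small triage script. This is an added example and not code from the post or from any mail vendor: it runs over constructed, simplified inbox-rule and sign-in records (the key names, the `ORG_DOMAIN`, the legacy client-app labels and the expected sign-in country are all assumptions) and flags rules that forward externally, hide or delete mail, or were created through the web client, plus sign-ins over legacy protocols or from unexpected locations.

```python
ORG_DOMAIN = "example.com"                     # assumed: the organisation's own mail domain
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP"}   # legacy client-app labels (assumed)
EXPECTED_COUNTRIES = {"ZA"}                    # assumed: where staff normally sign in from

def rule_indicators(rule):
    """rule: simplified inbox-rule record (constructed shape, keys mirror common rule settings).
    Returns the indicators from the post that it matches; an empty list means nothing suspicious."""
    hits = []
    external = [a for a in rule.get("forward_to", ()) if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        hits.append("forwards externally to " + ", ".join(external))
    if rule.get("move_to_folder", "").lower() in HIDING_FOLDERS:
        hits.append("hides mail in " + rule["move_to_folder"])
    if rule.get("delete_message"):
        hits.append("deletes messages")
    if hits and rule.get("created_via", "").upper() == "OWA":
        hits.append("created via web client")
    return hits

def signin_indicators(event):
    """event: simplified sign-in record with user, country and client_app (constructed shape)."""
    hits = []
    if event["client_app"] in LEGACY_APPS:
        hits.append("legacy protocol that can bypass MFA: " + event["client_app"])
    if event["country"] not in EXPECTED_COUNTRIES:
        hits.append("sign-in from unexpected country " + event["country"])
    return hits

# Constructed sample data, not records from any real tenant.
RULES = [
    {"name": "Invoices", "user": "ap@example.com", "forward_to": ("bk@mail-archive.example.net",),
     "move_to_folder": "RSS Feeds", "created_via": "OWA"},
    {"name": "Newsletters", "user": "ap@example.com", "move_to_folder": "Reading"},
]
SIGNINS = [
    {"user": "ap@example.com", "country": "ZA", "client_app": "Browser"},
    {"user": "ap@example.com", "country": "NG", "client_app": "IMAP4"},
]

def triage(rules=RULES, signins=SIGNINS):
    """Group every indicator found across rules and sign-ins by mailbox owner."""
    report = {}
    for r in rules:
        for h in rule_indicators(r):
            report.setdefault(r["user"], []).append(f"rule '{r['name']}': {h}")
    for e in signins:
        for h in signin_indicators(e):
            report.setdefault(e["user"], []).append("sign-in: " + h)
    return report
```

In a real tenant the same checks would be fed from the mailbox's inbox rules, the audit log entries for rule creation and the sign-in log, rather than from the inline sample records.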