Hackers Continue to Compromise Email Accounts

Jim Rumph, CISSA, CISSP

Systems Senior Manager

October 26, 2017

Overview
According to the FBI’s Internet Crime Report, there were approximately $1.33 Billion in victim losses in 2016 alone, with the largest loss category attributed to “Business Email Compromise/Email Account Compromise” (BEC/EAC). Both are scams that target businesses or individuals in order to compromise their email accounts. Likely targets are people who have access to funds or the ability to move funds (e.g., wire transfers or ACH payments), but the target can really be anybody.

Between October 2013 and December 2016, over $5 Billion in international and domestic losses from this type of attack were reported to the FBI. In addition, between January 2015 and December 2016, there was a 2,370% increase in identified exposed losses. The following BEC/EAC statistics were reported in victim complaints to the FBI’s Internet Crime Complaint Center (IC3) from October 2013 to December 2016: Total U.S. victims: 22,292 and Total U.S. exposed dollar loss: $1,594,503,669.

These statistics speak heavily to the prevalence of this type of attack. Hackers are getting in successfully (not to mention easily) and will not be stopping any time soon.

How it Works
One of the more popular ways that public-facing email accounts (such as Gmail or Office 365) are compromised is through phishing campaigns, which trick users into entering their credentials on “look-alike” login pages. Once the mailbox is compromised, the attacker carries out their end goal, which often includes requesting fraudulent wire transfers. We’ve recently seen attackers also use compromised accounts to send phishing/malware links to every contact in the account’s address book. These messages are hard to catch with normal email filters because they come from a legitimate user and a legitimate email address.

How to Help Mitigate these Attacks

  • Consider restricting access to web-facing email systems to internal users only. This can be accomplished through dedicated VPNs into the internal network.
  • If whitelisting is not an option, enforce Multi-Factor Authentication: for any public-facing system (email, file storage, etc.), implement multi-factor authentication. This mitigates the risk of relying on just a username and password, which can be easily compromised.
  • Training: Training has to be done constantly. We have to stay in front of our employees and let them know what to look for and when to report activity.
  • Phishing Tests: It’s not enough to train your users; you also need to conduct phishing tests periodically. Be sure to alter your approach every time you run a test.
  • Email Filters: We need to take action to block potentially malicious emails. This includes blocking suspicious attachments such as renamed executable files and .pdf files with executable code in them. It also includes analyzing links in emails to check for malicious sites. We also need to block spoofed emails (emails arriving from outside your network that claim to come from your own domain).
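To make the Email Filters bullet concrete, here is an added example (not code from the original post or from any mail gateway product) of the three inbound checks it describes: attachments are judged by their bytes rather than their file name, PDFs are scanned for keys that trigger script or program execution, and mail claiming to be from the organisation's own domain is quarantined unless it arrived through a trusted relay. The organisation domain `example.com`, the trusted relay address, the known-bad host list and the sample message are all assumed or constructed for the example; a real gateway would parse these fields out of RFC 5322 headers and MIME parts and would consult a live threat feed for links.

```python
"""Inbound-mail checks for renamed executables, PDFs with active content,
spoofed same-domain senders and look-alike links (illustrative example)."""
import re
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                    # assumed organisation mail domain
TRUSTED_RELAYS = {"192.0.2.10"}                # assumed hosts allowed to send as OUR_DOMAIN
KNOWN_BAD_HOSTS = {"malware-download.test"}    # constructed stand-in for a threat feed

EXEC_MAGIC = (b"MZ", b"\x7fELF")               # Windows PE and Linux ELF headers
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def attachment_findings(filename, content):
    """Judge an attachment by its leading bytes, not by its extension."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if content.startswith(EXEC_MAGIC):
        if ext in ("exe", "dll", "scr", "com"):
            findings.append(f"executable attachment: {filename}")
        else:
            findings.append(f"renamed executable (.{ext or 'none'} with executable header): {filename}")
    if content.startswith(b"%PDF") and any(k in content for k in PDF_ACTIVE_KEYS):
        findings.append(f"PDF with active content: {filename}")
    return findings


def spoofed_internal_sender(from_addr, relay_ip):
    """Mail that claims our own domain must come from a relay we control."""
    domain = from_addr.rsplit("@", 1)[-1].strip("<> ").lower()
    return domain == OUR_DOMAIN and relay_ip not in TRUSTED_RELAYS


def link_findings(body):
    """Flag links to known-bad hosts and to hosts that borrow our name."""
    org_label = OUR_DOMAIN.split(".")[0]
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"link to known-bad host: {host}")
        elif org_label in host and not (host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)):
            findings.append(f"look-alike link: {host}")
    return findings


def assess_message(msg):
    """Run every check; a non-empty result means quarantine for review."""
    findings = []
    if spoofed_internal_sender(msg["from"], msg["relay_ip"]):
        findings.append(f"spoofed internal sender from external relay {msg['relay_ip']}")
    for name, content in msg.get("attachments", []):
        findings.extend(attachment_findings(name, content))
    findings.extend(link_findings(msg.get("body", "")))
    return findings


# Constructed sample: an external relay sending as our domain, carrying a
# renamed executable, a PDF with JavaScript, and a look-alike approval link.
SAMPLE_MESSAGE = {
    "from": "ceo@example.com",
    "relay_ip": "203.0.113.5",
    "body": "Please approve the wire today: https://example.com.secure-login.test/approve",
    "attachments": [
        ("Invoice_0423.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("Terms.pdf", b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R /JS (app.alert(1)) >>"),
    ],
}

if __name__ == "__main__":
    for finding in assess_message(SAMPLE_MESSAGE):
        print("QUARANTINE:", finding)
```

Run against the constructed message, every check fires: the sender is spoofed, the "invoice" is a PE file wearing a .pdf name, the real PDF carries an OpenAction with JavaScript, and the link points at a host that merely begins with the organisation's domain. The magic-byte check is what makes the renamed-executable rule work; an extension blocklist alone is defeated the moment the attacker renames the file.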

References
https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
https://www.ic3.gov/media/2017/170504.aspx

If you have any questions on how to better protect yourself and your business from these types of attacks or would like additional training for your employees, please reach out to Jim Rumph at jrumph@pkm.com or (404) 420-5639.
