
Exclusive: Triage An Email Security Breach

Technology, Security

E-mail security breaches are on the rise and are having a large impact on New Zealand businesses in 2022. They result from an attacker gaining access to a mailbox through password compromise or a successful phishing link attack.

Passwords

Password compromises are a typical entry point for an attacker into a mailbox. There have been a number of well-publicized password compromises, such as the LinkedIn password compromise: an archive containing data purportedly scraped from 500 million LinkedIn profiles has been put up for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

Hackers know that it is common for people to use the same password for multiple systems and software accounts. They exploit this by obtaining passwords either in bulk on the dark web or from published password compromises. You can easily check whether your password has been compromised by visiting Have I Been Pwned.

You should be changing your password regularly and not using the same password on multiple accounts. Two-factor authentication is also imperative as a redundant security measure.

Phishing Attacks

We are noticing with greater, and quite alarming, frequency that mailboxes are being compromised by phishing attacks.

A phishing attack is easy to explain. The attacker sends an email crafted to look legitimate in the hope that a user inside a company will click on the link. The link is the trigger for the attacker to compromise the email account. Sometimes it only takes one click. One inattentive moment and your mailbox, and possibly your whole system, is at serious risk.

Once inside, the attacker usually waits. Waits for the right moment to act. Usually, they lie in wait for a transaction that is occurring. Reading email exchanges between parties about that transaction, they can then spring into action at the perfect moment. This usually takes the form of sending a recipient an email purportedly from the staff member's mailbox that has been compromised. The recipient has absolutely no way of knowing that the e-mail they have received is not legitimate.

It has been sent from the actual real email account of the victim. These fake emails will be sent and hidden so that the victim is unaware emails are being sent from their account.

Typically, the attacker will request a bank account change for the transaction so they can divert the funds. We have had clients, victims, that have lost as little as $1200 to as much as $2.5 million by exactly this method.

Post Event

OK, so the unthinkable has happened. What now?

Well, lots actually.

First you need to triage the hack. We do this by:

  1. Securing and analysing the logs to determine when the attack occurred, which mailboxes have been compromised, what fake emails have been sent and to whom. We will also turn on mailbox features to secure the account from further or ongoing attacks.

  2. Next, we will secure and download a forensic copy of the compromised mailbox for further analysis.

  3. Some businesses will have statutory obligations to report the breach to either the Financial Markets Authority or the Office of the Privacy Commissioner. There is a specific method and timing to these notifications.

  4. Lastly, we work to engage stricter e-mail security procedures in the business to prevent this type of attack from happening again.
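
The log analysis in step 1 can be sketched in a few lines. The following is an added example, not our team's tooling or any product's export format: it assumes mailbox audit records in a constructed JSON-lines schema (`time`, `mailbox`, `op`, `ip`, `msg`, `to`, `subject`) and a known set of trusted office addresses, and reports per mailbox when untrusted activity began, what was sent, to whom, and whether the sent message was then deleted to hide it.

```python
import json

# Constructed audit records in a hypothetical JSON-lines schema (not a real product's export).
SAMPLE_LOG = """
{"time":"2022-03-01T08:02:11","mailbox":"accounts@example.co.nz","op":"Login","ip":"203.0.113.10"}
{"time":"2022-03-01T08:15:40","mailbox":"accounts@example.co.nz","op":"Send","ip":"203.0.113.10","msg":"m-101","to":"supplier@example.com","subject":"Invoice 884"}
{"time":"2022-03-03T02:14:09","mailbox":"accounts@example.co.nz","op":"Login","ip":"198.51.100.77"}
{"time":"2022-03-07T09:30:00","mailbox":"accounts@example.co.nz","op":"Send","ip":"198.51.100.77","msg":"m-102","to":"buyer@example.com","subject":"Updated bank account details"}
{"time":"2022-03-07T09:30:20","mailbox":"accounts@example.co.nz","op":"Delete","ip":"198.51.100.77","msg":"m-102"}
{"time":"2022-03-07T10:01:00","mailbox":"sales@example.co.nz","op":"Login","ip":"203.0.113.10"}
"""

TRUSTED_IPS = {"203.0.113.10"}  # assumption: the business's known office egress address


def triage(log_text, trusted_ips):
    """Summarise, per mailbox, all activity from addresses outside trusted_ips."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])  # same-format ISO 8601 strings sort chronologically
    report = {}
    for ev in events:
        if ev["ip"] in trusted_ips:
            continue
        box = report.setdefault(ev["mailbox"],
                                {"first_seen": ev["time"], "ips": set(), "sent": []})
        box["ips"].add(ev["ip"])
        if ev["op"] == "Send":
            box["sent"].append({"time": ev["time"], "msg": ev["msg"], "to": ev["to"],
                                "subject": ev["subject"], "hidden": False})
        elif ev["op"] == "Delete":
            # A sent message later deleted from the untrusted address was hidden from the owner.
            for sent in box["sent"]:
                if sent["msg"] == ev["msg"]:
                    sent["hidden"] = True
    return report


if __name__ == "__main__":
    for mailbox, box in triage(SAMPLE_LOG, TRUSTED_IPS).items():
        print(f"{mailbox}: first untrusted activity {box['first_seen']} from {sorted(box['ips'])}")
        for s in box["sent"]:
            print(f"  {s['time']} -> {s['to']}: {s['subject']!r} (hidden={s['hidden']})")
```

The `first_seen` timestamp bounds the window for the forensic copy in step 2, and the `sent` list is the set of recipients who need to be warned.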

Last Thoughts

E-mail compromise attacks can happen at the largest or smallest organizations. All it takes is weak email security and a moment of inattention by a staff member.

They can cause irreparable commercial damage and should be treated as an existential threat to your business.

Now is the time to make sure of your e-mail security.

If you are the victim of an attack - don’t delay in calling in experts such as our team to help.

Article by: Daniel Toresen, Director