Email correspondence is second nature in today’s digital world because of all the inherent advantages it affords. Among those advantages it provides a dated written record which can easily located and reviewed at any time, it can be sent in the middle of the night and will be waiting for the recipient whenever they next check their mail, and it can be accessed from just about anywhere in the world on a host of different devices. It is today an integral part of daily life. But what happens when an email account is hacked?
Recently a very curious case came to our doorstep – An organization in India (To maintain privacy let’s just refer to them as organization A) was working with a client in Canada on a very large project. Since they were old partners, invoices were usually cleared within one month of delivery. However, in this particular case, an invoice of $ 1.5 million was not cleared in the stipulated time. On reminding the client, they were informed that the invoice had been cleared almost fifteen days back. They were also informed that the early payment was done on the behest of the organization A itself.
The client showed bank deposit slips, invoice raised by Organization A as well as multiple mails coming from their mail ID requesting for an early release. On investigation it was identified that a separate trail mail showed requests for change of Bank accounts for ‘auditing’ purposes. On detailed investigation it was identified that though the mails had come from the same mail ID, they had never originated from any of the systems inside the organization. A hacker had hacked into one of the accounts, and sent a couple of mails requesting for a change of bank accounts. He had continuously replied to the client authenticating the fact that account details had to be changed and deleted the mails from the inbox.
A simple hack account cost the company $ 1.5 million.
In another case, a top CEO of an organization was blackmailed into paying $ 40,000 to hackers who had hacked into his mail ID and found certain pictures of the CEO in compromising positions. Such cases are just the tip of the iceberg. Email hacking is the latest and probably one of the biggest challenges of Information Security. It targets the weakest link in the IT Security landscape – a non-aware user.
According to a public service announcement released by the Internet Crime Complaint Center (IC3), in the period between October 1, 2013, and December 1, 2014 – 14 months in all – there have been nearly 1200 US and a little over 900 non-US victims of scams where the Business mails have been compromised.
The attack targets businesses working with foreign suppliers and / or businesses that regularly perform international money transfers. Attacks are carried out using compromised email accounts as the springboard for diverting company funds meant for legitimate vendors. Most of the banks where these illegitimate funds are transferred are located in China and Hong Kong.
The targets are usually high-level executives (CEO’s / CFO’s) etc at medium and large organizations. There are three types of Business Email compromise (BEC) scams taking place these days –
Type 1 – Mail Compromise of the senior partners in the organization
Hackers hack into the mail ID’s of the users in the Finance department using a simple phishing scam where the user is asked to change his user name and password in a mail seemingly originating from the IT department. Once the mail is compromised client details are identified from the mails. Invoices are then resent to the client with one small difference – The details of the bank accounts are changed. Once the client pays off the money, the funds are immediately diverted to different banks from where it is withdrawn and siphoned off.
Type 2 – Spoofing the identity of the organization
The email sender impersonates an executive at another company. The spoofed sender info uses look-alike domain names that closely resemble the corporate domain names of the organization being impersonated. The spoofed sender appears to be with an actual reseller or distributor with a pre-existing corporate relationship with the targeted organization. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. Attached to the email is a PDF containing wire-transfer instructions, including a bank name and account number.
The biggest source of mail ID’s and other information is from professional and other social media websites such as Naukri, LinkedIn etc.
There are multiple steps organizations need to take to protect their businesses from email compromises –
- It is important for an organization to sensitize their employees on these scams to ensure that any suspicious mail / activity is reported to the IT Team
- Organizations should take care to integrate Two Factor Authentication with their mail exchange servers. It was kind of impossible in the past since using a VPN and publishing the mail server behind it used to be the only solution. This severely impacted the functionality of downloading mails on Outlook or phone. However, with the latest technology bought about by AuthShield labs, it is now possible to integrate mail clients such as Outlook, Thunderbird and protocols such as POP / IMAP or MAPI directly with Two Factor Authentication making it extremely convenient for a user to secure his credentials
- As a last step, users can use Digital signatures on their mails to validate the authenticity of the mails.
The writer is a consultant for AuthShield Labs, India’s premier authentication Security organization leading in using NFC and OTP for Authentications security of users
Authored by: Tarun Wig, Co-Founder, Innefu Labs
