Mailbox attack

In this article we present an attack on the e-mail account of the President of the Management Board of an IT company. The first ‘symptom’ that something was wrong was a flood of non-delivery reports in the President’s mailbox: messages informing that e-mail could not be delivered to the indicated address. There were a great many of them. It was then verified that the Microsoft Exchange server had automatically blocked the user because it detected too many outgoing messages. Analysis of the Outlook client used by the account owner showed that about 1,900 e-mails had been sent to various addresses within an hour on that day.
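The signal that exposed this incident, an abnormal number of outgoing messages from one mailbox within an hour, is easy to check for on the server side before the bounce flood arrives. The following is an added example written for this article, not code from the original text or from any Exchange tool. It uses a constructed, simplified log format (timestamp, event, sender, recipient) that only loosely resembles a message-tracking export; the column layout, the sample addresses and the threshold of 500 messages per hour are assumptions.

```python
"""Detect an outbound mail burst per sender using a sliding one-hour window.

Added example, not from the original article. The log format and the
sample data below are constructed; map the columns to your server's real
message-tracking export before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one ordinary sender and a compromised mailbox that
# sends 1,900 messages to distinct recipients within a single hour.
SAMPLE_LOG = "\n".join(
    ["2024-03-04T09:00:00Z,SEND,alice@example.com,partner@example.org"]
    + [
        f"2024-03-04T10:{i // 60:02d}:{i % 60:02d}Z,SEND,"
        f"president@example.com,target{i}@example.net"
        for i in range(1900)
    ]
    + ["2024-03-04T11:30:00Z,SEND,alice@example.com,client@example.org"]
)


def parse_log(text):
    """Return a list of (timestamp, sender, recipient) for SEND events only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, sender, recipient = line.split(",")
        if event != "SEND":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sender, recipient))
    return events


def peak_hourly_volume(events, window=timedelta(hours=1)):
    """Return {sender: (peak_count, window_start)}: the largest number of
    messages any sender produced inside any window of the given length."""
    by_sender = defaultdict(list)
    for ts, sender, _ in events:
        by_sender[sender].append(ts)
    peaks = {}
    for sender, stamps in by_sender.items():
        stamps.sort()
        best, start, left = 0, stamps[0], 0
        for right, ts in enumerate(stamps):
            # Slide the left edge forward until the window is shorter than `window`.
            while ts - stamps[left] >= window:
                left += 1
            count = right - left + 1
            if count > best:
                best, start = count, stamps[left]
        peaks[sender] = (best, start)
    return peaks


def flag_bursts(events, threshold=500):
    """Senders whose peak hourly volume reaches the threshold (assumed value)."""
    return {
        sender: peak
        for sender, peak in peak_hourly_volume(events).items()
        if peak[0] >= threshold
    }


if __name__ == "__main__":
    for sender, (count, start) in flag_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {count} messages in the hour starting {start:%Y-%m-%d %H:%M}")
```

The threshold should be tuned per organization; a marketing mailbox legitimately exceeds what a CEO's mailbox ever sends, so the check is most useful as a per-sender baseline comparison rather than one global number.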

What could have caused the mail to be blocked?

In such a case there are several possible scenarios that could be causing the problem:

  1. A technical failure may have occurred.
  2. There may have been a mistake in configuring the mail servers. It sometimes happens that, because of problems on the side of our contractors or clients, our domain is blacklisted by Microsoft and the system blocks us automatically.
  3. Unfortunately, there may also have been a cyber incident. And that’s what happened in this case…

Our experience in risk assessment for clients

For many years it has been assumed that insurers’ risk assessment surveys for technology companies need not be so thorough and meticulous, because this industry is well versed in cyber security and can protect itself properly. The statistics say otherwise. After several hundred audits of companies (including technology companies) and many conversations, we know that attacks on technology companies are just as widespread and feasible as on companies from other industries. Everything depends on the people who manage security in the organization. Even CEOs of IT companies can mismanage password policy and be vulnerable to attack.

Password leakage is the main threat to the company

The basic area when verifying a company for risk assessment is password leaks. Why? One of the most dangerous situations is using an e-mail address from the company domain to log in to other portals (domains, social media accounts, etc.). Many such portals are considered insecure and easy to surveil or even take over. In that case there is a high probability that automated tools will let criminals capture the e-mail address together with the password, or that password-cracking algorithms will be able to ‘crack’ it. It often happens that, when logging in at different places on the network, we use not only the company domain address but also the same password. In such a situation, when there is a data leak from one website, potential criminals can easily take the data and log in, for example, to the company’s e-mail.

Taking over the box by unauthorized persons

The situation described above happened to one of our clients. The President’s password was cracked, and the mailbox was taken over and used by so-called automata: a bot network that used this mailbox for a chain of massive spam attacks.

As it turned out, the President had failed to secure his access adequately. He used a simple e-mail password. He also used the same password to access other websites and so on. He had not changed his password in years, even after moving to a new, more secure e-mail server. Thanks to this, the attackers easily took over access to the e-mail account and used it.

Responses to cyber attacks

The biggest problem with cyber attacks is not knowing what happened and what consequences it may have. Often having no experience of such situations, the attacked react badly or do not react at all. This threatens to exacerbate the problem or increase the losses the criminals are able to cause.

It is very important to react as soon as possible at any suspicion that a cyber event may have occurred. If you lack the knowledge of how to deal with such a specific case, you can contact specialists who can help solve the problem.

How should the company and its president react in such a situation?

The best way to counter attacks in this situation is to maintain a password change policy. In this particular case it was necessary to immediately change the mailbox password to a new, secure one: at least 15 characters and no dictionary words, so that a cracking algorithm could not break it. In our case this step worked: the bot stopped sending e-mails from the President’s mailbox.
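The two weaknesses this article identifies, a short dictionary-based password and the same password reused on the mailbox and on other websites, can both be checked mechanically during a password audit. The following is an added example, not code from the original article: it applies the policy stated above (at least 15 characters, no dictionary words) and reports passwords shared between accounts. The tiny wordlist and the sample credentials are constructed for illustration; a real audit would load a full dictionary and take credentials from a password-manager export.

```python
"""Audit credentials for the policy above and for cross-account reuse.

Added example, not from the original article. DICTIONARY and
SAMPLE_CREDENTIALS are constructed stand-ins for a real wordlist and a
real password-manager export.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 15  # policy value from the article

# Constructed mini wordlist; load a full dictionary into this set in practice.
DICTIONARY = {"password", "company", "summer", "welcome", "president", "qwerty", "admin"}


def normalize(password):
    """Lower-case and strip trailing digits/symbols so 'Summer2024!' reduces to 'summer'."""
    return password.lower().rstrip("0123456789!@#$%^&*._-")


def dictionary_based(password):
    """True if the password is a dictionary word or two dictionary words joined."""
    core = normalize(password)
    if core in DICTIONARY:
        return True
    return any(core.startswith(w) and core[len(w):] in DICTIONARY for w in DICTIONARY)


def policy_violations(password):
    """List of human-readable policy violations; empty means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if dictionary_based(password):
        problems.append("based on dictionary word(s)")
    return problems


def reuse_report(credentials):
    """Map a short password fingerprint to the accounts sharing that password.

    Only accounts with more than one entry are returned. The fingerprint is a
    truncated SHA-256 so the audit output never contains plaintext passwords.
    """
    seen = defaultdict(list)
    for account, password in credentials:
        fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
        seen[fingerprint].append(account)
    return {fp: accounts for fp, accounts in seen.items() if len(accounts) > 1}


def audit(credentials):
    """Return (violations per account, reuse report) for a list of (account, password)."""
    violations = {account: policy_violations(pw) for account, pw in credentials}
    return violations, reuse_report(credentials)


# Constructed sample mirroring the incident: one short, dictionary-based
# password shared between the mail account and a web portal.
SAMPLE_CREDENTIALS = [
    ("president@example.com (mail)", "Summer2024!"),
    ("president@example.com (web portal)", "Summer2024!"),
    ("it-admin@example.com (mail)", "WelcomeAdmin2024!"),
    ("cfo@example.com (mail)", "correct-horse-battery-staple-9"),
]

if __name__ == "__main__":
    violations, reuse = audit(SAMPLE_CREDENTIALS)
    for account, problems in violations.items():
        print(account, "->", "; ".join(problems) or "OK")
    for fingerprint, accounts in reuse.items():
        print(f"password {fingerprint} reused by: {', '.join(accounts)}")
```

Note that the length rule alone would have accepted "WelcomeAdmin2024!", which is why the dictionary test also looks for concatenated words; cracking tools try such combinations routinely.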

To further secure the mailbox, MFA/2FA (multi-factor / two-factor authentication) had to be introduced for all e-mail accounts in the organization. This is the simplest form of securing e-mail boxes, and also the other accounts we use, e.g. in social media.

A specialist firm engaged by the CEO also verified that other mailboxes had not been seized. In addition, it secured and analyzed the available logs on the mail server to examine the hackers’ activity on the taken-over mailbox: was it just a mailbox taken over by a bot, or could there be something more? Logs are analyzed to understand the attack vectors. Vectors can be narrow or already very wide, exposing the company to high costs. Therefore the content of the intercepted mailbox is analyzed to check whether it contains data allowing further attacks (e.g. access data to other systems), whether it contains personal data (especially sensitive data), whether it contains data whose disclosure would threaten the interests of the company or its contractors, etc. Depending on the results of the analysis, additional actions should be taken, i.e. a full post-hack analysis, notification of PUODO (the Polish data protection authority) and of clients in the event of a personal data breach, notification of a crime to law enforcement authorities, and a full security audit of the organization to verify whether systems were breached.
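The log review described above answers two questions: from where was the taken-over mailbox accessed, and did the same sources touch any other mailbox? The following is an added example written for this article, not code from the original text or from any mail server vendor. It uses a constructed JSON-lines audit format; the field names (ts, user, op, ip, agent) and the operation names are assumptions that would have to be mapped onto the real server’s audit export.

```python
"""Triage a mailbox audit log after a takeover.

Added example, not from the original article. The audit format, field
names, operation names and sample events are constructed.
"""
import json
from datetime import datetime

# Constructed sample: the President's usual Outlook sign-ins, then a new
# source that logs in, creates an inbox rule and sends mail on incident day.
SAMPLE_AUDIT = """\
{"ts": "2024-03-01T08:05:00Z", "user": "president@example.com", "op": "MailboxLogin", "ip": "203.0.113.10", "agent": "Outlook"}
{"ts": "2024-03-02T08:10:00Z", "user": "president@example.com", "op": "MailboxLogin", "ip": "203.0.113.10", "agent": "Outlook"}
{"ts": "2024-03-04T09:40:00Z", "user": "president@example.com", "op": "MailboxLogin", "ip": "198.51.100.77", "agent": "python-requests"}
{"ts": "2024-03-04T09:41:00Z", "user": "president@example.com", "op": "New-InboxRule", "ip": "198.51.100.77", "agent": "python-requests"}
{"ts": "2024-03-04T10:00:00Z", "user": "president@example.com", "op": "Send", "ip": "198.51.100.77", "agent": "python-requests"}
{"ts": "2024-03-04T10:30:00Z", "user": "cfo@example.com", "op": "MailboxLogin", "ip": "203.0.113.11", "agent": "Outlook"}
"""


def parse_audit(text):
    """Return a list of event dicts with 'ts' converted to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def baseline_sources(events, user, before):
    """Set of (ip, agent) pairs the user was seen from before the incident window."""
    return {
        (e["ip"], e["agent"])
        for e in events
        if e["user"] == user and e["ts"] < before
    }


def triage(events, user, incident_start):
    """Sources first seen during the incident and the operations they performed."""
    known = baseline_sources(events, user, incident_start)
    suspicious = [
        e for e in events
        if e["user"] == user
        and e["ts"] >= incident_start
        and (e["ip"], e["agent"]) not in known
    ]
    return {
        "new_sources": sorted({(e["ip"], e["agent"]) for e in suspicious}),
        "ops_by_new_sources": sorted({e["op"] for e in suspicious}),
    }


def other_users_from_sources(events, sources, exclude_user):
    """Other mailboxes accessed from the suspicious sources (were other boxes seized?)."""
    wanted = set(sources)
    return sorted({
        e["user"] for e in events
        if (e["ip"], e["agent"]) in wanted and e["user"] != exclude_user
    })


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    victim = "president@example.com"
    result = triage(events, victim, datetime(2024, 3, 4, 9, 0))
    print("new sources:", result["new_sources"])
    print("operations by new sources:", result["ops_by_new_sources"])
    print("other mailboxes touched:", other_users_from_sources(events, result["new_sources"], victim))
```

The operations list is what decides whether it was "just a bot": a source that only sends mail is a spam relay, while one that also creates inbox rules or reads mail suggests the broader follow-on activity the article warns about, and the content review it describes becomes mandatory.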

Potential consequences of the incident

It could be that the President’s mailbox was hacked by criminals who copied and then analyzed its contents. What would be the consequences? One of the greatest risks of such incidents is the disclosure of confidential information or data and exposure to claims for damages. This is the real fear of attacks for many customers.

Taking over the organization’s resources, including its key mailbox, encourages hackers to push further. They look for other mailboxes in the company’s domain, or other systems to which the President logged in, in order to take them over. This is how attacks begin that aim to take control of the organization as a whole. These attacks often infect the network infrastructure with malware.

Another threat is the use of contacts. With access to sent e-mails and to the address book, these can be used in ‘simple’ phishing attacks against employees, contractors or family members. With a well-crafted, personalized e-mail sent to various organizations, companies and employees and containing a well-constructed link, there is a high probability that a large percentage of people will click on it, which may result in the infection of their network. This is how targeted, personalized social engineering attacks are created for purposes such as extorting money or delivering malware. Taking over the organization’s key mailbox can have incredibly high consequences, not only financially but also for the image of the entire company.

How to easily increase data security in your organization

First of all, take care of the hygiene of your e-mail accounts. Set strong, non-dictionary passwords, different for each account. Use MFA/2FA for e-mail. Always use encryption to send information whose content, if it fell into the wrong hands, could harm the company, contractors or employees. Monitor data leaks concerning yourself and your organization. In the home-office era it is also important to take care of the security of home infrastructure, especially if it is used by children or elderly people who are less risk-aware. And of course, share incidents with colleagues and family to raise awareness of the cyber threats around us.