By Jeremy Fuchs, Cybersecurity Researcher/Analyst at Check Point Software
One of the key capabilities of an email security solution is the ability to detect anomalies. When something happens that’s out of the ordinary, it can be a sign that malicious behaviour is afoot.
RELATED: Check Point Software releases 2023 Security Report Highlighting rise in cyberattacks and disruptive malware
It’s key because it happens a lot. In one study, Javelin Research found that account takeover increased by a whopping 90% in 2021. These losses totalled $11.4 billion, making up nearly a quarter of all identity fraud losses in 2021.
This correlates with the data that HEC researchers see. In March alone, we saw 1,345 unique compromised accounts. Of those, 783 began sending out phishing or spam messages. That’s a 179% increase from the previous month.
Hackers can take over an account in many ways, and they can do many things once they are there.
One of the most classic examples is the Direct Deposit change.
In this attack brief, Check Point Harmony Email researchers will discuss how hackers use compromised accounts to switch banking information.
In this attack, hackers are taking over legitimate email accounts and then using it to ask finance or HR to change banking information on payroll to that of the hacker.
- Vector: Email
- Type: Account Takeover
- Techniques: Social Engineering, Financial Fraud
- Target: Any end-user
In this attack, a hacker has taken over someone’s email address. how did that happen? Tough to say. Although phishing messages are the most common way for hackers to gain access to an account, they are far from the only method. Large, third-party data leaks like Yahoo and LinkedIn have created a market for hackers to exchange stolen passwords. A breach might include passwords for one service that employees have re-used on corporate accounts. Even a breach that doesn’t include raw credentials might include the personal information (street address, high school, mother’s maiden name) that makes it possible for attackers to gain temporary access by requesting a password change.
However it happens, it’s dangerous. In this case, the hacker did something common afterward–the direct deposit ask.
It’s not crazy for someone to email HR or finance and ask for their pay checks to be deposited somewhere else. People change banks all the time; sometimes people want the money split into multiple accounts. Whatever it is, it’s not unusual to receive this sort of request.
So in this case, when a hacker does it, the idea is for the company to deposit the next pay period into their account, not the actual employee’s. At some point, the actual employee is going to realize that their pay didn’t reach their account. But, for at least one pay period, the hacker might be able to get away with it.
An organization can monitor for warning signs that an employee’s account has been compromised. Some key indicators include:
- Failed Logins: Account takeover attacks that attempt to guess or stuff credentials on online portals can generate a large number of failed detections. Monitoring for these failed login attempts can help with detecting some types of account takeover threats.
- User Analytics: Users typically have certain patterns of behaviour, logging in at certain times from specific places, etc. Access attempts that break these patterns of behaviour can be warning signs of a compromised account.
- Insecure Configurations: Cybercriminals will commonly disable security controls and set up unusual configurations such as mail filtering and forwarding. These types of changes may indicate that a user account has been compromised.
It’s imperative to monitor these–and many more.
But monitoring is tough, because employees may take action quickly. Think about the above email. If you’re in finance or HR and you receive that email, would you think it’s suspicious? Everything about the email is clean. It comes from the actual email address of the employee. There are no links or malware embedded. It looks perfectly fine and the setup is plausible, too. You can’t confirm that the bank information they are requesting is actually theirs.
So yes, Implementing account takeover in email is key. Another key? Real-time abilities. Finding out that an account was taken over immediately after the malicious login is critical to prevent the hackers from gaining access to what they shouldn’t see or using the account as a jump-board to launch additional attacks.
So, now that you have accurate detection in real-time, what next?
Automation is important because you often don’t have time to wait for someone to review every event. It is vital to revoke the hacker’s access to the account immediately before any damage is done. Otherwise, your organization could be in a world of trouble
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Implement security that uses AI to look at multiple indicators of account compromise
- Implement security that allows for the automatic blocking of compromised accounts
- Consider implementing stricter policies for submitting direct deposit or any other HR-related changes
COVER IMAGE: Wallarm