
Cybercriminals taking over email accounts and scamming contacts

04 May 18

A cybercrime technique that has become increasingly common of late is to take over a victim’s email account and use it to attack their contacts.

That’s according to Barracuda VP email security Asaf Cidon, who says it’s simple – you’d be more inclined to open and act on an email from a colleague, friend, or at the very least someone you know as opposed to someone you don’t.

“Cybercriminals take over user accounts and send fake emails to the users’ colleagues and contacts. The emails sent contain fake links, including a fake OneDrive share link that is used to steal credentials and take over more accounts,” says Cidon.

Barracuda have provided an example of how criminals took over an account of a finance employee – most likely by following a phishing link from the attackers, which prompted them to enter their credentials into a fake Outlook sign-in page.

Once the criminals had the victim’s credentials, they then sent out emails to more than a dozen members of the finance team from the compromised account, with the goal being to steal additional credentials. Here’s the message that was sent:

The message seems quite innocent on its own, but Cidon says if the recipients click on the link they’ll be taken to a fake Office 365 sign-in where they’ll be asked to enter their credentials – if they do, then their accounts will be taken over by the criminals as well.

“On their own, stolen credentials of a reputable organisation are worth a handsome sum in the dark web. They can be sold to launch additional phishing campaigns, which will have a high chance of success since it would be coming from a high-reputation domain,” says Cidon.

“In addition, these stolen credentials can be used to conduct spear phishing, or CEO fraud attacks. In these attacks, the hackers send an email from the compromised account with the goal of tricking the recipient (who is usually in the finance department) to send a wire transfer to a bank account owned by the attacker.”

Cidon says cybercriminals use a number of email variants to steal credentials – Barracuda have provided a second example in which the phishing email sent to users included a OneDrive share link in the body.

“Similar to what we saw in the first example, a user’s email account was also taken over; however, this time the criminals took a different approach with the included link. They included a OneDrive share link that when clicked, will lead to a fake sign-in page used to steal credentials,” says Cidon.

“In this particular attack, the criminals logged in multiple times to the user’s account, gathered targets from the user’s address book, and sent out hundreds of emails to both employees and external contacts.”

It’s clear that as soon as criminals have credentials the attacks are able to snowball rapidly. Cidon says what’s really scary is that standard email security solutions won’t detect these types of attacks because they originate from internal emails.
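Because these messages come from a genuine internal mailbox, perimeter filters that key on the sender's domain reputation have nothing to catch. The two things that do stand out in the attacks described above are a link whose visible text promises a OneDrive share but whose destination is not a Microsoft host, and a single account that suddenly sends link-bearing mail to many colleagues in a short window. The following script, an added example and not code from the article or from Barracuda, flags both signals over outbound mail-trace records. The internal domain, the trusted share hosts, the record format and the sample records are all constructed assumptions for the example.

```python
"""Flag lateral phishing sent from a compromised internal mailbox.

Signals (both described in the article, thresholds are assumptions):
  1. a link labelled as a OneDrive share that resolves to a non-Microsoft host
  2. one internal account mailing many distinct colleagues, with links, in a burst
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                          # assumption: our own mail domain
TRUSTED_SHARE_HOSTS = {"1drv.ms", "onedrive.live.com"}   # assumption: hosts a real share link uses
BURST_WINDOW = timedelta(minutes=15)                     # assumption: sliding window length
BURST_THRESHOLD = 10                                     # assumption: distinct recipients per window


def link_is_suspicious(display_text, href):
    """True when the anchor text mentions OneDrive but the href host is not a trusted share host."""
    host = (urlparse(href).hostname or "").lower()
    return "onedrive" in display_text.lower() and host not in TRUSTED_SHARE_HOSTS


def find_lateral_phishing(records):
    """records: dicts with ts (ISO 8601), sender, recipient, links (list of (text, href)).

    Returns a list of alert tuples; the first element names the signal.
    """
    alerts = []
    link_events = defaultdict(list)  # sender -> [(timestamp, recipient)] for link-bearing mail

    for r in records:
        # Only internal senders matter here: external mail is the perimeter filter's job.
        if not r["sender"].lower().endswith("@" + INTERNAL_DOMAIN):
            continue
        bad = [href for text, href in r["links"] if link_is_suspicious(text, href)]
        if bad:
            alerts.append(("lookalike_share_link", r["sender"], r["recipient"], bad[0]))
        if r["links"]:
            link_events[r["sender"]].append((datetime.fromisoformat(r["ts"]), r["recipient"]))

    # Sliding window over each sender's link-bearing messages, counting distinct recipients.
    for sender, events in link_events.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > BURST_WINDOW:
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            if len(distinct) >= BURST_THRESHOLD:
                alerts.append(("burst_send", sender, len(distinct), events[start][0].isoformat()))
                break  # one alert per sender is enough for triage
    return alerts


def constructed_sample():
    """Constructed trace records (not from the article): one compromised account, one benign user."""
    base = datetime(2018, 5, 4, 9, 0, 0)
    recs = []
    # Compromised finance mailbox mailing twelve colleagues within four minutes.
    for i in range(12):
        recs.append({
            "ts": (base + timedelta(seconds=20 * i)).isoformat(),
            "sender": "finance.user@example.com",
            "recipient": f"colleague{i}@example.com",
            "links": [("Open OneDrive share", "https://onedrive-share-login.example.net/doc")],
        })
    # Benign colleague sharing a real OneDrive file once.
    recs.append({
        "ts": (base + timedelta(hours=1)).isoformat(),
        "sender": "alice@example.com",
        "recipient": "bob@example.com",
        "links": [("Q1 report on OneDrive", "https://onedrive.live.com/redir?id=1")],
    })
    # External sender: out of scope for this internal-origin check.
    recs.append({
        "ts": (base + timedelta(hours=2)).isoformat(),
        "sender": "vendor@partner.example.org",
        "recipient": "bob@example.com",
        "links": [("OneDrive invoice", "https://bad.example.net/login")],
    })
    return recs


if __name__ == "__main__":
    for alert in find_lateral_phishing(constructed_sample()):
        print(alert)
```

In practice the records would come from the mail platform's message-trace export, and the burst rule is best tuned per organisation so that legitimate bulk senders (HR, newsletters) are allow-listed rather than paged on. Pairing either alert with the account's recent sign-in history, which the article notes showed multiple logins in the second case, gives the responder the context to reset credentials and revoke sessions quickly.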

To recap, the techniques used in these attacks are:

Phishing: Emails are sent out to users to initiate the attack to steal their credentials.
Impersonation: Criminals impersonate colleagues or contacts to get users to act on their requests.

Barracuda recommends investing in email security solutions and enforcing user training and awareness.
