In the past year, and most recently this week, news of cybercriminals attempting to extort money from companies in exchange for not publicly releasing their intellectual property or customer data has made headlines. Although these extortion schemes tend to be the ones getting ink, there are other types of digital extortion that can be just as damaging and yet require much less effort from the online criminal.
For the last month, James Bettke and I have been investigating a threat actor who was attempting to commit Business Email Compromise (BEC) fraud against a mid-size manufacturing company. The cybercriminal had successfully compromised the organization's email system and was on the verge of defrauding it out of tens of thousands of dollars when we discovered the scheme. We were able to quickly alert bank authorities, get the bank account shut down and prevent the cybercriminal from receiving the hijacked funds. With his plan foiled in midstream, the seemingly frustrated hacker decided to try a new tactic. He sent the following message (paraphrased) in an email to the company's executives: “I need money, and I have access to all of your corporate email, and if you don't pay me $10,000, then I am going to wreak havoc on your company.”
Unfortunately, the threat actor did have access to several corporate email accounts at the company, and sadly, it was all too easy for him to obtain. As in many business email compromise situations, he simply sent a phishing email to several of the company's employees, posing as a notice of an overdue invoice, and attached a malicious file, (poorly) disguised as a PDF, that in reality contained a simple Remote Access Trojan (RAT). An employee fell for the email and clicked on the attachment, and within seconds the RAT was loaded onto his corporate computer. From there, the hacker began automatically pulling all mail from the account to a secret account of his own, where he could sift through the messages looking for unpaid invoices or pending transactions he could hijack.
Even though this threat actor is far from being technically sophisticated, he was easily able to gain access to a company's accounts receivable inboxes, where transactions for six and seven figures are constantly being handled without any real verification of who is actually sending the payment details.
What's worse, if a more advanced hacker with more sinister goals uses the same playbook, they can often leverage remote access to a single workstation into administrator privileges over the entire corporate network, using tools like Mimikatz that abuse the trust Windows domains rely on for ease of administration, along with poor practices on the part of Windows administrators. Once they control the entire network and all the data it contains, we've seen that the price of the extortion demand quickly rises, often into the millions.
So how does an organization combat these cyber threats and ensure that its supply chain is doing the same? Here are some imperative security steps for any organization conducting business in today's digital world to consider, no matter its size or industry. They apply whether the organization is concerned about protecting its intellectual property, its client and employee data, its bank accounts, or simply ensuring that it doesn't get locked out of its corporate email.
Tips for Guarding against Online Extortion
- Implement Two-Factor Authentication around all of your key computer systems and data, including email, customer databases, intellectual property, etc. This provides a second layer of security that prevents intrusion in the event system credentials are compromised.
- Regularly back up all critical files, databases, etc. (and test the backups) to "cold" offline backup media. Backups to locally connected, network-attached, or cloud-based storage alone are not sufficient, because many ransomware families encrypt those files along with the ones found on the system drive.
- Make sure all of your organization's software is always patched and updated. Patch management is key: it is critical that you install updates for your applications and your computer operating system as soon as patches become available. This includes ensuring that your anti-virus vendor has signatures for detecting the latest malware and that you have the most up-to-date anti-virus protections installed.
- Advanced malware protection (i.e. not signature-based) with sandboxing capabilities is an effective tool for preventing infection. Blocking email attachments and links until they have been inspected will help defend against this infection method.
- Educate employees to thoroughly check email addresses for accuracy and watch for small changes that mimic legitimate addresses, such as the addition, removal, substitution, or duplication of single characters in the address or hostname (e.g., username@example.com versus username@examp1e.com).
- For organizations that use intrusion detection and intrusion prevention systems (IDS/IPS), create rules that flag emails from domains that closely resemble the company's own email domain (e.g., abc_company versus abc-company).
- Limit the information that employees post to social media and to the company website, especially information about job duties and descriptions, management hierarchy, and out-of-office details.
- Educate employees to be aware of cyber security risks such as social engineering via spearphishing, phone callers impersonating clients (vishing), malicious email attachments and links, and downloads of free music, software, etc. When it comes to attachments and links, even if an employee recognizes the sender, they should confirm that the sender actually sent that specific email to them before clicking on any link or attachment.
- Inspect the corporate email control panel for suspicious redirect rules. An unexplained redirect rule that sends incoming email from specific addresses to third-party systems could indicate compromise and should trigger an organization's incident response process.
- Regularly audit email server logs for IMAP/POP access from the IP addresses of well-known webmail providers such as Gmail, Yahoo and Mail.com. At best, this is a policy violation on the part of an employee; at worst, it is a fraudster collecting all incoming email in an aggregating webmail account.
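The last two checks, auditing redirect rules and auditing IMAP/POP fetches from webmail provider addresses, as one worked example. This is added code, not from the original post: it assumes forwarding rules are stored as Sieve (RFC 5228) scripts, Dovecot-style login logging, a corporate domain of example.com, and a placeholder watch-list of ranges that you would replace with the providers' real egress ranges.

```python
import ipaddress
import re
CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed samples (not from the original post): one Sieve (RFC 5228) rule script per
# mailbox, plus Dovecot-style imap-login/pop3-login lines as found in a mail server log.
SAMPLE_SCRIPTS = {
    "ar@example.com": 'if header :contains "subject" "invoice" { redirect :copy "ar.backup.99@webmail-provider.example"; }',
    "jdoe@example.com": 'if header :contains "subject" "helpdesk" { redirect "helpdesk@example.com"; }',
}
SAMPLE_LOG = """\
Mar 10 08:12:44 mail dovecot: imap-login: Login: user=<jdoe@example.com>, method=PLAIN, rip=192.0.2.15, lip=10.0.0.5, TLS
Mar 10 08:13:02 mail dovecot: pop3-login: Login: user=<ar@example.com>, method=PLAIN, rip=198.51.100.23, lip=10.0.0.5, TLS
Mar 10 08:15:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<x@example.com>, rip=203.0.113.77
"""
# Placeholder watch-list using RFC 5737 documentation blocks: replace with the real egress
# ranges of the webmail providers you want to watch for IMAP/POP fetching.
WATCHED_RANGES = {ipaddress.ip_network("198.51.100.0/24"): "webmail-provider-A (placeholder)",
                  ipaddress.ip_network("203.0.113.0/24"): "webmail-provider-B (placeholder)"}

REDIRECT_RE = re.compile(r'\bredirect\s+(?P<copy>:copy\s+)?"(?P<addr>[^"]+)"\s*;')
LOGIN_RE = re.compile(r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)")

def find_external_redirects(scripts, corporate_domain=CORPORATE_DOMAIN):
    """Sieve redirects to addresses outside corporate_domain; 'silent' means :copy was used,
    so the mailbox owner still receives the message and notices nothing."""
    findings = []
    for mailbox, script in scripts.items():
        code = "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))  # drop comments
        for m in REDIRECT_RE.finditer(code):
            target = m["addr"].strip().lower()
            if target.rpartition("@")[2] != corporate_domain.lower():
                findings.append({"mailbox": mailbox, "target": target, "silent": bool(m["copy"])})
    return findings

def audit_logins(log_text, ranges=WATCHED_RANGES):
    """Successful IMAP/POP logins whose remote IP (rip=) falls inside a watched range."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)  # failed attempts log 'Disconnected', not 'Login:', so never match
        if not m:
            continue
        addr = ipaddress.ip_address(m["rip"])
        label = next((lbl for net, lbl in ranges.items() if addr in net), None)
        if label:
            hits.append({"user": m["user"], "proto": m["proto"], "rip": m["rip"], "provider": label})
    return hits
```

On the constructed samples, find_external_redirects(SAMPLE_SCRIPTS) reports only the accounts-receivable rule that silently copies invoice mail off-domain, and audit_logins(SAMPLE_LOG) reports only the POP fetch of that same mailbox from the watched range, ignoring the failed login.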