High-profile cyber-attacks that could have been avoided in 2022

In partnership with Abnormal Security - Assurance IT’s new email security partner - we reviewed the largest cyber-attacks over the last year.

We zeroed in on 5 high-profile attacks including LastPass, Reddit and DropBox because we think these attacks could have been avoided.

In this article, we explore what happened, diagnose the attack, and discuss how we think these attacks could have been prevented.

If you’re genuinely interested in email security, join the smart IT leaders who receive a monthly email about email security.


By sharing these newsletters, we can reach more people and help others avoid becoming a statistic. Like this post and share it with your network.


1. USA City lost $1.3 Million in Cybercrime

The city of Eagle Mountain in Utah lost $1.3 million when a cybercriminal posed as one of their vendors. The hackers sent an invoice to Eagle Mountain city staff and requested immediate payment. The hefty sum was paid in full, through one transaction, to the hacker’s account. (deseret)


Diagnosis: This is a case of payment fraud. The cybercriminals pose as an actual vendor of the organization. The hackers send an invoice to be paid by the organization.

How to avoid a similar cyber-attack? In the case of Eagle Mountain, there is clearly a lack of policies in place. Finance departments are usually obligated to review each other’s work. They are also usually supposed to get sign-off on invoices. Did anyone review the invoice? Who signed off on the invoice? Did several people miss the signs of the fraud? If so, how? And how can it be avoided in the future? Additionally, the city doesn’t seem to have an email security solution.

Let’s review why traditional email security controls wouldn’t work for this type of fraud.

From an Abnormal point of view:

Vendor Email Compromise/ Invoice Fraud is one of the most prominent modern email attacks that we see in today’s email threat landscape. We now see threat actors that are compromising legitimate email domains from a trusted vendor in the organization’s network and exploiting pre-existing relationships to build trust and ultimately persuade some form of payment.

The reason these attacks are so successful is partly human error (as referenced above) but primarily the fact that most traditional email security controls weren’t designed to stop this type of attack.

Traditional Secure Email Gateways that sit at the perimeter of the environment were designed to stop attacks that carry “bad signals” (a bad sender domain, a malicious URL or attachment), which they latch onto in order to decide whether an email is malicious or benign.

Additionally, since they sit on the perimeter of the network, they lack visibility into, and the ability to remediate, “east/west” traffic, that is, communication between trusted senders.

From an Abnormal point of view, this invoice fraud could have been prevented, based on our ability to detect deviation/ abnormalities from the “healthy/ known-good” behavior.

An example of how Abnormal works to protect your inbox.


Abnormal may have detected and remediated this attack by determining that…

  • This vendor contact has never signed in from the sender location/ device before
  • The vendor contact has never previously corresponded with the City of Eagle Mountain contact by email
  • City of Eagle Mountain has never sent money to the bank account/ routing number on the invoice
  • The compromised vendor contact is using “urgent” and “financial” sentiment in the body of the message

We analyze over 45K signals together to determine whether an email is good or bad, which is a significantly more effective approach than relying on signatures, heuristics, or traditional threat intelligence.
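As an added illustration (not Abnormal’s code and not part of the original post), here is how the four signals listed above can be scored against a vendor contact’s known-good baseline in Python. The vendor history, recipients, locations, bank details and term lists are constructed sample values, and the keyword lists stand in for the sentiment analysis the text describes.

```python
from dataclasses import dataclass, field

# Constructed term lists standing in for the sentiment analysis the text describes
URGENCY_TERMS = ("immediate", "urgent", "asap", "today", "overdue")
FINANCIAL_TERMS = ("invoice", "payment", "wire", "routing", "bank account")


@dataclass
class VendorBaseline:
    """Known-good history for one vendor contact, learned from past mail and sign-ins."""
    login_locations: set = field(default_factory=set)  # locations/devices seen before
    correspondents: set = field(default_factory=set)   # internal recipients seen before
    paid_accounts: set = field(default_factory=set)    # (routing, account) pairs paid before


@dataclass
class InvoiceEmail:
    recipient: str
    login_location: str   # where the sending mailbox session originated
    routing_number: str
    account_number: str
    body: str


def invoice_fraud_signals(baseline: VendorBaseline, msg: InvoiceEmail) -> list:
    """Return the names of the signals on which this invoice deviates from the baseline."""
    fired = []
    if msg.login_location not in baseline.login_locations:
        fired.append("new_sender_location")
    if msg.recipient not in baseline.correspondents:
        fired.append("new_correspondent")
    if (msg.routing_number, msg.account_number) not in baseline.paid_accounts:
        fired.append("new_bank_account")
    text = msg.body.lower()
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in FINANCIAL_TERMS):
        fired.append("urgent_financial_sentiment")
    return fired


def verdict(fired: list) -> str:
    """Hold the message for finance review when most of the signals deviate at once."""
    return "hold_for_review" if len(fired) >= 3 else "deliver"


# Constructed sample data: a trusted vendor's baseline and one suspicious invoice
BASELINE = VendorBaseline(login_locations={"US-UT"}, correspondents={"ap@city.test"},
                          paid_accounts={("111000000", "1234567890")})
SUSPECT = InvoiceEmail(recipient="treasurer@city.test", login_location="NG-LA",
                       routing_number="222000000", account_number="9988776655",
                       body="Invoice attached. Payment is overdue; wire immediately to our new account.")
```

Calling `invoice_fraud_signals(BASELINE, SUSPECT)` fires all four signals, so `verdict` holds the invoice; the same vendor mailing the usual recipient from the usual location about the usual account with neutral wording fires none.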


2. Chick-fil-A customers get hacked

Hackers used credential stuffing to access 71,473 Chick-fil-A customer accounts. In other words, Chick-fil-A itself did not get hacked: the hackers gained access to customer information using credentials that had already been compromised elsewhere. In a likely scenario, they bought a list of personal data on the dark web and then tried the same credentials against Chick-fil-A’s loyalty program (hackers know people reuse passwords). The hackers accessed and sold the accounts full of loyalty points. (bleepingcomputer)

Diagnosis: Credential stuffing. Credentials stolen in one cyber-attack are tried against other services in the hope that the user reused them.

How to avoid a similar cyber-attack? This is a reminder to use DIFFERENT passwords across all your accounts. Using a password management system can help with the burden of remembering so many passwords. Use solutions like 1Password and BitWarden. We do not recommend using LastPass, as you will see in the next story.

3. Update on LastPass data breach

LastPass was hacked last August. It shocked many that a password management platform could get hacked. Initially, the company said it wasn’t a big deal and no information was stolen. Their story soon changed to “data was compromised,” but they claimed that user passwords were not part of the data breach. Then they admitted that the hackers had obtained a backup of customer vault data. In other words, if the hackers guess your main password that opens the vault, they gain access to all your passwords. But then, it got worse.


The hackers in the initial attack stole the credentials of a senior DevOps engineer. Using them, they accessed the LastPass data vault, which gave the hackers access to a “shared cloud-storage environment that contained the encryption keys for customer vault backups stored in Amazon S3 buckets.” This employee was one of four people with access to this information. (arstechnica)

Diagnosis: LastPass was breached 3 times in 6 months. Let’s focus on the latest breach – credential stuffing. The hackers steal real credentials of an employee and then use those credentials to cause more damage.

How to avoid a similar cyber-attack? This is another case of missing policies. After getting breached, every employee should be required to change all their passwords.

Additionally, LastPass clearly didn’t have any solution set up to identify email account takeover.


It's hard to know when an unauthorized party is pretending to be your coworker. That's email account takeover.

From an Abnormal point of view:

Account compromise/ Account takeovers are becoming one of the biggest threats that organizations face today. Threat actors typically leverage business email compromise attacks that request that an unsuspecting user enter their legitimate credentials. Threat actors now have tactics to bypass MFA, and the end result is that they gain legitimate access to the organization’s environment.

The reason these attacks, from an email perspective, are so difficult to detect and prevent is primarily traditional email security controls’ lack of visibility into “East/West” traffic and lack of understanding of the user. Typically, when a user’s credentials are stolen, threat actors will remain dormant until they determine the right opportunity to strike.

From an Abnormal point of view, this Account Takeover (ATO) attack could have been prevented based on our ability to detect deviation/ abnormalities from the “healthy/ known-good” behavior that we learned about the compromised individual by integrating directly into the cloud environment.

Abnormal may have detected and remediated this attack by determining that the…

  • Compromised user was signing in from locations he had never signed in from before.
  • Threat actor was adding “reply-to” changes in the inbox
  • Compromised user was adding high-risk applications to the cloud environment
  • Compromised user was altering user privileges within Active Directory.

Abnormal not only has the ability to detect and remediate account takeover attacks, but we also have the ability to either feed this telemetry into 3rd party security tools (SOAR/ XDR/ SIEM) or allow the security team to take action directly from the Abnormal platform (force password reset, log out of all current sessions, block account access).
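An added example (not Abnormal’s code and not from the original post) of how the four account-takeover signals above can be raised and correlated over cloud audit events in Python. The event records, field names, user names and consent scope strings are constructed assumptions, not any product’s schema.

```python
from collections import defaultdict

# Constructed baseline: the sign-in locations previously seen for each user
KNOWN_LOCATIONS = {"alice": {"US-NY"}, "bob": {"US-CA"}}

# Constructed cloud audit events in time order; the field names are assumptions, not a product schema
EVENTS = [
    {"ts": 1, "user": "alice", "type": "signin", "location": "US-NY"},
    {"ts": 2, "user": "bob", "type": "signin", "location": "BR-SP"},
    {"ts": 3, "user": "bob", "type": "inbox_rule", "reply_to": "bob.ceo@lookalike.test"},
    {"ts": 4, "user": "bob", "type": "app_consent", "scopes": ["mail.readwrite", "mail.send"]},
    {"ts": 5, "user": "alice", "type": "inbox_rule", "move_to": "Archive"},
    {"ts": 6, "user": "bob", "type": "directory_change", "action": "add_role", "role": "Global Admin"},
]

HIGH_RISK_SCOPE_MARKERS = ("readwrite", "send", "directory")   # consent scopes worth flagging
PRIVILEGE_ACTIONS = {"add_role", "grant_privilege", "add_owner"}
POST_COMPROMISE = {"reply_to_rule_added", "high_risk_app_added", "privilege_change"}


def ato_signals(events, known_locations):
    """Map each user to the ordered list of account-takeover signals their events raise."""
    signals = defaultdict(list)
    for ev in events:
        user, kind = ev["user"], ev["type"]
        if kind == "signin" and ev["location"] not in known_locations.get(user, set()):
            signals[user].append("new_signin_location")
        elif kind == "inbox_rule" and ev.get("reply_to"):
            signals[user].append("reply_to_rule_added")
        elif kind == "app_consent" and any(
                m in s.lower() for s in ev["scopes"] for m in HIGH_RISK_SCOPE_MARKERS):
            signals[user].append("high_risk_app_added")
        elif kind == "directory_change" and ev["action"] in PRIVILEGE_ACTIONS:
            signals[user].append("privilege_change")
    return dict(signals)


def suspected_takeovers(signals):
    """A never-seen sign-in location followed by any post-compromise action marks a suspected ATO."""
    suspects = []
    for user, fired in signals.items():
        if "new_signin_location" in fired:
            after = fired[fired.index("new_signin_location") + 1:]
            if POST_COMPROMISE & set(after):
                suspects.append(user)
    return suspects
```

On the constructed events, alice raises nothing while bob raises all four signals in sequence, so `suspected_takeovers` returns only bob; that is the user a security team would target with the password reset and session logout actions named above.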

4. Reddit's Phishing Attack

Reddit was the target of a “highly sophisticated phishing” scam that prompted employees to click a link redirecting to their intranet. The hackers stole credentials and two-factor authentication tokens to access internal documents, code, and some unspecified business systems.


There is no indication that any personal information was stolen. Interestingly, the “phished” employee self-reported the hack. (thehackernews)

Diagnosis: Phishing attack. An attack meant to deceive people into revealing sensitive information or installing malware.

How to avoid a similar cyber-attack? There are always options to train employees on how to spot phishing emails. Businesses can encourage employees to identify suspicious-looking emails, and businesses can hire an employee to monitor email activity. However, phishing emails are getting tougher to identify. Let’s go into more detail next.

From an Abnormal point of view:

Advanced phishing attacks are the number one attack type that we see organizations deal with on a day-to-day basis. Threat actors are now changing their approach from sending malware/ ransomware in the email to requesting that users take some form of action - whether that be entering credentials, providing information, buying gift cards, or submitting payment for fake invoices.

The reason these modern phishing attacks are so successful is that they typically come from legitimate email domains (e.g., @gmail.com) impersonating a legitimate user, and they are oftentimes text-only. Traditional email gateways struggle to prevent these attacks since they rely heavily on signatures, threat intel, and heuristics.

From an Abnormal point of view, this credential phishing attack could have been prevented based on our ability to detect deviation/ abnormalities from the “healthy/ known-good” behavior that we learned about each individual user within the organization by integrating directly into the cloud environment.

Abnormal may have detected and remediated this attack by determining that the…

  • Sender domain may have been spoofed
  • Email authentication is failing when the sender is sending from a company domain
  • Sender domain does not match any domains found in body links
  • Body of the message includes credential requests (via natural language processing).

Abnormal will analyze over 45K signals holistically to ultimately determine whether an email is benign or malicious.  

The threat landscape is quickly evolving. Here is how Abnormal helps.


5. DropBox Employees Fell for a Phishing Attack

Another cloud company attacked through phishing. DropBox employees were sent a “sophisticated” email mimicking the software development platform CircleCI. The landing page was an identical replica of CircleCI’s landing page, where users were asked to enter their credentials.

Hackers did not access the credentials of DropBox’s 200 million users. Instead, they accessed and copied 130 DropBox code repositories stored on GitHub. These included internal prototypes and personal information of thousands of current and former employees, sales leads, and vendors. (bankinfosecurity)

Diagnosis: Phishing attack. An attack meant to deceive people into revealing sensitive information or installing malware.

How to avoid a similar cyber-attack? This attack is very similar to the Reddit attack. If it can happen to two huge companies, it can happen to anyone.


Why should you care about email security?

With losses related to Business Email Compromise now equating to over $2.7B in 2022 and set to exceed that amount in 2023, it is more important than ever for organizations to review their existing email security controls to ensure they have the proper protection layers in place to mitigate email security risk and optimize operational efficiency.

Here are Assurance IT’s key questions to consider when reviewing your existing email security controls:

  1. Do my existing email security controls have the ability to detect and remediate text-only, never-before-seen email attacks such as business email compromise, supply chain fraud, and internal account takeover?
  2. Do my existing email security tools have the ability to analyze all of the emails in my environment, including “internal-to-internal” communication?
  3. How much time does my Security team spend managing, configuring, and tuning the email security platform?
  4. How much time does my Security team spend reacting and triaging phishing related incidents?
  5. Do I have the necessary visibility and detection capabilities to determine whether a trusted vendor is showing signs of compromise?

Keep reading to learn more about why we trust Abnormal Security.


Our recommendation: Abnormal Security

At Assurance IT, we recognize that the services and solutions that we provide to our valued customers need to evolve at the same pace in which the threat landscape evolves.

That is why we are incredibly excited to announce our partnership with Abnormal Security, a cloud-native email security platform that leverages behavioral data science to stop modern email attacks that are bypassing traditional forms of protection.

Here are some of the primary reasons why we ultimately decided to onboard Abnormal Security as our dedicated cloud email security solution for our customers:

  1. Integrates via API which allows them to analyze both north/south and east/west traffic
  2. Automatically learns “known-good” behavior for each identity within the cloud environment and convicts modern email threats based on deviations from that baselined known-good behavior.
  3. Identifies any risk associated with trusted 3rd party vendors and has the ability to detect and remediate vendor email compromise attacks
  4. Automates SOC workflows around analyzing and responding to user-submitted phishing emails
  5. Applies the same behavioral learning to automate how “graymail” is handled by end-user preference.
  6. Offers free Risk Assessment which allows organizations to identify the threats that have bypassed existing security controls
  7. No risk to the production (read-only mode)
  8. No effort required by IT to setup (3-click API integration)

Do what smart IT leaders do

We’re excited to talk to you about how Abnormal Security can help mitigate email security risk and optimize operational efficiency. You can call me toll-free at 1 (877) 892-3399 if you are ready to protect your inboxes.

If you’re not ready, I highly recommend signing up to get a monthly email about email security. Join the smart IT leaders here.
