Business Email Compromise (BEC): Hidden Danger in Legacy Protocols

Attempts to compromise business email accounts are much more common than you might think, and when they’re successful, criminals are able to make off with large sums of money. Typically they aim to gain control over the email account of an executive or administrative assistant with the authority to direct or execute financial transactions. They masquerade as that person and inject themselves into an email thread, to initiate a transaction or re-direct a transaction, tricking the business into moving the funds into a bank account controlled by the criminal.

We’ll describe how criminals often gain access to account credentials, and then explain how to close the vulnerability. But first, a few words about just how pervasive these account hijackings are. Proofpoint conducted a six-month study of this kind of attack and found that:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted
  • Roughly 25% of Office 365 and G Suite tenants were breached as a result
  • Criminals achieved a 44% success rate in breaching an account at a targeted organization

Account Takeover Technique: IMAP Password Spraying

Email services typically enforce a lockout when a password is mis-entered multiple times, which is considered a telltale sign that some unauthorized person is trying to access the account. Password spraying is a brute-force technique that aims to get around the account lockout. Instead of focusing on a single account at a time with a large list of possible passwords, the criminal does the inverse. The attacker starts with a relatively short list of common passwords, and “sprays” them across multiple email accounts at multiple organizations, taking care that the attempts on each individual account and organization are spaced far enough apart that they don’t trigger a lockout. In fact, on the access logs, each attempt looks like a routine login failure rather than part of a coordinated attack.

Here’s the other important thing to know about these attacks. They commonly access the mail server using the Internet Mail Access Protocol (IMAP) — a standard that’s been around for more than 30 years. The criminals use this route because it’s enabled by default on most servers, it’s easy to write scripts for it that automate the attack, and most of all, it doesn’t support more secure methods of authentication beyond simple usernames and passwords.

Sprayproofing the Environment

Business email compromise (BEC) has become such a huge problem that we routinely recommend that every business that uses Office 365 or G Suite implement multi-factor authentication (MFA), and require it any time a user connects from a new location or device. Here’s the rub, though: the IMAP protocol doesn’t support MFA. When IMAP is enabled, it gives criminals a way to access the server that bypasses MFA, leaving it wide open for password-spraying.

So, we recommend disabling the IMAP protocol and its older cousin, post-office protocol (POP3). POP3 isn’t used as often for spraying attacks, but it has the same vulnerabilities as IMAP. Very few users should be using IMAP or POP3 to access their email. For those that do, we recommend they connect to Office 365 with Outlook Anywhere, which is more secure.

If you’re reluctant to disable IMAP and POP because it might inconvenience a few users, realize that both protocols are on the way out. For example, Microsoft has announced it will stop supporting simple username/password authentication for IMAP and POP3 in October 2020.

At FIT Solutions, we make it our business to stay on top of vulnerabilities like this to keep our clients’ businesses safe. It’s a great example of the value-add you get with our managed IT services. If you would like to know more, give us a call at 888-339-5694.

PointClickCare or MatrixCare: Which for Senior Care?

If you’re considering an electronic health records (EHR) system for your LTPAC or assisted living facility, our experience with senior care clients tells us that there are two popular choices: PointClickCare and MatrixCare.

Which should you choose for your facility? Well, it depends.

First, let’s get the basics out of the way. Both are built with a strong LTPAC focus, which separates them from EHR systems such as Epic or Cerner that are more often found in hospitals and integrated health systems. Both are strong on HIPAA security compliance. Both include electronic medication administration record (eMAR) functionality. Both are delivered through a software-as-a-service (SaaS) model, which means you don’t have to maintain an onsite server, and updates, patches and data backups are handled for you. In our experience, both companies offer great support.

They differ in a few ways as well, and while we can’t recommend one system over the other, we’ll share those differences. Which system you choose depends on which of these issues matters more to you.

  • Device support. MatrixCare is a Microsoft partner, and that’s reflected in the operating systems and devices it supports. The clinicians’ devices must run the Windows operating system and Internet Explorer. MatrixCare supports non-Windows client devices via either a Citrix virtualization client or Windows Terminal Services. While those scenarios are well-documented and supported, running the Citrix or Windows Terminal Server is the responsibility of your IT team. On the other hand, PointClickCare supports desktops, laptops, tablets and smartphones that run Windows, MacOS, ChromeOS or Android, and all of the popular web browsers (although not all modules support all combinations). If you want to run PointClickCare in a virtualized environment, it’s not technically supported by the company, but some facilities are doing so successfully.
  • User Interface. The MatrixCare user interface is sleeker and more modern, but in our opinion, this is mostly a matter of aesthetics. Both are equally functional.
  • Reporting and Analytics. PointClickCare offers reporting, but creating custom reports and analytics requires using a feature called Data Relay. It allows you to copy most of the data onto another server for running analytics. By contrast, MatrixCare has an Analytics Suite module that lets you make use of Microsoft Azure and PowerBI to develop analytics and create custom dashboards. Both of these scenarios require some degree of knowledge by your users and IT team.
  • Audit trails. Our clients report that MatrixCare is stronger in this area, particularly at survey time.
  • Redundancy. Both systems recommend that facilities have two Internet connections in case one connection goes down. However, in the event of an outage, PointClickCare suggests hourly backups of the eMAR records so clinicians can revert to paper charting. MatrixCare provides a mobile app that can work offline, and syncs the records back to the eMAR module once the connection becomes available again.

At FIT Solutions, we’re familiar with both of these senior-care EHR systems and our IT specialists are happy to support you, regardless of your choice. If you would like to know more, give us a call at 888-339-5694.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!