Business Email Compromise (BEC): Hidden Danger in Legacy Protocols

Attempts to compromise business email accounts are far more common than most people assume, and when they succeed, criminals walk away with large sums of money. Typically the target is the mailbox of an executive or administrative assistant who has the authority to direct or execute financial transactions. The criminal masquerades as that person and inserts themselves into an existing email thread, either to initiate a payment or to redirect one already in progress, tricking the business into wiring the funds to a bank account the criminal controls.

We’ll describe how criminals often gain access to account credentials, and then explain how to close the vulnerability. But first, a few words about just how pervasive these account hijackings are. Proofpoint conducted a six-month study of this kind of attack and found that:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted
  • Roughly 25% of Office 365 and G Suite tenants were breached as a result
  • Criminals achieved a 44% success rate in breaching an account at a targeted organization

Account Takeover Technique: IMAP Password Spraying

Email services typically lock an account after a password is entered incorrectly several times in a short period, on the reasoning that repeated failures are a telltale sign of someone trying to guess their way in. Password spraying is a brute-force technique designed to stay under that lockout threshold. Instead of hammering a single account with a long list of candidate passwords, the criminal does the inverse: start with a short list of common passwords (a season plus the year, the company name plus a digit, and so on) and "spray" each one across many accounts at many organizations, spacing the attempts against any one account far enough apart that they never trip the lockout counter. Viewed per account, which is how lockout policies and most default reports look at the data, each attempt is just another routine login failure; the pattern only becomes visible when failures are correlated across accounts by source address.

Here's the other important thing to know about these attacks. They commonly reach the mail server over the Internet Message Access Protocol (IMAP), a standard that has been around for more than 30 years. Criminals favor this route for three reasons: it is usually enabled by default, it is trivial to script (a login attempt is a single command, so one tool can cycle through thousands of accounts), and, most of all, when the server accepts basic authentication over IMAP, a username and password is the only thing checked. No second factor ever enters the picture.
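The two views of the same data described above, as an added example that is not part of the original article: a small detector that runs over constructed IMAP login-failure records and evaluates them both the way a lockout policy does (failures per account inside a short window) and the way a spray hunter should (distinct accounts per source address inside a long window). The lockout policy (5 failures in 15 minutes) and the spray rule (8 or more accounts from one source in 24 hours) are assumed values chosen for the example; tune them to your own tenant. The log lines are constructed; the address 203.0.113.7 plays the sprayer and 192.0.2.99 plays an old-fashioned single-account brute force so the contrast is visible.

```python
"""Password-spray detection over sign-in records.

Added example, not code from the original article. The records below are
constructed in a simple 'timestamp,user,source_ip,protocol,result' shape that
any mail-server or identity-provider sign-in export can be massaged into.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed lockout policy: 5 failures inside 15 minutes locks the account.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
# Assumed spray rule: one source failing against 8+ distinct accounts in 24h.
SPRAY_MIN_ACCOUNTS = 8
SPRAY_WINDOW = timedelta(hours=24)

# Constructed sample log. 203.0.113.7 sprays ten accounts, one attempt each, and
# returns six hours later with the next password. 192.0.2.99 brute-forces a
# single account. 198.51.100.20 is a real user mistyping their password twice.
SAMPLE_LOG = """\
2019-03-04T01:00:05Z,alice@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:05:12Z,bob@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:10:09Z,carol@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:15:33Z,dave@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:20:41Z,erin@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:25:02Z,frank@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:30:17Z,grace@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:35:55Z,heidi@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:40:08Z,ivan@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T01:45:29Z,judy@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T02:00:01Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T02:00:44Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T02:01:30Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T02:02:15Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T02:03:02Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T02:03:50Z,carol@example.com,192.0.2.99,IMAP,FAILURE
2019-03-04T07:00:14Z,alice@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:05:27Z,bob@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:10:03Z,carol@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:15:49Z,dave@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:20:36Z,erin@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:25:11Z,frank@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:30:58Z,grace@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:35:22Z,heidi@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:40:40Z,ivan@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T07:45:10Z,judy@example.com,203.0.113.7,IMAP,FAILURE
2019-03-04T08:30:00Z,dave@example.com,198.51.100.20,IMAP,FAILURE
2019-03-04T08:30:20Z,dave@example.com,198.51.100.20,IMAP,FAILURE
2019-03-04T08:30:41Z,dave@example.com,198.51.100.20,IMAP,SUCCESS
"""


def parse_log(text):
    """Parse CSV rows into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, proto, result = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user.lower(), "ip": ip,
                       "protocol": proto, "result": result})
    return sorted(events, key=lambda e: e["time"])


def _max_within_window(times, window):
    """Largest number of (sorted) timestamps that fit inside one window."""
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def accounts_hitting_lockout(events):
    """The per-account view: who would the lockout policy actually catch?"""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_user[e["user"]].append(e["time"])
    return sorted(u for u, t in by_user.items()
                  if _max_within_window(t, LOCKOUT_WINDOW) >= LOCKOUT_THRESHOLD)


def spray_sources(events):
    """The per-source view: which addresses fail against many accounts?"""
    by_ip = defaultdict(list)          # ip -> [(time, user)], already sorted
    for e in events:
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append((e["time"], e["user"]))
    hits = {}
    for ip, rows in by_ip.items():
        best = set()
        for i, (start, _) in enumerate(rows):
            accounts = {u for t, u in rows[i:] if t - start <= SPRAY_WINDOW}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= SPRAY_MIN_ACCOUNTS:
            hits[ip] = sorted(best)
    return hits


def analyze(text):
    events = parse_log(text)
    return {"locked_out": accounts_hitting_lockout(events),
            "spray_sources": spray_sources(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("accounts the lockout policy catches:", report["locked_out"])
    for ip, accounts in report["spray_sources"].items():
        print(f"spray from {ip}: {len(accounts)} accounts", accounts)
```

Run against the sample, the lockout view catches only the brute-forced account, while the sprayer never locks anyone out and is visible solely in the per-source view. That asymmetry is the whole point of the technique, and it is why a spray hunt has to group by source address (or by user-agent and password-attempt timing when the sprayer rotates addresses) rather than by account.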

Sprayproofing the Environment

Business email compromise (BEC) has become such a huge problem that we routinely recommend that every business using Office 365 or G Suite implement multi-factor authentication (MFA), and require it any time a user connects from a new location or device. Here's the rub, though: an IMAP login with basic authentication has no place for a second factor. The client sends a username and password, the server answers yes or no, and that is the whole exchange. As long as the tenant still accepts basic authentication over IMAP, a criminal with a guessed or stolen password has a way into the mailbox that never meets the MFA prompt, which is exactly what makes the protocol such an attractive target for password spraying.

So, we recommend disabling IMAP and its older cousin, the Post Office Protocol (POP3). POP3 is used less often for spraying, but it has the same weakness. In Exchange Online both are per-mailbox settings, and they should also be turned off in the mailbox plan so that newly created mailboxes inherit the setting; an authentication policy can additionally block basic authentication across the whole tenant, which closes the same hole for SMTP, ActiveSync and the other legacy endpoints at once. Few users genuinely need IMAP or POP3. Those who do should connect to Office 365 with Outlook Anywhere instead, which supports modern authentication and therefore MFA. (IMAP can carry OAuth 2.0 tokens in newer clients, but the spray targets the basic username/password path, and blocking that path is what matters.)

If you're reluctant to disable IMAP and POP3 because it might inconvenience a few users, realize that both protocols, at least with simple password logins, are on the way out. Microsoft announced that it would stop supporting basic username/password authentication for IMAP and POP3 in Exchange Online in October 2020 (the cutoff was later pushed back, but the direction did not change, and basic authentication has since been switched off for tenants). Moving now means doing it on your schedule rather than Microsoft's.

At FIT Solutions, we make it our business to stay on top of vulnerabilities like this to keep our clients’ businesses safe. It’s a great example of the value-add you get with our managed IT services. If you would like to know more, give us a call at 888-339-5694.

Outlook Security: Why You Should Deploy MFA for Office 365

Multi-factor authentication, or MFA (sometimes known as two-factor authentication, or 2FA), is recommended whenever basic usernames and passwords aren’t enough for protecting sensitive logins.

If you’ve ever been asked to confirm your identity by entering a code sent to your phone, you’ve used MFA. The method is widely used for online banking accounts, to bolster security when employees remotely access corporate sites, and to help satisfy HIPAA requirements. More and more, though, we’re advising its use to protect all access to Office 365.

We’re making this recommendation because of the experiences of some of our newer clients. It’s a sad fact that organizations often discover they need our security services only after they’ve been victimized. Several have turned to us after making tens of thousands of dollars in payments that were never received, because the money was sent to fraudulent bank accounts. That’s when they called us in to untangle what happened.

Who’s Reading My Emails?

We’ve found a new breed of criminals who specialize in hijacking email accounts. They’re very sophisticated, expert in covering their tracks, and victims are none the wiser — until it’s too late and the money’s gone.

It all starts with compromised login credentials that criminals use to gain access to one or more individuals’ email accounts. The perpetrator either tricks the individual into giving up the credentials with a phishing email, or simply purchases lists of stolen login credentials on the dark web. Once access is obtained, the criminal lurks and learns, watches and waits. The goal is to find out who moves the money and how. Who are the approvers? Who gives the instructions? Who executes the transactions?

Or Worse, Who’s Sending My Emails?

Less sophisticated criminals would be content to send a bogus invoice. This new sort looks for legitimate transactions conducted in the normal course of business and intercepts them by issuing instructions to send the money to a different account, masquerading as the authorized worker. Because these emails go out from the real mailbox, complete with the user's signature, they look entirely legitimate. Of course, the compromised user would normally notice the bogus messages in their Sent Items folder, or see replies in their inbox to messages they never sent. To avoid that, the criminal creates inbox rules in the mailbox (the same rules you can see in Outlook or Outlook on the web) that immediately delete or hide those messages based on keywords in the subject line. Those rules are one of the few durable artifacts the attacker leaves behind, and auditing for them is worthwhile even after the password has been changed.

Here's an example of a sophisticated attack; this happened to an engineering firm with about 20 employees. The criminal had the email credentials of the employee responsible for payroll and also knew, from reading the mailbox, who the firm's third-party payroll provider was. Trying the same credentials on the payroll portal revealed that the employee had reused the password there. From that point it was simple to log in to the payroll provider and re-route every direct deposit to accounts the criminal controlled. An entire month's payroll was lost before the theft was discovered. Note the second step: MFA on the mailbox alone would not have stopped it, because the payroll portal was a separate login that needed its own second factor.

Detection and Prevention

There are two approaches to dealing with these attacks. One is detection, through SOC monitoring. The SOC raises alerts on suspicious mailbox access, such as a user signing in from a location or device not seen before, or a user apparently logged in from two locations at once. Either can indicate that someone other than the employee holds the credentials, and both should be investigated rather than waited out.
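The detections just listed, together with the inbox-rule trick described in the "Who's Sending My Emails?" section above, as an added example that is not part of the original article: a small hunt that runs over constructed audit records in a simplified unified-audit-log shape and flags three things, a sign-in from a country or device outside the user's baseline, two sign-ins by the same user from different countries inside one hour, and a newly created inbox rule that deletes or hides mail or keys on payment-related subject words. The one-hour window, the folder list, the watch words and the per-user baseline are all assumed values for the example; the event records, the users pat and sam, and the addresses are constructed.

```python
"""Mailbox-compromise hunt over audit records.

Added example, not code from the original article. Records are constructed in a
simplified form of what an Office 365 unified-audit-log export contains: sign-in
events (UserLoggedIn) and inbox-rule operations (New-InboxRule / Set-InboxRule)
with the rule's parameters attached.
"""
import json
from datetime import datetime, timedelta

CONCURRENT_WINDOW = timedelta(hours=1)     # assumed: two countries inside an hour
SUSPICIOUS_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                      "archive", "junk email"}          # assumed hiding places
WATCH_WORDS = ("invoice", "payment", "wire", "bank", "password", "remittance")

# Constructed events. pat's mailbox is taken over from 203.0.113.7; sam is a
# normal user tidying newsletters.
SAMPLE_EVENTS = json.loads("""[
 {"time":"2019-05-06T08:02:00Z","user":"pat@example.com","op":"UserLoggedIn",
  "ip":"198.51.100.20","country":"US","device":"pat-laptop"},
 {"time":"2019-05-06T08:15:00Z","user":"pat@example.com","op":"UserLoggedIn",
  "ip":"203.0.113.7","country":"NG","device":"unknown"},
 {"time":"2019-05-06T08:21:00Z","user":"pat@example.com","op":"New-InboxRule",
  "ip":"203.0.113.7","country":"NG","device":"unknown",
  "params":{"Name":"cleanup","SubjectContainsWords":"wire transfer",
            "DeleteMessage":"True"}},
 {"time":"2019-05-06T09:00:00Z","user":"sam@example.com","op":"UserLoggedIn",
  "ip":"198.51.100.21","country":"US","device":"sam-desktop"},
 {"time":"2019-05-06T09:30:00Z","user":"sam@example.com","op":"New-InboxRule",
  "ip":"198.51.100.21","country":"US","device":"sam-desktop",
  "params":{"Name":"newsletters","MoveToFolder":"Reading",
            "FromAddressContainsWords":"news@"}}
]""")

# Constructed baseline: countries and devices seen in each user's recent
# successful sign-ins. In practice, build this from the previous 30 days.
BASELINE = {
    "pat@example.com": {"countries": {"US"}, "devices": {"pat-laptop"}},
    "sam@example.com": {"countries": {"US"}, "devices": {"sam-desktop"}},
}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def new_location_or_device(events, baseline):
    """Sign-ins from a country or device the user has not used before."""
    alerts = []
    for e in events:
        if e["op"] != "UserLoggedIn":
            continue
        known = baseline.get(e["user"], {"countries": set(), "devices": set()})
        reasons = []
        if e["country"] not in known["countries"]:
            reasons.append(f"new country {e['country']}")
        if e["device"] not in known["devices"]:
            reasons.append(f"new device {e['device']}")
        if reasons:
            alerts.append((e["user"], e["time"], ", ".join(reasons)))
    return alerts


def concurrent_sessions(events, window=CONCURRENT_WINDOW):
    """Same user signed in from two different countries inside the window."""
    logins = sorted((e for e in events if e["op"] == "UserLoggedIn"),
                    key=lambda e: _t(e["time"]))
    alerts = []
    for i, a in enumerate(logins):
        for b in logins[i + 1:]:
            if _t(b["time"]) - _t(a["time"]) > window:
                break                      # sorted, so nothing later fits either
            if a["user"] == b["user"] and a["country"] != b["country"]:
                alerts.append((a["user"], a["country"], b["country"]))
    return alerts


def suspicious_inbox_rules(events):
    """Rules that delete or hide mail, or key on payment-related subjects."""
    alerts = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e.get("params", {})
        reasons = []
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes messages")
        if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
            reasons.append(f"moves to {p['MoveToFolder']}")
        subject = p.get("SubjectContainsWords", "").lower()
        if any(w in subject for w in WATCH_WORDS):
            reasons.append(f"subject filter '{p['SubjectContainsWords']}'")
        if reasons:
            alerts.append((e["user"], p.get("Name", "?"), "; ".join(reasons)))
    return alerts


def run(events, baseline):
    return {"new_location_or_device": new_location_or_device(events, baseline),
            "concurrent_sessions": concurrent_sessions(events),
            "suspicious_inbox_rules": suspicious_inbox_rules(events)}


if __name__ == "__main__":
    for name, alerts in run(SAMPLE_EVENTS, BASELINE).items():
        print(name)
        for a in alerts:
            print("   ", a)
```

On the sample, every alert lands on pat and none on sam: the Nigerian sign-in from an unknown device trips the baseline check, the two sign-ins 13 minutes apart from different countries trip the concurrency check, and the "cleanup" rule trips the inbox-rule check twice over (it deletes, and it keys on "wire"). Rule creation is the highest-confidence of the three, because legitimate users rarely create a rule that silently deletes mail about money; it is also the one that survives a password reset, so include it in any post-incident review.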

Prevention is where MFA comes in. In addition to a username and password (something the user knows), MFA requires a second factor (something the user has), which in practice is usually the user's smartphone. Unless the criminal can also get at that second factor, by stealing the phone or, with text-message codes, by intercepting or phishing the code, the compromised password on its own is not enough to get in. There are several approaches to implementing MFA:

  1. Some third-party single sign-on products include MFA capabilities; Okta and Duo are examples. Azure AD, the identity service behind Office 365, also provides MFA natively.
  2. Office 365 has the ability to natively enable MFA through the Microsoft Authenticator application. However, some companies have issues with mandating that employees install specific applications on their personal smartphones. If the company doesn’t reimburse employees for their phone use, this becomes a concern for the HR department.
  3. Office 365 also supports native MFA by sending a one-time passcode to the employee's phone via text message. This gets around the reimbursement issue because it doesn't require installing a specific application on the phone. Plus, the simplicity of the approach allows employees to self-enroll through an eight-step process that takes less than two minutes. The impact on the employee is minimal, because the one-time passcode is required only when the employee is signing in from an unknown location or device. One caveat: a text-message code is the weakest form of MFA, since it can be phished or intercepted through a SIM swap, so prefer the Authenticator app or a hardware key for administrators and for anyone who approves payments, and treat SMS as the floor rather than the goal. Even so, SMS MFA is vastly better than a password alone.

At FIT Solutions, our managed IT services include implementing the multiple forms of MFA. We also perform SOC monitoring through our cybersecurity offering, SOCBOX. You can learn more about FIT Solutions managed IT services, or better yet, call us at (888) 339-5694.
