New Attack Trend: Account Takeovers via Phishing

So, we’ve been seeing a lot of activity this week, particularly within the education sector, in relation to account takeover (ATO) attacks (where a cyber-criminal gains access to or control of your online accounts).

Generally starting from phishing attempts which then lead to the victim handing over their credentials to the attacker through a page or prompt designed to look like the real deal.

With a working set of pilfered credentials, an attacker can simply log in as you, from wherever they are.  Once logged in to your systems any number of malicious tactics can be employed.

1. An attacker can forward copies of all emails sent to you so another mailbox is under their sole control. They then use these emails to gather sufficient information to enable further nefarious acts such as invoice fraud and CEO fraud, both of which will clearly result in immediate financial gain for the attacker.

2. In the worst cases, we’re looking at a Ransomware attack.  Such a cyber-criminal will use their newly gained access to become entrenched and difficult to detect or remove, before spending days, weeks, and often months:

• Stealing your organisations critical and/or sensitive data.
• Poisoning your backups so you have no ability to recover when they eventually drop their ransomware payload, crippling your organisation’s ability to operate.
• Demanding a huge sum of money on the promise of returning your data to you.
  

The sad reality is, even if you pay the ransom, which itself may cripple you financially, the stats show:

1. The same attacker may only return some of your data before then demanding more money to release the remainder.
   
2. You’ll likely still lose around 35% of your data, if you get anything back at all.
   
3. In other cases, they simply return and reinfect you again at a later date.
   
4. Alternatively, access to your network may even be sold onto additional criminal parties who will themselves seek to hold your data to ransom at some point.
   

It’s a nasty business all around really so, we’ve put together some tips to help our fellow SMEs and our hard-working educators better protect themselves against such threats.

1. Log into ALL your important accounts and enable 2FA/MFA everywhere it’s available.
   
   1. NOTE: If you have more than a handful of staff, this really should be enforced at the system policy level, otherwise it’s simply too easy to circumvent.
      
2. While you’re in there, change your password so it’s no longer a variation of one of those 2 or 3 passwords you’ve been using all over the place, for years!
   
3. The UK’s NCSC recommends using the ‘Three Random Words’ formula to produce strong passwords which we wholeheartedly support.  Much stronger than simply substituting a few letters for numbers or symbols.
   
   1. A ‘proper’ password manager (not one that came free with your anti-virus product) will help you generate, store and retrieve unique, strong passwords which you then don’t even need to commit to memory.
      
   2. Bolster your email security and train your staff to recognise potentially malicious messages, whatever form they take (email, SMS, phone), and encourage them to report potential incidents, even if they’ve inadvertently fallen for them.
      
      1. Remember, these guys are pro’s and spend their ‘working days’ coming up with ways to both dupe your users and then evade your technical defences.
         
      2. Staff can’t reasonably be expected to successfully identify and mitigate all such attempts.
         
         

Look out for the next blog where we’ll deal with some of the technical controls you can implement to defend yourself from these and other attack vectors.

#Phishing #AccountTakeover #ATO #Passwords #CredentialCompromise #BusinessEmailCompromise #BEC