Security bulletin regarding e-mail accounts using cloud computing

September 2018

A sharp increase in incidents

Experts with Forensik are concerned about a rise in cybercriminal activities targeting business webmail accounts such as Office 365 and Gmail (but not restricted to these). Our teams have noticed that very well-organized, patient hackers are succeeding in diverting electronic payments, in some cases amounting to hundreds of thousands of dollars or more.

Modus operandi

The criminals compromise multiple mail accounts belonging to a business by reusing credentials leaked in well-known public data breaches to guess employees’ passwords. These unauthorized accesses are carried out very surreptitiously, and at first the criminals are careful only to study the targeted business’s operating procedures for financial transactions.

For example, they gain access to an account that provides them with information on the identity of clients, how they pay, how often, their most recent purchases and the information emailed to them for electronic payment. Accounts may be accessed repeatedly over a number of weeks or even months before funds are diverted.

The criminals then use the multiple hacked accounts to commit fund-transfer fraud: from the hacked accounts, they notify clients of a change in the business’s bank account and provide them with new, fraudulent bank information. Because they control a number of different accounts, they are able to intercept requests for confirmation of the requested changes, so everything looks perfectly legitimate for the targeted payments. The hackers delete the e-mails they send and receive almost in real time, so that the affected employees have no reason to suspect anything.

Unfortunately, these incidents of unauthorized access are usually detected too late, weeks after the funds have been diverted.

The problem detected

  1. Our recent experience shows that businesses that have not implemented a strong password policy on their email accounts are at greater risk, but that even a policy requiring complex passwords is often not sufficient to prevent these attacks.
  2. Business emails are a goldmine of confidential information – generally unencrypted – covering all the information the company holds and shares. Of course, this includes your full client list and the completed electronic payment forms of all your clients.

What you can do to ensure that you are protected

A number of things may need to be improved, depending on your situation:

Firstly, multi-factor authentication may improve the security of webmail accounts by requiring an additional verification step for every external connection to a mail account (such as a code generated by a mobile application or by an SMS message).

Most mail systems offer multi-factor authentication functions and allow users to determine “trusted devices,” reducing the annoyance of constantly having to enter a code for every connection.

In view of the current situation, Forensik therefore recommends that all its clients immediately implement multi-factor authentication to improve the security of their email systems.

It is also essential for IT administrators to ensure that proper event logging is activated in your systems and that monitoring measures are in place. In the event that an inbox is compromised, this will help determine whether private data was exposed.

When configured correctly, mail systems such as Office 365 even allow you to set up alerts when certain security conditions are met, and this can be an enormous help in detecting when email accounts have been compromised.
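As an added illustration, not part of the bulletin, the script below applies two monitoring conditions drawn from the modus operandi above to a constructed, simplified audit log: a login from an IP address never before seen for that account, and a message deleted within minutes of being sent or received. The record format, field names and sample events are assumptions for the example, not the Office 365 or Gmail audit schema.

```python
"""Flag mailbox activity matching the patterns described in the bulletin.

Assumed record format (constructed, not a real audit-log schema): one dict
per event with ts (epoch seconds), user, op in {Login, Send, Receive,
Delete}, ip, and msg_id for message events.
"""
from collections import defaultdict

# Constructed sample: alice logs in from a second IP, deletes a sent message
# seconds after sending it and deletes an incoming message (e.g. a client's
# confirmation request) seconds after it arrives; bob's activity is normal.
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "alice", "op": "Login", "ip": "203.0.113.5"},
    {"ts": 1010, "user": "alice", "op": "Login", "ip": "198.51.100.77"},
    {"ts": 1020, "user": "alice", "op": "Send", "ip": "198.51.100.77", "msg_id": "m1"},
    {"ts": 1025, "user": "alice", "op": "Delete", "ip": "198.51.100.77", "msg_id": "m1"},
    {"ts": 1030, "user": "alice", "op": "Receive", "ip": "198.51.100.77", "msg_id": "m3"},
    {"ts": 1032, "user": "alice", "op": "Delete", "ip": "198.51.100.77", "msg_id": "m3"},
    {"ts": 1100, "user": "bob", "op": "Login", "ip": "203.0.113.9"},
    {"ts": 1200, "user": "bob", "op": "Send", "ip": "203.0.113.9", "msg_id": "m2"},
]
# IPs previously established as normal for each account (constructed).
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.9"}}


def find_suspicious(events, known_ips, delete_window=300):
    """Return {user: sorted reason strings} for accounts whose activity shows
    a login from an unknown IP or a message deleted within delete_window
    seconds of entering or leaving the mailbox."""
    findings = defaultdict(set)
    seen_msgs = {}  # (user, msg_id) -> (ts, op) of the Send/Receive event
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, op = ev["user"], ev["op"]
        if op == "Login" and ev["ip"] not in known_ips.get(user, set()):
            findings[user].add(f"login from unknown ip {ev['ip']}")
        elif op in ("Send", "Receive"):
            seen_msgs[(user, ev["msg_id"])] = (ev["ts"], op)
        elif op == "Delete":
            prior = seen_msgs.get((user, ev["msg_id"]))
            if prior and ev["ts"] - prior[0] <= delete_window:
                age = ev["ts"] - prior[0]
                findings[user].add(
                    f"{ev['msg_id']} deleted {age}s after {prior[1].lower()}")
    return {u: sorted(r) for u, r in findings.items()}


if __name__ == "__main__":
    for user, reasons in find_suspicious(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(user, "->", "; ".join(reasons))
```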

Finally, we strongly recommend the use of encryption for certain types of information, such as completed forms and contracts. A wide range of readily available technologies now make this type of communication easy to send securely.

Get more information

If you are using Office 365 or Gmail for your business, you can find more information on activating multi-factor authentication free of charge on the Microsoft and Google websites. You can also learn how to activate and monitor mailbox auditing in Office 365 and Gmail. Finally, Office 365 has a page that allows you to assess the security of your configuration, called Safenote.

If you think your systems could be vulnerable or if you have any questions, contact our teams immediately at 514-312-1990 or by email.