Types of attacks
In one type of attack, a legitimate exchange between an organization and a customer is intercepted. The attacker, masquerading as the organization, sends the customer the details of his own bank account and receives the payment there.
In another, an external sender whose display name matches that of an important person in your company emails someone in your organization requesting a transfer of money to an account. The victim relies on the display name, does not check the actual email address, and makes the transfer.
In a third, mail from external senders carrying malware is opened and the infected files are downloaded to the machine. These files spread to other computers on the network and encrypt data or lock access to the computer. To unlock or decrypt the files, the attackers demand money, usually in bitcoin, as they cannot be traced.
Safety measures to be taken
To protect your organization from such attacks, we urge you to do the following without any delay:
- Educate users to pay close attention to email details.
- Check the display name and the email address for all mails concerning financial transactions.
- Check the display name and email address of every email before opening any attachments.
- Exercise caution before clicking on any images or links.
- Do not reply to a mail without verifying its source.
- Make a habit of continuously educating users. Have mock drills to check whether users are still following old habits.
- Enable the spoof check in SpamTitan by adding user policies for critical users.
  ANTISPOOF_NAME: this test provides impersonation protection. Impersonation is when spam is sent using the name of a high-profile person in a company, e.g. the CEO. This test is automatically enabled when a full name is entered for a user on their user policy. A full name is at least two words (usually first name and last name), e.g. John Smith. Go to Anti-Spam Engine > User Policies to add or edit a user policy.
- Enable the following on your SkyConnect domains:
  - Password complexity: make sure users are using complex passwords and do not allow them to set simple, easily guessed passwords.
  - Password expiry: passwords should not be valid for more than a month; this can be controlled by the password expiry feature.
  - Password history: keeping a minimum of 3 previous passwords in history ensures that older passwords are not reused.
  - Access control: using access control, you can limit access to known IP address ranges, limiting an attacker's access to your accounts.
  - Secure ports only: use secure ports such as HTTPS, POPS, IMAPS and SMTP over TLS when configuring access to accounts.
- Use PGP encryption for critical mail flow.
- Enable SPF and DKIM checks for incoming mails from external domains. (Impact: once these checks are enabled, incoming mail that fails them is rejected, including otherwise valid mail from sender domains without proper SPF/DKIM records.)
- Confirm your DNS records are intact with proper, valid SPF, DKIM and DMARC entries.
- Review your DLP configurations.
- Make sure your desktops and networks are secure:
  - Confirm antivirus, anti-ransomware, anti-malware and anti-spyware protection is enabled on desktops and is regularly updated.
  - Confirm intrusion detection is enabled on your firewall.
  - Implement VPN access for users connecting from outside.
  - Make sure all important server and endpoint data are backed up to external or cloud storage.
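Detection logic for the display-name impersonation described under types of attacks and in the SpamTitan ANTISPOOF_NAME note, as an added example that is not part of this advisory or of SpamTitan: a Python check that flags a From: header whose display name reproduces a protected full name (at least two words) while the address is outside the organization's own domains. The internal domain list, the protected names and the sample headers are constructed assumptions.

```python
import re
from typing import Optional
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
INTERNAL_DOMAINS = {"example.com"}
# Names worth protecting: full names of at least two words, as the
# SpamTitan note above requires before its check is enabled.
PROTECTED_NAMES = {"John Smith", "Jane Doe"}

def _normalize(name: str) -> str:
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    name = re.sub(r"[^\w\s]", " ", name)
    return " ".join(name.lower().split())

def protected_name_match(display_name: str) -> Optional[str]:
    """Return the protected full name that display_name reproduces, if any.
    All words of the full name must appear, in any order ("Smith, John")."""
    words = set(_normalize(display_name).split())
    for full_name in PROTECTED_NAMES:
        parts = set(_normalize(full_name).split())
        if len(parts) >= 2 and parts <= words:
            return full_name
    return None

def check_from_header(from_header: str) -> dict:
    """Flag a From: header whose display name is a protected person
    while the actual address lies outside the organisation's domains.
    The same display name from an internal mailbox is legitimate use."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    impersonated = protected_name_match(display_name)
    return {
        "display_name": display_name,
        "address": address,
        "impersonated": impersonated,
        "suspicious": impersonated is not None and domain not in INTERNAL_DOMAINS,
    }

if __name__ == "__main__":
    # Constructed sample headers: one legitimate, two impersonations, one unrelated.
    samples = [
        "John Smith <john.smith@example.com>",
        '"John Smith" <ceo.john.smith@freemail-example.net>',
        '"Smith, John (CEO)" <accounts@pay-now-example.org>',
        "Newsletter <news@vendor-example.com>",
    ]
    for header in samples:
        flag = "ALERT" if check_from_header(header)["suspicious"] else "ok   "
        print(flag, header)
```

In a gateway this result would feed a quarantine or subject-tag action for the protected users' policies rather than a printed line.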