Types of attacks
In this case, a legitimate exchange between an organization and a customer is intercepted. The attacker, masquerading as the organization, sends the customer the details of a bank account he controls and receives the payment in that account.
In this case, an external sender whose display name matches that of a senior person in your company emails another person in your organization requesting a transfer of money to an account. The victim relies on the display name, does not check the actual email address, and makes the transfer.
Mail from an external sender carrying malware is opened and the infected attachments are downloaded to the machine. The malware spreads to other computers on the network and encrypts data or locks users out of the computer. To unlock or decrypt the files, the attackers demand a ransom, usually in bitcoin because such payments are hard to trace.
Safety measures to be taken
To protect your organization from such attacks, we urge you to take the following steps without delay:
- Educate users to check both the display name and the email address on all mail concerning financial transactions
- Educate users to check the display name and email address of every email before opening any attachments
- Instruct the Mithi team to add a warning to all mail coming from outside the organization.
- Make continuous user education a habit. Run mock drills to check whether users have fallen back into old habits.
- Enable the following on your SkyConnect domains:
  - Password complexity - Make sure users set complex passwords; do not allow simple, easily guessed passwords
  - Password expiry - Passwords should not remain valid for more than a month; enforce this with the password expiry feature.
  - Password history - Keeping at least the 3 previous passwords in history ensures that old passwords cannot be reused for a minimum period.
  - Account lockout - Brute force attempts to guess a user's password can be foiled by enabling the account lockout feature. This covers login attempts over HTTP, POP, IMAP and SMTP.
  - Access control - Use access control to limit access to known IP address ranges, restricting attackers' access to your accounts.
  - Use secure ports only for access - Configure account access over secure ports only: HTTPS, POPS, IMAPS and SMTP over TLS.
  - Use PGP encryption for critical mail flow
  - Enable SPF and DKIM checks for incoming mail from external domains (impact: mail that fails these checks, even if otherwise legitimate, will be rejected)
  - Confirm that your DNS records are intact, with proper and valid SPF, DKIM and DMARC entries
  - Review your DLP configuration
- Make sure your desktops and networks are secure:
  - Confirm that antivirus, anti-ransomware, anti-malware and anti-spyware software is enabled on desktops and is updated regularly
  - Confirm that intrusion detection is enabled on your firewall
  - Implement VPN access for users connecting from outside
  - Make sure all important server and endpoint data is backed up to external or cloud storage.
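The SPF, DKIM and DMARC items above ask you to confirm that the DNS records are valid; the following added example (not Mithi's code) shows the checks such a review applies. The records are constructed samples passed in as a dict; a real audit would first fetch the TXT records from DNS. The domain example.com and selector s1 are placeholders.

```python
# Offline sanity checks for a domain's SPF, DKIM and DMARC TXT records (added example, not
# Mithi's code). Records are constructed samples passed in as a dict, not fetched from DNS.
import re

SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 4.6.4: limit 10

def _tags(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)  # 'k=v; k=v' format
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(record):
    """Findings for one v=spf1 record; an empty list means it looks sane."""
    terms = record.split()[1:]  # skip the v=spf1 version term
    findings = []
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"), 1)[0].lower() in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are never failed")
    elif alls[-1].lower() in ("all", "+all"):
        findings.append("SPF: '+all' authorises every sender on the Internet")
    return findings

def check_dmarc(record):
    """Findings for one DMARC record: enforcement policy and reporting address."""
    tags = _tags(record)
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p')} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings

def audit(records, domain, selector):
    """records maps DNS names to TXT strings; returns every finding for the domain."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    findings = check_spf(spf[0]) if len(spf) == 1 else [f"SPF: expected one v=spf1 record, found {len(spf)}"]
    dmarc = records.get(f"_dmarc.{domain}", [])
    findings += check_dmarc(dmarc[0]) if dmarc else ["DMARC: no _dmarc record published"]
    dkim = records.get(f"{selector}._domainkey.{domain}", [])
    if not dkim or not _tags(dkim[0]).get("p"):  # an empty p= tag means the key was revoked
        findings.append(f"DKIM: selector {selector} missing or key revoked (empty p=)")
    return findings

# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK = {"example.com": ["v=spf1 a mx include:_spf.example.net +all"],
        "_dmarc.example.com": ["v=DMARC1; p=none"],
        "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p="]}
```

Running `audit(WEAK, "example.com", "s1")` reports four findings (an SPF record ending in `+all`, a monitor-only DMARC policy with no reporting address, and a revoked DKIM key); a domain with `-all`, `p=reject`, an `rua=` address and a populated key returns an empty list.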
Important Reference Links
- Email Phishing – How humans are the weakest link
- Preventing email fraud, email spoofing, email phishing and impersonation with SPF, DKIM, DMARC, and other security controls
- Security Framework for Mithi’s Digital Collaboration Framework