Adam Eaton: Cyber-security
As owner and Managing Director of Nimoveri, Adam has spent the last 20 years in IT, most recently at one of the UK’s leading cloud and managed service providers. Adam spends much of his time working with UK-based mid-market organisations, advising on how to balance the use of IT to enable revenue generation whilst ensuring cyber and other risks are minimised.
As well as running Nimoveri, Adam has 2 young boys that keep him on his toes. In his spare time, Adam plays hockey for Haslemere HC, coaches junior cricket and enjoys keeping fit.
This week I am going to keep the focus on security. We had another email incident this week where a customer had an account takeover. I thought I would share with you the email response from my technical team as it sheds an interesting light on what the attacker attempted to do.
I can confirm the email John received from Sarah had in fact originated from Sarah’s account due to her email account being compromised. The attacker had managed to log in to Sarah’s mailbox via the web portal and from there send the email. They also created a rule on her account to move any emails from @abcltd.co.uk into the “RSS feeds” folder. This then meant that when Sarah checked her sent items, they didn’t show up as they were automatically moved by the rule, thus making detection difficult. Since Sarah’s password was reset this morning, there have been no further signs of any rogue or malicious activity on her account. Sarah has deleted the malicious emails and the rule has been removed from the account. We have also recommended Sarah keeps a periodic check on her rules, as attackers often create rules to mask their actions when they compromise an account.
Regarding the second issue reported, where there was an email showing as from you to John, this is a spoofed email and the real sender has been added to the blacklist. This email did in fact get blocked by Barracuda due to the sender not being authorised to send from @abcltd.co.uk. Although we cannot see any evidence of Barracuda delivering the email despite it being blocked, or of it even reaching your Office 365 environment, you have still somehow obtained the email. What we believe may have happened is as follows: the spammer spoofed the email to appear to come from your email address; when the spammer sent the email and Barracuda blocked it, the sender’s email server then triggered a bounce-back stating that the email could not be delivered. As they had changed the email headers to appear from you instead of them, you received the bounce-back email, and the spam email was attached to the bounce-back.
From our investigation, the only breach of security was Sarah’s account being compromised. She has done a virus scan on her computer and no threats were found, so this must have been that either they knew her password, or they managed to brute force their way in and guess it. To minimise the chance of this happening again, we can set up something called Two Factor Authentication (2FA). 2FA basically adds an extra security layer where users will have to authorise a sign-in on their phone, as well as enter the usual username and password. This therefore means that if someone does manage to get a username and password for a user, they still won’t be able to log in without access to the user’s mobile phone too.
As you can see, a complex but fairly standard hack. Nimoveri is a provider of best-of-breed IT services, and Barracuda is the email protection tool we use to protect users. Barracuda offers two key products: one to protect against malicious email-borne attacks and the other for anti-phishing. We highly recommend Barracuda’s Advanced Threat Protection service, and the majority of our O365 customers utilise this. Anti-phishing is provided by the Sentinel product, but often this is more relevant for Enterprise clients. The best protection a small business can have is a process that ensures anyone who pays the bills confirms verbally with the requester prior to sending. In large businesses where email processes dominate, it is not always practical to verbally approve, so Sentinel makes more sense. We also highly recommend 2FA and are rolling this out for a number of clients at present.
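The hidden-rule trick the technical team describes is easy to check for. As an added example (not from the original post, Nimoveri or Barracuda), this Python script audits a list of inbox rules, shaped like a few fields of Exchange Online’s Get-InboxRule output, and flags rules that quietly divert mail from the organisation’s own domain into folders nobody reads; the sample rules and the domain are constructed for the example.

```python
# Added example: flag mailbox rules resembling the attacker-created rule in the
# incident above (mail from the firm's own domain moved into "RSS Feeds").
# Rule dicts mirror a few Get-InboxRule fields: Name, Enabled,
# FromAddressContainsWords, MoveToFolder, DeleteMessage, MarkAsRead.

# Folders users rarely open; a rule moving mail here hides it in plain sight.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "junk email", "deleted items", "archive", "notes"}

def audit_inbox_rules(rules, own_domains):
    """Return a list of (rule name, [reasons]) for enabled rules worth a look.

    own_domains: the organisation's own email domains, e.g. {"abcltd.co.uk"}.
    """
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        folder = (rule.get("MoveToFolder") or "").strip().lower()
        # Drop the mailbox path prefix Exchange prints, e.g. "Sarah:\RSS Feeds".
        folder = folder.split("\\")[-1]
        if folder in HIDEAWAY_FOLDERS:
            reasons.append(f"moves mail to rarely read folder '{rule['MoveToFolder']}'")
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching mail")
        senders = [s.lower().lstrip("@") for s in rule.get("FromAddressContainsWords") or []]
        if any(s in own_domains for s in senders):
            reasons.append("matches mail from the organisation's own domain")
        # Hiding mail and marking it read so no unread count gives it away.
        if rule.get("MarkAsRead") and (folder in HIDEAWAY_FOLDERS or rule.get("DeleteMessage")):
            reasons.append("marks diverted mail as read")
        if reasons:
            findings.append((rule.get("Name", "<unnamed>"), reasons))
    return findings

# Constructed sample: one legitimate rule and one resembling the incident's rule.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "FromAddressContainsWords": ["news@vendor.example"],
     "MoveToFolder": "Sarah:\\Newsletters", "DeleteMessage": False, "MarkAsRead": False},
    {"Name": "Clean up", "Enabled": True, "FromAddressContainsWords": ["@abcltd.co.uk"],
     "MoveToFolder": "Sarah:\\RSS Feeds", "DeleteMessage": False, "MarkAsRead": True},
]

if __name__ == "__main__":
    for name, reasons in audit_inbox_rules(SAMPLE_RULES, {"abcltd.co.uk"}):
        print(f"Suspicious rule {name!r}: " + "; ".join(reasons))
```

In practice the rule list would come from Get-InboxRule (or the Graph API) for every mailbox, run on a schedule, so a newly created diverting rule is noticed without waiting for a user to spot it.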
This week I also met with a contact where homeworking was discussed at length and the impact it can have on mental health, so next week I promise to start the working from home discussion.