Account takeovers spreading, becoming big threat to corporate security

Employees must learn to think before clicking to ward off brute force attacks


The DocuSign malware attack that occurred in mid-May is noteworthy because it highlights a go-to tactic popular with cyber criminals at the moment: account takeovers.

Attackers will first steal email data or credentials and then use them to launch highly targeted phishing campaigns. The one-two punch targets anyone with an email address and is becoming increasingly common.

DocuSign confirmed on May 15 that a spate of malware phishing attacks was the result of email addresses and account logins stolen by hackers. DocuSign, a major provider of electronic signature technology, stressed that stolen data was limited to customer and user email addresses. But this made the attack all the more dangerous, as it targeted users who would be expecting to click on links sent by the company. Anyone and everyone with an email address is a target.


The San Francisco-based startup had been tracking a malicious email campaign as early as May 9. But at that time, the company said that the malicious emails, which linked to a downloadable Microsoft Word document harboring malware, were not associated with DocuSign. Then, on Monday, May 15, DocuSign confirmed that hackers were able to send the emails because they had hacked and stolen the company's list of users.

Steve Malone, Mimecast director of security product management

According to Steve Malone, director of security product management at Mimecast, a cloud-based email security provider, the attack followed a classic pattern. Several common phishing tactics were used, including spoofed domains visually similar to the original, a seemingly harmless document, and social engineering to persuade the victim to download and open the file.

Two-pronged attack

What made the attack different, however, was that the phish resulted from the theft of a list of DocuSign users. This allowed the hacker to specifically target people who are familiar with the service and thus more likely to open the file. This formed step one of a two-step attack.

The second step was to target those users with the aim of installing information-stealing malware on their devices. Security & Compliance Officer Rahul Iyer of cloud-based email security firm The Email Laundry believes the Word document installs the Hancitor downloader. The Hancitor downloader will then download credit-stealing malware. Reports suggest that Pony, EvilPony and ZLoader malware are being used.

No end in sight

Directly after the initial wave of attacks, Mimecast noted that key elements of the phishing email began to change. Small iterations, like changing the subject line, ensure successful hits for hackers. And attacks, part of a billion-dollar industry, show no sign of stopping anytime soon.

Iyer advises organizations to take email security seriously, if they aren't already. The primary concern for users is that their email addresses are now "in the wild" and will be used for other phishing/spam campaigns. "So, anyone who received one of these DocuSign phishing mails should be alert for other phishing emails," he says.

Attackers change tactics

The breach is part of a growing trend of cyber criminals shifting from data theft to account takeovers. It's not just access to data that hackers get. It's a way into a company. Malone describes a scenario where gaining access to a corporate webmail system allows hackers to send phishing emails literally inside an organization. Users are much more likely to open something they see a colleague has sent, so the likelihood of infection increases.

Brute force attacks are on the rise, too. Distil Networks, a cybersecurity vendor that monitors bot traffic, identified over 567 billion malicious bot requests in 2016. Part of that was a significant spike in attempts to break into online accounts. Hackers are combining the brute force nature of bots with millions of stolen usernames and passwords to see what works. Even if no one acted on your data stolen several years ago, you are still at risk. A bot eventually will find it, and if you share a password between several websites, hackers may be able to force their way into your account.
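The bot-driven credential replay described above leaves a distinctive trace in authentication logs: one source tries many different accounts and almost all attempts fail. The following added example (not code from the article or from any vendor named in it) runs a simple detector over a few constructed log lines; the log format, IP addresses and thresholds are assumptions.

```python
"""Flag likely credential-stuffing sources in web authentication logs.

A user mistyping a password retries one account from one address. A bot
replaying leaked username/password pairs tries many distinct accounts from
one address with a low success rate. The log lines and thresholds below are
constructed for this example and should be tuned per environment.
"""
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> login user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2017-05-16T09:00:01Z 203.0.113.7 login user=alice result=fail
2017-05-16T09:00:02Z 203.0.113.7 login user=bob result=fail
2017-05-16T09:00:02Z 203.0.113.7 login user=carol result=fail
2017-05-16T09:00:03Z 203.0.113.7 login user=dave result=ok
2017-05-16T09:00:03Z 203.0.113.7 login user=erin result=fail
2017-05-16T09:00:05Z 198.51.100.2 login user=alice result=fail
2017-05-16T09:00:09Z 198.51.100.2 login user=alice result=fail
2017-05-16T09:00:15Z 198.51.100.2 login user=alice result=ok
"""

def parse_line(line):
    """Return (ip, user, ok) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields or "result" not in fields:
        return None
    return parts[1], fields["user"], fields["result"] == "ok"

def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.2):
    """Return {ip: {"users": n, "attempts": n, "successes": n}} for sources
    that tried at least min_users distinct accounts with a low success rate."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unrelated or malformed lines
        ip, user, ok = parsed
        stats[ip]["users"].add(user)
        stats[ip]["attempts"] += 1
        stats[ip]["successes"] += int(ok)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"users": len(s["users"]),
                           "attempts": s["attempts"], "successes": s["successes"]}
    return flagged
```

The single success from the flagged address is the case the article warns about: a reused password that a replayed credential pair happened to match, which is the account to force a password reset on first.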

Education best defense

One of the reasons such attacks are so successful is that they are able to bypass standard cybersecurity defenses. Only users could have prevented attacks by refraining from downloading the file. "Malicious email attachments are a critical threat as they can easily bypass traditional defenses as part of sophisticated spear-phishing attacks. All DocuSign customers need to educate users to be extra vigilant when opening any documents purporting to be from their service," Malone says.

Whether your company has been caught in the DocuSign attacks or not, it is recommended your organization and employees follow cybersecurity best practices. These include never sending your personal information from an unsecured email, changing passwords frequently, ensuring employees are properly trained, and enlisting the help of a cybersecurity provider.

In the end, a little paranoia goes a long way. Malone advises users to verify with the sender before opening any documents or clicking on any links. "Criminals will try all manner of ways to trick employees into enabling macros in weaponized email attachments. So, users should think twice before they click."
