ADVISORY ON PHISHING WITH WORMS - EMAIL ACCOUNT TAKEOVER

BACKGROUND

The latest phishing attack has caused a wave of business email account takeovers.

Once an email account is compromised, its credentials are sent to a remote bot, which signs in to the account and analyses recent emails. For each unique email thread, it replies to the most recent message with a link to a phishing page that captures credentials. Because these phishing emails arrive as replies to genuine conversations between suppliers, customers and colleagues, they appear trustworthy.

The theft of credentials that are not protected by Multi-Factor Authentication (MFA) lets the bot propagate onward from every compromised account. Growth is therefore exponential, and a large number of accounts can be compromised within a few hours.
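One defender-side check for the propagation pattern described above, as an added example that is not part of this advisory: it scans constructed outbound-mail records for an account that replies to many distinct threads within a short window, each reply carrying a link to the same host. The record field names (sender, ts, in_reply_to, urls), the sample data and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample outbound-mail records (not real logs). "alice" shows the
# worm pattern: replies to six distinct threads, one shared link, within seconds.
# "bob" replies to two threads with unrelated links, which is ordinary traffic.
SAMPLE_LOG = [
    {"sender": "alice@corp.example", "ts": f"2024-05-01T09:00:{10 + i:02d}",
     "in_reply_to": f"<thread{i}@partner.example>",
     "urls": ["https://docs-share.invalid/view?id=77"]}
    for i in range(6)
] + [
    {"sender": "bob@corp.example", "ts": f"2024-05-01T10:{m:02d}:00",
     "in_reply_to": f"<t{m}@partner.example>", "urls": [u]}
    for m, u in ((0, "https://corp.example/wiki"), (5, "https://vendor.example/q"))
]

def flag_reply_worms(records, window_s=1800, min_threads=5):
    """Return {sender: (distinct_threads, host)} for senders that, inside any
    window_s-second span, replied to >= min_threads distinct threads with a
    link to the same host. Thresholds are assumed starting points, not tuned."""
    by_sender = defaultdict(list)
    for r in records:
        if not r.get("in_reply_to"):  # only replies matter for this pattern
            continue
        for url in r.get("urls", []):
            host = urlparse(url).hostname
            if host:
                by_sender[r["sender"]].append(
                    (datetime.fromisoformat(r["ts"]), r["in_reply_to"], host))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()  # sliding window over time-ordered events
        for i, (start, _, _) in enumerate(events):
            threads_per_host = defaultdict(set)
            for ts, thread, host in events[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                threads_per_host[host].add(thread)
            for host, threads in threads_per_host.items():
                if len(threads) >= min_threads:
                    best = flagged.get(sender)
                    if best is None or len(threads) > best[0]:
                        flagged[sender] = (len(threads), host)
    return flagged

if __name__ == "__main__":
    print(flag_reply_worms(SAMPLE_LOG))  # {'alice@corp.example': (6, 'docs-share.invalid')}
```

A hit is a trigger for forcing a password reset and session revocation on the flagged account, not proof on its own; genuine bulk replies (a newsletter link sent to several threads) will need an allow-list.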

IMPACT

  • Leakage of login credentials, which can be sold on the dark web.
  • Confidential information in emails may be compromised.


RECOMMENDATIONS

  • Enable Multi-Factor Authentication (MFA)
  • Use secure push or secure external One-Time Password (OTP) via an app. If possible, use push OTP with context, so you know what the authentication request will be used for.
  • If you receive an email with a suspicious link, contact the sender to verify rather than just hitting reply, even if the email is from a trusted sender.
  • Watch out for URL redirects, where you are subtly sent to a different website with an identical design.