The following is a true story, involving a company we know. The names and certain identifying details have been changed, but the other details are accurate. They serve as an important cautionary tale for companies that believe their email systems are sufficiently secure, or that online fraud is a problem that only affects ‘other people.’
For the sake of the tale, let’s say this is a car dealership. The business is strong, well respected, and it has never previously had a problem with fraud.
The problem comes to light one mid-morning when Sue, the business owner’s PA, enters his office with a smile and a brief announcement: “It’s alright, Brian,” she says. “I’ve made the payment on the BMW.”
Brian frowns. “What BMW?” He’s certain that no such car has been ordered. “The 3 Series.” Sue seems calm and certain of herself. “The one you just asked me to buy.”
“What?” Brian’s frown deepens. “I didn’t ask you to buy a 3 Series. I never have.” Sue grins, suspecting a joke. “Of course you did. You and Mike have been exchanging emails about it all week.”
“No. We really haven’t.” He rises from his desk. “I think you’d better show me.”
What Brian sees next is both worrying and perplexing. There, on Sue’s screen is the top of a very long email exchange that seems to have gone back and forth for more than a week. More worryingly still, about half of these emails appear to have come from him. Most of the rest come from Mike in Purchasing, and he’s quite sure that Mike knows nothing about this either. When Mike is summoned in, he’s clearly as baffled as anyone.
Looking more closely at the message trail, Brian sees that it starts with a mention of a BMW in an otherwise authentic-looking email. The rest of the message is about subjects that the owner recognises. Whoever faked this message certainly seemed to know what was going on in the business.
After that come messages in his name, which he knows he never wrote. Here’s one in which he and Mike ask Sue to make the purchase, and then another, just a minute or two later, asking her to hold off on the paperwork because Mike thinks he can get the price down even further.
The fictional exchange goes on, over a period of many days until, just this morning, Brian supposedly writes to Sue and asks her to make the purchase. His final email has a sense of urgency about it. It says “Sue, please pay this invoice NOW. We won’t get a better price than this.” There is a final amount and an attachment with some bank transfer details.
Realising that a fraud has been attempted, Sue now looks as worried as the rest. She authorised the transfer just a few minutes ago. That was the point at which she came into Brian’s office to relay the good news.
Except that it’s clearly not good news at all…
Fortunately, the client was able to stop the transfer in time and lost nothing, but any slight delay could have seen the money gone from the company account. It was at this point that the company called in AMP to figure out what had gone wrong.
An Unfortunate Series of Events
We began by scrutinising the email chain. Brian, the business owner, was certain that the emails had been faked and somehow slipped in from the outside, but we were able to show that they had all originated from his genuine email account. The digital signatures and other data proved it. What that meant was that someone had managed to get full access to his account. They had his username and password, so our first, immediate action was to change his login details so as to prevent further attacks.
Further investigation revealed that Brian had used his email password as the password for at least one other website, and one of those websites had evidently been hacked. His email details had then been harvested.
Once an attacker has an email address, it isn’t hard to determine where that email account is hosted. Using automated tools that try leaked address-and-password pairs against the sign-in pages of the common providers (a technique known as credential stuffing), the attacker matched the address with the password and logged in to the business owner’s Office 365 account. From that point the attacker could send and receive emails at will. Importantly, the attacker could also read the owner’s previous emails, and so could refer to people, purchases and other details that made the faked messages sound completely authentic.
Furthermore, Brian had previously configured his Office 365 mailbox permissions so that he could send and receive emails in the name of other key staff (‘Send As’ delegation), including Mike in Purchasing. As a result, the hacker, logged in as Brian, had been able to create a false trail of believable-sounding messages between ‘Mike’ and the owner, into which he or she eventually copied the unfortunate Sue.
By the time Sue joined in the conversation, there appeared to be several days’ worth of messages about an unmissable deal on a BMW. Even when she began to engage in the conversation herself, the fraud wasn’t spotted because the fraudster was still able to reply via the owner’s legitimate email account. Having managed to get access to the owner’s email account and password, the fraudster might just as well have been sitting at the owner’s desk.
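The post says the signatures and other data showed the messages came from Brian’s real account. In an Office 365 tenant the most decisive record is the unified audit log, which records every send, send-as and sign-in together with the source IP address. The following PowerShell is an added example, not AMP’s tooling and not code from the original post: it assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules are installed, that the administrator running it can read the audit log and revoke sessions, that mailbox auditing is on (the Exchange Online default), and that the addresses are hypothetical.

```powershell
# Added example, not part of the original post: reconstruct what a compromised
# Office 365 mailbox did, using the tenant's unified audit log.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in admin can
# read the audit log; mailbox auditing is enabled (the Exchange Online default).
# All addresses are hypothetical.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$victim = 'brian@example.com'        # the compromised mailbox
$start  = (Get-Date).AddDays(-30)    # look back well before the first fake email
$end    = Get-Date

# 1. Every message sent by, as, or on behalf of another mailbox from this logon.
#    Records are keyed to the account that was logged in, so messages the attacker
#    sent "as Mike" while logged in as Brian still appear under Brian.
$sends = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $victim `
            -RecordType ExchangeItem -Operations Send,SendAs,SendOnBehalf -ResultSize 5000

$sendRows = foreach ($rec in $sends) {
    $d = $rec.AuditData | ConvertFrom-Json     # AuditData is a JSON document
    [pscustomobject]@{
        When      = $rec.CreationDate
        Operation = $rec.Operations
        ClientIP  = $d.ClientIPAddress
        Client    = $d.ClientInfoString          # OWA, Outlook, REST, IMAP ... 
        SentAs    = $d.SendAsUserSmtp            # populated on SendAs records
        OnBehalf  = $d.SendOnBehalfOfUserSmtp    # populated on SendOnBehalf records
        Subject   = $d.Item.Subject
    }
}
$sendRows | Sort-Object When | Format-Table -AutoSize

# 2. Sign-ins to the account over the same window, grouped by source address.
#    Addresses outside the office or VPN ranges, or a client the owner never uses,
#    belong to the attacker; their timestamps line up against the sends above.
$logons = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $victim `
            -Operations UserLoggedIn -ResultSize 5000

$logonRows = foreach ($rec in $logons) {
    $d = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $rec.CreationDate
        ClientIP  = $d.ClientIP
        UserAgent = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
    }
}
$logonRows | Group-Object ClientIP | Sort-Object Count -Descending |
    Format-Table Count, Name, @{ n = 'First'; e = { ($_.Group | Sort-Object When)[0].When } }

# 3. A password change (what the post describes) does not end sessions the attacker
#    already holds; revoke the tokens already issued as well.
#    Microsoft Graph PowerShell, a separate module from the one used above.
Connect-MgGraph -Scopes 'User.RevokeSessions.All'
Revoke-MgUserSignInSession -UserId $victim
```

Run the first two sections before touching anything else so that the evidence is preserved; the third section is the containment step, and it matters because a fresh password does nothing about a browser session or mail client the attacker is already signed in with.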
It is important to note that, in other respects, the company was well protected. It had the necessary firewall and anti-virus protection, and its software was kept up to date with the latest patches. However, none of that came into play: the first part of the attack happened on a third-party website outside the company’s control, and the second part was a legitimate login with valid credentials, followed by ordinary human trust. To the firewall and the mail servers, the attacker was indistinguishable from Brian.
There are some important lessons to be learned from this story.
- Never reuse a password across websites or services; the email password in particular must be unique, because email is where every other account’s password reset lands
- Change passwords regularly, and immediately if a site where a password was used is breached
- Never share passwords with anyone
- Be cautious when granting mailbox access permissions; don’t allow anyone to send as, or on behalf of, anyone else unless it’s absolutely necessary, and remove those delegations as soon as they are no longer needed
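The last lesson is the one that turned a compromised mailbox into a convincing multi-party conversation. The following PowerShell is an added example, not code from the original post or from AMP: it lists every delegation of this kind in an Exchange Online tenant and then removes one. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the mailbox names are hypothetical.

```powershell
# Added example, not part of the original post: find every mailbox in an Exchange
# Online tenant that someone else can send as, send on behalf of, or open outright,
# then remove a grant that is no longer needed.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account is an
# Exchange administrator. Mailbox names are hypothetical.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. "Send As": the delegate's messages are indistinguishable from the owner's own.
#    Every mailbox carries an implicit SELF entry; drop it to see real delegations.
$sendAs = Get-RecipientPermission -ResultSize Unlimited -AccessRights SendAs |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object @{ n = 'Mailbox'; e = { $_.Identity } }, Trustee, AccessRights

# 2. "Send on Behalf": recipients see "Brian on behalf of Mike", so it is less useful
#    to a fraudster, but it still lets one person speak for another.
$onBehalf = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.GrantSendOnBehalfTo } |
    Select-Object DisplayName, PrimarySmtpAddress, GrantSendOnBehalfTo

# 3. Full Access: the delegate can open and read the whole of another mailbox.
#    Inherited and system entries are noise; keep only explicit grants to people.
$fullAccess = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and
                   -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object Identity, User, AccessRights

'--- Send As ---';        $sendAs     | Format-Table -AutoSize
'--- Send on Behalf ---'; $onBehalf   | Format-Table -AutoSize
'--- Full Access ---';    $fullAccess | Format-Table -AutoSize

# 4. Revoke what is not needed. In the story Brian could send as Mike in Purchasing;
#    once that is no longer required, every form of the grant goes.
Remove-RecipientPermission -Identity mike@example.com -Trustee brian@example.com `
    -AccessRights SendAs -Confirm:$false
Set-Mailbox -Identity mike@example.com -GrantSendOnBehalfTo @{ Remove = 'brian@example.com' }
Remove-MailboxPermission -Identity mike@example.com -User brian@example.com `
    -AccessRights FullAccess -Confirm:$false
```

The three listings are worth running on a schedule, not once: delegations tend to be granted for a holiday or a project and never removed, and each one is a second mailbox an attacker inherits the moment the first is compromised.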
When AMP was called in, we acted quickly to identify the problem but the story could easily have had a different outcome. Had the company followed the rules listed above, the problem would not have occurred, but there are other ways that imposters can infiltrate a system, as we’ll discuss in a separate post.
One final point is that two-stage verification should now be standard practice for all systems that a company wishes to keep secure.
This is simply a process that requires the user to present two separate proofs of identity. For example, he or she enters a username and password on their PC, and then enters a one-time code sent by SMS to their phone or approves a prompt in an authenticator app (an app or a hardware key is preferable to SMS, which can be intercepted or redirected by SIM swapping). It’s an easy safeguard to set up, and in the example above it would have stopped the attack: as soon as the hacker tried to sign in to the owner’s Office 365 account with the stolen password, he or she would have been asked for a second factor that only Brian’s phone could supply. What’s more, Brian would have received the prompt on his phone and known that someone (not him) was trying to get in. One caveat: the second factor only protects sign-ins that go through modern authentication, so older protocols such as basic-authentication IMAP, POP and SMTP must be disabled in the tenant as well, or a stolen password still works through them.
Companies often choose not to adopt 2-stage verification because it means taking an extra step before logging into the protected system. However, the ‘nuisance’ value is actually very small and the added protection can be invaluable. Set against the risks of imposter attacks, it’s a measure that we at AMP would always recommend. It’s for precisely that reason that all our own systems are protected with multi-stage verification.
You can set your own 2-factor verification with your Microsoft Account
If you would like further information about cyber security, please call us on 0800 368 7730.