Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, has admitted that it suffered a cyber attack. The company, however, downplayed the incident, saying that "only very few clients were impacted" and that there was "no disruption" to client businesses.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies.
British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack.
Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system.
“In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.”
The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016.
“Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.”
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”
Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sensed that something was wrong: the company sent an email to all of its US employees calling for a mandatory password reset. The notice included advice to pick complex passwords and a warning that employees who failed to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 would no longer be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account”, an account with unrestricted access to every aspect of the email server. The Guardian’s sources said that the administrator’s account required only a single password and did not have 2-step verification.
By relying on a password alone (single-factor authentication), Deloitte left its email system highly vulnerable: whoever obtained or guessed that one secret, by phishing, by reusing a password leaked elsewhere or by brute force, held the keys to the entire mail platform.
Attackers nowadays find it easy to break into email accounts protected by nothing more than a password, for the following reasons:
Prior to the massive hack at Equifax, in which personally identifiable information (names, Social Security numbers, birth dates and addresses) of 143 million Americans, 100,000 Canadians and 400,000 UK residents was stolen, Equifax was the victim of an earlier hacking incident.
On May 15 of this year, the Counsel for TALX Corporation, a wholly owned subsidiary of Equifax, informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms belonging to the employees of TALX’s corporate clients. According to the Counsel for TALX, the hackers gained access to the TALX website and harvested the W-2 forms by successfully answering the personal questions used to reset the PINs or passwords that protect access to the site. Such knowledge-based questions are a weak second step: the answers (mother’s maiden name, prior address, and the like) are frequently available in public records or in data from earlier breaches.
“Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said.
“It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”
What is 2-Step Verification
Many companies, including Google, Facebook and Apple, have adopted 2-step verification, commonly called two-factor authentication.
2-step verification is one of the security measures that help keep attackers out. Gmail is an example: you enter your password as usual, and are then asked for something else, a code delivered to your phone by text message or voice call, or generated by an authenticator app on the phone. You sign in only after supplying that code. You can also sign in with a USB security key, a small device that plugs into your computer.
Can 2-step verification keep the bad guys out entirely? It offers far more protection than logging into an email account with a password alone, and this added layer stops a whole class of attackers: anyone who has only the password, whether phished, leaked or guessed. It cannot, however, stop every sophisticated attack.
A USB security key is considered more secure than a code delivered to a smartphone, because the key answers only the genuine site and there is no code for an attacker to phish or intercept; cyber criminals have in the past infected mobile devices to steal 2-step verification codes. A key can be lost or stolen, but on its own it does not grant access, since the password is still required, and a lost key should be revoked from the account and replaced with a backup key or recovery codes.
Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single factor authentication. Email security also goes beyond the two-factor authentication.
Contact us today if you need further protection for your organization’s internal email system.
Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information on file for one of the university’s major suppliers. The result was a transfer of $11.8 million to a bank account that the staff believed belonged to the supplier.
The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time.
“There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said.
The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What is a Business Email Compromise (BEC)
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and/or routinely pay by wire transfer.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams.
"Ransomware has been drawing much of the attention in the security world lately,” Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC."
According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target.
Attackers spend weeks and even months studying the organization’s suppliers, billing systems, the writing style of the top executive or CEO, and his or her travel schedule.
Attackers gather this information from public online sources such as social media accounts, and by using malicious software to infiltrate the organization’s networks and gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee.
When the time is right, for instance, when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – in an organization who’s responsible for directly transferring money to suppliers.
Attackers exploit the target employee through email spoofing, phishing email and telephone calls.
Attackers also arrange for replies to land in a mailbox they control, for instance by forging the From header to look internal while setting the Reply-To header to a different account, or by sending from a lookalike domain. At this stage the target employee believes he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer.
For this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instruct the employee to send payment to this new account. Attackers may also send a bogus email from a CEO to release the money to the new bank account.
Fourth, money sent is drained to different accounts.
In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo.
Also, confirm the request by calling the supplier on a previously known phone number, not the one provided in the email. In the case of the Alberta-based university, the preliminary assessment of the university’s internal audit group found that the BEC scammers succeeded because “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails from domains that closely resemble your organization’s own. For example, for a legitimate domain of xyz-corporation.com it can flag bogus emails from xyz_corporation.com. Such lookalike checks complement SPF, DKIM and DMARC, which let receiving servers reject mail that forges your exact domain but say nothing about a near-match domain the attacker has registered.
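The reply-redirection trick described under “How BEC Works” and the lookalike-domain flag described here are both visible in a message’s headers before anyone reads the body. The following is an added example, not code from the original post or from any product it mentions, of a small screening rule set run over three constructed messages: one from a confusable domain, one whose From header is forged to look internal but whose Reply-To points elsewhere, and one legitimate message. The domain xyz-corporation.com is the post’s own placeholder; the executive directory, the similarity cutoff of 0.85 and the sample messages are assumptions made for the example.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the original post): the protected
# organisation owns xyz-corporation.com and keeps a directory of executives
# whose names attackers are most likely to impersonate.
OUR_DOMAIN = "xyz-corporation.com"
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@xyz-corporation.com"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, legit: str = OUR_DOMAIN, cutoff: float = 0.85) -> bool:
    """True for domains that are nearly but not exactly ours (xyz_corporation.com,
    xyz-corporation.co) or that bury ours in a subdomain (xyz-corporation.com.example)."""
    if not domain or domain == legit:
        return False
    if domain.startswith(legit + "."):
        return True
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= cutoff


def screen(raw_message: str) -> list:
    """Return indicator strings for one RFC 822 message; an empty list means clean."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    findings = []

    # 1. Near-match of our own domain: the attacker registered a confusable name.
    if is_lookalike(sender_domain):
        findings.append("lookalike-domain:" + sender_domain)

    # 2. Reply-To pointing elsewhere: the From header is forged to look internal,
    #    but the reply goes to a mailbox the attacker controls.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch:" + domain_of(reply_to))

    # 3. An executive's display name on an address that is not that executive's.
    expected = EXECUTIVE_DIRECTORY.get(display.strip().lower())
    if expected and sender.lower() != expected:
        findings.append("display-name-impersonation:" + sender.lower())

    return findings


# Constructed sample messages; none of these are real traffic.
LOOKALIKE_DOMAIN = (
    'From: "Jane Doe" <jane.doe@xyz_corporation.com>\n'
    "To: controller@xyz-corporation.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please pay the supplier's invoice to their new account today.\n"
)
REPLY_TO_HIJACK = (
    'From: "Jane Doe" <jane.doe@xyz-corporation.com>\n'
    "Reply-To: <jane.doe@secure-mail-relay.example>\n"
    "To: controller@xyz-corporation.com\n"
    "Subject: Are you at your desk?\n\n"
    "I am travelling and need you to handle a payment. Reply here.\n"
)
LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@xyz-corporation.com>\n'
    "To: controller@xyz-corporation.com\n"
    "Subject: Q3 numbers\n\n"
    "Attached are the figures we discussed.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE_DOMAIN), ("reply-to", REPLY_TO_HIJACK), ("legit", LEGITIMATE)]:
        print(label, screen(raw))
```

The second sample is the one that matters most in practice: its From address is exactly right, so a lookalike rule alone would pass it, and only the Reply-To mismatch (or a DMARC failure at the receiving server) gives it away.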
You have a backdoor to your business, and it's Email
Email is the most widely used form of business communication today. It’s inexpensive and fast. This form of communication, however, exposes businesses to cyber criminals.
Malicious cyber criminals consider the email as businesses’ backdoor – a vulnerable feature of a computer system that calls for exploitation. Failing to protect your business emails is like fortifying your house with the latest alarm systems and then leaving your backdoor wide open.
Symantec in its 2016 Internet Security Threat Report estimated that nearly 190 billion emails were in circulation each day in 2015 alone, with an average of 42 emails sent and received by each business user every day – a growing number of users reading their emails on their mobile devices.
Symantec reported that in 2015 the overall spam rate was 53%, one in 1,846 emails was a phishing email, and one in 220 carried malware. “For cybercriminals who want to reach the largest number of people electronically, email is still the favored way to do it,” Symantec said.
3 Ways Cyber Criminals Exploit the Vulnerabilities of Emails
Cyber criminals exploit the vulnerabilities of emails in a number of ways. Here are 3 ways cyber criminals exploit emails:
1. Business Email Compromise (BEC) Scams
The cyber threat called business email compromise (BEC) relies on the oldest trick of con artists: deception. In BEC, con artists zero in on employees who have access to the company’s finances, deceiving them into wiring money to bank accounts they believe belong to business partners, when in fact the money ends up in accounts controlled by the cyber criminals.
BEC is one form of phishing, the use of email crafted to look as if it came from a legitimate source such as a bank, a partner company or a government agency in order to trick people into revealing Social Security numbers, bank account numbers and other valuable details, or, in the case of BEC, into sending money.
The Federal Bureau of Investigation (FBI) reported that since 2013, organized crime groups, employing the business email compromise scam, have targeted small and large organizations and companies in every U.S. state and more than 100 countries around the world. According to the FBI, since January 2015, there has been a 1,300 percent increase in BEC, with losses now totaling over $3 billion.
Tech giants such as Google and Facebook are not spared by BEC scammers. In March 2017, the U.S. Department of Justice announced the arrest of Evaldas Rimasauskas for scamming two multinational internet companies out of more than $100 million through an email compromise scheme. While the indictment did not name the companies, a Fortune investigation revealed that the victims were Google and Facebook. In the Rimasauskas case, Google and Facebook believed they were corresponding by email with legitimate staff of Quanta, the supplier of the tech giants’ computer servers.
Business Email Compromise (BEC) Scams Prevention
BEC scams can be prevented in the following manner:
Phishing Scams Prevention
Here are some of the ways to prevent phishing scams in general:
2. Malware Spread
Email is one of the oldest ways to spread malware, short for “malicious software”, software designed to damage or infiltrate computers without the users’ consent. In May 2000, the malware known as “ILOVEYOU” infected millions of computers. It arrived as an email apparently from someone the recipient knew, with the subject "ILOVEYOU" and a body reading "kindly check the attached LOVELETTER coming from me." The attachment was a Visual Basic script named LOVE-LETTER-FOR-YOU.TXT.vbs; because Windows hid known file extensions by default, it appeared to be a harmless text file.
An enormous number of people, probably out of the universal need to be loved, opened the ILOVEYOU email and ran the attachment. Once run, the script overwrote files of many common types on the victim’s machine and emailed a copy of itself to every contact in the victim’s Outlook address book. The resulting flood overloaded mail systems worldwide, causing a meltdown of electronic communication among businesses and governments.
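The double-extension trick that carried ILOVEYOU is still the first thing a mail gateway should check on an attachment. The following is an added example, not code from the original post, that parses a MIME message and applies a simple attachment policy: flag any attachment whose real extension is one Windows will execute, and flag separately the case where a decoy extension sits in front of it. The sample message is constructed to have the shape of the ILOVEYOU mail (same subject and body text, same attachment name); its attachment body is a placeholder string, not the worm, and the extension lists are illustrative rather than complete.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Illustrative lists, not exhaustive: extensions Windows executes directly, and
# harmless-looking extensions commonly used as the visible half of a double extension.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}
DECOY_EXT = {".txt", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png"}


def classify_attachment(filename: str) -> list:
    """Return findings for one attachment name; an empty list means no policy hit."""
    stem, ext = os.path.splitext(filename.lower())
    findings = []
    if ext in EXECUTABLE_EXT:
        findings.append("executable-extension:" + ext)
        # LOVE-LETTER-FOR-YOU.TXT.vbs: the inner extension is the decoy the user
        # sees when Windows hides the real one.
        if os.path.splitext(stem)[1] in DECOY_EXT:
            findings.append("double-extension")
    return findings


def screen_attachments(raw_message: str) -> dict:
    """Map every attachment filename in a MIME message to its findings."""
    msg = message_from_string(raw_message)
    report = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            report[filename] = classify_attachment(filename)
    return report


def build_sample() -> str:
    """Constructed message shaped like the ILOVEYOU mail; the attachment body is a
    placeholder comment line, not the worm."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"' placeholder, not malicious code\n", maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for name, findings in screen_attachments(build_sample()).items():
        print(name, "->", findings or "ok")
```

An extension policy catches the script-in-disguise pattern but not a macro-bearing Office document or an archive with the payload inside it, so it belongs in front of, not instead of, content scanning and sandbox detonation.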
Malware Spread Prevention
Here are some of the ways to combat the spread of malware sent via emails:
3. Denial of Service (DoS) Attack
A denial-of-service (DoS) attack is an attempt by cyber criminals to prevent legitimate users from accessing online services like email. Spam email messages can be used by attackers to prevent your customers from emailing your company.
Email accounts, whether supplied by a paid service or by free services such as Yahoo or Gmail, are assigned a quota that limits the volume of mail a business account can receive in a given period. When attackers bombard your business account with too many or oversized messages, they can exhaust that quota and prevent your company from receiving legitimate mail.
DoS Attack Prevention
To prevent a DoS attack:
Steve E. Driz