A few weeks ago a client who runs a local business suspected that their email account could be compromised, and asked us to investigate. The suspicions were correct: a trojan had been downloaded.
“A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of the computer it is introduced to. A Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on the host data or network. A Trojan acts like a bona fide application or file to trick the less suspecting users. It seeks to deceive users into loading and executing the malware on their device. Once installed, a Trojan can perform the action it was designed for.” 
The whole attack started when the client received an email from a known contact advising him to click on a link to download an attachment. This was the first part of the attack, the “social engineering”. This technique lets the perpetrator play on the fact that if someone receives an email from a known associate, the chances are that they will trust that person at face value. This element of trust downplays your suspicions and motivates you to download the attachment. Once the user clicks on the link, the Trojan Horse is installed immediately.
In this case, once the Trojan was installed it started doing what it was designed to do. It passed back to the attacker the user's email address and password, which were stored on the laptop. These credentials were used every day to log into the email account automatically, for example when opening Outlook.
Next, the attacker targeted the bank details. Bear in mind that the attacker's aim is to re-enact the social engineering attack, this time between the user and their bank, so that they can pass instructions to the bank to their own benefit.
At this point the attacker had full access to the email account and set up hidden email rules on it to conceal communication between the bank and the actual user. They did this simply by using mailbox rules, which are an integral part of the email solution. In this way the attacker could look and act like the actual user and try to have the bank transfer funds to a bank account of the attacker's choosing. Completing this would finish the attack and extract funds from the target's bank account. Often attackers use other hijacked accounts to receive the funds and then withdraw them from those accounts.
Caught in the Act.
At this point things were looking bleak for the target. The user had no clue that the email account had been compromised, and the installed anti-virus protection had not detected anything suspicious. This lack of warning complicated matters further by giving everyone a false sense of security.
The good news is that banks have invested considerably in developing internal systems and protocols to combat such attacks, and their staff are especially well trained and ready to handle and catch these types of attack. In this particular case, the breach was first reported by the client's contact at the bank, who detected what they felt was a suspicious email sent to the bank requesting a balance for an account which did not exist. This prompted further investigation into the login locations and the access that had been made to specific mailboxes. The investigation confirmed suspicious login locations: IP address lookups showed that logins were made through VPN servers in the UK and USA.
Once it was clear that the email account had been compromised, as a precaution all email accounts were put into lockdown. This denied any further access and ensured that each account could be reviewed in detail and validated. As a further precaution all user passwords were reset, with strong passwords selected for all accounts. After the password resets, the system showed various failed login attempts as the attackers tried to re-engage with it. As part of re-commissioning the email accounts it was important to review and check the rules configuration in the webmail options. If these are not adjusted carefully, the compromised rule settings could still provide the attackers with a backdoor into the system. To eliminate this possibility, all existing rules were removed and the relevant configurations set up afresh.
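The login-location review described above, as an added example that is not the article's own code: a Python triage of exported webmail sign-in records that flags successful logins from outside the home country or through VPN exits, and checks whether those same source IPs kept failing to log in after the password reset. The home country, reset time, sample events, and the geolocation and VPN fields are all assumptions.

```python
# Added example (not from the article): triage exported webmail sign-in
# records. Sample events below are constructed; 'country' is assumed to come
# from an earlier IP geolocation lookup and 'vpn' from a VPN/proxy list.
from collections import defaultdict
from datetime import datetime

HOME_COUNTRY = "MT"                                                # hypothetical home country
PASSWORD_RESET_AT = datetime.fromisoformat("2023-05-02T17:00:00")  # constructed

SAMPLE_EVENTS = [  # time, user, source IP, country, VPN flag, outcome
    {"time": "2023-05-01T08:02:11", "user": "owner@example.com", "ip": "203.0.113.5",
     "country": "MT", "vpn": False, "result": "success"},
    {"time": "2023-05-01T08:40:53", "user": "owner@example.com", "ip": "198.51.100.77",
     "country": "GB", "vpn": True, "result": "success"},
    {"time": "2023-05-01T23:15:02", "user": "owner@example.com", "ip": "192.0.2.200",
     "country": "US", "vpn": True, "result": "success"},
    {"time": "2023-05-03T09:00:00", "user": "owner@example.com", "ip": "192.0.2.200",
     "country": "US", "vpn": True, "result": "failure"},
    {"time": "2023-05-03T09:00:20", "user": "owner@example.com", "ip": "192.0.2.200",
     "country": "US", "vpn": True, "result": "failure"},
    {"time": "2023-05-03T09:01:05", "user": "owner@example.com", "ip": "192.0.2.200",
     "country": "US", "vpn": True, "result": "failure"},
    {"time": "2023-05-03T10:30:00", "user": "staff@example.com", "ip": "203.0.113.9",
     "country": "MT", "vpn": False, "result": "success"},
]

def flag_foreign_logins(events, home=HOME_COUNTRY):
    """Successful sign-ins from outside the home country or through a VPN exit."""
    return [e for e in events
            if e["result"] == "success" and (e["country"] != home or e["vpn"])]

def failed_after_reset(events, reset_at=PASSWORD_RESET_AT):
    """Failed sign-ins per (user, IP) after the reset: the attacker trying to get back in."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "failure" and datetime.fromisoformat(e["time"]) > reset_at:
            counts[(e["user"], e["ip"])] += 1
    return dict(counts)

def triage(events):
    """Per user: the foreign/VPN source IPs and whether any kept trying after the reset."""
    failures = failed_after_reset(events)
    report = {}
    for e in flag_foreign_logins(events):
        entry = report.setdefault(e["user"], {"foreign_ips": set(), "returned_after_reset": False})
        entry["foreign_ips"].add(e["ip"])
        if failures.get((e["user"], e["ip"]), 0):
            entry["returned_after_reset"] = True
    return report
```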
Increase Security – Stronger passwords and use of Multi-Factor Authentication.
It’s clear that anyone can be at risk and it only takes a momentary lapse of concentration to click on a suspect file and allow such an attack. A few things can be done to further protect against such an attack. Basic password rules:
- Make your password at least 10 characters long; the longer the better. Instead of a word, try using a phrase: this will naturally have more than 10 characters and will probably be easier to remember.
- Include both upper and lower case letters
- Include numbers
- Include punctuation symbols, e.g. @!"£$()
- Use a digital password safe for storing passwords of important accounts
As much as a good password is a starting point, it is not the end of the road. With reference to Office 365, but not exclusive to it, enabling multi-factor authentication (MFA) per user is strongly recommended. MFA provides an additional security layer for the system in question. After a user enters a username/email and password, this second layer requires a randomly generated unique code sent to a secondary device, generally a mobile device or dedicated key. This second factor serves as proof that the user logging in is who they say they are.
“If a hacker did manage to guess a password they wouldn’t get any further as they don’t have the second authentication method. The additional advantage is that the actual owner of the account being hacked would get a 2FA prompt on their phone; this will raise alarm bells that something isn’t right and they can take action, i.e. change their password.”