One of the most frequent concerns I hear from IT security practitioners and CISOs is the rise of phishing attacks coming from compromised trusted partners and contractors. The attackers use the initial victim’s real email account and existing long-established relationships with years of built up trust to as a way to more easily compromise additional victims.
How do you protect your organization when the phish is coming from someone you trust?
A lot of the traditional anti-phishing advice fails. The common recommendation of “Don’t click on links coming from strange email addresses” doesn’t work. This article will cover how third-party compromises often happen and what you need to do to better protect your organization against trusted third-party attacks.
How Trusted Third-Party Attacks Occur
It all starts with a trusted third party’s email account being compromised. In order for a third party’s email account to be taken over and abused by attackers, the attackers must first gain control. It can happen a variety of different ways, including:
- Stolen email credentials
- Compromised workstation
- Compromised email server
- Compromised admin credentials
By far, the two most common ways out of the list above are compromised email account credentials or a compromised workstation that contains an already working email client. Login credentials, which are often identical to a victim’s email credentials, are all over the Internet. There are literally over 10B previously stolen login credentials sitting in a few files on the Internet or dark web waiting for some hacker to attempt to exploit them.
It’s even more common for people to lose their current active login credentials to social engineering attacks. In fact, 70% to 90% of all malicious breaches are due to social engineering.
Once a victim’s email login credentials have been obtained, hackers have a variety of methods to manipulate a user’s email and email client remotely. There are a handful of hacker tools, most notably Empire PowerShell Post-Exploitation Toolkit, XRulez, and SensePost Ruler, which will allow a hacker to maliciously modify Microsoft Outlook, the Apple Mail app, and using regular scripted command-line options with Linux’s Mozilla Thunderbird, so that malicious emails can easily be sent remotely without a hacker ever being present on the involved computer containing the email client.
It is even more common for hackers to have access to a victim’s previously compromised computer. They don’t even need admin/root access to configure the victim’s email client, create malicious rules, or send new emails. If a hacker has admin access to an email server/service, they can do the same to the email server(s)/service on behalf of any email user the server(s)/services manage.
Phishers will comb through a victim’s Inbox and Sent items email folders to look for promising third-party receivers and scenarios to which the victim routinely corresponds. They are particular interested in compromising the email of people who send and receive payments (e.g., accounts payable, billing, payroll, department managers, etc.). Then they will send an email which looks roughly similar to something the victim has sent the trusted third party before, but with some sort of catch. The email will send a new invoice, request a bill paying detail update (e.g., such as sending payments to a new bank account, etc.), or update a payroll processing detail so the hacker gets a person’s paycheck sent to them. If they can find a way to scam money, they will. The hacker will usually create a new email rule that looks for incoming emails coming back from the third-party victim, forwards it to hacker, and deletes it from the legitimate receiver. Sometimes they will get a copy of all emails sent to the original victim so they can be on the lookout for when they finally get discovered.
Many times, the hacker will create an email rule that gives them a “backdoor” into the user’s system and all the hacker has to do is send an email with a “trigger keyword” in the email (e.g., Fr0g) that a malicious incoming email rule looks for to then take some malicious action. Some keywords may allow the hacker back into the system, others will send emails onto further victims, and others might end up causing an emergency wipe/format of the system in case the hacker gets discovered. Rules stay with email clients so even if the victim changes their passwords or gets an entirely new computer, the email rules don’t care about the password change or just automatically replicate to the new device.
The normal defenses apply: Use MFA if you can, use strong passwords, change them at least once a year, and don’t share passwords between different sites and services. It also can’t hurt to periodically check to see if your passwords have been exposed in a known breach. Don’t let hackers be the only ones that check.
If the user has an Open Authorization-enabled logon account, as most of us do, a victim can be tricked into providing a hacker with overly permissive OAuth permissions. OAuth phishing involves sending a potential victim a document, which when they download, can ask the user to approve a permissions request from a phisher. All the user has to do to become a victim is hit Enter or click on the Allow button. I cover OAuth permission phishing attacks in detail in a previous blog post.
No matter how someone’s email account and client are compromised, once done, an attacker can start sending phishing emails to other trusted receivers. Hackers love that most people aren’t aware of the popularity of trusted third-party phishing scams. They have been used millions of times and are far more successful for a phisher than a regular phishing or spear phishing campaign. And the hacker’s bounty is far higher per victim. All of this means that third-party phishes are going to continue to rise in popularity. If you haven’t seen one used against your organization, yet, you probably will. Be ready!
Defending Against Trusted Third-Party Phishes
Defending against trusted third-party phishes takes all the regular security awareness training you can give plus a few extras; designed distinctly to fight threats coming directly from legitimate, trusted partners. They include:
1. Make Everyone Aware of Trusted Third-Party Phishes
First, and foremost, simply making people aware of the growing threat of trusted third-party phishing is job number one! People can’t fight and defend against a threat they don’t know about. It’s like if you don’t know, like most of us already know, that Microsoft doesn’t proactively call you to help you with a computer virus, you are more likely to fall for the phone scam when it comes. When you know that Microsoft NEVER does that, it’s far easier to put down the scam immediately. You can chuckle in the caller’s face as you hang up the phone.
When you make people aware of trusted third-party phishing attacks and how they must be skeptical of even emails (and social media requests) coming from current business partners and friends, they can begin to better defend themselves. Make sure you include current examples of real-world, trusted third-party phishing scams and educate them about OAuth exploits. Overall, you must give them the relevant facts so they can begin a new way of thinking to fight all phishing.
2. Pay Attention to Action Requests More Than Email Addresses
Trusted third-party phishing means that receivers must be particularly skeptical of ANY request for an unusual or unexpected action, even when coming from a trusted business partner. Employees must be taught that any request that can manipulate financial transactions or confidential actions must be skeptically reviewed. Receivers need to ask themselves, “If I do this request and it’s rogue, can it possibly impact me or my organization?” If the answer is “Yes!”, then the receiver needs to figure out how they can verify the legitimacy of the request BEFORE performing it.
3. Make a Call
The quickest and simplest way to verify a request and avoid becoming a victim is to simply call the requester at a phone number that you already have or can easily look up and verify is related to the real organization requesting it. Do not verify a request by replying to the originator in email. Hackers often times have compromised the workstation or email client and intercepted verification emails back from the second victim. It happens all the time. It is how the scam works. And never call a phone number listed in the email requesting the action unless it is an already verified legitimate phone number. Hackers often change phone numbers in emails or the email signatures to point to their hard-to-trace voice-over-IP (e.g., Skype, etc.) phone numbers. I’ve heard good fake company phone numbers which include a human operator and “Please hold while I connect you” replies. They are really good at being imitated.
4. Look Out for Real Fake Companies
What I mean by this is that many of the most successful scam artists actually created real, incorporated companies which had names very similar to the real companies they were impersonating. They had articles of incorporation, bank accounts at legit real-world bank companies, invoicing, staff, payroll, and whatever else they needed to be seen as a real company. For example, the business email compromise (BEC) scam that took Facebook and Google for $100M involved a fake company.
Interestingly, the owners of these fake companies are more likely to be caught, arrested, and jailed when the scam comes falling down because they have a long legal paper trail that follows them. They know it, but it doesn’t seem to stop them from doing it. The key point here is that existence of a real, verified, company with a physical mailing address, an ongoing relationship, and so on, doesn’t mean the company is legit.
Upon reflection, usually there are multiple signs of a scam being committed. The scammer usually has to convince the existing victim’s staff to re-route existing and future payments to their new bank and bank accounts. Anytime anyone requests you or your staff to start sending payments to a new bank and bank account, be highly suspicious. Always call the legitimate company on a previously known valid phone number first to verify.
5. Watch Out for Long Setup Pretexting
Many of the more elaborate scams started out with seemingly innocent “pre-texting” conversations. For example, an email will arrive from a business partner letting you know they will be changing banks and updating routing registration information in a few days or next week. The idea is they want to lull the victim and prepare them for the coming real, bigger ask that comes later on. Most third-party phishing scams try to begin the penultimate part of the scam right in the first email. It’s immediate and obvious. But the bigger and most successful ones realize they can reduce suspicion by playing it a little slow at first.
On the same note, realize that the criminals behind these types of scams will go to great lengths to fool you. Dozens of emails, multiple phone calls, and lots of legal documents are often involved in these scams. The length of the scam and the multiple other forms of legitimate communication over time can lull the victim’s early suspicion. Scammers are even known to get local (to the victim) bank accounts and mailing addresses, even if the scammer is located in a different country.
For example, one foreign scammer used local “drop box” mailing addresses to appear as a legitimate nearby buyer seeking computer equipment from a reseller. They had asked for net 30 terms (pay 30 days after the receipt of the equipment) instead of the normal 100% pay in full ahead of the purchase terms. Had the victim fallen for the scam, he or she would have been responsible for the equipment they were shipping from Dell to the scammer. The involved company avoided becoming a victim by recognizing that it was strange that the people they had been talking and had foreign offices, claim to have a local mailing address which was a drop box postal office, and wanted net 30 payment terms. All together it was enough for them to pullback at the last minute and avoid a big scam bill.
6. Call Law Enforcement
Getting law enforcement involved rarely helps arrest the online scammer, especially if they are originating in another country. But often times, the long-term nature of these scams and the involved legitimate, legal paper trails can assist law enforcement with prosecutions. For those reasons, get your legal representatives to call the appropriate law enforcement agency. It can’t hurt. Although you must recognize that once you call law enforcement, they can start legal proceedings and obtain subpoenas that take any investigation out of your control. They can even remove your computer equipment and harm operations, so be aware that getting law enforcement involved can be a dual-edged sword. Most of the time that, doesn’t happen and law enforcement is more than willing to work with you to make sure your operations and interests are not harmed. And having your legal team involved from the beginning helps keep all communications from your company privileged, meaning less likely to be used against you in a court of law if it comes to that.
7. Warn the Original Victim Company
It goes without saying that you need to let the legitimate, involved partner know that they are compromised. If possible, do it in a phone call to a legitimate, known phone number. You don’t want to give scammers or hackers any warnings in case they are monitoring email, as they often do.
8. Don’t Become That Compromised Third Party
Make sure you and your organization don’t become that original, compromised party that then becomes used to compromise other partners. That not only means doing your normal defense-in-depth defenses, but also making sure to educate your employees and partners about the risks. For financial transactions, tell your partners to be skeptical of any sudden changes in invoicing or billing. Tell them to call you on a legitimate phone any time a change in financial information is requested. Make it a written, enforced policy that your staff do the same for requests from other companies. Make policies that make it hard for spear phishes to be successful. Send them this article.
Trusted third-party phishing is a growing risk to all organizations. Employees need to be made aware of such scams, given examples, and told how they can defeat them. Beyond general awareness, this means being super skeptical of any unexpected change in financial or billing information, regardless of whether the request comes from an existing person they already know and have business with (or not). Any changes should be confirmed using a phone call to a predefined, legitimate, known phone number before changing. Make it a habit. Make it a policy.