Email Sandboxing isn’t enough to secure data against a Phishing attack
In the ongoing data security war our support team is on the front line, helping many new businesses recover from, and prevent, security breaches, including Phishing attacks.
We’ve put this blog together because we feel it is our responsibility to spread awareness of these evolving attacks, and of the proactive and reactive methods of preventing them. Right now, some of the leading services we use daily to protect client data include Veeam Cloud Connect Backup and Replication and CloudCover 365.
As both the threat of Ransomware and Phishing and awareness of it spread, businesses may be patching known vulnerabilities, but hackers are also busy evolving and implementing more complex and creative ways to exploit business data.
Phishing with a twist
The most common Phishing attack is a seemingly credible email from a known source that includes a link to a spoof website, for example Amazon alerting you to a payment issue. When you log in to your account on the spoof website, your credentials are delivered to the hackers and your data security is compromised. This practice can also be business targeted, with emails tailored to an organisation and spoof versions of websites such as Xero and online banking services, causing serious damage to organisations if a user enters admin credentials.
How to identify a Phishing attack
Employee training is core to preventing both Ransomware and Phishing breaches. Training users to check domain addresses, spelling and SSL certificates as a matter of habit can go a long way, and encouraging employees not to open unsolicited email attachments or click links should be standard practice. As well as education around these tell-tale signs, many organisations also opt for an email sandbox tool to scan and quarantine emails received by the organisation for any signs of threat.
Unfortunately, hackers have now found a way around traditional sandboxing as the first line of defence, and at the end of the day, we’re all humans who make mistakes.
Another level of Phishing
Sandboxing tools typically scan the enclosed content and URLs at the top level only. They’ll scan any initial links embedded in the email and, if they look legitimate, allow delivery. Although this technology is a staple for most organisations, what the tools traditionally don’t do is follow and scan the links found on the web page that the initial link leads to.
Our involvement with evolving Phishing attacks
It was this vulnerability that led to an organisation contacting us after falling for one of these attacks. The business was using OneDrive to distribute files internally and externally, and many of its employees received an email from OneDrive informing them that a colleague had shared a file with them – a legitimate email.
Both the link and the email were from an official OneDrive domain, and clicking the link took the user to an official OneDrive page with the following content:
Clicking ‘access document’ without a second thought, users understandably didn’t realise that the file was a publicly shared image open to anyone to access. Clicking the link embedded in that image then sent the users to a Microsoft login screen where they had to enter their credentials to access the file.
At this point, employees were unknowingly entering their details into a spoof Microsoft login page which looked identical to the real Microsoft page, but the data entered was captured on submission. Although the URL clearly wasn’t an official Microsoft domain, to avoid SSL warnings the hackers went so far as to host the page on an HTTPS platform (probably also hacked) with a valid SSL certificate.
The username and password fields on this page were fully working; however, the ‘create an account’ and ‘forgotten password’ links were plain text with no URL behind them. Employees in a hurry could be forgiven for thinking that this was the legitimate download process for a file shared by a colleague.
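The two gaps described above, the sandbox that never follows the link on the shared page and the spoof login page whose ‘create an account’ and ‘forgotten password’ links lead nowhere, can both be checked mechanically. The Python below is an added example written for this post, not virtualDCS tooling or anything the attackers used. It parses a page’s HTML and (a) lists the links one hop below the emailed URL that point outside an allow-list of expected domains, and (b) reports indicators that a sign-in page is a credential-harvesting spoof: a password form served from, or posting to, an untrusted host, and navigation text with no real link behind it. The allow-list TRUSTED_DOMAINS is an assumption, and the three HTML samples are constructed, with placeholder hosts under the reserved .invalid domain.

```python
# Added example, not virtualDCS code. Assumptions: TRUSTED_DOMAINS is a
# placeholder allow-list; the HTML samples are constructed, with .invalid hosts.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED_DOMAINS = {"onedrive.live.com", "1drv.ms", "login.microsoftonline.com"}
# Navigation links a genuine sign-in page always backs with a real URL.
EXPECTED_NAV_LINKS = ("create an account", "forgotten password")


class _PageParser(HTMLParser):
    """Collects anchors, form actions, visible text and password inputs."""

    def __init__(self):
        super().__init__()
        self.anchors = []        # (anchor text, href or None)
        self.form_actions = []   # action attribute of each <form>
        self.text_chunks = []    # all visible text, for dead-link detection
        self.has_password_field = False
        self._anchor = None      # [href, text so far] while inside <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._anchor = [a.get("href"), ""]
        elif tag == "form":
            self.form_actions.append(a.get("action"))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._anchor is not None:
            self._anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, text = self._anchor
            self.anchors.append((" ".join(text.split()), href))
            self._anchor = None


def _parse(html):
    p = _PageParser()
    p.feed(html)
    p.close()
    return p

def _host(url, base):
    """Hostname of url resolved against base, so relative links work."""
    return (urlparse(urljoin(base, url)).hostname or "").lower()

def _trusted(host, trusted):
    return any(host == d or host.endswith("." + d) for d in trusted)

def _is_real_href(href):
    return bool(href) and not href.strip().startswith(("#", "javascript:", "mailto:"))

def untrusted_links(html, page_url, trusted=TRUSTED_DOMAINS):
    """Links one hop below the emailed URL that point outside the allow-list."""
    page = _parse(html)
    return [(text, href) for text, href in page.anchors
            if _is_real_href(href) and not _trusted(_host(href, page_url), trusted)]

def login_page_indicators(html, page_url, trusted=TRUSTED_DOMAINS):
    """Signs that a sign-in page is a credential-harvesting spoof."""
    page = _parse(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    found = []
    if page.has_password_field and not _trusted(page_host, trusted):
        found.append(f"password form on untrusted host: {page_host}")
    for action in page.form_actions:
        target = _host(action, page_url) if action is not None else ""
        if target and target != page_host:
            found.append(f"form posts credentials to another host: {target}")
    # The spoof page in the post showed these as plain text with no URL behind them.
    visible = " ".join(" ".join(page.text_chunks).split()).lower()
    for phrase in EXPECTED_NAV_LINKS:
        linked = any(t.lower() == phrase and _is_real_href(h) for t, h in page.anchors)
        if phrase in visible and not linked:
            found.append(f"dead navigation link: '{phrase}'")
    return found


# Constructed samples modelled on the incident described; hosts are placeholders.
SAMPLE_SHARE_PAGE = """<p>A colleague shared a document with you.</p>
<a href="https://spoof-login.invalid/login">Access document</a>"""

SAMPLE_SPOOF_LOGIN = """<form action="/collect" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd">
<input type="submit" value="Sign in"></form>
<span>Forgotten password</span> <a>Create an account</a>"""

SAMPLE_GENUINE_LOGIN = """<form action="/common/login" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd"></form>
<a href="/recover">Forgotten password</a> <a href="/signup">Create an account</a>"""

if __name__ == "__main__":
    print(untrusted_links(SAMPLE_SHARE_PAGE, "https://onedrive.live.com/redir?id=constructed"))
    print(login_page_indicators(SAMPLE_SPOOF_LOGIN, "https://spoof-login.invalid/login"))
    print(login_page_indicators(SAMPLE_GENUINE_LOGIN, "https://login.microsoftonline.com/"))
```

Run against the constructed share page, untrusted_links returns the single ‘Access document’ link to the placeholder host, which is exactly the hop a top-level-only sandbox would have let through; run against the spoof login sample, login_page_indicators flags the untrusted host and both dead navigation links, while the genuine-looking sample produces nothing. The checks are heuristics and an allow-list is only as good as its maintenance, but the point is that the second hop is cheap to inspect.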
Using the Microsoft credentials and information gathered, the hackers have several ways to profit from the stolen data. They could scan and collect additional details, such as bank records and any valuable files from the user’s Microsoft account, and they could even sell the email access back to a business if enough accounts were collected and compromised.
Unfortunately, the cycle doesn’t end with one set of user accounts. As before, the compromised email address is then used to forward the exact same compromising email to the employee’s contacts, in a continuous loop in which the hackers collect more and more data.
All of this was the result of hackers taking advantage of a simple Sandboxing tool vulnerability. Thankfully, the website has now been reported and shut down, but it would be simple for hackers to replicate this method of Phishing through another OneDrive account combined with a new domain.
Protecting your business against Cyber-criminals
Preventing the sophisticated method above relies on proactive security, deeper levels of sandboxing and training, but hackers are constantly evolving, and user error will always be the biggest vulnerability of all.
Although data loss was unavoidable in this situation, a comprehensive backup strategy, in addition to proactive security, offers a vital lifeline should something slip through the net.
Ransomware can also be spread using a similar tactic to that described, with users tricked into downloading a virus, seemingly from a colleague. Once a system is encrypted, the company would have to pay a ransom to the hackers to access the information once more or revert to a clean backup.
You can read more about Ransomware and Ransomware as a Service attacks here.
If the worst should happen, your business needs to get back up and running as quickly as possible. If you’ve been hit by Ransomware, we’ll always advise not to pay the ransom: you’re not guaranteed to receive the decryption key even after payment, and paying encourages repeat crimes.
Instead, if you have a robust backup strategy in place, you should be able to revert to a point before the attack to retrieve the data. With both Phishing attacks and Ransomware, we advise a full investigation to ensure that all vulnerabilities are patched and further data loss is mitigated.
Having a robust recovery strategy in place is where we can help. If you’d like to speak to the team about the best way to protect your data, you can email enquiries@virtualDCS.co.uk, or call 03 453 888 327. You could even send us a Tweet! We’re more than happy to provide some advice on the best way forward for your business, with no obligations.
You can also claim a free 30 day trial of Veeam Cloud Connect Backup and Replication, one of our leading off-site data backup solutions.