A Real Case of Identity Theft with Multiple Stages

Recently, a manufacturing enterprise in Africa was hit by a wave of identity theft incidents. The enterprise is a Microsoft Office 365 subscriber.

The customer's security vendor noticed a surge in detected phishing events. Approximately 8,000 rogue mails were sent from 2 mailboxes inside the organization. Yes, I am saying these mails came from people who work in the company. The body of the mail looks like this.

An innocent-looking notification from the IT Helpdesk. We often see them sitting in our inbox. Boring, but we still have to follow the instructions in the notification.

What actually happened in this incident? According to the security vendor's analysts, it might have started with one phishing email to a privileged account. A disguised phishing mail lured the user into clicking the link and handing his/her secret to the dude in the shadows.

In the old days, malware only needed to blast spam to the Internet from internal networks. That doesn't really generate much profit. By manually exporting the organization's directory, hackers now have a higher chance of a big return. Using the compromised account, the bad guys sent another wave of phishing mails to the names in the directory.

Too bad. Now everyone inside the company has the chance to see a sophisticated phishing mail, including the management team. This is even worse than the first wave – this second wave is actually from the outbox of the privileged account!

The CFO is more likely to click the links in the phishing mail, because the sender, the IT expert inside the organization, has endorsed it.

Once the CFO turns in his/her secret, we arrive at a scene we are all familiar with. The bad guys send out instructions from the CFO's mailbox. They can do whatever they want.

Rewinding to the beginning, it's clear that the first wave should have been stopped to avoid the catastrophe. Even if you have purchased an Office 365 protection plan, it's still worth having an extra layer as a fail-safe.
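The second wave described above, one internal mailbox suddenly mailing most of the directory, is visible in message-trace data. The following is an added detection sketch, not code from the vendor or from Mr. Post; the record layout `(timestamp, sender, recipient)`, the one-hour window, the 50% coverage threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_internal_fanout(trace, directory, window=timedelta(hours=1), min_coverage=0.5):
    """Return {sender: coverage} for internal senders that mailed at least
    min_coverage of the other directory entries inside one sliding window."""
    directory = {a.lower() for a in directory}
    if len(directory) < 2:
        return {}
    by_sender = defaultdict(list)
    for ts, sender, rcpt in trace:
        s, r = sender.lower(), rcpt.lower()
        # Only internal-to-internal mail matters for this check.
        if s in directory and r in directory and r != s:
            by_sender[s].append((datetime.fromisoformat(ts), r))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start, best, counts = 0, 0, defaultdict(int)
        for ts, rcpt in events:
            counts[rcpt] += 1
            # Drop events that fell out of the window ending at ts.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))  # distinct recipients in window
        coverage = best / (len(directory) - 1)
        if coverage >= min_coverage:
            flagged[sender] = round(coverage, 2)
    return flagged

# Constructed sample: a 10-entry directory and three senders.
DIRECTORY = [f"user{i}@example.test" for i in range(1, 10)] + ["helpdesk@example.test"]
SAMPLE_TRACE = (
    # Compromised internal mailbox: 8 colleagues within 8 minutes.
    [(f"2024-01-15T09:{i:02d}:00", "helpdesk@example.test", f"user{i}@example.test")
     for i in range(1, 9)]
    # Normal internal user: 6 colleagues, one mail per hour.
    + [(f"2024-01-15T{9 + i:02d}:00:00", "user1@example.test", f"user{i + 1}@example.test")
       for i in range(1, 7)]
    # External bulk sender: ignored, the sender is not in the directory.
    + [("2024-01-15T09:00:00", "news@external.test", f"user{i}@example.test")
       for i in range(1, 10)]
)

if __name__ == "__main__":
    print(flag_internal_fanout(SAMPLE_TRACE, DIRECTORY))
```

Legitimate all-staff senders (HR, internal announcements) will cross the same threshold, so a real deployment would keep an allowlist for them and alert on everything else.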

Don’t be the next fraud victim. Install Mr. Post on Microsoft AppSource at zero cost!


2019-03-27T03:05:01+08:00 | August 29th, 2018 | Insight