It’s a sad reality that phishing attacks are taking impersonation to all new levels, and criminals are constantly evolving their techniques to try and evade detection.
In 2019, we have seen phishing attacks reach new levels of creativity and sophistication in order to capture important personal information or business data.
With more and more businesses moving to Office 365, it has become a common theme for criminals' phishing emails.
There are many types of email that allow criminals to target and compromise user credentials. One set of these is collectively known as ‘Man in the Middle attacks’.
What is a Man-in-the-Middle Attack?
A ‘Man-In-The-Middle’ is a third party, who intercepts communication between two systems.
In the context of business email use, this can happen in a number of ways.
What is the starting point?
The first stage is the compromise of a user’s credentials.
This can occur through malware on their machine, or as the result of a phishing email. The email contains a malicious URL that takes the end user to a fake login page, where their details are requested.
If the end user enters their credentials, these are then used to gain access to their corporate email system and the attack gets underway.
Once the cyber-criminal has access to the corporate email system, rules are often created to forward copies of all emails received to a third party. This allows the attacker to monitor email traffic between the victim and their contacts.
A domain name very similar to the legitimate business domain will be registered and an email account configured. This lets the attacker impersonate the victim, sending emails that appear to come from them.
How the crime is completed:
Once the attacker discovers an email thread with a third party or finance provider, they spring into action…
Inbound emails are deleted from the victim’s compromised mailbox so that they are not aware of the malicious activity taking place; only the attacker can see the email communication.
Emails are then sent to the third party from the attacker (via the newly registered domain) asking them to change payment details to another bank account controlled by the attacker.
The criminal intends to create a situation where legitimate funds will be transferred into their own bank account, completing a theft. In most cases the victim is not aware until well after this is completed, and these attacks can be very challenging to investigate and prosecute.
How can you protect yourself and your business from these attacks?
There are a range of options to better protect yourself, including:
- Multi Factor Authentication – Removes a lot of the risk of compromised credentials
- Conditional Access
- Alerts setup when email forwarding rules are created
- End User Education
- Phishing Testing
- Email Encryption with critical suppliers/third parties
- Robust business processes
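The post describes the attacker creating forwarding rules in the compromised mailbox and recommends alerting when such rules are created. Below is an added example (not code from the original post or from Tribeca) of what that alert logic can look like: it scans audit-log records for inbox-rule and mailbox changes that forward or redirect mail, flags destinations outside the business's own domains as high severity, and notes when the rule also deletes or marks messages as read, the behaviour used to hide the activity from the victim. The sample records are constructed and only approximate the shape of Office 365 Unified Audit Log output (an `Operation`, a `UserId` and a `Parameters` list of `Name`/`Value` pairs); the internal domain list and all addresses are assumed values.

```python
import re
from typing import Dict, Iterable, List

# Domains the business owns (constructed example value; replace with your own).
INTERNAL_DOMAINS = {"example.com"}

# Audit-log operations that can set up forwarding. These are the Exchange Online
# cmdlet names as they appear in the Operation field; Set-Mailbox covers
# mailbox-level forwarding rather than an inbox rule.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Parameters whose presence means mail is sent on to another address.
FORWARDING_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress", "ForwardingAddress")

# Rule parameters that hide the forwarded mail from the mailbox owner.
HIDING_PARAMETERS = ("DeleteMessage", "MarkAsRead")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records (assumption: real exports carry many more fields;
# only the ones this check reads are included).
SAMPLE_AUDIT_RECORDS = [
    {"CreationTime": "2019-09-02T08:14:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "invoices@example-payments.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-09-02T09:30:00", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Cover"},
                    {"Name": "RedirectTo", "Value": "Carol <carol@example.com>"}]},
    {"CreationTime": "2019-09-02T09:31:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@example.com", "Parameters": []},
    {"CreationTime": "2019-09-02T11:02:00", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "alice"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:drop@mailbox.example.net"}]},
    {"CreationTime": "2019-09-02T12:45:00", "Operation": "New-InboxRule",
     "UserId": "dave@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def extract_addresses(value: str) -> List[str]:
    """Pull plain addresses out of values such as 'smtp:x@y' or 'Name <x@y>'."""
    return [a.lower() for a in EMAIL_RE.findall(value)]


def find_forwarding_alerts(records: Iterable[Dict],
                           internal_domains=INTERNAL_DOMAINS) -> List[Dict]:
    """Return one alert per forwarding destination found in the audit records."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        # A rule that also deletes or marks mail as read is hiding its activity.
        hides_mail = any(params.get(n, "").lower() == "true" for n in HIDING_PARAMETERS)
        for name in FORWARDING_PARAMETERS:
            for addr in extract_addresses(params.get(name, "")):
                external = addr.rsplit("@", 1)[1] not in internal_domains
                alerts.append({
                    "time": rec.get("CreationTime"),
                    "mailbox": rec.get("UserId"),
                    "operation": rec["Operation"],
                    "parameter": name,
                    "destination": addr,
                    "hides_mail": hides_mail,
                    # Internal redirects happen legitimately; external ones are the
                    # pattern described in the post and deserve immediate review.
                    "severity": "high" if external else "low",
                })
    return alerts


if __name__ == "__main__":
    for alert in find_forwarding_alerts(SAMPLE_AUDIT_RECORDS):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['mailbox']} "
              f"{alert['operation']} {alert['parameter']} -> {alert['destination']}"
              f"{' (hides mail from owner)' if alert['hides_mail'] else ''}")
```

In practice the records would come from an audit-log export or a SIEM feed rather than an inline list, and the high-severity alerts would be routed to whoever can disable the rule and reset the account. The check deliberately treats mailbox-level forwarding (`Set-Mailbox`) the same as inbox rules, since either route takes a copy of the victim's mail out of the organisation.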
We hope this insightful blog prompts you to review your security arrangements, and empowers you to be better protected as a result.
If you would like some help, or recognise that this sort of advice and awareness is more critical than ever, please do get in touch. We’ll be pleased to chat through your needs and offer some advice.
At Tribeca, we have over 13 years of cyber security experience and are Cyber Essentials accredited. Our technical team can provide the exact support you need throughout your entire cloud security journey.
We look forward to hearing from you.
Tel +44 (0)203 475 8732