Imagine you’ve just made a huge investment in your business after months of research and discussions. This year has been difficult financially with COVID, but you are pushing through with a will to succeed. You’re all set to make the funds transfer and have just pressed the ‘confirm’ button, yet something is bothering you about the last few emails with your investment company. Why did the investment company change their banking details at the last minute? And why have some of the key people in the deal not weighed in on those changes? The investment is a lot of money for you, and you’ve lost sleep over this.
The next day you review your emails with the investment company and everything looks fine, except for an old signature being used which catches your eye – a near-undetectable difference. Have you been hacked? Why did this happen?
You were hacked, and you were being watched for a long time. How did the hackers insert themselves into an email chain without being noticed? How did they know all the relevant names, places, and details going months back? They are incredibly skilled, and now you’ve wired a large sum of money to a stranger.
This exact scenario has happened to a client of ours, and unfortunately similar hacks happen far too often. Since COVID the number of hacks we deal with has grown by 75%. COVID is the perfect scenario for hackers as people are stressed, financially under pressure, and more vulnerable to scammers. Hackers prey on people during difficult times such as natural disasters and pandemics, and they often target the elderly or disadvantaged. Below is a story of a recent hack, how CROFTI helped the client, and how you can put the proper security procedures in place to prevent this happening to you.
At CROFTI we have helped many clients track down suspicious wire transfers. In one example recently, our client had nearly become the victim of a million-dollar wire transfer fraud scheme, and they only caught it at the last minute. Thankfully, they were able to contact their bank, report the fraud, and have the transfer cancelled. It took more than 48 agonising hours for the bank to confirm the cancellation and save their business from losing millions of dollars. It could have gone so wrong, and unfortunately in most cases people are unable to recover the money.
Our client wanted to know how they got hacked and scammed, so our investigation set about uncovering the truth. Not long before the hack, company staff had their Office365 accounts compromised. The hackers were able to log onto the client's Office365 accounts and set up forwarding rules that sent every received email to Gmail accounts owned by the hackers. The forwarded messages in the client's Office365 mailboxes were then deleted to hide any evidence that this had ever happened.
All the hackers had to do was sit back and watch the Gmail account for discussions of contract negotiations and fund transfers. In our client’s case, the hacker had hit the jackpot with a million-dollar investment in the works. They created a new rule forwarding any emails about the wire transfer, applied this to multiple email accounts within the organisation, deleted evidence of the forward, and used previous email chains to write a fake response.
To the client, aside from the slight change in email signature, the forgery looked exactly like a reply to an ongoing email conversation they were expecting. The hacker wrote a convincing response about a last-minute change in banking details. While our client thought it was odd, they proceeded with the wire transfer. This is what hackers are waiting for, and their response with the change of banking details came less than 15 minutes after the last legitimate email.
Shortly after transferring the funds, our client realised something wasn't right and contacted CROFTI to assist them. We started by investigating the situation and running message traces across Office365 to confirm the event had happened. Once confirmed, we reset all users' Office365 passwords and removed every malicious rule found in the affected users' inboxes.
We also ran a search of the DarkWeb and found 15 accounts that had been compromised over the year. We then used PowerShell to investigate the Office365 tenant and found that multiple accounts had been hacked and watched, with several inbox forwards set up.
Next, we ran a message trace on all emails sent to the offending Gmail account and hit the reporting limitations of Office365. The offending Gmail account was reported to Google and to the Australian Government's Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme, and the client had to notify their entire customer database of the compromised mailbox and the potentially leaked information.
A hack like this can cost companies millions. There is the loss from the hack itself, the downtime of internal staff helping with the investigation, and the cost of the external resources required on the ground throughout the entire process. Not to mention the huge amount of stress it puts everyone under.
The moral of the story is to put preventative measures in place to protect yourself from hackers. Don’t let this happen to you!
How to Protect Your Business against Hackers
There are several security policies Office365 users can implement that prevent or limit damage from this type of compromise. We’ve outlined some of these strategies below (at different levels and price points) and recommend discussing which option is most suitable for your business.
Zero cost mitigation strategies:
- Enable two-factor authentication. This strengthens your security because both a token and a password are needed to log into Office365. Periodic re-authentication is required, so the token is checked on every web login and a stolen password alone is not enough to get in.
- Disable forwarding rules on all company emails. This prevents a compromised account from automatically forwarding emails outside the organisation.
- Implement complex and rotating passwords. Passwords that never change or are simple are easier to crack. Threats to email accounts are lessened if passwords go through more frequent rotations and have letters, numbers and symbols.
- Urge employees to conduct periodic reviews of mail rules and forwards. This encourages employees to be aware of their own settings and improves their ability to recognise if their account has been compromised.
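The PowerShell investigation described above and the two rule-related mitigations in this list can be carried out in one pass with Exchange Online PowerShell. The script below is an added example, not CROFTI's own tooling; it assumes the ExchangeOnlineManagement module is installed, that you have already run Connect-ExchangeOnline as an administrator, and that the placeholder domain yourcompany.example is replaced with your own accepted domain(s).

```powershell
# Added example (not CROFTI's script). Assumes Connect-ExchangeOnline has already
# been run. Replace the placeholder below with your tenant's accepted domains.
$InternalDomains = @('yourcompany.example')   # placeholder, not a real domain

function Test-External {
    param([string]$Address)
    if (-not $Address) { return $false }
    if ($Address -match '\[EX:') { return $false }   # legacy internal recipient
    # Rule recipients look like "Name [SMTP:user@domain]"; mailbox forwarding
    # looks like "smtp:user@domain"; both are reduced to the bare address here.
    $addr = if ($Address -match 'SMTP:([^\]]+)') { $Matches[1] } else { $Address }
    $domain = ($addr -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

# 1. Hunt: every inbox rule in the tenant that forwards or redirects mail
#    outside the organisation, plus the delete flag that hides the evidence.
$Findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { Test-External $_ }
        if ($external) {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Rule      = $rule.Name
                Enabled   = $rule.Enabled
                ForwardTo = ($external -join '; ')
                Deletes   = $rule.DeleteMessage   # $true = forwarded copy is deleted
            }
        }
    }
    # Forwarding set directly on the mailbox, which no inbox rule will show
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = '(mailbox forwarding)'
            Enabled = $true; ForwardTo = $mbx.ForwardingSmtpAddress
            Deletes = -not $mbx.DeliverToMailboxAndForward }
    }
}
$Findings | Format-Table -AutoSize

# 2. Contain: after reviewing the list, remove the offending inbox rules
# $Findings | Where-Object Rule -ne '(mailbox forwarding)' |
#     ForEach-Object { Remove-InboxRule -Mailbox $_.Mailbox -Identity $_.Rule -Confirm:$false }

# 3. Prevent: block automatic forwarding to all external domains tenant-wide
Set-RemoteDomain Default -AutoForwardEnabled $false
```

Step 1 is safe to run repeatedly as the "periodic review" above; steps 2 and 3 change the tenant, so run them only after the findings have been reviewed.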
Low cost mitigation strategies:
- Use Advanced Threat Protection for Office365. This provides a layer of security against email spoofing and phishing scams, and helps block the malware delivered by email and the wire transfer / social engineering fraud that follows it.
- Train employees on cybersecurity strategies. Knowledge about email, web, and computer security improves your ability to recognise anything unusual and reduces one of the most common cyber threats – employee-caused data breaches.
- DarkWeb monitoring. This allows your email domain to be monitored on an ongoing basis to ensure your accounts and passwords haven't been leaked onto the DarkWeb.
High cost mitigation strategies:
- Upgrade to E5 Licensing. This Office365 licence tier provides behaviour analysis alerts and automatic actions, including automatic account lockouts, forced re-authentication for email, and geo-location login alerts. E5 licensing is recommended for high-risk employees such as executive staff members, those in a finance role, executive assistants, or anyone who influences financial transactions.
- Office 365 and SharePoint Backup. This is not a prevention but rather a solution to keep your company running in the event you are hacked. Ensuring your Office365 and SharePoint data is backed up at all times allows you to quickly restore if required. This means minimal downtime for your business.
The threat to your business from data breaches is not going away. Hackers are only becoming more sophisticated. Whether through your email or a weak point in your network, hackers will find any vulnerability and try to exploit it. At CROFTI we can help you prepare for threats and put the proper tools and practices in place to prevent and limit the damage. We have a team of professional IT engineers ready to educate you and prevent these cyberattacks from happening to your company. Visit us at www.crofti.com.au, send us an email at firstname.lastname@example.org or give us a call at 07 3067 0001.