Overview:
A sophisticated new supply chain attack, dubbed PoisonSeed, is systematically compromising customer relationship management (CRM) and bulk email providers to execute cryptocurrency theft at scale.
Business Impact:
The campaign targets the very infrastructure that organizations rely on for customer communications, creating significant organizational risk.
Once cyber criminals obtain delivery system access, they start sending out malicious emails with a given company’s branding.
In the absence of strong email security, recipients will not immediately know that they are receiving an illegitimate, compromised communication.
In turn, customers, partners and others who regularly receive communications from a given enterprise may bear the consequences, such as an influx of convincing scams aimed at their employees.
Several major internet infrastructure providers have already fallen victim to this attack. Their email accounts have been used to distribute fraudulent cryptocurrency communications, in turn triggering forensic investigations and remediation efforts – at significant cost.
Attack Methodology:
The threat actors behind PoisonSeed first deploy convincing phishing pages that mimic the login portals of major CRM platforms in order to harvest administrator credentials.
After harvesting the credentials and gaining account access, the threat actors establish new API keys, enabling them to maintain persistence even after password resets.
They then export the organization’s contact databases and email lists in order to obtain access to thousands of potential victims.
Using the compromised platform, the criminals send out emails, en masse, that appear to come from the trusted organization. The emails typically contain cryptocurrency-related messages. They urge individuals to set up new wallets or to migrate existing ones.
The emails provide victims with specially crafted “seed phrases” that victims are instructed to use when configuring their cryptocurrency wallets.
Victims create wallets using the provided seed phrases while unaware of the fact that anyone who knows a wallet’s seed phrase has complete access to it.
The attackers patiently wait until a significant amount of money has been deposited into these wallets. When the time is right, the attackers use the seed phrases that they provided to victims and drain the wallets entirely.
By the time that victims recognize the issue, the funds have vanished, and the organization whose email was compromised will suffer from reputational damage, regulatory investigations, fines and the like.
PoisonSeed’s delayed approach is what makes it a dangerous beast. Victims do not immediately know that they have been compromised, enabling attackers to maximize their gains while obscuring their footprints.
Key Takeaways:
Protecting an organization requires a multi-layered prevention and defense strategy. Implement rigorous monitoring of all CRM and email platform API access patterns. Pay attention to bulk data exports and new API key creation.
Establish strict governance controls for email service provider access. This can include multi-factor authentication and IP restrictions.
Deploy comprehensive email authentication through DMARC, SPF and DKIM. Enforcement policies should be set to reject. Regular security assessments of all email service providers should also be incorporated into your third-party risk management program.
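One way to operationalize the API monitoring above, as an added example that is not from the post or from Check Point: a small Python correlation over constructed CRM audit-log events (hypothetical schema, not any vendor's real format) that flags an API key creation followed by a bulk contact export by the same account within a short window, the sequence described in the attack methodology.

```python
"""Correlate CRM/ESP audit events for the PoisonSeed access pattern:
new API key created, then a bulk contact export shortly afterwards.
The event schema and sample log lines below are constructed for this
example and do not reflect any specific vendor's audit log format."""
from datetime import datetime, timedelta

# Constructed sample events: one admin account creates a key and exports
# 48,000 contacts through it; a second account does a small routine export.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:02:11Z", "account": "admin@corp.example", "action": "login", "ip": "203.0.113.5"},
    {"ts": "2025-04-01T09:04:30Z", "account": "admin@corp.example", "action": "api_key.create", "ip": "203.0.113.5", "key_id": "k_7f2"},
    {"ts": "2025-04-01T09:20:02Z", "account": "admin@corp.example", "action": "contacts.export", "ip": "203.0.113.5", "key_id": "k_7f2", "records": 48000},
    {"ts": "2025-04-01T10:00:00Z", "account": "ops@corp.example", "action": "contacts.export", "ip": "198.51.100.9", "records": 120},
]

BULK_THRESHOLD = 5000          # records per export; tune to normal volumes
WINDOW = timedelta(hours=24)   # max gap between key creation and export


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_key_then_export(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return one alert per bulk export that follows an API key creation
    by the same account within `window`. If the export records which key
    was used, it must match; UI exports without a key_id still correlate."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_keys = {}  # account -> [(created_at, key_id), ...]
    alerts = []
    for e in events:
        t, acct = parse_ts(e["ts"]), e["account"]
        if e["action"] == "api_key.create":
            recent_keys.setdefault(acct, []).append((t, e.get("key_id")))
        elif e["action"] == "contacts.export" and e.get("records", 0) >= threshold:
            for created, key_id in recent_keys.get(acct, []):
                in_window = timedelta(0) <= t - created <= window
                key_matches = e.get("key_id") in (None, key_id)
                if in_window and key_matches:
                    alerts.append({
                        "account": acct, "key_id": key_id,
                        "records": e["records"], "export_ip": e["ip"],
                        "minutes_after_key": int((t - created).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for a in detect_key_then_export(SAMPLE_EVENTS):
        print("ALERT: bulk export after new API key:", a)
```

Feeding the same logic a new-IP check (export source not in the account's historical IP set) is a natural second signal when the platform's audit log carries source addresses.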
Harmony Email & Collaboration:
Tools like Check Point’s Harmony Email & Collaboration are specifically designed to counter sophisticated supply chain email threats, like PoisonSeed. With Harmony Email & Collaboration, advanced AI engines can stop phishing attempts that originate from legitimate, yet compromised, accounts within your supply chain.
For comprehensive protection against evolving email threats, contact Check Point’s security experts or get a product demo here.