Check Point Email Security | Blog

What to Do After You Have Fallen Victim to a Phishing Attack

Written by Yoav Nathaniel | September 28, 2017

Even if you could block 100% of malware and phishing, it is still possible to have a compromised account: a lost post-it note, a massive LinkedIn-style password breach, a re-used password. There are a number of ways that an attacker might gain access even with the best security in place. It is good practice to monitor for failed login attempts and new devices, but these alerts often get lost in the noise of daily events. Even watching for remote international connections has become less effective now that many attackers proxy their attempts through free VPNs located in your own geography.

What is the risk? First, any data within the compromised account is now lost. More importantly, the hackers will now springboard from one compromised account to take over other accounts in your organization and in those of your customers, partners, and so on.

But why are cloud-based solutions, SaaS or IaaS, more vulnerable? Because credentials are pretty much all that is needed to break in; there is nothing else. This is why, among the endless attack vectors CISOs and CIOs need to prepare for, protecting against account takeover should be a priority if you are using SaaS or IaaS.


The Risk: Your Cloud is the New Target

In the last two years, as the majority of companies moved their email to Office 365 and Gmail, we've seen company-targeted phishing attacks shift away from the traditional "PayPal-like" spoofing attacks toward spoofing the most common SaaS services: Office 365, Gmail, Dropbox, etc. The attackers know which SaaS you use from simple crawling tools and can target any of your employees with phishing emails that look exactly like the standard messages from those services, leading to the same login screens that end-users are used to. There is very little to no difference between your end-users' interaction with the real SaaS and the phishing attack. Multi-purpose suites like Office 365 and G Suite are attractive targets because a single password grants access to multiple platforms; with Office 365, for example: SharePoint, OneDrive, Outlook, Skype for Business, Teams, and possibly even Azure. One key unlocks the entire castle.

What Do Hackers Do After They Break In?

Because many of our customers called us after one of their accounts was breached, our security analysts have been 'fortunate' enough to analyze the activities of hackers after an account is breached. We've noticed a few common traits:

Automated attack, manual compromise. Most attacks do not start by targeting a specific company; they are widespread and automated. Yet once an account is breached, the follow-on compromise is most commonly slower, very specific to the organization, and done manually. For example, we have seen attackers sending additional malicious links from a compromised account to the employee's colleagues, sometimes within the context of a live thread. In some cases, if the receiver has doubts and replies with "John Smith, is this email from you?", a human hacker would be there to respond with something like "Yes. This file summarizes our conversation on XYZ", where XYZ was the subject of their thread.

The Hackers Will Cover Their Tracks. We have seen attacks from a compromised account where the first thing the hacker does is make sure they go undiscovered. For example, they will start by creating inbox rules that delete their outbound attacks from Sent Items and route any replies to Deleted Items. Any email that might alert the user (e.g. with the subject "Your account has been hacked!" or "Change your password!") is deleted. We have seen weeks of phishing conversations with other employees take place within a hidden folder, leaving no traces that the end-user can see in Sent Items or Deleted Items; such activity can only be analyzed through administrative logs. Attackers also tend to log in once and keep the connection alive to avoid multiple login events that might raise suspicion. In addition, depending on the SaaS, even if the attacker is found and the password is changed, existing sessions may stay open.

Multi-vector Attack. The first compromise behavior might be low and slow, but it becomes more aggressive over time as the first methods fail or discovery becomes more likely. Often it will include a large exfiltration event or a large phishing blast that might lead to another, more promising account. In some attacks this happens as soon as the account is taken over, and in others only once the hackers move to their violent mode, but in many cases at some point the hacker will start sending multiple emails with hundreds of recipients to try to spread the compromise within and outside the organization.

Getting the Admin Rights. If the first compromised account has no administrative rights, the account will be used for further internal attacks that target specific users in the IT department. The attacker will send specially crafted emails, often in the context of a company-wide project that IT is conducting. For example, we have seen an attack where the organization was in the middle of a Windows OS update: IT sent such an email to the entire organization, and the hackers responded with a clever attack from a fake account that looked like it was coming from one of the IT admins to his boss, asking them to log in to Office 365 and activate a task. What was interesting in this case was that the attackers did not use the real compromised account but phished the company from a fake external account with completely genuine context. Therefore, even after the company knew it had been infiltrated, it did not know which account had been hacked, because the original email went to everyone. Why do they want the admin account? Because then they see EVERYTHING. Here's how:

The Hackers' Holy Grail: Malicious Apps

We have found that many recent attacks are ultimately looking for users with administrative rights or, at least, the ability to install third-party apps across all end-user accounts. They are hoping to connect to your SaaS via an API token authorized by someone with global permissions. In the same way that you might grant LinkedIn permission to access your Gmail contacts, an attacker might gain permanent, invisible, automated access to your SaaS via a one-time authorization request that they approve with the admin credentials they harvest. The highest-profile attack of this sort this year was the Google Docs attack in May of 2017.

API connections, once authorized, are not logged in the same way as a user account. There are no 'login' events, and while the connected app might be able to upload and download files or send and receive emails, it is invisible to the user. Even if the user changes their password, the API token remains active. In both G Suite and Office 365, most admins will struggle to find which apps are installed, understand who installed them, and figure out what purpose they serve.

What Can Be Done?

In the same way that your desktop malware tools look for suspicious function calls, network connections, or memory writes, Avanan monitors every cloud event to identify compromised accounts.

Based on the many breaches we analyzed, Avanan developed a machine learning algorithm that detects anomalous and suspicious behavior. Here are some of the behaviors that our algorithm will monitor and flag:

  • Multi-BCC emails, emails with malicious content, deleted sent messages, etc.
  • Email rules that demonstrate embed behavior (such as the auto-delete and redirect rules described above)
  • New API connections, especially to new or untrustworthy apps
  • Connection of shared services, public folders, etc.
  • Deviation from the user's standard behavior profile: devices, geos, time-of-day, etc.

By correlating the different behaviors, we build a full picture assessing what damage was done and what vulnerabilities now exist.
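As an added illustration (not Avanan's code or algorithm), here is a small Python script that applies the track-covering, bulk-send and app-consent heuristics from this post to mailbox audit events constructed inline; the event and rule field names are a simplified schema assumed for the example, not the real Office 365 or G Suite audit log format, and the BCC threshold is an assumed value.

```python
# Field names below are a simplified schema assumed for this example, not the real audit log format.
from collections import defaultdict

# Constructed sample audit events (not real log data).
EVENTS = [
    {"user": "john.smith", "op": "New-InboxRule",
     "rule": {"SubjectContainsWords": ["hacked", "password"], "DeleteMessage": True}},
    {"user": "john.smith", "op": "New-InboxRule",
     "rule": {"SubjectContainsWords": ["RE:"], "MoveToFolder": "Deleted Items"}},
    {"user": "john.smith", "op": "Send", "bcc_count": 240},
    {"user": "john.smith", "op": "ConsentToApp", "app": "unknown-mail-app (constructed)"},
    {"user": "jane.doe", "op": "New-InboxRule",
     "rule": {"SubjectContainsWords": ["invoice"], "MoveToFolder": "Receipts"}},
    {"user": "jane.doe", "op": "Send", "bcc_count": 3},
]

ALERT_WORDS = {"hacked", "password", "compromised", "suspicious"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
BCC_THRESHOLD = 50  # assumed cut-off for a "phishing blast"

def rule_findings(rule):
    """Return the reasons an inbox rule looks like attacker track-covering."""
    reasons = []
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])}
    if words & ALERT_WORDS:
        reasons.append("rule matches security-warning subjects")
    if rule.get("DeleteMessage"):
        reasons.append("rule silently deletes mail")
    if rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append("rule routes mail to a folder users rarely check")
    if rule.get("ForwardTo"):
        reasons.append("rule auto-forwards mail")
    return reasons

def analyze(events):
    """Correlate indicators per user; report only users with two or more."""
    findings = defaultdict(list)
    for ev in events:
        if ev["op"] == "New-InboxRule":
            findings[ev["user"]].extend(rule_findings(ev["rule"]))
        elif ev["op"] == "Send" and ev.get("bcc_count", 0) >= BCC_THRESHOLD:
            findings[ev["user"]].append(f"bulk send with {ev['bcc_count']} BCC recipients")
        elif ev["op"] == "ConsentToApp":
            findings[ev["user"]].append(f"new API/app consent: {ev['app']}")
    return {u: r for u, r in findings.items() if len(r) >= 2}

if __name__ == "__main__":
    for user, reasons in analyze(EVENTS).items():
        print(user, "->", "; ".join(reasons))
```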

As soon as we are deployed, we scan the historical data in the logs to quickly report on accounts that are suspected to be compromised. Should a user lose their credentials, we can identify the compromised account and respond immediately with remediation actions.

What Remediation Options Are Available?

Avanan's API connection to the SaaS infrastructure provides both the comprehensive visibility needed to recognize a hijacked account and the control required to block the malicious behavior. We can trigger multi-factor authentication, help you create a workflow that requires a second approval for installing third-party apps or making other company-wide configuration changes, auto-delete malicious apps, and disconnect embed connections.

Your cloud users generate hundreds of thousands of events each day, making it easy for an attacker to hide their behavior. Avanan analyzes this stream of information to find and automatically respond to threats so you don't have to.