Battling Phishing and Business Email Compromise Attacks

It’s time to go beyond multifactor authentication (MFA). Here’s how public key infrastructure (PKI) and other solutions can help.

October 3, 2023


While MFA remains an essential pillar of identity security, Mrugesh Chandarana of HID discusses why additional measures are required to defend against multi-phase adversary-in-the-middle (AiTM) phishing attacks. An AiTM kit proxies the victim's real login in real time, captures the authenticated session cookie after the MFA prompt has been satisfied, and uses that session to set up a business email compromise (BEC) attack.

Microsoft recently suggested in its threat intelligence blog that banking and financial services organizations should complement MFA with other measures. Proven options include Public Key Infrastructure (PKI) digital certificates; digital signing and message encryption, so that tampering is detected and content stays confidential at rest and in transit; and authentication with a hardware-based USB token or smart card holding either a PKI certificate or a Fast Identity Online (FIDO) credential.

A Complex Threat

Microsoft’s post revealed the complexity of today’s AiTM phishing and follow-on BEC attacks. These scams abuse trusted relationships between vendors, suppliers and other partner organizations and circumvent poorly configured MFA policies with the intent of committing financial fraud. 

Attackers have many ways to fool employees into handing over money or information. One is the "false invoice" scam, in which the attacker poses as a vendor and emails a request to wire payment to a fraudulent account. Alternatively, the attacker compromises the credentials of the vendor's genuine staff, or at least registers an email address that looks nearly identical to the vendor's.

A cybercriminal might also spoof or steal the CEO’s identity and then request credentials or payment. The same approach might be taken with a member of the IT team or other department with the authority to acquire credentials from high-level executives and other employees to execute these multi-phase scams.

Attackers also trick users into clicking links to malware by using realistic-looking emails from known service providers such as Microsoft Outlook or Adobe. Whichever approach is taken, there is a high degree of social engineering and far more professionalism than in the past, when poor English and implausible requests made scams easy to spot.

More BEC attacks occur each day. The FBI's Internet Crime Complaint Center (IC3) publishes its Internet Crime Report annually and, for 2019, reported 23,775 BEC/email account compromise (EAC) complaints with adjusted losses of over $1.7 billion. The number of BEC/EAC complaints has dropped somewhat since then, but adjusted losses have risen significantly, to more than $2.7 billion in the 2022 report. Organizations are more aware of BEC now, but when one BEC method becomes too well known, scammers quickly shift targets and appear to be getting better at extracting the most value from each attack. Vigilance and a solid defense are critical.


How BEC Works

BEC scammers use several common techniques. One that has been especially costly for public and private organizations is the “false invoices” scam. Scammers pose as vendors requesting money be wired to their fraudulent accounts. In some cases, these scammers will work to compromise the credentials of the vendor’s genuine professionals or at least spoof an email address that looks nearly identical to the vendor’s information. 

There is a similar approach in the “CEO fraud” scam. Criminals email employees using their CEO’s spoofed or stolen identity, requesting credentials or payment. These bad actors may also pose as a member of the IT team or other departments with the authority to request credentials from high-level executives and other professionals.

A third approach is to create realistic-looking emails from known service providers (such as Outlook or Adobe), in which the scammer requests credentials or urges users to click on malware-ridden links. These and other scams share a common goal: convince employees to send money or information or perhaps click on a link that will compromise their network. 

Mounting a Defense

One of the biggest weaknesses BEC attacks exploit is the password, and one of the most effective defenses is to eliminate it. Doing so also removes an unintended consequence of strict password policies: users faced with hard-to-remember alphanumeric strings write them on sticky notes, often displayed in plain sight where anyone can read them.

To eliminate this weakness, organizations are replacing passwords with public key infrastructure (PKI) digital certificates issued to individual users. These personal certificates are trusted across operating systems, virtual private networks (VPNs), business applications and browsers, and are used as a factor in MFA or two-factor authentication (2FA). Because the user's private key is never typed or transmitted, a phishing page has nothing to capture or replay.

Digital certificates can also encrypt the message itself and enable digital signing. Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates bring this into the organization's email client, letting users determine whether a message really comes from a trusted sender. A valid signature also proves the integrity of the message content: any change made after signing causes verification to fail. Combining digital signing with message encryption ensures that an intercepted email cannot be read by anyone but the intended recipients and that any tampering or forgery is detected.

Thanks to digital certificates' strong cryptography and ease of use, it is now much simpler and safer to digitally sign documents or email. Signing with certificates also provides non-repudiation and greater auditability, easing the compliance and administrative burden. These features are mission-critical for regulated industries and government organizations.
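The signing and verification flow described above, as an added example that is not part of the original article or any HID product: it uses the OpenSSL command-line tool (assumed to be installed, version 1.1.1 or later) to stand up a constructed private CA with hypothetical names ("Example Corp Email CA", alice@example.com), issue an S/MIME certificate, sign an invoice message, and verify it. It then shows the two failure modes the text relies on: a message whose body was altered after signing, and a message signed by an attacker's self-signed certificate that copies Alice's name and address but does not chain to the organization's CA.

```shell
#!/bin/sh
# Added example (not from the article): S/MIME signing round-trip with the
# OpenSSL CLI.  All names, addresses and the CA are constructed for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf.  Hypothetical extension profiles for the CA, Alice's S/MIME
# certificate, and the attacker's look-alike certificate.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[smime_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
[attacker_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
EOF

NEWKEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# 1. Private email CA (in production: a managed PKI with hardware-held keys).
openssl req -x509 -config pki.cnf -extensions ca_ext $NEWKEY -days 30 \
  -subj "/CN=Example Corp Email CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. Alice's key and CSR; the CA issues her S/MIME certificate.
openssl req -config pki.cnf $NEWKEY \
  -subj "/CN=Alice Example" -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -extfile pki.cnf -extensions smime_ext -out alice.crt 2>/dev/null

# 3. Attacker mints a self-signed certificate with the same name and address.
openssl req -x509 -config pki.cnf -extensions attacker_ext $NEWKEY -days 30 \
  -subj "/CN=Alice Example" -keyout attacker.key -out attacker.crt 2>/dev/null

# sign_message CERT KEY PLAINTEXT OUT: clear-signed S/MIME (multipart/signed).
sign_message() {
  openssl cms -sign -in "$3" -signer "$1" -inkey "$2" -out "$4"
}

# verify_message FILE: prints "verified" only if the signature is valid AND
# the signer certificate chains to ca.crt with the S/MIME signing purpose.
verify_message() {
  if openssl cms -verify -in "$1" -CAfile ca.crt -out /dev/null 2>/dev/null; then
    echo verified
  else
    echo rejected
  fi
}

# Constructed invoice body.
printf 'Please wire payment for invoice 4711 to account ACCT-0001.\n' > invoice.txt

sign_message alice.crt alice.key invoice.txt signed.eml            # genuine
sed 's/ACCT-0001/ACCT-9999/' signed.eml > tampered.eml             # body altered in transit
sign_message attacker.crt attacker.key invoice.txt spoofed.eml     # untrusted issuer

printf 'genuine=%s tampered=%s spoofed=%s\n' \
  "$(verify_message signed.eml)" \
  "$(verify_message tampered.eml)" \
  "$(verify_message spoofed.eml)"
# prints: genuine=verified tampered=rejected spoofed=rejected
```

The clear-signed format leaves the body readable, which is why the `sed` edit is trivial to apply and equally trivial to detect: the detached signature covers a digest of the original body. The spoofed message has a mathematically valid signature, so the deciding check is the chain to a trusted CA, not the signature itself; a mail client that merely shows "signed" without validating the issuer gives no protection against this case.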

In addition to adopting PKI digital certificates with encryption and digital signing capabilities, organizations can further strengthen security by using a hardware-based USB token or smart card for authentication. The user's personal certificate lives on the token or smart card, the private key is generated there and cannot be exported, and use of the key is protected by a PIN. An impersonator would need both physical possession of the token or smart card and its PIN to gain access to the legitimate user's mailbox.

To simplify deployment of this hardware-based approach, organizations can use PKI-as-a-Service together with a credential management system to implement and automate the credential lifecycle quickly. Alternatively, the hardware-based approach can be deployed with FIDO, which also relies on public-key cryptography and adds the ability to store keys in the platform authenticators of Android and iOS devices. FIDO credentials are bound to the web origin that registered them, so an AiTM proxy on a look-alike domain cannot obtain a valid login assertion, which is what makes the approach phishing-resistant. In either case, logins are fast and secure, using cryptographic credentials that never leave the user's hardware authenticator.

The Stakes Continue to Rise

Instances of BEC continue to proliferate as criminals target organizations of all sizes from all industry verticals, both public and private. Their scams are much tougher to execute where PKI digital certificates have been deployed. This is especially true when these certificates have encryption and digital signing capabilities and are contained in a token or smart card that is protected with a PIN. 

Properly deployed, PKI digital certificates make it very difficult to spoof someone’s identity when sending a fraudulent email. They protect communication within an organization, provide assured identities for both senders and receivers and prevent impersonators from reading or – worse – tampering with or falsifying emails with malicious intent.




Mrugesh Chandarana

Product Management Director for Identity and Access Management Solutions, HID

Mrugesh Chandarana is the Product Management Director for Identity and Access Management Solutions at HID Global. Prior to this, he was the Director Product Management of RiskSense, Inc. Mrugesh has also worked for WhiteHat Security and Agiliance. Mrugesh completed his Master of Science degree in electrical and electronics engineering from the Charles W. Davidson College of Engineering at California State University, San Jose. He earned his Bachelor of Science degree in electronics and communication from C.U. Shah College of Engineering and Technology.