
Dodgy emails at work


Alan Medic


Quite a few people where I work have been receiving emails with attachments which almost appear to be business related but undoubtedly are not. Yesterday I even received one in the name of our MD though without an attachment.


The common theme suggests it is to either open an attachment or respond to the email, given it was a request for information or a confirmation of something.


Anyone knowledgeable enough to say what's going on here? We use the cloud based Office 365. I've been asked to see if I could find a solution even though I know next to nothing about the subject. I usually find there's no better place than the Forum for some enlightenment, so here I am. Help!


Alan Medic Wrote:

-------------------------------------------------------

> I've been

> asked to see if I could find a solution even

> though I know next to nothing about the subject.


Loz has got the reasons right. But as for a solution, there isn't one, as such.


This is partly Microsoft's fault, as they make it very difficult for users to see exactly where an email has originated from. It's also not helped by the filtering options, and some other basic security measures, being premium-priced add-ons. Personally, I think selling basic security features as premium-priced 'enhancements' isn't so nice, but all the vendors do it and, as they've got billions that I haven't, are better placed than I to see the upsides of malicious complacency.


There are, however, partial solutions. Not all of them will suit, depending on what your office does, who it corresponds with and how the management responds to suggestions that they might find mildly inconvenient. But I reckon you could get a few bullet points for a powerpoint together, and that might be all you need, even if it is in the private sector.


The first thing to consider is rejecting all email where the 'From' address doesn't match the authorised server for that domain. This may already be happening, but won't reject much, as lots of companies have outsourced email to Microsoft, Google etc. so scammers only need to do the same and their stuff gets through. Moreover, this suggests it's only an option on some contracts. Besides, not everyone you do business with will have bothered setting up their email servers correctly, so it's not always practicable.


The second is to ensure a degree of hygiene. Make sure email passwords are changed regularly, and strong passwords are used. Then ensure any obsolete accounts are either deleted or rerouted. Ensure, in addition, that any catch-all accounts are either regularly monitored or done away with. Some places do this already. But in others, where there are senior managers capable of reading their own email, the suggestion that they change their passwords regularly might be viewed as an act of North Korean diplomacy, and met with either blank incomprehension or a P45. Tread carefully. You can only do your best.


The third is to ensure the server simply deletes any mis-addressed emails, rather than bouncing them, as that's easily exploited to find out, for example, what genuine email addresses still exist. As can out-of-office auto-replies, which are best done away with, though again, be careful as some will be using those as part of a delegation strategy.


The fourth is to consider some sort of whitelist (an 'allow list' in Microsoft-speak), whereby only email from specific domains is accepted. Again, this isn't much use if you're just looking at the 'From' field - as that can be easily spoofed. Some Exchange licences allow a bit better control, up to a point, through the Connection Filtering options, though they're not much fun to work with, and don't quite allow everything you'd want.


The fifth is to ensure there is some sort of spam filtering happening. MS does some by default, and there are all sorts of options you might usefully tweak for those, such as quarantining messages so users can make their own minds up. But that might depend on what sort of minds your colleagues are blessed with and your predicament suggests they're not at the pointy end of the pyramid (though, to be fair, they have noticed the dodgy emails, which puts them a few rungs above most).


The sixth, and best, solution is to hire people who do know what they're doing and train staff properly. The problem with that is that much of the training in IT is delivered by vendors who, for guessable reasons, tend not to see much difference between education and advertising and rather skimp on the difficult bits. But who doesn't?


Anyhow, that's all I can offer, so good luck with it.

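As an added illustration of the first and fourth points above (it is not code from the thread), here is the check a mail filter can make instead of trusting the 'From' line. Exchange Online stamps each inbound message with an Authentication-Results header carrying the SPF, DKIM and DMARC verdicts, so the script reads those, then looks for a lookalike domain and for an internal display name (such as the MD's) sitting on an outside address. The company domain, the MD's name and the three sample messages are all constructed for the example.

```python
"""Header checks behind an allow-list that is not fooled by a spoofed 'From'.
Assumes Exchange Online has already added an Authentication-Results header;
the company domain, the guarded display name and the messages are made up."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.co.uk"           # assumed: the company's own mail domain
INTERNAL_NAMES = {"jane smith"}        # assumed: display names worth guarding (the MD)

# One pattern per mechanism; Exchange Online writes e.g. "spf=fail (sender IP is ...)"
AUTH_RE = {m: re.compile(r"\b%s=(\w+)" % m) for m in ("spf", "dkim", "dmarc")}


def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch examp1e / exarnple style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_auth_results(msg):
    """Collect the first spf/dkim/dmarc verdict found in the Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for name, rx in AUTH_RE.items():
            m = rx.search(str(hdr))
            if m and name not in verdicts:
                verdicts[name] = m.group(1).lower()
    return verdicts


def assess(raw):
    """Return a list of reasons to distrust the message (empty means nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    findings = []
    # 1. Our own domain in From, but the sending server was not authorised for it.
    if domain == OUR_DOMAIN:
        if auth.get("dmarc") != "pass":
            findings.append("own domain in From without DMARC pass (dmarc=%s, spf=%s)"
                            % (auth.get("dmarc", "none"), auth.get("spf", "none")))
        return findings
    # 2. A registered domain one or two characters away from ours.
    if edit_distance(domain, OUR_DOMAIN) <= 2:
        findings.append("lookalike domain %s" % domain)
    # 3. The MD's name over an outside mailbox, which a filter on the address alone misses.
    if name.strip().lower() in INTERNAL_NAMES:
        findings.append("internal display name %r on external address %s" % (name, addr))
    return findings


# Constructed sample messages (not real traffic).
GENUINE = (b"From: Jane Smith <jane.smith@example.co.uk>\r\n"
           b"Authentication-Results: spf=pass (sender IP is 40.92.0.1) smtp.mailfrom=example.co.uk;"
           b" dkim=pass header.d=example.co.uk; dmarc=pass action=none header.from=example.co.uk\r\n"
           b"Subject: Q3 invoices\r\n\r\nPlease see attached.\r\n")
SPOOFED = (b"From: Jane Smith <jane.smith@example.co.uk>\r\n"
           b"Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.co.uk;"
           b" dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.co.uk\r\n"
           b"Subject: Urgent: new bank details\r\n\r\nPlease pay this month's invoice to the account below.\r\n")
LOOKALIKE = (b"From: Jane Smith <jane.smith@examp1e.co.uk>\r\n"
             b"Authentication-Results: spf=pass (sender IP is 198.51.100.9) smtp.mailfrom=examp1e.co.uk;"
             b" dkim=pass header.d=examp1e.co.uk; dmarc=pass action=none header.from=examp1e.co.uk\r\n"
             b"Subject: Re: invoice\r\n\r\nCan you confirm the payment went through?\r\n")

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, assess(raw) or ["no findings"])
```

The second message is the case the post warns about: it claims the company's own domain, but DMARC fails, so the only thing vouching for it is the 'From' line. The third passes every authentication check, because the scammer registered the lookalike domain and set it up properly, which is why the display-name and distance checks are needed on top. Expect the display-name rule to fire on colleagues mailing from personal accounts; treat it as a quarantine trigger rather than a hard reject.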

Thanks very much Burbage and Loz. I will need to spend more time reading your post Burbage to see what could be implemented.


Interestingly my work email address has been used to try and get at least two clients to alter the bank account into which they pay us. In one case it worked and having seen the emails from 'me' they were quite convincing. We reported it to Action Fraud who pass on details to the police if they think there is a case. They decided there wasn't enough to lead to a conviction. This puzzled me as the payment went from Poland to a NatWest account in Camberwell. I'd have thought with that detail there would be enough to pursue it. I've asked them to explain their decision. Any idea why they wouldn't?


Alan Medic Wrote:

-------------------------------------------------------

> Interestingly my work email address has been used

> to try and get at least two clients to alter the

> bank account into which they pay us. In one case

> it worked and having seen the emails from 'me'

> they were quite convincing. We reported it to

> Action Fraud who pass on details to the police if

> they think there is a case. They decided there

> wasn't enough to lead to a conviction.


That suggests they've got into your system somehow. If it only affects one client, then it might have been at the other end, but with two it looks like they got in at this end. There are lots of ways of doing that, from using infected browsers (if you use webmail), phones or wifi/routers to synchronise email to their own machinery, or simply having the time and patience to borrow passwords (the SWIFT hack was done, apparently, by hacking bank webcams and using them to spy on staff entering passwords). It depends a bit on where they are - if they're in the same building (or office - there's never been a shortage of disgruntled employees or contractors), some methods will be easier, but it can be done from anywhere.


They then simply wait until something interesting goes out and then, when it does, swap or insert a message into the conversation. Having access to the server means they can perfectly spoof the message, so there's no clue as to who they are, or where they are. Given the likelihood that any available evidence will lead to the IP address of a hacked toaster of an innocent tailor in Venezuela (or similar), ActionFraud can't honestly recommend Plod spends much time on it, unless the fraud's of a size to interest Interpol.


The bank account is a clue, but it can be surprisingly difficult to prove who the beneficial owner of a bank account is, let alone that they knowingly received the proceeds of crime, especially if it's a joint account, belongs to a trust or is registered to someone who's dead or offshore. So, unless there's a clear and consistent pattern of inflows, it's unlikely to get to court. Besides, the banks aren't always co-operative, being somewhat shy of attracting more fines for having laundering controls that don't work.


There are some protections against this sort of attack, but they're tricky and expensive, relying mostly on detecting intrusions and anomalous traffic, which takes specialist skills that even trained IT folk don't often have. Changing passwords regularly, and insisting on complex ones, is the easiest, but that won't always work. The only other way is not to rely on email alone for transactions, insisting on phone (or post) confirmation before money's transferred. But that requires the co-operation of clients, suppliers etc., which won't always happen.


Burbage Wrote:

-------------------------------------------------------

> Changing passwords regularly, and insisting on complex

> ones, is the easiest, but that won't always work.


Mainly because it results in post-it notes with the new, hard-to-remember password plastered somewhere.


There are lots of studies into passwords. None of them seem to come up with many useful conclusions. But there is a real move away from regularly changing passwords.


Personally, I think two-factor authentication - especially for remote access - is the best. That's where you have a password ("something you know") and some other device ("something you have"). Banks use it these days in the form of card readers and pin-pads. Paypal uses your mobile phone - it sends you a text with a code when you log in.

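Added example, not from the thread: the "something you have" factor above, done the way authenticator apps do it (RFC 6238 TOTP on top of RFC 4226 HOTP), with the server-side check that tolerates a phone clock a step out. The key used is the RFC's own published test secret so the codes can be checked against the RFC's vectors; a real deployment generates a random secret per user and shows it once as a QR code.

```python
"""Time-based one-time passwords: generate and verify the six-digit code a phone app
shows. Assumed inputs: the RFC 6238 test key and fixed timestamps, so results are
reproducible; nothing here talks to a real account."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30                             # seconds per code, the usual setting
DIGITS = 6
RFC_KEY = b"12345678901234567890"     # RFC 6238 SHA-1 test secret, constructed input


def hotp(secret, counter, digits=DIGITS):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """TOTP is HOTP with the counter set to the number of steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify(secret, candidate, at=None, window=1):
    """Accept the current step or up to `window` steps either side (clock drift).
    Every step is compared in constant time and none returns early, so the
    response time tells an attacker nothing about the right code."""
    at = time.time() if at is None else at
    counter = int(at // STEP)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), candidate)
    return ok


def secret_from_base32(b32):
    """Apps are provisioned with the key as base32 (what the QR code carries); restore padding."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # At t=59 the RFC lists 94287082 for eight digits; six-digit apps show the last six.
    print(totp(RFC_KEY, at=59), totp(RFC_KEY, at=59, digits=8))
```

Two practical points the code makes visible: the secret never leaves the two ends, so a captured code is worthless after at most a minute or so, and the server should also remember the last counter it accepted so the same code cannot be replayed inside the window. Any SMS scheme such as the PayPal one mentioned above is weaker than this, as the code travels over the phone network in the clear.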