It is alarming how clever bad actors are at gaining access to executives’ email systems. In the construction industry specifically, executives are being tricked into entering their email credentials into websites that not only capture and steal their credentials but also steal their MFA tokens and redirect their MFA to the bad actor’s system, giving them full access to the executives’ mailboxes. Yes, they are defeating MFA. Easily. Let me explain how this is happening, why it is important, and how you can prevent your people and construction firms from becoming victims.
Alfie, What is this all about?
It is about DOLLARS. MONEY. Plain and simple. You have it. They want it. They may target your construction business or someone in your firm to wire them money. They may simply harvest the information available to them once they are in your email system to sell contact information and credentials on the dark web. The list of ways bad actors can steal and extort money once they gain access is a mile long. They are clever, and they act fast once they gain access.
How does it happen? Why does it work?
The most recent attacks invite people to request a document–like an invitation to bid. When the recipient clicks on the link, they are sent to a website that looks professional, perhaps even exactly like the website they previously used for bid requests, and are asked to “log in” to gain access. This is where using single sign-on can be dangerous. Single sign-on allows you to sign in on time and be granted access to multiple systems and services without needing to authenticate to each one. Such sites rely on third-party credentials to allow access to their systems or data, but HOW they accomplish this is an opportunity for the bad actors.
Be wary when a site asks you to enter your Microsoft credentials (username and password). In one attack we encountered, as soon as the victim entered their username and password, the website took advantage of a Chrome browser vulnerability to capture a copy of the session token. Then, it used that token to immediately log into Microsoft 365 and add its own MFA setup. Once in, the culprits had scripts that gathered information and collected contacts from the user’s system and then sent the same attack email to all of the victim’s contacts. This put all of the victim’s contacts in danger of falling victim to the same attack.
Sometimes, the bad actors spend hours, days, or weeks watching and reading emails to identify targets and opportunities. The longer they wait to act, the more opportunity we, the victim firm, and the IT providers have to stop the attack and shut off access. The time period between the attack, identification, and action taken to remediate or prevent it is known as the dwell time. Shockingly, the average dwell time is 120 days! This is where we excel. We stop such attacks typically within 30 minutes of identifying them and work quickly to block unauthorized access to the account, change passwords, and identify the root cause of the breach.
In one case, we did not know until the company started getting phone calls from all their customers and subcontractors about the suspicious email the victim had sent. In another, we worked with an account when the company’s owner identified that they had wired $80,000 to the wrong account or entity.
So what are we to do?
If the Chrome browser had been up-to-date, it could have prevented the attack on the construction firm. We automate the patching and deploy patches to web browsers as they become available. Still, if users do not leave their computers on and available during the patch window, they can miss the patch process and remain vulnerable. The user could have prevented the attack if they had been vigilant and cautious about clicking on the link and their assistant had verified the bid request or website instead of clicking on the link.
When the other account wired funds to the incorrect person, one of the account executives fell victim to MFA fatigue. This was a “brute force” attack in which the bad actors repeatedly sent malicious MFA requests to the recipient, hoping they would get careless or tired of receiving the emails and accept one of the requests as valid. This MFA fatigue is why Microsoft recommends that people DO NOT rely on authentication applications that allow swipe-only approvals.
Instead, Microsoft suggests using an application that requires you to receive a numerical code and enter it into the site. It is just too easy or convenient for people to swipe “allow” and give the bad actors access. By requiring them to take the time to enter the numerical data, they found people are less likely to approve access inappropriately.
Your people are the answer.
Educate your staff. No matter how good our software controls, firewalls, and intrusion detection systems are, you will still be at risk if your people continue to click on links or approve inappropriate MFA requests. The attacks and tools to attack continue to advance. Vulnerabilities continue to be found and attacked. Train your staff to be skeptical, vigilant, and notify you immediately if they realize they may have done something that may put them or your construction firm at risk. If they notify you, and you promptly notify us, it significantly increases our chances of blocking the attack before any damage is done. This is absolutely crucial. I like to explain it this way: all employees have a fiduciary responsibility to notify management of a possible misstep or security issue immediately because if they do not, they are limiting your ability, and our ability, to take action and protect you and your assets efficiently—time matters.
- Patch your software.
- Run state-of-the-art endpoint protection.
- Use a quality firewall.
- Implement Zero trust.
- Have an immutable backup.
Focus on your people and your processes. Control the pieces you can control with workflows, communication, and training. And finally, work with a quality IT Management firm. An IT Management firm that focuses on cyber security and takes the right steps to keep you protected and cyber resilient.
To learn more about Business Email Compromise and cyber security, see other blog articles at rosects.com, or request a copy of the book I co-authored, 16 Ways to Protect Your Business from Cyber Security Attacks.