Baddies just need one email account with clout to unleash phishing hell

A single account compromise at an unnamed "major university" in the UK led to a large-scale phishing attack against third parties, according to data protection outfit Barracuda Networks. With one account in their pocket, the attackers used it to compromise modest numbers at the same institution, after which they were turned …

  1. Anonymous Coward
    Anonymous Coward

    blockchain email?

    There's always the possibility of setting up a blockchain to propagate email. You'd need to pay to do it, but ISPs could oversee the system and allow users a set amount of "free" emails before you need to actually fork out the dosh.

    Might prevent mass-spamming.

    Never happen, of course. But the fact there are ways of dealing with the problem, and the continued existence of the problem suggests there's something else going on.

    1. Charles 9 Silver badge

      Re: blockchain email ?

      Nope, because what's happening is account hijacking. Who cares about e-mail costs when you're using someone else's account (and thus someone else's dime)? As the article notes, it's hard to guard against sufficiently-disguised impersonators.

  2. Anonymous Coward
    Anonymous Coward

    UK Unis are an easy target. None of them use 2FA

    1. Alan Brown Silver badge

      "UK Unis are an easy target. None of them use 2FA"

      A lot of the attacks I see "from" UK Unis are spoofed, not hacked.

      The difference being that they don't come from the account they say they come from.

      1. john.jones.name

        outsourced...

        The problem is that some UK unis have outsourced their mail lock, stock and barrel to Microsoft and Google etc., so they don't really have control...

        If they retained their MX, they would have the ability to implement DNSSEC and DMARC to not only DENY but RECORD who is spoofing them.

        Ironically, Microsoft consume DMARC but don't send it out... you know it's good when Microsoft will use it for their own microsoft.com domain but refuse to help others...

        DNSSEC would prevent DNS spoofing, and combined with DMARC it gives a nice authenticated trail which you can still use Outlook and Gmail with... you just have to control the incoming...
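The "RECORD who is spoofing them" part of the comment above is what DMARC aggregate (rua) reports give you. As an added example (not code from the thread), this parses a constructed report in the standard RUA XML layout and lists the source IPs that failed both SPF and DKIM alignment for the domain; the domain, IPs and counts are made-up sample values.

```python
"""Summarise a DMARC aggregate (RUA) report: which sending IPs failed
SPF/DKIM alignment for our domain, and how the receiver disposed of them.
Added example, not code from the thread. SAMPLE_RUA is a constructed
report in the usual feedback/record/row layout."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one aligned legitimate source, one spoofing source.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>example-receiver.test</org_name></report_metadata>
  <policy_published><domain>uni.example</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>uni.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>4500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>uni.example</header_from></identifiers>
  </record>
</feedback>"""


def parse_rua(xml_text):
    """One dict per <record>: source_ip, count, dkim, spf, disposition, header_from."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows


def spoofing_sources(records):
    """IPs where neither DKIM nor SPF aligned: the 'who is spoofing us' list.
    Returns {ip: total message count}, largest first."""
    totals = defaultdict(int)
    for r in records:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            totals[r["source_ip"]] += r["count"]
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for ip, n in spoofing_sources(parse_rua(SAMPLE_RUA)).items():
        print(f"{ip}: {n} messages failed DMARC alignment")
```

Real reports arrive (usually gzipped) at the address in the domain's rua= tag, so in practice this function runs over the extracted XML of each report.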

    2. navidier

      N-1 UK Unis don't use 2FA

      > UK Unis are an easy target. None of them use 2FA

      Mine does; I'm told it works pretty well.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: N-1 UK Unis don't use 2FA

        Which uni is that?

        1. navidier

          Re: N-1 UK Unis don't use 2FA

          > Which uni is that?

          OK, I'm giving myself away here...

          Brunel University London -- we have some very paranoid^Wprofessional IT security personnel.

    3. Chris King

      Quite a few do, and more are considering it.

  3. Anonymous Coward
    Anonymous Coward

    In my experience...

    "The incident contains a curious irony: third parties seem to have recognised the malicious campaign before the infected organisation, or at least before it reacted to block it."

    From what I have seen for multinational companies, the attacks deliberately occurred outside the victim's working day (i.e. between 1AM-5AM in the victim's time zone) to allow as much mayhem as possible.

    While we were able to detect the issue relatively quickly (within 60 minutes of the initial compromise), we weren't lucky enough to have vigilant third parties. Convincing the third parties we were part of the affected company (in spite of providing multiple forms of ID) was significantly harder than using the initial online tools and "telephone verification" that the third party used to allow the initial changes (i.e. reset account password, update primary account owner details to new e-mail address/contact name, third party used new contact phone number to verify changes were valid...) and then cause mischief from there.

    I would imagine that an organisation that doesn't typically provide 24/7 support to users would take longer to notice in similar conditions.

    Real 2FA would have addressed the initial entry point for the attacks as it was done via clever (but not hard to reproduce) spear phishing.

    TL;DR? If you depend on e-mail and on-line services for your business, make sure you have strong authentication, i.e. real 2FA.

    1. Anonymous Coward
      Anonymous Coward

      Re: In my experience...

      Hate to think, though, what would happen if someone important LOSES their second factor in a critical time. I mean, I know people who routinely lose their keys...

      1. DropBear

        Re: In my experience...

        "Hate to think, though, what would happen if someone important LOSES their second factor in a critical time."

        With something like TOTP at least it should be trivial to re-commission any available piece of hardware as a clone of the original, assuming the original commissioning secret was kept safe somewhere. This of course leaves open the non-trivial questions of what happens if said VIP is not within assistance range of their IT department at that time, and also who exactly has access to said archived seed secret...

    2. Mattknz1
      Pint

      Re: In my experience...

      From my experience most phishing attacks happen after 7pm on a Friday, when everyone is out drinking and not paying proper attention to what links they're tapping on their phones :-)

  4. This post has been deleted by its author

  5. AustinTX
    Facepalm

    Joys of Using 3rd Party SMTP Server

    I use Mailgun for some community/volunteer organizations. We can send enough emails free for our purposes (newsletter, forum activity) or pay very little for a few additional thousands now and then.

    When you sign up for Mailgun's services, you are assigned one of their half-dozen or so SMTP servers. We use Mailgun only to send out email, and not to receive it, but we are still tied to a fixed SMTP server at a particular IP address, as it is the one we must send out through. Since it is our "relay" or "gateway" address, Postfix considers that IP to be a "trusted" peer "within our network", but worse, it is treated as "trusted" mail which does not get filtered. Email is still received from that address, which is normal because most customers use it for mail both ways.

    The problem is that we share that SMTP server with many other Mailgun users, and some of those other users are spammers.

    Imagine my joy upon finding one day that the server was spooling an enormous amount of email, OUTGOING email, and none at all was being delivered... We had used up our free 10k ration at Mailgun somehow, which was refusing to deliver for the rest of the month!

    I tracked the problem down to a small number of incoming emails, each with hundreds of "To:" recipients coming FROM mailgun, through our system, and then going back out through Mailgun, but thereby using our allotment and reputation.

    I don't know how the spammers matched our domain with that particular SMTP server, but it probably isn't too hard for spammers to apply for multiple accounts on Mailgun until they have one with each of the available servers. Then, they just work through a long list of domain names until they find one which accepts relay. I could do the very same, and masquerade as any other Mailgun user if I shared their SMTP gateway, using the email deliveries they were paying for after I'd burned through their free quota. I'd just need to know which SMTP gateway they were assigned, and exploit it. Anyone could grep their own server logs for email coming from Mailgun and collect a valid domain and SMTP gateway. It's practically a password to use someone else's account!

    Sadly, Mailgun Support was no help, and blamed ME for the loophole. They wouldn't even investigate who among their other users was sending spam through me, which should be a trivial task. They essentially defended the spammer and scolded me for running an open relay. But it's not an open relay. My local SMTP server rejects relay and blacklisted email all day long. But it just CAN'T reject email from that particular Mailgun SMTP server, by design of Postfix!

    I never found any proper solution to configuring Postfix, and had to resort to a firewall rule blocking all incoming traffic from our own SMTP relay server. We continue to accept email directly from the senders (except for China, Russia and all the other squirrely sources that hit our local blocklists).

  6. J. Cook Silver badge
    Boffin

    2FA won't save you, nor will Cloud services...

    For now, the only alternative is layers of unpopular and expensive authentication to protect accounts or signing up for Office 365...

    The past couple of spear phishing attempts we've seen at [RedactedCo] came from O365 clients and compromised accounts.

  7. Anonymous Coward
    Anonymous Coward

    Unnamed University

    > A single account compromise at an unnamed "major university" in the UK

    That would be Southampton.

    1. phuzz Silver badge

      Re: Unnamed University

      I felt sure that someone would have named the victim in the comments, I doubt there's a single UK uni IT department that doesn't have at least one elReg reader in it.

  8. Pascal Monett Silver badge

    Only alternative ?

    Should it not be possible to configure the mailserver to count the number of outgoing emails and block with an alert when a limit is reached?

    If your org generally sends a few emails a day, you would set the limit at, say, 50. If you get a message that said limit has been reached, you have time to check the how and why and correct things before resetting the message count (larger organizations could also evaluate their mail sending habits, but I suspect they'll have more powerful tools at their disposal).

    That should be rather simple to implement, no?

    1. Charles 9 Silver badge

      Re: Only alternative ?

      But lockouts can still be abused to create DoS attacks, especially if the intruder is patient enough to use one account as a springboard to hijack other accounts, and then use all of them at once, either to smurf under the limit or to go whole hog and block a whole bunch of them at once.
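An added example (not code from either commenter) of the outbound-count alert suggested above, extended to cover the reply's case of several hijacked accounts each staying under their own limit: it joins the authenticated user to the recipient count by queue id and raises an org-wide alert when the sum crosses a second threshold. The log lines are constructed in a Postfix-like smtpd/qmgr format, and the two thresholds are assumed values.

```python
"""Per-account and org-wide outbound recipient alerting over submission logs.
Added example, not from the thread. CONSTRUCTED_LOG is made up; its layout
mimics Postfix smtpd (who authenticated) and qmgr (nrcpt) lines, which share
a queue id."""
import re
from collections import defaultdict

CONSTRUCTED_LOG = """\
Jun 20 02:01:10 mx postfix/smtpd[201]: A1F: client=h[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@uni.example
Jun 20 02:01:11 mx postfix/qmgr[77]: A1F: from=<alice@uni.example>, size=812, nrcpt=2 (queue active)
Jun 20 02:03:40 mx postfix/smtpd[202]: B2E: client=h[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@uni.example
Jun 20 02:03:41 mx postfix/qmgr[77]: B2E: from=<bob@uni.example>, size=4020, nrcpt=400 (queue active)
Jun 20 02:04:02 mx postfix/smtpd[203]: C3D: client=h[198.51.100.9], sasl_method=PLAIN, sasl_username=carol@uni.example
Jun 20 02:04:03 mx postfix/qmgr[77]: C3D: from=<carol@uni.example>, size=4020, nrcpt=45 (queue active)
Jun 20 02:04:30 mx postfix/smtpd[204]: D4C: client=h[198.51.100.9], sasl_method=PLAIN, sasl_username=dave@uni.example
Jun 20 02:04:31 mx postfix/qmgr[77]: D4C: from=<dave@uni.example>, size=4020, nrcpt=45 (queue active)
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+, sasl_method=\S+, sasl_username=(\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)")


def recipients_per_account(log_text):
    """Join the smtpd line (sasl_username) to the qmgr line (nrcpt) by queue id.
    Returns {sasl_username: total recipients addressed}."""
    qid_user, totals = {}, defaultdict(int)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            qid_user[m.group(1)] = m.group(2)
            continue
        m = QMGR_RE.search(line)
        if m and m.group(1) in qid_user:
            totals[qid_user[m.group(1)]] += int(m.group(2))
    return dict(totals)


def alerts(totals, per_account=50, org_total=100):
    """Flag any account over its own limit, and flag the org when the sum is
    over the org limit even if every account is individually under it (the
    'several springboard accounts each under the limit' case)."""
    out = [f"ACCOUNT {u} sent to {n} recipients (limit {per_account})"
           for u, n in totals.items() if n > per_account]
    if sum(totals.values()) > org_total:
        out.append(f"ORG total {sum(totals.values())} recipients (limit {org_total})")
    return out


if __name__ == "__main__":
    for a in alerts(recipients_per_account(CONSTRUCTED_LOG)):
        print(a)
```

In practice the window (per hour or per day) matters as much as the thresholds; this block counts over whatever slice of log it is given.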


Biting the hand that feeds IT © 1998–2022