Emergence of Business Email CompromiseInnefu's Tarun Wig on the Latest Phishing Schemes
Indian companies increasingly are victims of business e-email compromise, as hackers leverage social media networks and perform phishing attacks.
See Also: Why CASBs Matter to Cloud Security
"It's time CISOs of large Indian enterprises believed that their businesses could be a recipient of a compromised e-mail, leading to a scam. This is linked to many other forms of fraud," says Tarun Wig, co-founder of Delhi-based Innefu Labs, a research-oriented security group that has been working closely with medium and large enterprises.
"We find every second Indian organization, be it medium or large, is the victim of the email phishing attacks," he says
Wig says that over 39 percent of all hacks in India happen via phishing email. The victims are generally high-level executives at medium and large organizations.
In this interview with Information Security Media Group, Wig suggests a few essential steps for CISOs to maintain the hygiene factor in their organization. He also discusses:
- The aftermath of a breach;
- The categories of e-mail scams;
- Methods of protection.
Wig is an entrepreneur with a decade of outstanding work in building, growing and leading high-performing start-ups in India. Now, he is involved at Innefu Labs, which is a research-oriented information security group. Before Innefu, he co-founded two companies, Appin Knowledge Solutions and Appin Security Group that received a combined valuation of over INR 140 million by Valpro (a leading PE firm.) Wig created the entire framework for the "MASE - Information Security and Ethical Hacking" course launched by the Manipal Group.
Business Email Compromise
GEETHA NANDIKOTKUR: Of late, there have been many major business email compromises in the country. Is this the next challenge in terms of information security?
TARUN WIG: The business email compromise is a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments. While this is second nature in today's digital world, because of all the inherent advantages it affords, it provides a dated written record which can be easily located and reviewed at any time. This single most important repository is the next challenge of information security, given that the hackers have realized that nothing can be extracted with perimeter security. The hackers understand that it is the weakest link in the large enterprises that can be attacked using the social media network and phishing email. It is said that about 39 percent of all hacking attacks in India happen via phishing email, which is a big concern for large enterprises.
The Aftermath of a Breach
NANDIKOTKUR: How and what happens when an email account is hacked?
WIG: The BEC is a global scam whose victims are spread across various geographies. It is not clear how the victims are selected. However, we do know that victims are monitored before the BEC scam is initiated.
The subjects are able to accurately identify the individuals and the protocol necessary to perform wire transfers within specific business environments. Generally, they target the heads or decision makers in large enterprises. Victims may first receive "phishing" e-mails requesting additional details of the business or individual being targeted. Some victims reported having various scareware or ransomware cyber intrusions, before a BEC scam.
In one instance, an Indian organization was working on a large project with a client in Canada. Since they were old partners, invoices were usually cleared within one month of delivery. However, in this particular case, an invoice of $ 1.5 million was not cleared in the stipulated time. On reminding the client, they were informed that the invoice had been cleared almost 15 days prior and told that the early payment was made on the behest of the organization.
The Canadian client showed bank deposit slips, the invoice and multiple mails coming from their email ID requesting for an early release. On investigating, a separate trail of mail showed requests for change of bank accounts for 'auditing' purposes. Though the emails had come from the same email ID, they did not originate from any of the organization's systems. One of their accounts had been hacked; the hacker had sent mails requesting a change in bank accounts and communicated with the client on the matter. These mails were then deleted from the inbox. So, a simple hack cost the company $ 1.5 million. In another case, the CEO of an organization was blackmailed into paying $40,000 to hackers who had found certain compromising pictures of the CEO in his email.
Such cases are just the tip of the iceberg. Email hacking is the latest and probably one of the biggest challenges of information security. It targets the weakest link in the IT Security landscape - a non-aware user. Most of the banks where these illegitimate funds are transferred are located in China and Hong Kong.
Email Scam Categories
NANDIKOTKUR: Where does India stand in this matter? Can you pinpoint any categories?
WIG: While the targets are usually high-level executives at medium and large-sized organizations, I have seen two types of business email compromise scams:
- Mail Compromise: Hackers hack into the mail ID's of those in the finance department via simple phishing scams wherein the victim is asked to change his username and password (from mails that pretend to originate from the IT department.)
- Spoofing: A hacker impersonates an executive from a company (a reseller or distributor) that has a pre-existing corporate relationship with the targeted organization. The spoofed sender information uses domain names that closely resemble the corporate domain names of the organization that is being impersonated
NANDIKOTKUR: How do CISOs tackle these email discrepancies and protect themselves from scams?
WIG: CISOs have a major responsibility to address this growing challenge. Key steps to follow to maintain hygiene in the organization and protect their businesses from email compromises are:
Sensitize employees to these scams and ensure that any suspicious mail or activity is reported to the IT Team.
Integrating a two-factor authentication with their mail exchange servers. This was difficult in the past as, using a VPN and publishing the mail server behind it was the only solution. This severely impacted the functionality of downloading mails on Outlook or on a phone. It is important to map the physical identity of the user to the server as a password can be compromised but this second factor of authentication cannot be accessed. Digital signatures can validate the authenticity of emails.
CISOs should be cautious about the sudden changes in business practices and the communication pattern of the top management.