A business email compromise (BEC) scam that has netted cybercriminals at least $15 million by exploiting Office 365 services has been disclosed, as reported by Forbes. The primary concern is that the threat actor chose to use Office 365 in order to improve the likelihood of a successful attack.
To gain insight into the issue, Digital Journal caught up with Will Lasala, Security Evangelist and Senior Director of Global Security Solutions at OneSpan.
Lasala begins by looking at the main form of attack: “Social engineering is a major concern in many different industries. Often these social engineering attacks are used to gather the credentials of enterprise users with administrative access to systems, and then sell those credentials on the black market.”
He adds: “Attacks like this often occur without anyone even knowing, and then sleeper accounts are created in systems and sold on the black market for large sums. The practice of using an SMS OTP (one-time password) as a security component for administrative accounts should be stopped immediately because SMS is not secure. Instead, using push technologies with context describing what action is being taken and why is now essential when it comes to combating the rise in phishing attacks.”
In terms of how such a defence works in practice, Lasala states: “With push notifications and context (meaning the user knows what they are doing and why), if a hacker is able to socially engineer someone into giving up their username and password, when they attempt to log into the user’s account a secure push notification would be sent to the owner’s mobile device.”
In terms of corrective actions, the analyst says: “The notification would state that a new request is coming from an unknown location and is trying to access a sensitive server. This should alert the user and the access can be blocked. The time to implement these solutions is now because the technology already exists, and hackers have moved past simple SMS OTP
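The flow Lasala describes in the last two quotes (password accepted, contextual push to the owner's device, owner blocks a request they do not recognise), as an added example that is not OneSpan's or Digital Journal's code. It assumes a per-device HMAC key registered at enrollment, a 60-second challenge lifetime, a JSON encoding of the signed fields and the user, addresses and server names in the scenario; none of these come from the article. Beyond the article's scenario it also shows the two checks a practitioner would want around such a prompt: the owner's answer is bound to one challenge and to the context that was displayed, so an approval captured from a legitimate login cannot be replayed against the attacker's, and a challenge that has expired or already been answered is rejected.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    challenge_id: str
    username: str
    context: dict          # what the owner is shown: action, target, source, location
    created_at: float
    used: bool = False     # a challenge can be answered exactly once


def render_context(context: dict) -> str:
    """Text the owner sees on the phone before tapping approve or deny."""
    return f"{context['action']} to {context['target']} from {context['source_ip']} ({context['location']})"


def canonical(challenge_id: str, verdict: str, context: dict) -> bytes:
    """Stable encoding of everything the device's answer must cover."""
    return json.dumps([challenge_id, verdict, context], sort_keys=True).encode()


def device_sign(device_key: bytes, challenge_id: str, verdict: str, context: dict) -> bytes:
    """Authenticator-app side (assumed design): HMAC over challenge id, verdict and the
    displayed context, so an approval cannot be detached from the request it answers."""
    return hmac.new(device_key, canonical(challenge_id, verdict, context), hashlib.sha256).digest()


class PushApprovalServer:
    def __init__(self, ttl_seconds=60.0, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self.device_keys = {}   # username -> key registered at enrollment
        self.challenges = {}    # challenge_id -> Challenge
        self.outbox = []        # (username, challenge_id, context): stand-in for the push transport

    def enroll_device(self, username: str, device_key: bytes) -> None:
        self.device_keys[username] = device_key

    def password_step(self, username, password_ok, source_ip, location, target):
        """A correct password (the owner's, or a phished one) never grants access by itself;
        it only opens a challenge that is pushed to the owner together with its context."""
        if not password_ok or username not in self.device_keys:
            return None
        cid = secrets.token_urlsafe(16)
        context = {"action": "login", "target": target, "source_ip": source_ip, "location": location}
        self.challenges[cid] = Challenge(cid, username, context, self.clock())
        self.outbox.append((username, cid, context))
        return cid

    def push_step(self, challenge_id: str, verdict: str, signature: bytes) -> str:
        """Evaluate the device's answer: 'approved', 'denied' or 'rejected: <reason>'."""
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return "rejected: unknown challenge"
        if ch.used:
            return "rejected: challenge already answered"
        if self.clock() - ch.created_at > self.ttl:
            return "rejected: challenge expired"
        # Recompute over the context the server sent, never over anything the caller supplies.
        expected = hmac.new(self.device_keys[ch.username],
                            canonical(challenge_id, verdict, ch.context), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: signature does not match this challenge"
        ch.used = True
        return "approved" if verdict == "approve" else "denied"


def demo() -> dict:
    """Constructed scenario (not from the article): a phisher holds alice's password."""
    now = [1_000.0]
    srv = PushApprovalServer(ttl_seconds=60, clock=lambda: now[0])
    key = secrets.token_bytes(32)              # lives only on alice's phone
    srv.enroll_device("alice", key)
    out = {}
    # 1. Attacker logs in with the stolen password from an address alice does not know.
    bad = srv.password_step("alice", True, "203.0.113.7", "unknown location", "payroll-db")
    shown = srv.outbox[-1][2]
    out["prompt"] = render_context(shown)
    # Without the device key the attacker cannot answer the prompt, and alice denies it.
    forged = hmac.new(b"guess", canonical(bad, "approve", shown), hashlib.sha256).digest()
    out["forged"] = srv.push_step(bad, "approve", forged)
    out["owner_denies"] = srv.push_step(bad, "deny", device_sign(key, bad, "deny", shown))
    # 2. Alice's own login from her usual place is approved.
    good = srv.password_step("alice", True, "198.51.100.4", "Boston office", "payroll-db")
    approval = device_sign(key, good, "approve", srv.outbox[-1][2])
    out["owner_approves"] = srv.push_step(good, "approve", approval)
    # 3. A captured approval is bound to its challenge: no good for a new login or a second time.
    again = srv.password_step("alice", True, "203.0.113.7", "unknown location", "payroll-db")
    out["replayed"] = srv.push_step(again, "approve", approval)
    out["reused"] = srv.push_step(good, "approve", approval)
    # 4. A prompt nobody answered in time cannot be approved later.
    stale = srv.password_step("alice", True, "203.0.113.7", "unknown location", "payroll-db")
    now[0] += 61
    out["expired"] = srv.push_step(stale, "approve", device_sign(key, stale, "approve", srv.outbox[-1][2]))
    return out
```

The context string is the part that carries the article's argument: a prompt that says only "Approve sign-in?" gives the owner nothing to judge, while one naming the source address and the target server makes "deny" the obvious answer for a login the owner did not start. The HMAC and the one-shot, expiring challenge are this example's stand-in for whatever a real push channel provides; what they demonstrate is that the owner's approval has to be tied to one specific request, otherwise an approval given for a legitimate login could be presented again for the attacker's.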
