It’s Not Just Phishing – Other Ways Email Is Exploited – Part 2

On Monday we investigated five ways that your email account can be used to initiate a cyber-attack against you.  Today we finish this article with another five email attack vectors.

  • Clickjacking – In traditional clickjacking the attacker layers an invisible element, typically a transparent frame, over a page you can see, so that a click on what looks like harmless content actually activates a hidden link or button and takes you to a malicious or impostor site.  A newer variation places something that looks like a speck of dirt or a hair on the web page; when the user tries to wipe it off the screen, the touch lands on the hidden hyperlink and you are taken to the targeted malicious or impostor site.  This of course only works on touch screens, but there are more of them as time goes by.
    • Solution – Be aware of these touchscreen attacks, and educate your staff about the new threat.  If a spot on the screen appears only while a particular message or web page is open, it is part of the page, not your screen.  Website owners can also keep their pages from being framed by attackers by sending the X-Frame-Options header or a Content-Security-Policy frame-ancestors directive.
  • Rerouting – This is a more complex attack that requires the attacker to change the target’s DNS records, most importantly the MX records that say where mail for the domain is delivered, or to poison the cache of the DNS servers that look those records up.  Mail can then be re-routed so that it is never received or sent, and in most cases it is intercepted by the attacker and used for reconnaissance or extortion.
    • Solution – Lock your domain at your registrar (a registrar or transfer lock) so the records cannot be changed without extra verification.  Usually this is the company you pay for your domain name and web site hosting.  Set up automatic notification of changes to your DNS records, and periodically confirm that your MX records still point at your own mail provider.  Again, MFA on the registrar and DNS provider accounts can short-circuit attempts to log in and alter your records.
  • Beaconing or tracking – Using an invisible 1 pixel by 1 pixel image, an attacker can track an email user.  The tiny image is fetched from a server the attacker controls, usually through a URL that carries a unique identifier for you, so the request tells the attacker that you opened the email, when and how many times, your IP address, and (from the request headers) the mail client or browser, and therefore operating system and software versions, you used.  If you forward the message, the same image is fetched again from the new reader’s address.
    • Solution – Use an email client that blocks remote images by default or lets you configure anti-tracking features, or read emails in text-only mode.  Some mail services load remote images through their own proxy, which hides your IP address and software but still tells the sender that the message was opened.
  • Long Con Social Engineering – There are threat actors who will engage in extended, long-term social engineering campaigns to build a friendship and establish trust with their victim, often by being helpful and asking for nothing in return.  Often they will use PGP and digital signatures to “prove” their identity.  Once trust is established, the attacker can more easily convince the target to accept the scam.
    • Solution – Realize that you can’t really know someone by email alone.  Try to verify this person through third-party sources.  When presented with a PGP key or digital certificate, remember that a valid signature only proves the sender controls that key, not who they are; confirm the key fingerprint or certificate through an independent channel such as a phone call before treating it as proof of identity.
  • Mailbox Rules – An attacker who has gained access to a mailbox, usually with a phished or stolen password, can create malicious mailbox rules, rogue forms and configuration settings that let them keep control of the account undetected: for example, rules that silently forward copies of incoming mail to an outside address, or that delete or hide any message mentioning “password”, “invoice” or “hacked” so the victim never sees the warning signs.
    • Solution – Again, 2FA or MFA can block the attacker from logging in to the mailbox and prevent this exploit from working.  Also audit mailbox rules regularly, particularly forwarding rules pointing outside your domain, and disable automatic forwarding to external addresses where it is not needed.
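
The monitoring suggested under Rerouting can be automated.  The script below is an added example for this article, not code from the original post: it compares a fresh snapshot of a domain's MX, NS and SPF records against a known-good baseline and raises alerts on any change, including the case where an attacker merely adds a second MX with a lower preference value, which is enough to divert all incoming mail.  The domain, hosts and record values are constructed; in production the current snapshot would come from live lookups (for example with the dnspython package's dns.resolver.resolve()) run on a schedule.

```python
"""Monitor the DNS records that decide where a domain's mail is delivered.

Added example; not code from the original article. The snapshots below are
constructed. In practice the "current" snapshot would be built from live
lookups and any alert sent to the mail administrator.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailDns:
    mx: frozenset   # (preference, host) pairs; the lowest preference receives mail first
    ns: frozenset   # authoritative name servers for the domain
    spf: str        # the v=spf1 TXT record, "" if none


def make_snapshot(mx, ns, spf=""):
    """Normalise resolver output: integer preferences, lower-case hosts, no trailing dots."""
    def norm(host):
        return host.lower().rstrip(".")
    return MailDns(frozenset((int(pref), norm(host)) for pref, host in mx),
                   frozenset(norm(host) for host in ns),
                   spf.strip())


def preferred_mx(snap):
    """Host that receives mail first, i.e. the one with the lowest MX preference value."""
    return min(snap.mx)[1] if snap.mx else None


def check_mail_dns(baseline, current, trusted_mx_suffixes):
    """Compare a fresh snapshot against the known-good one.

    Returns a list of alert strings; an empty list means nothing changed.
    Adding a new MX with a *lower* preference than the real one diverts all
    incoming mail, so the preferred host is checked explicitly.
    """
    alerts = []
    for pref, host in sorted(current.mx - baseline.mx):
        alerts.append(f"MX added: {pref} {host}")
    for pref, host in sorted(baseline.mx - current.mx):
        alerts.append(f"MX removed: {pref} {host}")
    if preferred_mx(current) != preferred_mx(baseline):
        alerts.append(f"preferred MX changed: {preferred_mx(baseline)} -> {preferred_mx(current)}")
    for _, host in sorted(current.mx):
        if not any(host == s.lstrip(".") or host.endswith(s) for s in trusted_mx_suffixes):
            alerts.append(f"MX host outside trusted providers: {host}")
    if current.ns != baseline.ns:
        alerts.append("NS changed: " + ", ".join(sorted(current.ns)))
    if current.spf != baseline.spf:
        alerts.append(f"SPF changed: {current.spf!r}")
    return alerts


# Constructed sample snapshots for a hypothetical domain example.com.
BASELINE = make_snapshot(mx=[("10", "mail.example.com.")],
                         ns=["ns1.example.net.", "ns2.example.net."],
                         spf="v=spf1 mx -all")
# Same records, just returned in a different order and case by the resolver.
CURRENT_OK = make_snapshot(mx=[("10", "MAIL.example.com.")],
                           ns=["ns2.example.net.", "ns1.example.net."],
                           spf="v=spf1 mx -all")
# An attacker has slipped in a more-preferred MX and authorised it in SPF.
CURRENT_HIJACKED = make_snapshot(mx=[("10", "mail.example.com."), ("5", "relay.attacker-mail.example.")],
                                 ns=["ns1.example.net.", "ns2.example.net."],
                                 spf="v=spf1 mx include:attacker-mail.example -all")

if __name__ == "__main__":
    for alert in check_mail_dns(BASELINE, CURRENT_HIJACKED, (".example.com",)):
        print("ALERT:", alert)
```

Run against the hijacked snapshot this reports the added MX, the change of preferred host, the untrusted provider and the SPF change; against the benign snapshot it reports nothing, because hosts are normalised before comparison.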
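
To make the Beaconing or tracking bullet concrete, here is an added example (not code from the original article) that scans an HTML email for remote images that look like beacons and rewrites the message so nothing is fetched when it is rendered.  The sample message and the host names in it are constructed for the example.  It flags three tell-tale signs: a 1x1 size, an image hidden by CSS, and a URL carrying a per-recipient token, which is how the sender ties the fetch to you even when the image is a normal-sized photo.

```python
"""Find and neutralise tracking images in an HTML email.

Added example; not code from the original article. SAMPLE_MESSAGE is a
constructed message and its host names are hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({name.lower(): (value or "") for name, value in attrs})


def _pixels(value):
    """Parse '1', '1px' or ' 1 ' into an int; None when not numeric."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def find_tracking_pixels(html):
    """Return a list of {host, src, reasons} for each suspicious remote image."""
    collector = ImageCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            continue  # cid: and data: images live inside the message and cannot phone home
        reasons = []
        width, height = _pixels(img.get("width")), _pixels(img.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 size")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # A query string or a long opaque path segment is how the sender ties the fetch to you.
        if url.query or re.search(r"/[A-Za-z0-9_-]{20,}", url.path):
            reasons.append("unique token in URL")
        if reasons:
            findings.append({"host": url.hostname, "src": src, "reasons": reasons})
    return findings


IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
REMOTE_SRC = re.compile(r"""src\s*=\s*(['"])(https?://[^'"]*)\1""", re.IGNORECASE)


def neutralize_remote_images(html):
    """Blank the src of every remote image, keeping the original URL in a data attribute for review."""
    def rewrite(tag_match):
        return REMOTE_SRC.sub(r'src="" data-blocked-src="\2"', tag_match.group(0))
    return IMG_TAG.sub(rewrite, html)


# Constructed sample message: an inline logo, a hidden beacon, and a photo with per-recipient parameters.
SAMPLE_MESSAGE = """<html><body>
<p>Hello, please see the attached invoice.</p>
<img src="cid:logo@example.com" width="120" height="40" alt="logo">
<img src="https://track.example.net/o/3f9a1c2e7b5d4a6f8e0c1b2d3a4f5e6c.gif" width="1" height="1" style="display:none">
<img src="https://images.example.org/photo.jpg?u=8821&amp;c=17" width="300" height="200">
</body></html>"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_MESSAGE):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
    print(neutralize_remote_images(SAMPLE_MESSAGE))
```

The detector is only a heuristic: a beacon can be any size, so the neutraliser blanks every remote image rather than only the flagged ones, which is exactly what a "block remote images" setting in a mail client does.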

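The audit recommended under Mailbox Rules can be scripted.  The following is an added example for this article, not code from the original post: it runs over a list of inbox rules and flags the patterns attackers create after taking over an account, namely forwarding or redirecting to an external domain, deleting mail, moving it into rarely-read folders, matching security or finance keywords, and the blank or one-character rule names used to stay inconspicuous.  SAMPLE_RULES is constructed data; its field names loosely follow an inbox-rule export such as Exchange Online's Get-InboxRule output or the Microsoft Graph messageRules API, but they are an assumption, not an exact schema.

```python
"""Audit mailbox rules for the patterns attackers create after an account takeover.

Added example; not code from the original article. SAMPLE_RULES is constructed
and its field names are assumed, not taken from any product's exact schema.
"""

# Folders attackers commonly move mail into because nobody looks there.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}
# Words that suggest the rule exists to suppress warnings or capture financial mail.
SUSPECT_KEYWORDS = {"password", "invoice", "payment", "wire", "bank",
                    "hack", "phish", "suspicious", "security", "verify"}


def audit_inbox_rules(rules, internal_domains):
    """Return a list of {mailbox, rule, reasons} for every rule that looks malicious."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        reasons = []
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})

        for address in actions.get("forwardTo", []) + actions.get("redirectTo", []):
            domain = address.rsplit("@", 1)[-1].lower()
            if domain not in internal:
                reasons.append(f"forwards to external address {address}")
        if actions.get("delete"):
            reasons.append("deletes matching mail")
        folder = actions.get("moveToFolder", "")
        if folder.lower() in SUSPECT_FOLDERS:
            reasons.append(f"hides mail in '{folder}'")

        words = [w.lower() for w in conditions.get("subjectContains", []) + conditions.get("bodyContains", [])]
        hits = sorted({w for w in words if any(key in w for key in SUSPECT_KEYWORDS)})
        if hits:
            reasons.append("matches security/finance keywords: " + ", ".join(hits))

        name = rule.get("displayName", "").strip()
        if len(name) <= 1:
            reasons.append("blank or one-character rule name")

        if reasons:
            findings.append({"mailbox": rule.get("mailbox"), "rule": name or "<unnamed>", "reasons": reasons})
    return findings


# Constructed sample export for a hypothetical example.com tenant.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Reading"}},
    {"mailbox": "alice@example.com", "displayName": ".",
     "conditions": {"bodyContains": ["password", "invoice", "hacked"]},
     "actions": {"forwardTo": ["collector@freemail.example"], "delete": True}},
    {"mailbox": "bob@example.com", "displayName": "Archive finance",
     "conditions": {"subjectContains": ["wire transfer"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"mailbox": "bob@example.com", "displayName": "Copy to assistant",
     "actions": {"forwardTo": ["carol@example.com"]}},
]

if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES, {"example.com"}):
        print(f"{finding['mailbox']}: rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The two benign rules (a newsletter filter and a forward to a colleague inside the domain) produce no findings; the rule named "." that forwards outside and deletes, and the one that buries wire-transfer mail in RSS Feeds, are both reported with every reason that applies.
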
It is important to be aware that phishing is not the only game when it comes to leveraging email for malicious purposes.  The solutions presented included longer passwords and multi-factor authentication.  The best defense may be cybersecurity awareness training for your employees.  If your organization already does this, it is important to keep the content current, for example by adding sections covering the attack vectors described in this article.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com