It’s Not Just Phishing – Other Ways Email Is Exploited – Part 2

On Monday we investigated five ways that your email account can be used to initiate a cyber-attack against you.  Today we finish up this article with another five email attack vectors.

  • Clickjacking – In traditional clickjacking, a malicious email link actually directs you to a malicious or impostor site.  A newer version places something that looks like a speck of dirt or a hair on the web page, and when the user tries to wipe it off the screen, the hyperlink is activated and you are taken to the targeted malicious or impostor site.  This of course only works on touch screens, but there are more of them as time goes by.
    • Solution – Be aware of these touchscreen attacks, and educate your staff to the new threat.
  • Rerouting – This is a more complex attack that requires the attacker to be able to change the target’s DNS records or poison the cache of DNS servers.  This can be done to re-route email and prevent email from being received or sent.  In most cases the email is intercepted by the attacker and used for reconnaissance or extortion purposes.
    • Solution – Freeze your DNS record with your DNS registrar.  Usually this is the company you pay for your domain name and web site hosting.  Set up automatic notification of changes to DNS information.  Again, using MFA can short-circuit attempts to log in to your DNS records account.
  • Beaconing or tracking – Using an invisible 1 pixel by 1 pixel image, an attacker can track an email user.  The tiny image usually links back to a command and control server, and the exploit can be used to determine whether you received, read, deleted, or forwarded an email, and to collect both your and your contacts’ email addresses, computer operating system, browser, and software versions.
    • Solution – Use an email client that allows you to configure anti-tracking capabilities, or read emails in text-only versions.
  • Long Con Social Engineering – There are threat actors who will engage in extended long-term social engineering campaigns to build a friendship and establish trust with their victim, often by being helpful and asking for nothing in return.  Often they will use PGP and digital signatures to “prove” their identity.  Once trust is established, the attacker can more easily convince the target to accept the scam.
    • Solution – Realize that you can’t really know someone by email alone.  Try to verify this person through third-party sources.  When presented with a digital certificate, confirm its authenticity.
  • Mailbox Rules – An attacker may be able to compromise one or more email accounts if they have access to the mail server.  Through the creation of malicious mailbox rules, rogue forms and configuration settings, they may be able to take over accounts undetected.
    • Solution – Again, 2FA or MFA can block the attacker from gaining access to the mail server and prevent this exploit from working.
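To make the beaconing item above concrete, here is an added example (not code from the original post) of the kind of check an anti-tracking email client performs: it scans an email's HTML body for remote images that are 1x1, zero-sized or hidden, reports them, and strips them so the beacon is never fetched. The sample message and the tracker.example / cdn.example hosts are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: two beacons, one inline logo, one real banner.
SAMPLE_HTML = """<html><body>
<p>Hi, see our latest offer.</p>
<img src="https://tracker.example/open.gif?uid=c0ffee" width="1" height="1">
<img src="cid:logo" width="120" height="40">
<img src="https://cdn.example/banner.jpg" width="600" height="200">
<img src="https://tracker.example/h.png" style="display:none;width:1px">
</body></html>"""


class _ImgScanner(HTMLParser):
    """Collect the attributes of every <img> tag in the HTML."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


def find_tracking_pixels(html):
    """Return remote image URLs that look like tracking beacons."""
    scanner = _ImgScanner()
    scanner.feed(html)
    hits = []
    for a in scanner.images:
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _is_tiny(a.get("width", "")) and _is_tiny(a.get("height", ""))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden or "width:1px" in style:
            hits.append(src)
    return hits


def strip_tracking_pixels(html):
    """Remove the flagged <img> tags so the client never requests them."""
    for src in find_tracking_pixels(html):
        pattern = r"<img\b[^>]*\bsrc=['\"]?" + re.escape(src) + r"['\"]?[^>]*>"
        html = re.sub(pattern, "", html, flags=re.I)
    return html
```

Legitimate images with normal dimensions are left alone; reading in text-only mode, as the post recommends, removes all remote fetches at once.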

It is important to be aware that phishing is not the only game when it comes to leveraging email for malicious purposes.  Solutions presented included longer passwords and multi-factor authentication.  The best defense may be cybersecurity awareness training for your employees.  If this is something your organization already does, it is important to keep the content current, for example by adding sections that cover the information provided in this article.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
