Handling Email Inquiries

Almost all businesses expect inquiries online. In this article from databreachtoday, that expectation was exploited by a cybercrime gang known as FIN7. On Aug 1, the Justice Department held a press conference to describe the allegations in an unsealed indictment, including that the group had targeted over 150 companies in the US and around the world.

Internet handshake

Catering companies have come to expect email orders, which often arrive with an attachment containing the order details. This makes the catering industry an ideal target for phishing. Often the cybercriminal would first call the catering point of contact to discuss the order, then follow up with the email attachment. The attachment contained malware that gave the group access to the company’s network, resulting in theft of payment card information.

Setting up the above scenario meant that the email attachment was indeed expected, and expected emails get opened. (This is similar to HR departments, which must review candidate resumes and have often been hit with malware-laden attachments.) Businesses need to respond in order to make sales, so simply not opening email attachments is not a reasonable solution. So what can you do when standard user education doesn’t prevent this type of social engineering?

Layered defenses:

  • Segment machines that receive inquiries from the payment network.
  • Implement policies that prohibit receiving orders by email and instead direct customers to upload them to a website hosted/sandboxed on a different network.
  • Enable 2FA on important accounts.
  • Detect unusual movement within or access from outside your network.
  • Detect data exfiltration.
  • Block known phishing domains.
  • Install antivirus on machines where email is opened.
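The attachment controls above (an upload site instead of a mailbox, and scanning on the machines where email is opened) both come down to deciding what an "order" file is allowed to look like before anyone opens it. The following is an added example, not code from the original post or from any product it mentions: a small triage routine for a hypothetical order-intake mailbox that allowlists extensions, refuses double extensions, checks that the content's file signature matches the extension, and rejects Office packages that carry a VBA macro project. The filenames, byte strings and the `build_ooxml` helper are constructed for the demonstration; the magic-byte prefixes and the `vbaProject.bin` part name are the real ones for these formats.

```python
import io
import zipfile
from dataclasses import dataclass

# Added example (not from the original post): triage for attachments arriving
# at a hypothetical order-intake mailbox. All sample inputs below are constructed.

# Real file signatures for the formats handled here.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"  # OOXML (.docx/.xlsx) files are ZIP containers
EXE_MAGIC = b"MZ"          # Windows PE executable header

ALLOWED = {".pdf", ".docx", ".xlsx"}
RISKY_INNER = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "msi", "jar"}


@dataclass
class Verdict:
    filename: str
    accepted: bool
    reason: str


def _extension_checks(name: str):
    """Return a rejection reason based on the filename alone, or None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "no file extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return f"extension {ext} not on the order-intake allowlist"
    if any(p in RISKY_INNER for p in parts[1:-1]):
        return "suspicious double extension"
    return None


def _ooxml_checks(ext: str, data: bytes):
    """Open the OOXML container and refuse macro-bearing or malformed packages."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not a valid ZIP container"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "document carries a VBA macro project"
    required = "word/document.xml" if ext == ".docx" else "xl/workbook.xml"
    if required not in names:
        return f"package lacks {required}"
    return None


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment may be opened or must be quarantined."""
    err = _extension_checks(filename)
    if err:
        return Verdict(filename, False, err)
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if data.startswith(EXE_MAGIC):
        return Verdict(filename, False, "content is a Windows executable")
    if ext == ".pdf":
        if not data.startswith(PDF_MAGIC):
            return Verdict(filename, False, "content does not match .pdf")
        return Verdict(filename, True, "pdf")
    # Remaining allowed extensions are OOXML packages.
    if not data.startswith(ZIP_MAGIC):
        return Verdict(filename, False, f"content does not match {ext}")
    err = _ooxml_checks(ext, data)
    if err:
        return Verdict(filename, False, err)
    return Verdict(filename, True, "office document without macros")


def build_ooxml(kind: str, with_macros: bool) -> bytes:
    """Construct a tiny stand-in OOXML package (real files contain more parts)."""
    main = "word/document.xml" if kind == "docx" else "xl/workbook.xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(main, "<root/>")
        if with_macros:
            zf.writestr(main.split("/")[0] + "/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a real-looking order, an executable renamed to .pdf,
# a double extension, a clean .docx, a macro-bearing .docx, and a .docm.
SAMPLES = [
    ("order.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("order.pdf", b"MZ\x90\x00constructed fake pdf"),
    ("order.pdf.exe", b"MZ\x90\x00"),
    ("order.docx", build_ooxml("docx", with_macros=False)),
    ("order.docx", build_ooxml("docx", with_macros=True)),
    ("order.docm", build_ooxml("docx", with_macros=True)),
]


def run_samples():
    return [triage_attachment(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for v in run_samples():
        print(("ACCEPT " if v.accepted else "QUARANTINE ") + v.filename + ": " + v.reason)
```

A check like this belongs at the boundary (the upload site or mail gateway) rather than on the user's desktop, so that a rejected file never reaches the machine from which the payment network might be reachable; it complements rather than replaces the antivirus scan, since a macro-free document can still carry an exploit.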

This is easier said than done. After all, layered defenses mean additional costs that a small business may be unable to afford.

Is training pointless?

No, of course not. An aware user is better than an ignorant user. Aware users know that they should report suspicious activity or when something seems “off” about their computer. Additionally, providing the “why we do it this way” to those on the front line will reinforce the importance of following procedure versus circumventing security controls.
