Page 77 - Cyber Defense eMagazine - October 2017

When Phishing Succeeds: The Alternate Inbox Method

By Michael Landewe, Co-founder, Avanan

Before you continue reading, you should check to see if your email address is one of
the millions that have already been compromised: HaveIBeenPwned.com. An attacker could
have your account password without sending you a single piece of malware or phishing
email.

What does a hacker do once they have access to your account?


As a security platform, learning about hacker behavior is a significant part of what we
do. When we deploy in a new customer's environment, we go back in time to analyze
months' worth of event behavior that might include previous attacks and currently
compromised accounts. What we have found is that the initial phish is often only the
beginning, and the real attack takes place over a much longer period of time.

Our last blog post, Post-Breach Protection: What to Do When You're Already
Compromised, gives an overview of some of this behavior and how to recognize it, but
we think it is vital we provide a much deeper explanation of some of these methods.
This is the first in a series of blogs about each of the post-breach behaviors that we use
to identify a compromised account. Because we assume that we may not see the actual
compromise event (a user loses their password in a third-party breach, for example), we
identify insider threats by both anomalous behavior and common attack behaviors.

The Alternate Inbox Method
Most attackers seek to take over a user's email account in order to perform
reconnaissance and compromise additional users, sending and receiving emails from
the victim's account in a way that avoids detection. One method is the "Alternate Inbox".

The "Alternate Inbox" method describes the tactic of using an email folder, usually the
trash folder, within a compromised email account in order to send and receive emails in
a way that is invisible to the owner.

How does it work?
Once the hacker has gained access to an email account, they create inbox routing rules
to move or delete emails containing specific terms. A term might be the subject of an email
they send to coworkers:

If subject = "Can you do me a favor?": move to trash


When the hacker sends emails with the subject "Can you do me a favor?" the original
email will be deleted along with replies. The hacker can carry on a complete
conversation from within the trash folder.
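The rule described above is also what a defender can hunt for: an enabled rule that keys on specific subject or body terms and routes the matching mail to the trash (or deletes it outright). The following Python is an added example written for this article, not Avanan's product code; it audits a constructed list of mailbox rules for that pattern and lets an analyst test whether a given subject line would be hidden. The rule record fields (subject_contains, move_to_folder, delete, and so on) are assumptions for the example, not any vendor's export schema.

```python
from dataclasses import dataclass, field
from typing import Optional

# Folders into which a compromised-account operator routes mail so the owner
# never sees it. The article's case is the trash folder; the Deleted Items
# and Junk names cover the common mail clients (assumption for this example).
HIDING_FOLDERS = {"trash", "deleted items", "junk", "junk email"}


@dataclass
class MailboxRule:
    """Simplified mailbox rule. Field names are assumptions for this example,
    not any vendor's export schema."""
    name: str
    enabled: bool = True
    subject_contains: list[str] = field(default_factory=list)
    body_contains: list[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False


def hides_message(rule: MailboxRule) -> bool:
    """True if the rule's action removes a matching message from the owner's view."""
    folder = (rule.move_to_folder or "").strip().lower()
    return rule.delete or folder in HIDING_FOLDERS


def rule_matches(rule: MailboxRule, subject: str, body: str = "") -> bool:
    """Case-insensitive substring match, mirroring a typical 'contains' condition."""
    s, b = subject.lower(), body.lower()
    return any(t.lower() in s for t in rule.subject_contains) or \
           any(t.lower() in b for t in rule.body_contains)


def audit_rules(rules: list[MailboxRule]) -> dict[str, str]:
    """Return {rule name: reason} for every enabled rule that matches on
    specific terms AND hides the message: the Alternate Inbox pattern."""
    findings: dict[str, str] = {}
    for rule in rules:
        if not rule.enabled:
            continue
        if (rule.subject_contains or rule.body_contains) and hides_message(rule):
            action = "delete" if rule.delete else f"move to '{rule.move_to_folder}'"
            terms = rule.subject_contains + rule.body_contains
            findings[rule.name] = f"{action} when message contains {terms}"
    return findings


def hidden_by(rules: list[MailboxRule], subject: str, body: str = "") -> Optional[str]:
    """Name of the first enabled rule that would hide this message, else None.
    Lets an analyst check a suspected thread subject against the rule set."""
    for rule in rules:
        if rule.enabled and hides_message(rule) and rule_matches(rule, subject, body):
            return rule.name
    return None


# Constructed sample rule set: a benign filing rule, a disabled leftover,
# and one rule built the way the article describes.
SAMPLE_RULES = [
    MailboxRule("Newsletters", subject_contains=["newsletter"],
                move_to_folder="Newsletters"),
    MailboxRule("Old disabled rule", enabled=False,
                subject_contains=["favor"], delete=True),
    MailboxRule("Favor", subject_contains=["Can you do me a favor?"],
                move_to_folder="Deleted Items"),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}: {reason}")
    # Replies keep the subject with a "RE:" prefix, so they are hidden too.
    print(hidden_by(SAMPLE_RULES, "RE: Can you do me a favor?"))
```

The filing rule is not flagged because its destination is an ordinary folder the owner still reads; the disabled rule is skipped but is still worth reviewing by hand, since an attacker can re-enable it. Run the audit against rules exported from every mailbox that has had a suspicious sign-in, not only the one that reported the phish.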



Copyright © Cyber Defense Magazine, All rights reserved worldwide.