Dangers of the Supply Chain - Zero Trust Mindset

Dangers of the Supply Chain - Zero Trust Mindset

Description of zero-trust phishing attacks

In recent weeks, the Information Security Team have noted a significant increase in email supply chain attacks targeting the University.

These attacks are a dangerous form of phishing whereby an attacker will either impersonate or compromise the email account of a known supplier or associate.

For example, you receive an email from a known service provider with the usual invoice attached. However, the account has been compromised and the invoice has been edited with fraudulent payment details.

In addition to financial fraud, the goal of these attacks can include account theft, unauthorised access to data, or deployment of ransomware.

The consequences to organisations and individuals can be devastating.

Below we explore some of the techniques used by attackers and what you can do to help stop them.

 How the attack works:

Email supply chain attacks are generally carried out in one of two ways:

  • Impersonation – The attacker conducts research on the target organisation to identify relationships between business or individuals.

These can be relationships with suppliers or internal relationships such as employee/line manager or members of the same team.

Once a relationship is identified, the attacker will create a free email account, set the display name to match the person they are impersonating, and email the target. The content of the initial email will usually be vague, such as asking if the recipient is free.

If a response is received, the attacker knows the recipient has not noticed the spoof and can now conduct their attack.

This type of attack is known as “Spoofing”. You can read more on this in our previous article here. 

  • Account Compromise – Exploiting compromised accounts belonging to smaller businesses or individuals (who may not have the budget or ability to use advanced cyber defence tools), can allow attackers to circumvent the defences of larger organisations.

The attacker may not immediately have a plan for the compromised account, however, once inside they can access all historical email conversations and related attachments. This allows them to research any significant email chains.

In particular, they will be looking for anything related to payments or billing, potentially with attached invoices. Once an appropriate email chain is found, they can amend payment details on genuine invoices and reply directly to existing email chains, as a known and trusted previous contact of the recipient.

This trust can also be exploited in other ways, such as convincing the recipient to provide information/data or to download malware.

Attackers will hide their presence in the compromised mailbox by creating inbox rules to hide any replies from the genuine mailbox owner. 

How you can help prevent an attack: 

  • Trust no one!
    • Be extremely cautious of any emails requesting payments of any kind, even if they are from colleagues or other previous contacts.
    • Be particularly wary if the sender tries to create a sense of urgency, even if the email is from an authority figure.
    • Look out for any old email conversations being resurrected, this may be an attempt to abuse trust. 
  • Use the official Microsoft Authenticator App for MFA:
    • Several 2nd factor authentication methods are available, including phone call and SMS message codes. However, using the official Microsoft Authenticator app affords greater protection by providing detailed information on the person attempting to access your account, including location. This allows account owners to verify or deny login attempts with greater confidence.
    • It also provides number matching, which requires you to enter a number displayed on the login screen into the application. This helps to prevent attackers exploiting MFA fatigue.
    • Never accept an unexpected MFA prompt. 
  • Report any suspected compromise immediately:
    • This will help us prevent the situation escalating further. 

See out previous article on the Anatomy of a Phish, detailing a successful phishing attack against the University.

For further guidance, see our previous news bulletins on Phishing, Social Engineering, Malware, and Passwords.

 

Search News

Browse by Month

2024

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May There are no items to show for May 2024
  6. Jun There are no items to show for June 2024
  7. Jul There are no items to show for July 2024
  8. Aug There are no items to show for August 2024
  9. Sep There are no items to show for September 2024
  10. Oct There are no items to show for October 2024
  11. Nov There are no items to show for November 2024
  12. Dec There are no items to show for December 2024

2013

  1. Jan There are no items to show for January 2013
  2. Feb There are no items to show for February 2013
  3. Mar
  4. Apr
  5. May
  6. Jun
  7. Jul
  8. Aug
  9. Sep
  10. Oct
  11. Nov
  12. Dec