Baddies just need one email account with clout to unleash phishing hell

A single account compromise at an unnamed "major university" in the UK led to a large-scale phishing attack against third parties, according to data protection outfit Barracuda Networks. With one account in their pocket, the attackers used it to compromise modest numbers at the same institution, after which they were turned …

  1. Anonymous Coward

    blockchain email ?

    There's always the possibility of setting up a blockchain to propagate email. You'd need to pay to do it, but ISPs could oversee the system and allow users a set amount of "free" emails before you need to actually fork out the dosh.

    Might prevent mass-spamming.

    Never happen, of course. But the fact there are ways of dealing with the problem, and the continued existence of the problem suggests there's something else going on.

    1. Charles 9

      Re: blockchain email ?

      Nope, because what's happening is account hijacking. Who cares about e-mail costs when you're using someone else's account (and thus someone else's dime)? As the article notes, it's hard to guard against sufficiently-disguised impersonators.

  2. Anonymous Coward

    UK Unis are an easy target. None of them use 2FA

    1. Alan Brown Silver badge

      "UK Unis are an easy target. None of them use 2FA"

      A lot of the attacks I see "from" UK Unis are spoofed, not hacked.

      The difference being that they don't come from the account they say they come from.

      1. john.jones.name

        outsourced...

        The problem is that some UK unis have outsourced their mail, lock, stock and barrel, to Microsoft and Google etc., so they don't really have control...

        If they retained their MX, they would have the ability to implement DNSSEC and DMARC to not only DENY but RECORD who is spoofing them.

        Ironically, Microsoft consume DMARC but don't send it out... you know it's good when Microsoft will use it for their own microsoft.com domain but refuse to help others...

        DNSSEC would prevent DNS spoofing, and combined with DMARC it gives a nice authenticated trail which you can still use Outlook and Gmail with... you just have to control the incoming...
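As an added illustration of the DMARC side of the comment above (example code written for this page, not the commenter's code nor any university's configuration): a minimal evaluator for a DMARC TXT record that checks SPF/DKIM identifier alignment the way RFC 7489 describes, returns the disposition a receiver would apply, and pulls out the `rua` address that aggregate reports about spoofing would go to. The record, domains and public-suffix table are constructed placeholders (example.ac.uk is not a real deployment), and the suffix table is a deliberate simplification of the full Public Suffix List; the `pct` sampling tag is parsed but not applied.

```python
"""Minimal DMARC (RFC 7489) record parser and disposition evaluator.

Added example with constructed inputs. PUBLIC_SUFFIXES is a stand-in for
the real Public Suffix List, which a production receiver must use.
"""
from dataclasses import dataclass

# Simplified public-suffix table (assumption); enough for .ac.uk examples.
PUBLIC_SUFFIXES = {"ac.uk", "co.uk", "uk", "com", "org", "net"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into tags and fill RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment by default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def report_addresses(record: str) -> list:
    """Where aggregate reports (the 'RECORD who is spoofing you' part) go."""
    rua = parse_dmarc(record).get("rua", "")
    return [u.strip() for u in rua.split(",") if u.strip()]


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class AuthResult:
    header_from: str   # domain of the RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # MAIL FROM domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the validated signature, "" if none


def evaluate(record: str, r: AuthResult) -> tuple:
    """Return ("pass"|"fail", disposition) for one message."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Spoof of a subdomain falls under sp=, of the org domain itself under p=.
    is_org = r.header_from.lower() == org_domain(r.header_from)
    return "fail", tags["p"] if is_org else tags["sp"]


if __name__ == "__main__":
    # Constructed record for a placeholder university domain.
    rec = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.ac.uk; adkim=s; aspf=r"
    spoof = AuthResult("example.ac.uk", "pass", "phish.example.com", "pass", "phish.example.com")
    print(evaluate(rec, spoof), report_addresses(rec))
```

The spoof case is the one that matters for the thread: SPF and DKIM both *pass* for the attacker's own domain, and it is only the alignment check against the From: header that turns that into a reject and a line in the aggregate report.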

    2. navidier

      N-1 UK Unis don't use 2FA

      > UK Unis are an easy target. None of them use 2FA

      Mine does; I'm told it works pretty well.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: N-1 UK Unis don't use 2FA

        Which uni is that?

        1. navidier

          Re: N-1 UK Unis don't use 2FA

          > Which uni is that?

          OK, I'm giving myself away here...

          Brunel University London -- we have some very paranoid^Wprofessional IT security personnel.

    3. Chris King

      Quite a few do, and more are considering it.

  3. Anonymous Coward

    In my experience...

    "The incident contains a curious irony: third parties seem to have recognised the malicious campaign before the infected organisation, or at least before it reacted to block it."

    From what I have seen for multinational companies, the attacks deliberately occurred outside the victim's working day (i.e. between 1AM and 5AM in the victim's time zone) to allow as much mayhem as possible.

    While we were able to detect the issue relatively quickly (within 60 minutes of the initial compromise), we weren't lucky enough to have vigilant third parties: convincing the third parties we were part of the affected company (in spite of providing multiple forms of ID) was significantly harder than using the initial online tools and "telephone verification" that the third party used to allow the initial changes (i.e. reset account password, update primary account owner details to new e-mail address/contact name; the third party then used the new contact phone number to verify the changes were valid...) and then cause mischief from there.

    I would imagine that an organisation that doesn't typically provide 24/7 support to users would take longer to notice in similar conditions.

    Real 2FA would have addressed the initial entry point for the attacks, as it was done via clever (but not hard to reproduce) spear-phishing.

    TL;DR? If you depend on e-mail and on-line services for your business, make sure you have strong authentication, i.e. real 2FA.

    1. Anonymous Coward

      Re: In my experience...

      Hate to think, though, what would happen if someone important LOSES their second factor in a critical time. I mean, I know people who routinely lose their keys...

      1. DropBear

        Re: In my experience...

        "Hate to think, though, what would happen if someone important LOSES their second factor in a critical time."

        With something like TOTP at least it should be trivial to re-commission any available piece of hardware as a clone of the original, assuming the original commissioning secret was kept safe somewhere. This of course leaves open the non-trivial questions of what happens if said VIP is not within assistance range of their IT department at that time, and also who exactly has access to said archived seed secret...
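The re-commissioning DropBear describes works because TOTP (RFC 6238) derives every code from the shared seed and the clock alone. As an added example, not part of the thread: a minimal TOTP implementation that re-provisions a second "device" from an archived base32 seed and shows it produces the same codes as the original, plus the verifier-side check with a one-step clock window. The seed is the RFC 6238 test-vector secret, and storing the archive as base32 is an assumption. The same property is why the archived seed needs the protection the comment asks about: anyone holding it can mint valid codes.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226), HMAC-SHA1, 6 digits, 30 s step.

Added example. SEED is the RFC 6238 test-vector secret, not a real token.
"""
import base64
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"            # RFC 6238 SHA-1 test secret
ARCHIVED_SEED = base64.b32encode(SEED).decode()  # what IT would have kept


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Code for Unix time `at`: the HOTP counter is the 30-second step index."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew."""
    base = at // step
    return any(hmac.compare_digest(hotp(secret, base + skew, digits), code)
               for skew in range(-window, window + 1))


def provision_from_archive(seed_b32: str) -> bytes:
    """Re-commission any device from the archived seed (assumed base32 form)."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    now = int(time.time())
    clone = provision_from_archive(ARCHIVED_SEED)
    # Original and clone agree at every instant: that is the whole point,
    # and also why the archive is as sensitive as the token itself.
    print(totp(SEED, now), totp(clone, now), verify(SEED, totp(clone, now), now))
```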

    2. Mattknz1
      Pint

      Re: In my experience...

        From my experience most phishing attacks happen after 7pm on a Friday, when everyone is out drinking and not paying proper attention to what links they're tapping on their phones :-)

  4. This post has been deleted by its author

  5. AustinTX
    Facepalm

    Joys of Using 3rd Party SMTP Server

    I use Mailgun for some community/volunteer organizations. We can send enough emails free for our purposes (newsletter, forum activity) or pay very little for a few additional thousands now and then.

    When you sign up for Mailgun's services, you are assigned one of their half-dozen or so SMTP servers. We use Mailgun only to send out email, and not to receive it, but we are still tied to a fixed SMTP server at a particular IP address, as it is the one we must send out through. Since it is our "relay" or "gateway" address, Postfix considers that IP to be a "trusted" peer "within our network", but worse, it is treated as "trusted" mail which does not get filtered. Email is still received from that address, which is normal because most customers use it for mail both ways.

    The problem is that we share that SMTP server with many other Mailgun users, and some of those other users are spammers.

    Imagine my joy upon finding one day that the server was spooling an enormous amount of email, OUTGOING email, and none at all was being delivered... We had used up our free 10k ration at Mailgun somehow, which was refusing to deliver for the rest of the month!

    I tracked the problem down to a small number of incoming emails, each with hundreds of "To:" recipients, coming FROM Mailgun, through our system, and then going back out through Mailgun, but thereby using our allotment and reputation.

    I don't know how the spammers matched our domain with that particular SMTP server, but it probably isn't too hard for spammers to apply for multiple accounts on Mailgun until they have one with each of the available servers. Then, they just work through a long list of domain names until they find one which accepts relay. I could do the very same, and masquerade as any other Mailgun user if I shared their SMTP gateway, using the email deliveries they were paying for after I'd burned through their free quota. I'd just need to know which SMTP gateway they were assigned, and exploit it. Anyone could grep their own server logs for email coming from Mailgun and collect a valid domain and SMTP gateway. It's practically a password to use someone else's account!

    Sadly, Mailgun Support was no help, and blamed ME for the loophole. They wouldn't even investigate who among their other users was sending spam through me, which should be a trivial task. They essentially defended the spammer and scolded me for running an open relay. But it's not an open relay. My local SMTP server rejects relay and blacklisted email all day long. But it just CAN'T reject email from that particular Mailgun SMTP server, by design of Postfix!

    I never found any proper solution to configuring Postfix, and had to resort to a firewall rule blocking all incoming traffic from our own SMTP relay server. We continue to accept email directly from the senders (except for China, Russia and all the other squirrely sources that hit our local blocklists).

  6. J. Cook Silver badge
    Boffin

    2FA won't save you, nor will Cloud services...

    For now, the only alternative is layers of unpopular and expensive authentication to protect accounts or signing up for Office 365...

    The past couple spear phishing attempts we've seen at [RedactedCo] came from O365 clients and compromised accounts.

  7. Anonymous Coward

    Unnamed University

    > A single account compromise at an unnamed "major university" in the UK

    That would be Southampton.

    1. phuzz Silver badge

      Re: Unnamed University

      I felt sure that someone would have named the victim in the comments, I doubt there's a single UK uni IT department that doesn't have at least one elReg reader in it.

  8. Pascal Monett Silver badge

    Only alternative ?

    Should it not be possible to configure the mailserver to count the number of outgoing emails and block with an alert when a limit is reached ?

    If your org generally sends a few emails a day, you would set the limit at, say, 50. If you get a message that said limit has been reached, you have time to check the how and why and correct things before resetting the message count (larger organizations could also evaluate their mail sending habits, but I suspect they'll have more powerful tools at their disposal).

    That should be rather simple to implement, no ?
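As an added example of the counting check proposed above (not the commenter's code, and not anything Postfix ships), run against a few constructed Postfix `qmgr` log lines: it sums recipients per envelope sender over a sliding one-hour window and raises one alert when a sender crosses the limit, leaving the reset to the operator as the comment suggests. Counting recipients rather than messages is what also catches the pattern AustinTX describes further up, a handful of messages each carrying hundreds of To: addresses. The log lines, sender domain and threshold are constructed; the year is assumed because syslog timestamps omit it.

```python
"""Outbound-volume alert over Postfix qmgr 'queue active' log lines.

Added example with constructed log lines; example.ac.uk is a placeholder.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice's account sends two bulk messages at 2 AM.
SAMPLE_LOG = """\
Mar  1 02:13:05 mx postfix/qmgr[2134]: 4F3A1B: from=<alice@example.ac.uk>, size=2345, nrcpt=1 (queue active)
Mar  1 02:13:09 mx postfix/qmgr[2134]: 4F3A2C: from=<bob@example.ac.uk>, size=9801, nrcpt=2 (queue active)
Mar  1 02:14:51 mx postfix/qmgr[2134]: 4F3A3D: from=<alice@example.ac.uk>, size=14302, nrcpt=180 (queue active)
Mar  1 02:15:02 mx postfix/qmgr[2134]: 4F3A4E: from=<alice@example.ac.uk>, size=14302, nrcpt=220 (queue active)
Mar  1 02:15:40 mx postfix/qmgr[2134]: 4F3A5F: from=<>, size=3100, nrcpt=1 (queue active)
Mar  1 03:20:00 mx postfix/qmgr[2134]: 4F3B01: from=<bob@example.ac.uk>, size=1200, nrcpt=1 (queue active)
"""

# Matches the standard qmgr line; nrcpt is the recipient count per message.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_qmgr(lines, year=2018):
    """Yield (timestamp, queue id, envelope sender, recipient count)."""
    for line in lines:
        m = QMGR_RE.search(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])          # collapse 'Mar  1'
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["qid"], m["sender"] or "<>", int(m["nrcpt"])


def find_bursts(lines, limit=50, window=timedelta(hours=1)):
    """Alert once per sender whose recipients in the window exceed `limit`.

    Returns [(sender, queue id that tipped it over, timestamp, total)].
    """
    recent = defaultdict(deque)   # sender -> deque of (ts, nrcpt)
    totals = defaultdict(int)     # sender -> recipients inside the window
    alerted = set()
    alerts = []
    for ts, qid, sender, nrcpt in parse_qmgr(lines):
        q = recent[sender]
        q.append((ts, nrcpt))
        totals[sender] += nrcpt
        while q and ts - q[0][0] > window:     # slide the window forward
            totals[sender] -= q.popleft()[1]
        if totals[sender] > limit and sender not in alerted:
            alerted.add(sender)                # operator resets, per the comment
            alerts.append((sender, qid, ts, totals[sender]))
    return alerts


if __name__ == "__main__":
    for sender, qid, ts, total in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M} ALERT {sender}: {total} recipients in 1h (queue id {qid})")
```

Hooking this to an actual block is a separate step (a policy-service reply or a temporary `smtpd_sender_restrictions` entry), and Charles 9's point below applies to that step: whatever the limit blocks can also be tripped deliberately.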

    1. Charles 9

      Re: Only alternative ?

      But lockouts can still be abused to create DoS attacks, especially if the intruder is patient enough to use one account as a springboard to hijack other accounts, and then use all of them at once, either to smurf under the limit or to go whole hog and block a whole bunch of them at once.
