FRENCH SUPERVISORY AUTHORITY: Three-months breaches: messaging service attacks

The “three-months breach” is a periodic publication in which the CNIL examines one security incident in detail. In this information paper, the CNIL discusses attacks on messaging services and provides recommendations on how to prevent them.

Many recent attacks have allowed attackers to break into email systems.

Even if the origin of these attacks varies, every organization is concerned, whatever its size or sector of activity. It is necessary to apply basic security measures (strong passwords, security updates, etc.) and also to make employees aware of the problem, because these attacks start from a general phishing or spear-phishing email.

So, how can they be countered?

Breach of the quarter
Attacks on messaging applications

  1. The attacker compromises the online mailbox via a phishing email that leads the user to re-authenticate, and thereby captures the username and password.
  2. The attacker exfiltrates email data to collect information about employees and/or their clients, then launches a targeted phishing email campaign.

Alternative:
Identity theft, which may lead to:

  • general phishing emails sent to the address book, or
  • false transfer orders or fraud against the president.

The initial compromise of the online mailbox

The initial compromise of an email system is most likely the result of a weak password, or of a password that has already been used on another online service that has itself been compromised.

This compromise can occur when a phishing email invites you to click on a link and log in to your mailbox: the link may lead to a “fake website” disguised as the real webmail, created by an attacker who is trying to harvest the login and password.

Possible exploits

There are many ways to exploit this type of attack, including:

Exfiltration of messaging data

This may, for example, allow the attacker to blackmail the organization, or to learn more about the relationships between employees and/or their clients and then target them through a targeted phishing email campaign.

Identity theft

which may result in:

  • the use of the address book to send general phishing emails, which are more likely to succeed because they come from a source known to the recipients;
  • fraud against the president or a false transfer order. This identity theft may allow the attacker to send, in place of an internal manager, the validation email required to execute a false transfer order, for example.

The attacker can also exploit the automatic-rule feature of the victim’s email client to create fraudulent rules in order, for example, to:

  • forward emails to a mailbox of their choosing and thereby recover sensitive data without the data subject’s knowledge;
  • delete specific messages (such as warning emails from the organization’s IT team);
  • hide the traces of the attack (for example by marking some messages as “unread”, or by creating a dedicated folder into which all messages of interest to the attacker are moved or deleted).

In the majority of cases, the attacker sets rules that detect whether the subject of an email contains specific keywords such as “payment”, “invoice” or “bank”. The attacker then only has to read those emails, look for high-value transfers and, for example, continue the attack with a fraud against the president.
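The mailbox-rule behaviour described above (keyword filters on financial terms, forwarding to an outside address, deleting or marking messages as read, moving them to a folder nobody looks at) is something a mail administrator can check for across all mailboxes. The following is an added example for that review, not code from the CNIL paper or from this article: the rule records are constructed, and the field names, internal domain and folder list are assumptions that a real deployment would map from the mail platform’s rule export.

```python
"""Flag mailbox rules of the kind attackers create after compromising an
account. Added example; sample rules, domain and folder names are assumed."""
import re

ORG_DOMAIN = "example.com"  # assumed internal domain
# keywords the CNIL paper says attackers filter on, plus a few assumed ones
FINANCIAL_KEYWORDS = {"payment", "invoice", "bank", "transfer", "iban", "wire"}
# folders attackers tend to park moved mail in (assumed list)
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk", "deleted items", "archive"}


class Rule:
    """One inbox rule: which subjects it matches and what it does with them."""

    def __init__(self, owner, name, subject_contains=(), forward_to=(),
                 delete=False, mark_as_read=False, move_to_folder=""):
        self.owner = owner
        self.name = name
        self.subject_contains = list(subject_contains)
        self.forward_to = list(forward_to)
        self.delete = delete
        self.mark_as_read = mark_as_read
        self.move_to_folder = move_to_folder


def is_external(address):
    """True when the address lies outside the organisation's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)


def analyze_rule(rule):
    """Return (severity, findings) for one rule; severity is none/medium/high."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    keywords = [k for k in rule.subject_contains if k.lower() in FINANCIAL_KEYWORDS]
    if keywords:
        findings.append("filters on financial keyword(s): " + ", ".join(keywords))
    if rule.delete:
        findings.append("deletes matching messages")
    if rule.mark_as_read:
        findings.append("marks matching messages as read")
    hidden_folder = rule.move_to_folder.lower() in HIDING_FOLDERS
    if hidden_folder:
        findings.append("moves messages to a rarely viewed folder: " + rule.move_to_folder)
    if re.fullmatch(r"[\W_]*", rule.name):
        findings.append("rule has an empty or punctuation-only name")
    # external forwarding, or a financial filter combined with any hiding action, is high
    hiding = rule.delete or rule.mark_as_read or hidden_folder
    if external or (keywords and hiding):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return severity, findings


def suspicious_rules(rules):
    """Map 'owner:rule name' to (severity, findings) for every rule worth a look."""
    report = {}
    for rule in rules:
        severity, findings = analyze_rule(rule)
        if findings:
            report[rule.owner + ":" + (rule.name or "<unnamed>")] = (severity, findings)
    return report


# Constructed sample export: two harmless rules and two that match the pattern above.
SAMPLE_RULES = [
    Rule("alice@example.com", "Team newsletters",
         subject_contains=["newsletter"], move_to_folder="Newsletters"),
    Rule("bob@example.com", ".", subject_contains=["invoice", "payment"],
         forward_to=["x9k2@mailbox-example.net"], mark_as_read=True,
         move_to_folder="RSS Subscriptions"),
    Rule("carol@example.com", "Copy to deputy",
         forward_to=["carol.deputy@example.com"]),
    Rule("dave@example.com", "Cleanup",
         subject_contains=["security alert"], delete=True),
]

if __name__ == "__main__":
    for key, (severity, findings) in suspicious_rules(SAMPLE_RULES).items():
        print(key, severity, "; ".join(findings))
```

Run it as a script to see the report; in practice the same checks would be run on a schedule over every mailbox, since the rules are created inside the victim’s account and leave no trace on the mail gateway.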

How to prevent these attacks?

By making users aware of how to use email safely:

There is a need to regularly educate users about the risks and good practices of messaging services:

  • do not open attachments or click on links in emails that are unreliable (especially when attachments have a suspicious extension such as .scr, .cab, etc.);
  • do not install any application or program whose origin is unknown;
  • avoid unsafe or illicit sites;
  • check the domain names of the emails received (is the name or extension correct and do they match the company’s official website?);
  • contact, by telephone or in person, the contacts already known to the company for the party making the request, and not those mentioned in the email received, in order to confirm any request for payment or for a change of bank details, including when the message is marked as “urgent” (president’s fraud, or FOVI);
  • maintain a list of contacts (suppliers and customers);
  • implement organizational measures to limit the specific case of fraud against the president;
  • regularly check the rules in email clients.
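Several items in the checklist above (check the sender’s domain against the company’s official one and the contact list, be wary of attachments with extensions such as .scr or .cab, and confirm urgent payment or bank-detail requests by phone with a known contact) can be turned into a first-pass triage of inbound mail. The code below is an added example, not from the CNIL paper or this article: the messages and domain lists are constructed, and the edit-distance threshold and the extensions beyond .scr/.cab are assumptions.

```python
"""Triage an inbound message against the awareness checklist: known or
lookalike sender domain, risky attachment, urgent payment request.
Added example; sample messages, domain lists and thresholds are assumed."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                             # assumed
KNOWN_DOMAINS = {COMPANY_DOMAIN, "supplier-example.org"}   # maintained contact list (assumed)
# .scr and .cab come from the checklist; the rest are assumed additions
RISKY_EXTENSIONS = {".scr", ".cab", ".exe", ".js", ".vbs", ".bat", ".lnk", ".iso", ".hta"}
URGENCY_WORDS = {"urgent", "immediately", "asap", "today"}
PAYMENT_WORDS = {"transfer", "wire", "iban", "bank details", "payment", "invoice"}


def levenshtein(a, b):
    """Classic edit distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return ('known', d), ('lookalike', imitated d) or ('unknown', None)."""
    domain = domain.lower()
    for known in KNOWN_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return "known", known
    for known in KNOWN_DOMAINS:
        # compare the first label only (approximation of the registrable name)
        base, known_base = domain.split(".")[0], known.split(".")[0]
        if levenshtein(base, known_base) <= 2 or (known_base in base and base != known_base):
            return "lookalike", known
    return "unknown", None


def triage(msg):
    """Return {'findings': [...], 'verdict': 'ok'|'review'|'verify'|'escalate'}."""
    findings = []
    escalate = verify = False
    _, address = parseaddr(msg["from"])
    domain = address.rsplit("@", 1)[-1]
    kind, ref = classify_domain(domain)
    if kind == "lookalike":
        findings.append(f"sender domain {domain} imitates known domain {ref}")
        escalate = True
    elif kind == "unknown":
        findings.append(f"sender domain {domain} is not on the contact list")
    for name in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has a risky extension {ext}")
            escalate = True
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent payment or bank-detail request: confirm by phone "
                        "with a known contact, not with the sender")
        verify = True
    if escalate:
        verdict = "escalate"
    elif verify:
        verdict = "verify"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"findings": findings, "verdict": verdict}


# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"from": "Accounts <billing@supplier-example.org>", "subject": "Invoice 1042",
     "body": "Please find attached our invoice for February.",
     "attachments": ["invoice_1042.pdf"]},
    {"from": "Jean Dupont <j.dupont@exarnple.com>", "subject": "URGENT: wire transfer today",
     "body": "Our bank details changed, use the new IBAN below and pay immediately.",
     "attachments": []},
    {"from": "HR <hr@example.com>", "subject": "Your payslip",
     "body": "See attached.", "attachments": ["payslip.scr"]},
    {"from": "news@news-site.net", "subject": "Weekly digest",
     "body": "Here is what happened this week.", "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", triage(m))
```

The “verify” verdict deliberately does not say the message is malicious: a genuine supplier may well send an urgent invoice. It only encodes the checklist’s instruction that the request be confirmed through a channel the company already knows.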

The awareness of the security teams, and of the teams administering office environments, is also paramount.

By implementing appropriate technical measures:

To limit the risk of attacks on internal mail servers or on access to online mail, it is advisable to:

Keep informed of, and follow, the information disseminated by CERT-FR, including alerts and security notices;

Update antivirus and mail servers:

  • as updates become available;
  • whenever CERT-FR stresses the urgency of applying security patches (e.g. the vulnerabilities discovered on Microsoft Exchange servers in 2021);
  • via the official websites of software publishers.

If the messaging software vendor’s patches cannot be applied immediately after a vulnerability is disclosed, deploy the interim workarounds proposed by the vendor, including:

  • block unaudited connections that can reach the mail servers, or place the servers behind a VPN so that they are no longer directly exposed on the Internet;
  • restrict external access;

Implement solutions to check for indicators of compromise (IoCs) related to the attackers’ modus operandi, which can be downloaded from the CERT-FR website.

Set up a dedicated email address for internal use only, allowing employees to report emails they identify as malicious.

  • ask users to use distinct passwords of sufficient complexity;
  • establish procedures for managing access rights and reviewing them regularly: remove access when an employee leaves, and disable the mailbox and any associated email forwarding rules;
  • favor the use of a standard user account on workstations rather than an administrator-type privileged account, in order to limit the risk of propagation in the event of an attack;
  • check external connections: make sure Wi-Fi access points are protected.
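The rights-management items above (remove access and forwarding rules when an employee leaves, review rights regularly, keep daily-use accounts unprivileged) lend themselves to a periodic automated review. The following is an added example, not from the CNIL paper or this article: the directory export and the HR leaver list are constructed, their field names are assumptions, and so is the 90-day dormancy threshold.

```python
"""Periodic rights review: leavers whose mailbox or forwarding is still
active, dormant accounts, and daily-use accounts holding admin rights.
Added example; directory export, HR list and thresholds are constructed."""
from datetime import date

DORMANT_DAYS = 90  # assumed threshold for "no recent login"

# Constructed directory export (one record per mailbox; field names assumed).
ACCOUNTS = [
    {"user": "alice@example.com", "enabled": True, "last_login": date(2024, 2, 28),
     "forward_to": [], "local_admin": False},
    {"user": "bob@example.com", "enabled": True, "last_login": date(2023, 10, 2),
     "forward_to": ["bob.personal@mailbox-example.net"], "local_admin": True},
    {"user": "carol@example.com", "enabled": False, "last_login": date(2023, 12, 1),
     "forward_to": ["carol.deputy@example.com"], "local_admin": False},
    {"user": "dave@example.com", "enabled": True, "last_login": date(2024, 2, 20),
     "forward_to": [], "local_admin": True},
]
# Constructed HR list: user -> last working day.
LEAVERS = {"bob@example.com": date(2023, 12, 31), "carol@example.com": date(2023, 12, 15)}
REVIEW_DATE = date(2024, 3, 1)  # constructed date of this review


def review_account(acct, leavers, today):
    """Return the list of findings for one account (empty when it is in order)."""
    findings = []
    left_on = leavers.get(acct["user"])
    if left_on is not None and left_on <= today:
        days_gone = (today - left_on).days
        if acct["enabled"]:
            findings.append(f"left {days_gone} days ago but mailbox is still enabled")
        if acct["forward_to"]:
            # forwarding survives even on a disabled mailbox, so check it regardless
            findings.append("forwarding still active after departure: "
                            + ", ".join(acct["forward_to"]))
    if acct["enabled"]:
        idle = (today - acct["last_login"]).days
        if idle > DORMANT_DAYS:
            findings.append(f"no login for {idle} days (dormant account)")
    if acct["local_admin"]:
        findings.append("daily-use account holds local administrator rights")
    return findings


def rights_review(accounts, leavers, today):
    """Map each user with at least one finding to its list of findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, leavers, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in rights_review(ACCOUNTS, LEAVERS, REVIEW_DATE).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

The forwarding check is run even for disabled mailboxes on purpose: disabling a login does not necessarily remove a server-side forwarding rule, so mail addressed to a former employee can keep leaving the organization unless the rule itself is deleted.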

What to do in case of attack?

Since reaction time is essential to limit the consequences of these attacks, an adequate organization must be in place beforehand.

Understand the origin of the attack in order to limit its effects

When an attack occurs, it is essential to communicate with the different teams, both internal and external, in order to manage its consequences.

Inform data subjects

To prevent the attack from spreading and the recipients of the messages from facing the same difficulties, they must be informed as soon as possible so that they can, in particular:

  • disregard the emails previously received;
  • take all necessary measures if they have already responded (change of password, objection, etc.).

Document the breach and inform the CNIL

If the attack is likely to result in a risk to the rights and freedoms of the data subjects, the data controller shall:

  • record the breach in its breach register;
  • notify the breach to the CNIL within 72 hours (Article 33 of the GDPR).

If the risk is high, the data controller shall also inform the data subjects of the possible consequences (phishing, reuse of their email headers and contact details, etc.).

SOURCE: FRENCH DATA PROTECTION AUTHORITY – CNIL
