While phishing has long been recognized as a significant security issue, Kroll’s investigations show that it is evolving to become an even greater and more personal threat. In recent engagements of Kroll’s Digital Forensics and Incident Response services, our experts have identified threat actors leveraging phishing attacks to gain access to key email and administrative level accounts, exfiltrate hundreds of gigabytes (GBs) of data, and then initiate high-pressure extortion initiatives involving clients, colleagues, senior executives, and even family members.
Recent insurance claims reveal increasing numbers of phishing attacks undertaken with the aim of extorting payments from the legitimate email accountholders.
Threat actors are increasingly evolving beyond network intrusions and ransomware attacks and building upon the financial “successes” of their criminal activity. Kroll has observed a growing trend in which threat actors target other platforms of data storage (cloud-connected network storage devices, cloud file sharing accounts, email accounts connected to document libraries, etc.): they gain access, steal (download) the data and then leverage the stolen data for extortion, just as the history of ransomware within business networks has taught them to do.
A Novel Pattern of Behavior
In this new approach, malicious actors collect credentials through a phishing attack or buy previously compromised credentials from dark net and deep web marketplaces, giving them access to the user’s email platform, which is now commonly connected to several cloud repositories, allowing exfiltration of sensitive emails/attachments, as well as contact databases. The loss of this sensitive information is then used to demand payment.
In Kroll’s experience, this new behavior generally follows a common pattern:
This is even more concerning in light of the recent Kroll threat intelligence data that shows that phishing attacks increased by 122% from January 2022 to February 2022.
The change in behavior is an evolution of the double extortion method employed by ransomware actors, in which attackers both encrypt systems and exfiltrate data to pressure victims into paying; this variant keeps the data theft but skips the technical challenges of encryption. The attack pattern benefits from the extensive use of cloud platforms, which are mostly connected under a single set of credentials, and is yet another reminder of the crucial need for multifactor authentication (MFA) and strong identity and access management (IAM) controls.
From Mining Information to Extortion
Phishing attacks are a long-established facet of cybercrime, with attackers targeting email accounts for key information that they can mine and monetize. As malicious actors continue to refine how they access email accounts, their approaches have grown more complex and sophisticated.
This technique has now advanced beyond mining the content within the email accounts to using them to access online banking (potentially issuing fraudulent wire transfers), payroll systems (for direct deposit manipulation or W-2 theft for identity fraud), and investment and crypto trading platforms, as well as social media accounts (which could inflict severe reputational damage).
In one example of this type of attack, several GBs of data, along with the victim’s entire contact database, were stolen from the victim’s email and cloud repositories connected to their professional and personal accounts. As part of their extortion efforts, the threat actors targeted the victim’s extended family, including minors, with threats to expose sensitive information about their relative.
The Rise of Cloud and Its Impact on Tactics
This development in behavior is partially fueled by the way in which organizations manage their data, specifically, their increased reliance on cloud storage solutions. Such solutions are typically available via single sign-on (SSO), so users only have to log in once and are then given access to a variety of systems under the same set of credentials. The increase in SSO usage has raised the value of business account credentials, which grant wide access to attackers when compromised.
It is also a significant shift because phishing attacks against cloud-based email systems represent a challenge for most anti-virus and endpoint protection software. Cloud systems require a different set of security controls, and there’s some confusion around the responsibilities of the client organization and those of the cloud providers. Once stolen, credentials may lead to successful authentication in the eyes of most security controls, even though the new login may come from an entirely different country.
Invisible Extortion Attacks: Challenges Ahead
This new pattern of attack highlights the need for additional security in email platforms and cloud solutions and the crucial role of MFA and IAM. Organizations must layer protections around their credentials by leveraging token- or hardware-based authentication. Additionally, beyond verifying that a login used the correct credentials and authentication code, organizations must be able to pinpoint when users who normally work from one country during business hours log in from the opposite side of the world at unusual hours.
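The kind of check described above (sign-ins from an unexpected country, outside the user’s normal hours, or at a speed that makes the travel impossible) can be run over an identity provider’s sign-in audit log. The following is an added illustration, not Kroll’s tooling or data; the user baseline, the JSON log format and the sample events are constructed, and the 900 km/h travel threshold is an assumed value.

```python
"""Flag cloud sign-ins that do not fit a user's normal country and hours.
Constructed example; the baseline, log format and events are not real data."""
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed baseline: usual country and usual working window in UTC hours.
BASELINE = {"alice@example.com": {"country": "US", "hours": (13, 23)}}

# Constructed sign-in events in the style of an identity provider audit log.
LOG_LINES = [
    '{"user":"alice@example.com","ts":"2022-03-01T14:05:00Z","country":"US","lat":40.7,"lon":-74.0,"mfa":true}',
    '{"user":"alice@example.com","ts":"2022-03-01T14:50:00Z","country":"NG","lat":6.5,"lon":3.4,"mfa":false}',
    '{"user":"alice@example.com","ts":"2022-03-02T03:10:00Z","country":"US","lat":40.7,"lon":-74.0,"mfa":true}',
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def analyze(lines, baseline, max_kmh=900.0):
    """Return (timestamp, user, reasons) for every sign-in that trips a rule."""
    last_seen = {}  # user -> (datetime, lat, lon) of the previous sign-in
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        reasons = []
        profile = baseline.get(ev["user"])
        if profile:
            if ev["country"] != profile["country"]:
                reasons.append("foreign_country")
            start, end = profile["hours"]
            if not start <= ts.hour < end:
                reasons.append("off_hours")
        prev = last_seen.get(ev["user"])
        if prev:
            km = haversine_km(prev[1], prev[2], ev["lat"], ev["lon"])
            hours = (ts - prev[0]).total_seconds() / 3600
            # Ignore small geolocation jitter; zero elapsed time counts as impossible.
            if km > 100 and (hours <= 0 or km / hours > max_kmh):
                reasons.append("impossible_travel")
        if not ev["mfa"]:
            reasons.append("no_mfa")
        last_seen[ev["user"]] = (ts, ev["lat"], ev["lon"])
        if reasons:
            alerts.append((ev["ts"], ev["user"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in analyze(LOG_LINES, BASELINE):
        print(alert)
```

The second event is flagged on three counts (wrong country, a 45-minute hop of over 8,000 km, no MFA) while the third is only off-hours, which is the kind of distinction an analyst needs to prioritise a credential-theft investigation.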
Below are ways to improve email hygiene to soften the blow:
- Archive emails every three to six months if allowable for your business needs
- Utilize password managers
- Enable MFA
- Use secure methods for sharing information and credentials
- Manage privileged access and disable legacy protocols as needed
- Provide security training to identify and report suspicious activity
Due to the slow adoption of MFA and IAM controls and the rapid adoption of cloud-based systems, Kroll anticipates an increase in the frequency and severity of these types of aggressive extortion attacks in which no encryption occurs. They require much less technical prowess from attackers and can still generate significant payouts due to the amount of and sensitivity of the data exfiltrated. While the change is concerning, there are steps that organizations can take now to mitigate some of the risks of this new pattern of behavior, starting with a re-evaluation of 10 essential cyber security controls and considering the deployment of more robust cloud security controls as part of a managed detection and response solution.