Trusted third-party Phish is the Catch of The Day
To prevent phishing, we warn users not to click suspicious email links and not to open email from unsolicited senders, and email security solutions add filtering based on sender identity and reputation. But what happens when a trusted sender's account is compromised? Can an attacker use that access to send email as if they were that trusted sender?
According to Microsoft, this is exactly what happened in the latest round of attacks attributed to the Nobelium hacking group. Researchers from Microsoft and Volexity found that Nobelium had gained access to a Constant Contact user account and used it to send phishing emails to more than 7,000 people.
The account the intruders obtained was a legitimate employee account at USAID, the US government agency that supports humanitarian efforts around the world. The attackers sent email links disguised by Constant Contact's legitimate link feature, which then redirected to malicious content hosted on additional attacker infrastructure.
Market share, brand, and trust used to enhance attacks
For the second consecutive month, we are seeing a threat actor use market penetration, reputation, and perception to increase the likelihood of a breach. The legitimacy of USAID's account gives Nobelium's email messages authenticity and credibility, which increases the chance that someone will open them.
Constant Contact is trusted as an email sender by many well-known brands, and the email came from a USAID account, which further increased the chances that recipients would open it. As with other attacks, it was the group's ambition that hampered its campaign: although many messages were sent simultaneously in the most recent wave, email security controls still did not prevent delivery of some of them, and the attacker had months to experiment before that.
Gaining and maintaining customer trust is increasingly important as a competitive advantage. However, attackers can use that same trust to increase the success of their campaigns.
Email Trust Relationship Has To Change
Email's ubiquity, and our willingness to trust it, are the biggest problems. Email is a universal medium that attackers can exploit, and many people have more than one account. A person is more likely to open an email if it comes from a trusted sender, and these malicious emails can arrive from an IP address and sending domain that our email security software already trusts. When attackers make mistakes or get greedy, however, that works in our favor.
We must realize that we cannot only look for known malicious actors. When "known malicious" is our standard for blocking an email or neutralizing the links in it, we leave ourselves vulnerable to attacks that target our trust.
No amount of antiphishing training or external-email banners will make someone recognize every malicious email they receive. Even experienced security professionals can miss a phishing mail. Instead of trusting any external email that arrives in the inbox, security professionals should restrict how employees interact with it. This could include blocking links to unknown domains or using browser isolation technology to open URLs in a virtual environment.
Organizations must also improve their security capabilities beyond traditional email security and antivirus technology, and they need to get rid of implicit trust. To quickly detect and stop the inevitable breach, security professionals must apply Zero Trust to email, so that we do not rely on any single isolated piece of the program: a security tool, a technology, or a person.
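The Zero Trust point above, as an added example that is not part of the original post or any vendor's product: a small gateway check that treats a sender passing SPF and DKIM as one signal only, unwraps links hidden behind an email-service click-tracking redirect, and judges each final destination against a domain allowlist. The sample message, the redirect format (destination carried in a `u` parameter) and all domains are constructed placeholders, not the real campaign's.

```python
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample message (not from the real campaign): authentication passes for a
# trusted sender, but links are wrapped in an assumed email-service click-tracking
# redirect that carries the real target in its "u" parameter. Domains are placeholders.
SAMPLE_EMAIL = """\
From: Notifications <alerts@trusted-agency.example>
To: staff@victim.example
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=esp-sender.example; dkim=pass
Subject: Important documents
Content-Type: text/plain

Please review: https://links.esp-sender.example/track?u=https%3A%2F%2Fdocs.attacker-infra.example%2Fdoc.iso
Also see https://links.esp-sender.example/track?u=https%3A%2F%2Fwww.trusted-agency.example%2Freport
"""

ALLOWED_LINK_DOMAINS = {"trusted-agency.example", "victim.example"}  # destinations we already know
REDIRECT_HOSTS = {"links.esp-sender.example": "u"}  # tracking host -> destination parameter (assumed)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap(url):
    """Resolve one level of a known tracking redirect to its real destination."""
    parsed = urlparse(url)
    param = REDIRECT_HOSTS.get(parsed.hostname)
    if param:
        target = parse_qs(parsed.query).get(param)  # parse_qs already percent-decodes
        if target:
            return target[0]
    return url

def host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_LINK_DOMAINS)

def evaluate(raw):
    """Return (sender_trusted, verdict, findings); sender trust never decides the verdict alone."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg["Authentication-Results"] or "")
    sender_trusted = "spf=pass" in auth and "dkim=pass" in auth
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    for url in URL_RE.findall(body):
        dest = unwrap(url)
        host = urlparse(dest).hostname or ""
        findings.append({"link": url, "destination": dest, "allowed": host_allowed(host)})
    verdict = "deliver" if all(f["allowed"] for f in findings) else "quarantine"
    return sender_trusted, verdict, findings
```

Run `evaluate(SAMPLE_EMAIL)`: the sender is trusted, yet the first link unwraps to an unknown host and the message is quarantined.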
Third Party Email Senders Need to Secure What They Sell
A brand's trustworthiness is a key factor in becoming a target for spearphishing campaigns. Stopping breaches is hard enough when an organization is merely a target of opportunity; being a priority target raises the stakes.
Companies looking to build a business case for product security efforts should look at the past six months of B2B incidents. Association with a breached brand can cause significant damage. Consider that in the SolarWinds attack two security vendors disclosed being compromised and nine federal agencies were also affected, yet the intrusion is still known as "SolarWinds" because that was the entry method.
Protecting your revenue-generating products or services is not only the right thing to do; it is also one of the best ways to avoid having search results for your company lead with details of a breach.
Constant Contact itself was not compromised; the intruders posed as legitimate users sending legitimate emails. However, those messages contained links to malicious material that could exploit the recipient. Email marketing vendors must understand that product security includes securing the messages they send and preventing malicious material from being distributed through their platforms. People will always blame the messenger.
Risk and Security Pros Need to Improve Their Assessment Of Third-Party Risk From Nontraditional Third Parties
Unbalanced third-party risk is a problem. Organizations have little or no control over the security of a third party's applications or data, yet they bear the fines, penalties, and bad press that result when that third party suffers a cyberattack.
Recent media attention on third-party cyberattacks highlights a poorly kept secret: many firms are bad at third-party risk management (TPRM), and their programs have failed to adapt to new risks. These efforts are failing because: 1) TPRM efforts struggle to keep pace with the growing third-party ecosystem; 2) spend acts as a proxy for criticality; 3) third-party risk assessment is treated as "one-and-done" rather than continuously reassessing risk.
Marketers and CISOs: Brand Stewardship is a Joint Responsibility
Security teams hate wading through vendor questionnaires, and marketers would rather pick the partner that best suits their needs and move on. However, brand resilience is a shared goal: both sides have a stake, and both are affected when there is a high-profile incident.
This is why chief information security officers (CISOs) and their teams must meet directly with marketers to learn about the data flows and workflows involved in creating, refining, and launching campaigns, including the expected interactions with customers and the ecosystem of third and fourth parties. Marketing uses customer data to personalize and contextualize its outreach, and that data, such as email accounts, should be protected.
Marketing and security should collaborate on a campaign data journey map and evaluate each of those flows carefully for security and privacy issues. The organization can then ask targeted questions and demand specific controls from third-party marketing providers, including email senders. Marketers and CISOs can use the same map to monitor third-party marketing resources at every stage of the lifecycle and to grant least-privilege access.