While becoming more and more of a commodity, email scams are simultaneously getting more advanced. And if you thought cybercriminals were only after the big and influential Sonys of this world, you are way off. Yes, there are groups like the Dukes, who have really carefully picked their targets. However, anyone can be a target, and here we share a case of how a startup in Finland was attacked.
The company in question is a Finland-based financial technology startup that operates across the EU. While not an especially big player, it operates in an industry, banking and finance, that is highly interesting to cybercriminals, and it has an established clientele of other businesses. Recently, its CEO received a phishing email. The email looked legitimate enough, with a Google logo and a linked item about investment/payment documents, but its links led to a non-Google login page.
Luckily, the attack was discovered before anyone fell victim to it. As a security-conscious organization, they knew to be on the alert: this was the second similar attack targeting them. The first time, they were targeted through a partner organization, which is a very common way to try to get into a company’s network. That attack, too, was noticed before anyone fell victim to it.
Henri Lindberg, Director at F-Secure’s Cyber Security Business Line, explains:
This is how startups are targeted in Finland (and most likely elsewhere) – it is an ongoing phenomenon with several known cases. The last time the attacker was using the identity of a smaller venture capital investor, which actually had been in discussions with the company in question, making the phishing attack look quite legitimate. We’ve seen this before, but nevertheless, it is quite a good trick.
According to Henri, the attackers are after Google credentials: Google does not enforce two-factor authentication, so its adoption is not universal. Once the attacker gets hold of Google credentials, and if two-factor authentication is not enabled, they might set up mail forwarding while going through the inbox, targeting other users and requesting access to other systems. Our consultants have seen plenty of attacks of this type in the wild.
Other ways to create a backdoor would be to add application credentials, activate IMAP/POP, share files from Drive, etc. It’s surprisingly difficult to review dozens or even hundreds of Google accounts in a centralized fashion, at least without third-party tools or custom scripts, which is what makes account backdooring so effective.
The beauty of this attack is that once you hit a user with a “default” password (typical organization password), or someone who shares their credentials between exposed services, the sky is the limit.
In our experience, early employees in startups are especially devastating targets, as they usually have access everywhere.
How to protect yourself
- Be vigilant when entering your password anywhere
- Enable two-factor authentication
- Use Google’s built-in Security Checkup and Privacy Checkup tools
- Periodically review forwarding and mail filter settings, Connected apps & sites, Devices and Activities, shared files
- Disable POP and IMAP access if you don’t need them for a desktop or mobile client
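The backdoor settings described above (auto-forwarding, filters that forward or hide mail, IMAP/POP left enabled) are exactly what the periodic review in this list is meant to catch, and the post notes that doing it across many accounts needs a custom script. The following is an added example of such an audit, not code from F-Secure or from the post. It works on per-user dictionaries shaped like the Gmail API settings resources (autoForwarding, filters, imap, pop); the two accounts embedded below are constructed sample data, and the trusted-domain list is an assumption. In a real deployment you would fill the dictionary from the API for every user in the directory and run the same checks.

```python
"""Flag Google mailbox settings commonly abused to backdoor an account.

Added example, not F-Secure's code. The per-user dicts mirror the shape of
the Gmail API settings resources (users.settings.getAutoForwarding,
users.settings.filters.list, users.settings.getImap, users.settings.getPop),
but the data here is constructed sample input, not live API output.
"""
from typing import Dict, List

# Assumption: mail forwarded to these domains stays inside the organization.
TRUSTED_DOMAINS = ("example.com",)

# Constructed sample: one clean mailbox and one showing the classic tricks.
SAMPLE_ACCOUNTS: Dict[str, dict] = {
    "alice@example.com": {
        "autoForwarding": {"enabled": False},
        "filters": [],
        "imap": {"enabled": False},
        "pop": {"accessWindow": "disabled", "disposition": "leaveInInbox"},
    },
    "ceo@example.com": {
        "autoForwarding": {
            "enabled": True,
            "emailAddress": "backup.mail@attacker-example.net",  # constructed
            "disposition": "archive",
        },
        "filters": [
            {
                "id": "f1",
                "criteria": {"from": "bank.example"},
                "action": {
                    "forward": "backup.mail@attacker-example.net",  # constructed
                    "removeLabelIds": ["INBOX"],  # hides the forwarded mail
                    "addLabelIds": ["TRASH"],
                },
            }
        ],
        "imap": {"enabled": True},
        "pop": {"accessWindow": "allMail", "disposition": "leaveInInbox"},
    },
}


def _external(address: str) -> bool:
    """True if the address is outside the trusted domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in TRUSTED_DOMAINS


def audit_account(email: str, settings: dict) -> List[str]:
    """Return human-readable findings for one mailbox (empty list = clean)."""
    findings: List[str] = []

    # 1. Account-wide auto-forwarding, especially to an outside address.
    af = settings.get("autoForwarding", {})
    if af.get("enabled"):
        dest = af.get("emailAddress", "?")
        tag = "external" if _external(dest) else "internal"
        findings.append(
            f"auto-forwarding enabled to {dest} ({tag}), disposition {af.get('disposition')}"
        )

    # 2. Filters that forward mail or make matching messages disappear.
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        fid = flt.get("id", "?")
        if action.get("forward"):
            tag = "external" if _external(action["forward"]) else "internal"
            findings.append(f"filter {fid} forwards to {action['forward']} ({tag})")
        hides = "INBOX" in action.get("removeLabelIds", []) or "TRASH" in action.get("addLabelIds", [])
        if hides:
            findings.append(f"filter {fid} hides matching mail (removes INBOX / adds TRASH)")

    # 3. Legacy protocol access that bypasses the web login and its checks.
    if settings.get("imap", {}).get("enabled"):
        findings.append("IMAP enabled")
    pop_window = settings.get("pop", {}).get("accessWindow", "disabled")
    if pop_window not in ("disabled", "accessWindowUnspecified"):
        findings.append(f"POP enabled (accessWindow={pop_window})")

    return findings


def audit_all(accounts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every mailbox; only accounts with findings appear in the result."""
    report = {}
    for email, settings in accounts.items():
        findings = audit_account(email, settings)
        if findings:
            report[email] = findings
    return report


if __name__ == "__main__":
    for user, issues in audit_all(SAMPLE_ACCOUNTS).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run it on a schedule and diff the report against the previous run: a new forwarding address or a new filter with a forward action on a long-standing account is the kind of change that deserves a phone call to the user, not just a ticket.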