A Stolen Phone Led to Phishing Attempts, an Email Investigation, and Improved Cyber Hygiene

CASE STUDY

OVERVIEW

Industry: Manufacturing

Incident: Office 365 Phishing Attack

After an executive’s lost an Apple iPhone X was stolen during a trip, vendors began to report sophisticated phishing emails. Insider information indicated someone was impersonating the Managing Director. Pragma was brought in to investigate and cut off the unauthorised access.

THE INCIDENT

SUMMARY

The Managing Director’s phone was lost stolen during a business trip to China in 2019.
The client took great initial containment steps that are available to most consumers.
Attackers targeted the client first and may have gained footholds in vendor systems.
Each fraud attempt was made using an edited version of a PDF requesting payment of an invoice.

The client is a large automotive and consumer electronics manufacturer, whom we refer to as ACE. They contacted Pragma after the Managing Director’s phone was stolen. Since its conception in 1998, ACE has become one of the leading names in automotive electronics manufacturing. ACE has its main headquarters in Korea and additional offices in Australia, Japan, Hong Kong and New Zealand.

ACE has been able to partner with high-profile international entities and imports products to Asia as well as the EU and the Gulf. Email phishing and phoney payments are a serious threat to the company’s reputation and integrity.

The Managing Director visited China during a business trip in June 2019. His phone was lost stolen on June 6th. Afterwards, the first fraudulent email was sent to a vendor on June 7th. Three further fraudulent emails were sent during the following eleven months, with the final message delivered in May 2020.

Each message was a phishing attempt using an amended PDF. The threat actors edited a PDF invoice and sent a message to Vendor 1 asking for payment. Subsequent emails were sent to three other vendors. Every message used some form of payment request based on a fraudulent PDF.

Pragma was contacted following the fourth fraudulent email and engaged to perform the following:

1) Determine whether an attacker has ongoing access to company email systems.
2) Contain and eradicate unauthorised access.
3) Review the MD’s email box for Personal Identifiable Information and advise whether a breach notification may be required.
4) Recommend security improvements to halt the ongoing attack and prevent future attacks.

THE RESPONSE

SUMMARY

Pragma determined the stolen phone was probably not the vector of infiltration.
Containment measures were taken such as remote sign-out from Office 365 accounts, password changes,and remote data deletion.
Pragma analysed the fraudulent email messages to compare attack profiles.

Pragma investigated each email incident separately to determine the attacker’s course of action. The four email messages had some things in common but also had key differences. The common points and differences revealed the attacker’s progress as well as the client’s continued exposure to attack.

All messages had ACE in common as a contact or reference and used some form of phishing with a PDF invoice. The first attack was the only one that originated from the Managing Director’s compromised email account. Subsequent attacks were launched from other email addresses, indicating the attackers may have gained a foothold in the vendor’s systems.

The Managing Director took several successful containment steps. The CIRT helped ACE strengthen their security further by identifying high-risk O365 users. These users were signed out of their accounts and required to create new passwords. Multi-Factor Authentication (MFA) was implemented for all users.

After completing the analysis and finishing these steps,Pragma assured the client their email was secure. No ongoing unauthorised access could be detected.

Our Recommendations

Endpoint Security

Enabling advanced security features such as remote lock-out, data wipes, and device locator services improves security.

Passwords and Access

New unique passwords can be generated for every user and changed regularly to avoid account compromise.

Updated Firewall Rules

Firewall rules were reviewed with the client to ensure all rules are known.

Mailbox Rule Review

Reviewing mailbox rules, such as forward and transport rules, can reveal hijacked accounts.

Multi-Factor Authentication

MFA is one of the strongest tools for preventing unauthorised access to accounts and systems and could be implemented on all devices and endpoints.

Payment Protocols

Clear payment protocols can be implemented requiring users and vendors to receive a personal confirmation of payment detail changes.

Active Directory Lockout

Activation of Active Directory Smart Lockout for Office 365 protects against brute force attacks.

THE RESULT

The potential loss to ACE from this email compromise was $62,140. This is the amount paid to the attackers. Pragma’s investigation and actions were concluded within 1 day. Because our CIRT secured the accounts and eliminated further fraud, the client was able to contact their bank and have the transaction reversed.