
Account Takeover Attack on Philabundance



by Ryan Miller


Summary

According to the 2023 UK Cyber Security Breaches Survey, 24% of charities experienced a breach or attack in 2022. One notable instance is the account take-over (ATO) attack on Philabundance, which falls under [7.2.3 Account take-over (ATO)] and [7.4.2 Unauthorized email server access] as defined in ITU-T X.1236. To counter the cyber attacks aimed at non-profit organizations effectively, organizations need a clear understanding of the attack types and must follow proactive security measures derived from defined security requirements. These measures are set out in the International Telecommunication Union (ITU)'s international email security standard. This piece dissects a real-world hacking incident involving a non-profit, explains the attack vectors employed, and offers practical response strategies grounded in the international standard so that non-profits can strengthen their cybersecurity posture.


1. Overview



Cyber attacks on non-profit organizations are on the rise and carry substantial consequences. Non-profits are prime targets for cybercriminals because of limited security budgets, outdated technical infrastructure, ideological opposition, and the valuable sensitive data they hold. The 2023 UK government cyber breach survey reports that 24% of charities experienced breaches or attacks in 2022. These attacks pose not only financial threats but also severely impair operational capability: for example, in 2021 a UK non-profit was shut down for 21 days following a ransomware attack. The spectrum of threats is broad, encompassing identity theft leading to reputational damage, leaks of sensitive donor information, dissemination of politically motivated messages, and even website hijacking.

Cyber attackers often employ sophisticated tactics, crafting emails that appear legitimate or using spoofing techniques to deceive recipients into revealing personal information or clicking on harmful links. Attachments disguised as innocuous bank transactions or contracts can bypass security controls and plant malicious content on computers or mobile devices. Prevention is crucial, but these attacks are generally hard to identify, which makes them easy to fall victim to.


2. Attack Case Analysis - Attack Type


To identify fraudulent emails, it is important to understand the attacker's attack type and intent, along with the corresponding proactive security requirements. These are set out in the ITU's international email security standard, which is recognized globally because the ITU is a UN specialized agency. Grounded in that standard, this article analyzes an actual cyber attack on a non-profit, identifies the attack type, and shares proactive response solutions.

Case: 2020 Account Takeover Attack on Philabundance - Social Engineering Email Attacks (Account Take-Over (ATO))

In 2020, Philabundance, a hunger relief organization in Philadelphia, Pennsylvania, was defrauded of over $923,000 by cyber attackers. The incident involved the attackers infiltrating the organization's email server and impersonating a construction company working with Philadelphia. They sent fraudulent invoices via email, prompting the organization to transfer funds amounting to approximately $923,000 to a bank account controlled by the criminals. The attackers hacked the organization's computer system, intercepted legitimate emails from the construction company, and replaced them with their deceitful emails.

The email security standard classifies this type of hacking under [7.2 Social engineering email attacks]. 'Social engineering attacks' are psychological tactics aimed at deceiving users into transferring money or disclosing confidential information, rather than exploiting system vulnerabilities. From Philabundance's viewpoint, this case is an account take-over (ATO): unauthorized access to and manipulation of the organization's email system in order to redirect legitimate transactions to fraudulent accounts. From the sender's standpoint, it falls under [7.4 Outbound email threats by attackers], specifically [7.4.2 Unauthorized email server access]. (Further details will be discussed in a subsequent article.)


According to the standard, [7.2.3 ATO (Account Take-Over)] is defined as follows:

ATO is a social engineering attack using actual user accounts. After logging into a stolen email account to view the user's email history, the attacker looks for confidential information and potential secondary victims. For example, the attacker might send an email requesting a change in the transfer account using account information stolen from a phishing site or disclose stored confidential information to external parties.


3. Attack Case Analysis - Solution


In a busy environment where nothing looks wrong at first glance, people tend not to examine details. Asking busy employees to perform a thorough forensic analysis of every email to verify its legitimacy is overly cumbersome. So how can organizations shield themselves from such fraud? Responding effectively to phishing emails requires prior analysis of sender information, warnings to users, and proactive attack responses. Compliance with clauses 8 and 9 of the international standard, [Security requirements for countering targeted email attacks] and [Countermeasures for targeted email attacks], enables effective solutions and proactive responses.

To counter account take-over (ATO) attacks, it's imperative to adhere to the security requirements outlined in [8.2.3 Security requirements for countering account take-over (ATO) attacks] in the ITU-T X.1236 standards.

Step 1: Warn or block emails if the sender's location differs from that of previous emails received from the same sender.

Step 2: Warn or block emails if the email server's IP address differs from that of previous emails received from the same sender.

Step 3: Warn or block emails if the email's sending route differs from that of previous emails received from the same sender.


Reflecting these security requirements, the introduction of solutions under [9.2.3 Countermeasures for account take-over (ATO) attacks] enables a proactive response to ATO attacks.

Emails from the same sender should undergo real-time analysis against previously learned email data, followed by validation.

● Validating the learning data involves understanding the configured header structure and social graph, and comparing past learning records with the current data each time an email is sent.

● Detecting a change in sender location involves analyzing inbound email header information to accumulate a history of sender location IPs, and comparing the sender location IP country of each newly received email against that accumulated history. The email header includes the IP address where the email originated, the IP addresses of the servers along the transmission path, and the IP address of the server from which the email was ultimately sent.
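The three checks above (sender location, email server IP, and sending route) can all be driven from the Received headers of past mail from the same sender. The following Python script is an added example written for this article; it is not code from the article, from Philabundance, or from the ITU standard. It learns the relay route of earlier legitimate messages per sender address, then reports which of the three checks a new message fails. All messages, host names (`.test` domains) and IP addresses are constructed, and the small `GEO` table stands in for a real GeoIP lookup, which is an assumption of the example.

```python
"""Sender-history checks for account take-over (ATO) detection.

Added example (not from the article or the ITU standard): for each sender,
learn the relay route recorded in the Received headers of past legitimate
mail, then flag a new message whose originating country, sending-server IP
or relay route differs from that history (the three checks in X.1236 8.2.3).
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# First bracketed IPv4 literal in a Received header: the address the receiving
# MTA recorded for the host that connected to it.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed IP-to-country table standing in for a GeoIP lookup (assumption;
# all addresses are RFC 5737 documentation ranges, not real hosts).
GEO = {
    "203.0.113.10": "US",   # constructed: the sender organisation's mail server
    "203.0.113.11": "US",   # constructed: the sender's office workstation
    "192.0.2.44": "NG",     # constructed: unfamiliar client using the stolen account
    "192.0.2.45": "NG",     # constructed: unrelated relay spoofing the From address
}


def parse_route(raw_message):
    """Return (sender address, relay route origin-first).

    Each hop prepends its own Received header, so the header list is
    newest-first; reversing it gives the path from the origin to our MX.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    route = []
    for header in reversed(msg.get_all("Received", [])):
        match = IP_IN_BRACKETS.search(header)
        if match:
            route.append(match.group(1))
    return sender, route


class SenderHistory:
    """Per-sender memory of observed routes (the 'learning data')."""

    def __init__(self):
        self.routes = defaultdict(list)

    def learn(self, raw_message):
        sender, route = parse_route(raw_message)
        if route:
            self.routes[sender].append(tuple(route))

    def check(self, raw_message):
        """Return a list of findings; an empty list means consistent with history."""
        sender, route = parse_route(raw_message)
        history = self.routes.get(sender)
        if not history or not route:
            return ["no-history"]
        origin, server = route[0], route[-1]          # first hop, last hop before our MX
        known_origins = {r[0] for r in history}
        known_servers = {r[-1] for r in history}
        known_countries = {GEO.get(ip, "unknown") for ip in known_origins}
        findings = []
        country = GEO.get(origin, "unknown")
        if country not in known_countries:            # step 1: sender location
            findings.append(f"location-changed:{country}")
        if server not in known_servers:                # step 2: email server IP
            findings.append(f"server-ip-changed:{server}")
        if tuple(route) not in history:                # step 3: sending route
            findings.append("route-changed:" + ">".join(route))
        return findings


# Constructed sample messages (headers only matter for the checks).
LEGIT = """\
Received: from mail.example-construction.test (mail.example-construction.test [203.0.113.10])
 by mx.ourorg.test with ESMTPS; Mon, 2 Mar 2020 09:00:00 +0000
Received: from office-pc.example-construction.test ([203.0.113.11])
 by mail.example-construction.test with ESMTPA; Mon, 2 Mar 2020 08:59:50 +0000
From: Site Manager <manager@example-construction.test>
Subject: Invoice 1042

Please find the invoice attached.
"""

# Same legitimate server, but the account was used from an unfamiliar client.
ATO_SAME_SERVER = """\
Received: from mail.example-construction.test (mail.example-construction.test [203.0.113.10])
 by mx.ourorg.test with ESMTPS; Fri, 3 Jul 2020 02:10:00 +0000
Received: from [192.0.2.44]
 by mail.example-construction.test with ESMTPA; Fri, 3 Jul 2020 02:09:40 +0000
From: Site Manager <manager@example-construction.test>
Subject: Updated bank details for invoice 1042

Please use the new account on the attached invoice.
"""

# From address copied, but delivered by an unrelated relay.
SPOOFED = """\
Received: from smtp.example-relay.test (smtp.example-relay.test [192.0.2.45])
 by mx.ourorg.test with ESMTP; Fri, 3 Jul 2020 02:30:00 +0000
From: Site Manager <manager@example-construction.test>
Subject: Invoice 1042 - payment reminder

"""


def run_demo():
    """Learn from the legitimate message, then check the three samples."""
    history = SenderHistory()
    history.learn(LEGIT)
    return {
        "legit_again": history.check(LEGIT),
        "ato_same_server": history.check(ATO_SAME_SERVER),
        "spoofed_relay": history.check(SPOOFED),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'consistent with history'}")
```

The second sample is the instructive one: because the stolen account is used through its own legitimate mail server, the server IP check (Step 2) passes, and only the location and route checks (Steps 1 and 3) catch it. That is why the standard asks for all three comparisons rather than a server allow-list alone.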


4. Conclusion



In the digital age, your data is as valuable as physical assets. As hacking techniques grow more sophisticated, awareness and vigilance are key to preventing damage. Non-profit organizations, attractive targets for cybercriminals, must guard themselves by adopting effective security policies and promoting education on international email security standards. This proactive approach prevents financial losses and protects sensitive data. Email security standards play a pivotal role, offering comprehensive security requirements and solutions designed to combat a range of email attacks. Knowing the standards and continuously assessing email security against them is a proactive defense against advanced hacking techniques. Compliance with international email security standards can begin with a thorough assessment of adherence to the email security standard through Mail Inspector.


References

<Security requirements and countermeasures for targeted email attacks>

https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15710&lang=en

<Email-based Attacks Against Nonprofits Are On The Rise. Is Your Organization Vulnerable?>

https://blog.techimpact.org/email-based-attacks-against-nonprofits-are-on-the-rise.-is-your-organization-vulnerable

<Ransomware Attacks on Nonprofits: Rarity or Regularly Hidden?>

https://www.asisonline.org/security-management-magazine/articles/2023/07/nonprofit-security/ransomware-attacks-on-nonprofits

<Nonprofit Cyber Attack Case Studies and Solutions>

https://blog.techimpact.org/nonprofit-cyber-attack-case-studies-and-solutions

<How Nonprofit Cyber Attacks Really Happen>

https://blog.techimpact.org/how-nonprofit-cyber-attacks-really-happen

<Nonprofits and Cyberattacks: Key Stats That Boards Need to Know>

https://www.boardeffect.com/en-gb/blog/nonprofits-cyberattacks-key-stats/

<BASIC CYBERSECURITY HYGIENE MEASURES COULD HAVE PREVENTED RANSOMWARE ATTACK, SAYS EDINBURGH FRINGE FESTIVAL BOSS>

https://eventsbase.co.uk/basic-cybersecurity-hygiene-measures-could-have-prevented-ransomware-attack-says-edinburgh-fringe-festival-boss/

<Philabundance falls victim to cyberattack, loses almost $1 million>

https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/

<Non-Profit Out $923,000 After Business Email Compromise Scam>

https://www.happierit.com/knowledge-center/breaches/philabundance-bec-scam

