The recent string of high-profile cyberattacks shows that even organizations with the toughest cybersecurity policies often leave gaps. After an organization suffers a cyberattack, it typically responds by warning its constituents to change their passwords. But the organization remains vulnerable through the very channel it uses to alert those constituents: email. Attackers can exploit that channel by sending email that pretends to be a security warning from the organization, targeting its users and doing even more damage.
For example, on May 31, popular cloud-based password manager OneLogin announced that it had suffered a serious security breach, and it updated its report the next day with a few more details.
The company communicated with its customers and the public promptly. OneLogin said the breach involved a hacker obtaining a set of Amazon Web Services (AWS) keys and using them to gain access to OneLogin's servers on AWS and create several new instances, which the attacker then used for reconnaissance. According to a customer email reported by TechCrunch, “All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.” To its credit, OneLogin shut down the hackers' access within hours and alerted its community the same day.
What is Phishing?
Criminals send out a wave of spam email. Each message appears to come from a well-known and trusted company. Usually it carries the company's logo and name, and it often tries to provoke an emotional response to a fabricated crisis. Couched in urgent, business-like language, the email then asks the user for personal information or credentials.
For instance, an attacker could pose as a member of the OneLogin security team and send another team member an email that looked, for all intents and purposes, like a legitimate OneLogin message, either to extract information useful for extending the breach or to get the employee to open a malicious link or attachment.
It's a time-tested strategy for malicious actors: strike with phishing attacks while an organization is dealing with the aftermath of a hack. A classic tactic is to send constituents an email that appears to come from the CEO, warning everyone to change their passwords because of the recent attack, but whose password-reset link leads to a website the attacker controls.
Properly configured email authentication is crucial for all companies to protect against current and future phishing attacks. In practice that means publishing SPF and DKIM for every legitimate sending source and a DMARC record with an enforcing policy (p=quarantine or p=reject). A DMARC record set to p=none only produces reports; it does nothing to stop a message that puts the organization's own domain in the From: header, which is exactly what the post-breach "reset your password" phish does.
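The following is an added example, not code from the original article or from OneLogin: a small audit that reads a domain's SPF and DMARC records, flags the weak settings described above, and states what a receiver would do with a message forged as "From: security@<domain>". The DNS records and domain names in the block are constructed for illustration; `lookup_txt` is a stand-in for a real DNS TXT query.

```python
import re

# Constructed DNS TXT records for hypothetical domains (example data, not real lookups).
DNS_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example"
    ],
    "partial.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=20"],
    "nodmarc.example": ["v=spf1 +all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; replace with a resolver call for live checks."""
    return DNS_TXT.get(name.lower(), [])


def parse_spf(domain):
    """Return {'present': bool, 'all': qualifier} where qualifier is the
    '+', '-', '~' or '?' in front of the SPF 'all' mechanism."""
    for rec in lookup_txt(domain):
        if rec.lower().startswith("v=spf1"):
            qualifier = "?"  # RFC 7208: no 'all' term means unmatched senders are Neutral
            for term in rec.split()[1:]:
                m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
                if m:
                    qualifier = m.group(1) or "+"  # a bare 'all' is '+all'
            return {"present": True, "all": qualifier}
    return {"present": False, "all": None}


def parse_dmarc(domain):
    """Return the DMARC tags of _dmarc.<domain> with RFC 7489 defaults filled in,
    or None when no DMARC1 record is published."""
    for rec in lookup_txt("_dmarc." + domain):
        if rec.upper().replace(" ", "").startswith("V=DMARC1"):
            tags = {"p": "none", "sp": None, "adkim": "r", "aspf": "r", "pct": "100"}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            if tags["sp"] is None:  # subdomain policy inherits p when absent
                tags["sp"] = tags["p"]
            return tags
    return None


def spoof_outcome(domain):
    """What a DMARC-aware receiver does with a message whose From: header
    carries <domain> but which fails both SPF and DKIM alignment."""
    dmarc = parse_dmarc(domain)
    if dmarc is None:
        # SPF alone checks the envelope sender, not the visible From: header,
        # so without DMARC nothing binds the From: domain to authentication.
        return "delivered"
    policy = dmarc["p"].lower()
    pct = int(dmarc["pct"])
    if policy == "reject" and pct == 100:
        return "rejected"
    if policy == "quarantine" and pct == 100:
        return "quarantined"
    if policy in ("reject", "quarantine"):
        return "partially enforced"
    return "delivered"


def audit(domain):
    """List the weak settings in a domain's SPF/DMARC configuration."""
    findings = []
    spf = parse_spf(domain)
    if not spf["present"]:
        findings.append("no SPF record published")
    elif spf["all"] == "+":
        findings.append("SPF '+all' authorizes every host on the internet")
    elif spf["all"] in ("~", "?"):
        findings.append(f"SPF ends in '{spf['all']}all': unauthorized senders only soft-fail")
    dmarc = parse_dmarc(domain)
    if dmarc is None:
        findings.append("no DMARC record: From: header spoofing is not policed")
    else:
        if dmarc["p"].lower() == "none":
            findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
        if int(dmarc["pct"]) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: policy applied to only part of the traffic")
        if dmarc["aspf"] != "s" or dmarc["adkim"] != "s":
            findings.append("relaxed alignment: any subdomain can satisfy DMARC")
        if "rua" not in dmarc:
            findings.append("no rua= address: no aggregate reports showing who spoofs you")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "partial.example", "nodmarc.example"):
        print(f"{d}: spoofed mail {spoof_outcome(d)}; findings: {audit(d)}")
```

Run against the constructed records, only `strong.example` comes back clean; `weak.example` is the common real-world state (SPF with `~all`, DMARC at `p=none`), which reports on spoofing but lets the forged password-reset email through.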