Nonprofits are appealing targets for cyber criminals. The criminal world has zeroed in on us for four main reasons: 1) they don't believe we have the resources to hire security teams, 2) we are thought to run aging technology infrastructure that is easy to penetrate, 3) we are seen as more susceptible to phishing scams, and finally 4) the billing and medical data many of us hold sells well on the black market.
That's the bad news. The good news is that there are several straightforward and cost-effective measures nonprofits can take to strengthen their computing environments. The first of these is education. Many people aren't sure how digital attacks actually work and, because of that, don't know what to look for. Below, I've outlined two real-life attacks that Tech Impact's information security team has recently responded to. The attackers in the two scenarios had very different skill levels and motivations, yet the same five defenses would have blunted both.
Scenario 1: Low Skill, Low Motivation Attacker
In this scenario, a nonprofit client was hit by a well-resourced attacker running a rehearsed, formulaic campaign, but one that wasn't particularly skilled or creative. What made it dangerous was the level of access involved: the compromised account was a Global Admin, so the attackers could easily have done a considerable amount of damage that would have been very difficult to detect or reverse.
The attackers created two fake email accounts and used them to send out links to a PDF hosted in the nonprofit's own Office 365 tenant, so the first link recipients saw pointed at a legitimate, trusted domain. The PDF in turn linked to the real attack site, which hosted a fake Office 365 login portal. The phishing email went to roughly 10,000 addresses in batches of 298 recipients, just below the threshold that would have triggered Office 365's automatic outbound spam blocking. The hit list was an aggregation of several contact lists that had presumably been stolen from numerous sources.
This attack could have been much worse if the attackers had had a better plan. Our team was able to stop it quickly by disabling the fake accounts, resetting the compromised passwords, and reporting the attack site so that its host took it down. If the attackers had been craftier, or we had been slower to respond, the damage could have been far more significant and long-lasting.
Scenario 2: A Highly Skilled Attacker with a Specific Plan and Background Information
A nonprofit's Office 365 tenant was breached by attackers who obtained Global Admin credentials. They knew exactly what they were doing, and they were creative. Their initial point of entry was the account of the organization's controller, an everyday account that also carried Global Admin rights. Once inside, the attackers used that account to grant itself full access to the mailboxes of several other organizational leaders, indicating that they already knew the structure of the organization and had a very clear plan in mind.
Next, the attackers sent a request to initiate a wire transfer to both the finance director and the controller. They then used their access to the finance director's mailbox to reply immediately as the finance director, authorizing the transaction and asking the controller to make it happen. To cover their tracks, they created an inbox rule in the finance director's mailbox that deleted the original message as soon as it arrived, so the finance director would see no evidence of the request. Luckily, the finance director was working in Outlook at the time and watched these messages disappear in real time, which is what prompted the call to Tech Impact.
The attackers then granted the compromised account full access to two more mailboxes, both belonging to the executive director. To defend their foothold against a simple password reset, they promoted two unused accounts to Global Admin and reset both accounts' passwords, giving themselves multiple backups if they were ever locked out of their initial point of entry. They also changed the password on the controller's account, so the controller could no longer log in.
On top of everything else, the attackers hid their location behind Tor (or a similar anonymizing service), so their connections to the client's tenant appeared to come from all around the world.
The good news is that the nonprofit's staff handled the attack very well: they didn't fall for any of the attackers' tricks and called Tech Impact as soon as they realized they were under attack. Our team was able to shut the attackers out within a few hours of the time they started their activity.
Safeguarding Against Attacks
The two attacks are very different, but the core defenses that would have prevented them are the same. You may be surprised to learn that most of these measures aren't costly or cumbersome to implement. This is low-hanging fruit that most organizations have the resources to pick, and it will greatly improve your overall security.
- Alerting and Reporting – Confirm that audit logging is enabled in Office 365 and set up alerts for the actions the attackers above relied on: new mailbox permissions, new or changed inbox rules, changes to admin role membership, and password resets performed by one account on another. Review incoming alerts as they arrive and read through the activity logs weekly to spot anything unusual. If an attack does happen, the audit trail gives you a clear picture of exactly what the attackers did, so you know exactly what needs to be cleaned up.
- Multi-Factor Authentication (MFA) – I can't stress enough how important MFA is for nonprofits. It is the single most important thing you can do to protect your organization from phishing and other identity-based attacks. In both scenarios the attackers got in with a stolen password alone; with MFA enforced on those accounts, that password would not have been enough to reach the mailbox. If you have not implemented MFA, note that Microsoft is now donating 50 free Enterprise Mobility + Security E3 licenses to nonprofits, and Okta is donating 25 licenses to nonprofits. For smaller organizations, this means implementing MFA doesn't require ongoing costs.
- Global Admin – Revoke Global Admin rights from everyday email accounts. The people who need admin rights should have a separate, dedicated admin account, protected with MFA and used only for administrative tasks, never for day-to-day email. In Scenario 2, a Global Admin who only read email from a plain user account would have handed the attackers a mailbox, not the whole tenant.
- Be Discreet – Limit public access to the names, titles and email addresses of your team members. It is common to post this information on websites, but doing so lets attackers quickly identify the main targets at an organization and collect their addresses. Publish names, titles and emails only when it is truly necessary, and use alias addresses that differ from the account's sign-in name (e.g. firstname.lastname@example.org) rather than the address people actually log in with.
- Verbal Confirmation – Create a formal policy that requires verbal confirmation, by phone or in person, before any password is shared or any payment or wire transfer is made. Call back on a number you already have on file, not one supplied in the email: in Scenario 2 the attackers controlled the finance director's mailbox and could have answered any emailed follow-up themselves. With such a policy, every employee has to interact directly with the requester, which ensures that a request is coming from the actual person and not from an attacker.
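The following is an added example, not code from the original post or from Tech Impact. It turns the Scenario 2 attack chain (mailbox delegation, a mail-deleting inbox rule, promotion of spare accounts to Global Admin, password resets, and sign-ins from all over the world) and the Alerting and Reporting item above into detection logic that runs over audit records and lists the accounts that need to be locked down. The records and their flattened shape are constructed for the example; a real export from the Search-UnifiedAuditLog cmdlet carries the same facts inside each record's AuditData JSON, so an adapter to this shape is assumed. The thresholds (three countries within an hour) and the list of "hiding" folders are assumptions as well.

```python
"""Added example: flag Scenario 2 style attacker behaviour in Office 365
unified-audit-log style records and list the accounts to lock down.

The records and their flat shape are constructed for this example (assumption);
a real Search-UnifiedAuditLog export keeps the same facts inside each record's
AuditData JSON and would need a small adapter before this runs on it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Folders attackers use to hide mail without outright deleting it (assumed list).
HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "RSS Subscriptions", "Junk Email", "Archive"}
# Azure AD logs show Global Administrator under either display name.
PRIVILEGED_ROLES = {"Global Administrator", "Company Administrator"}
TRAVEL_WINDOW = timedelta(hours=1)   # assumed threshold
TRAVEL_COUNTRIES = 3                 # distinct countries inside the window before alerting

# Constructed sample records: the controller's account is the attacker's entry point,
# old.intern is the spare account they promote as a backup. Not a real tenant's log.
SAMPLE_LOG = [
    {"time": "2019-03-04T09:02:11", "op": "UserLoggedIn", "user": "controller@example.org", "country": "DE"},
    {"time": "2019-03-04T09:05:40", "op": "Add-MailboxPermission", "user": "controller@example.org",
     "target": "finance.director@example.org", "params": {"AccessRights": "FullAccess", "User": "controller@example.org"}},
    {"time": "2019-03-04T09:07:02", "op": "New-InboxRule", "user": "controller@example.org",
     "target": "finance.director@example.org",
     "params": {"Name": "cleanup", "DeleteMessage": "True", "SubjectContainsWords": "wire transfer"}},
    {"time": "2019-03-04T09:12:19", "op": "UserLoggedIn", "user": "controller@example.org", "country": "BR"},
    {"time": "2019-03-04T09:15:55", "op": "Add member to role.", "user": "controller@example.org",
     "target": "old.intern@example.org", "params": {"Role": "Global Administrator"}},
    {"time": "2019-03-04T09:16:30", "op": "Reset user password.", "user": "controller@example.org",
     "target": "old.intern@example.org", "params": {}},
    {"time": "2019-03-04T09:20:05", "op": "UserLoggedIn", "user": "controller@example.org", "country": "RU"},
    # Benign activity that must not fire: the finance director files newsletters in a folder.
    {"time": "2019-03-04T10:00:00", "op": "UserLoggedIn", "user": "finance.director@example.org", "country": "US"},
    {"time": "2019-03-04T10:01:00", "op": "New-InboxRule", "user": "finance.director@example.org",
     "target": "finance.director@example.org", "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters"}},
]


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def _alert(severity, rec, rule, detail):
    return {"severity": severity, "time": rec["time"], "actor": rec["user"],
            "target": rec.get("target"), "rule": rule, "detail": detail}


def _spread_sign_ins(user, events):
    """One alert if a user signs in from TRAVEL_COUNTRIES distinct countries within TRAVEL_WINDOW."""
    events.sort()
    for i, (start, _) in enumerate(events):
        seen = {country for t, country in events[i:] if t - start <= TRAVEL_WINDOW}
        if len(seen) >= TRAVEL_COUNTRIES:
            return {"severity": "HIGH", "time": start.isoformat(), "actor": user, "target": None,
                    "rule": "sign-ins from many countries",
                    "detail": f"{user} signed in from {', '.join(sorted(seen))} within {TRAVEL_WINDOW}"}
    return None


def detect(records):
    """Return one alert dict per suspicious record, plus one per user with spread-out sign-ins."""
    alerts, logins = [], defaultdict(list)
    for rec in sorted(records, key=_ts):
        op, actor, target, p = rec["op"], rec["user"], rec.get("target"), rec.get("params", {})
        if op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", "") and target != actor:
            alerts.append(_alert("HIGH", rec, "full-access delegation",
                                 f"{actor} granted {p.get('User', '?')} FullAccess on {target}"))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            hides = p.get("DeleteMessage") == "True" or p.get("MoveToFolder") in HIDING_FOLDERS
            if hides:  # a rule on someone else's mailbox is worse than one on your own
                sev, where = ("HIGH", "another user's mailbox") if target != actor else ("MEDIUM", "own mailbox")
                alerts.append(_alert(sev, rec, "mail-hiding inbox rule",
                                     f"rule '{p.get('Name')}' on {target} ({where}) deletes or hides matching mail"))
        elif op == "Add member to role." and p.get("Role") in PRIVILEGED_ROLES:
            alerts.append(_alert("HIGH", rec, "privileged role grant", f"{actor} made {target} {p['Role']}"))
        elif op == "Reset user password." and target != actor:
            alerts.append(_alert("MEDIUM", rec, "admin password reset", f"{actor} reset the password of {target}"))
        elif op == "UserLoggedIn":
            logins[actor].append((_ts(rec), rec.get("country", "??")))
    for user, events in logins.items():
        hit = _spread_sign_ins(user, events)
        if hit:
            alerts.append(hit)
    return alerts


def accounts_to_lock(alerts):
    """Accounts whose passwords and sessions must be reset: every HIGH-severity actor, plus any
    account that was promoted or had its password reset by someone else (the attacker's backups)."""
    out = set()
    for a in alerts:
        if a["severity"] == "HIGH":
            out.add(a["actor"])
        if a["rule"] in ("privileged role grant", "admin password reset"):
            out.add(a["target"])
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['rule']}: {a['detail']}")
    print("lock down:", ", ".join(sorted(accounts_to_lock(found))))
```

Run against the constructed log, the script raises five alerts, all attributed to the controller's account, and lists both the controller and the promoted spare account for lockdown; the finance director's own newsletter rule does not fire. Resetting only the entry account, as the text notes, would have left the attackers their backup Global Admins.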
Visit our IT Security page for more information on how Tech Impact can help your organization create and implement a customized security solution for your nonprofit.