(U) Overview
(U//FOUO) The Orange County Intelligence Assessment Center (OCIAC) has received reporting indicating cybercriminals are manipulating e-mail filters as a means to monitor and divert e-mail communications. Cybercriminals may use malicious e-mail filters to:
•(U//FOUO) Monitor victims’ e-mail after malware removal and password changes
•(U//FOUO) Monitor victims’ e-mail without continuously logging in to victim accounts
•(U) Divert e-mails that might alert the victim of a system compromise
(U) Application of E-mail Filters
(U//FOUO) Cybercriminals must first gain access to victims’ e-mail accounts in order to implement malicious e-mail filtering. Access might be gained by:
•(U) Password guessing
•(U) Password cracking/brute force attacks
•(U) Eliciting credentials through the use of fake websites and forms
•(U) Eliciting credentials via phone calls
•(U) Sending the victim credential-stealing malware
•(U) Exploiting documents where passwords are written down
(U//FOUO) Cybercriminals might employ this tactic in a variety of crimes and surveillance efforts, which might include:
•(U//FOUO) Stalking and cyberstalking
•(U//FOUO) Corporate, industrial, military, and economic espionage
•(U//FOUO) Tax fraud
•(U//FOUO) Mortgage fraud
•(U//FOUO) Wire transfer fraud
•(U//FOUO) Identity theft
(U) Incidents
(U//FOUO) Examples of incidents in which criminals used e-mail filters to facilitate crimes include:
(U//FOUO) Use of Really Simple Syndication (RSS): In late 2016, an Orange County-based critical infrastructure organization was targeted in a Business E-mail Compromise (BEC) scam in which a cybercriminal compromised a Chief Financial Officer’s e-mail account. While impersonating the CFO in e-mail correspondence, the cybercriminal requested wire transfers to unauthorized bank accounts. The cybercriminal created an e-mail filter that forwarded all of the CFO’s e-mails to a public RSS feed being monitored by the cybercriminal.
(U//FOUO) Use of “trash” mail folder: In October 2016, an Orange County-based medical practice fell victim to a wire transfer scam. A cybercriminal compromised an accountant’s e-mail account and created an e-mail filter so that all communications from other finance personnel were sent to the accountant’s “trash” mail folder. Masquerading as the accountant, the cybercriminal requested wire transfers from finance department personnel. All responses to the cybercriminal’s requests were filtered to the “trash” folder, out of sight of the accountant, where the cybercriminal would actively wait to respond to wire transfer correspondence.
(U) Use of filters to evade security alerting: According to a 2014 FireEye report, the hacking group FIN4 targeted publicly traded companies and advisory firms to gain insider knowledge for trading advantage. FIN4 sent phishing e-mails to various targeted individuals. The phishing e-mails contained either Visual Basic for Applications (VBA) macros or links to fake Microsoft Outlook Web Access (OWA) pages to steal usernames and passwords. Once FIN4 had access to the victims’ e-mail accounts, e-mail filters were set up to automatically send any e-mails referencing “virus”, “malware” or other terms that might alert the victim to a cyber intrusion directly to the victims’ “trash” mail folder.
(U) Mitigation
(U//FOUO) The Orange County Intelligence Assessment Center (OCIAC) recommends auditing e-mail filters as part of the cyber incident response process. E-mail filters that may have malicious intent include:
•(U) Sending security-related e-mails to the trash or other unattended folders
•(U) Sending e-mails to suspicious e-mail addresses
•(U//FOUO) Sending e-mails to RSS feeds
•(U//FOUO) Moving e-mail correspondence containing keywords relating to sensitive topics to suspicious folders, feeds, trash, etc. (e.g., sending e-mails with the keyword “SSN” or “social security” to a suspicious e-mail address)
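(U) The audit criteria above, turned into a rule-review script. This is an added illustration, not part of the OCIAC product or any vendor’s tooling; the rule fields (owner, keywords, from, forward_to, move_to, delete), the internal domain and the sample rules are constructed assumptions standing in for whatever a mail platform’s rule export actually provides.

```python
# Flag mailbox rules that match the suspicious-filter indicators:
# security-keyword mail hidden, sender mail hidden, external/RSS forwarding,
# and sensitive-keyword mail diverted. Field names and data are constructed.
SAMPLE_RULES = [
    {"owner": "cfo@example.org", "name": "Sync", "keywords": [], "from": [],
     "forward_to": ["cfo-feed@rss.example.net"], "move_to": None, "delete": False},
    {"owner": "accountant@example.org", "name": "Cleanup", "keywords": [],
     "from": ["finance@example.org"], "forward_to": [], "move_to": "Trash", "delete": False},
    {"owner": "analyst@example.org", "name": "Quiet", "keywords": ["virus", "malware"],
     "from": [], "forward_to": [], "move_to": "Trash", "delete": False},
    {"owner": "analyst@example.org", "name": "Newsletters", "keywords": ["newsletter"],
     "from": [], "forward_to": [], "move_to": "Reading", "delete": False},
]
INTERNAL_DOMAINS = {"example.org"}            # assumed: the organization's own domain
UNATTENDED = {"trash", "deleted items", "junk", "rss feeds"}
SECURITY_TERMS = ("virus", "malware", "phishing", "compromise", "security")
SENSITIVE_TERMS = ("ssn", "social security", "wire", "invoice", "password")


def audit_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the list of suspicious-filter indicators a single rule matches."""
    findings = []
    keywords = [k.lower() for k in rule.get("keywords", [])]
    # "Hidden" covers deletion and moves into folders nobody reads.
    hidden = bool(rule.get("delete")) or (rule.get("move_to") or "").lower() in UNATTENDED
    forwards = rule.get("forward_to", [])
    external = [a for a in forwards if a.split("@")[-1].lower() not in internal_domains]
    if hidden and any(t in k for k in keywords for t in SECURITY_TERMS):
        findings.append("security-related mail hidden in unattended folder")
    if hidden and rule.get("from"):
        findings.append("mail from specific senders hidden in unattended folder")
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if any("rss" in a.lower() for a in forwards):
        findings.append("forwards to an RSS feed address")
    if (hidden or external) and any(t in k for k in keywords for t in SENSITIVE_TERMS):
        findings.append("sensitive-keyword mail diverted")
    return findings


def audit_rules(rules):
    """Map 'owner:rule name' to findings, keeping only rules that trigger something."""
    return {f"{r['owner']}:{r['name']}": f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key, "->", "; ".join(findings))
```

(U) Running this over a real rule export also surfaces the rules’ owners, which is what the enterprise-wide filter-creation logging recommended below should be correlated against.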
(U//FOUO) At an organizational level, information security professionals may consider:
•(U//FOUO) Instituting a Data Loss Prevention (DLP) policy if one does not already exist
•(U//FOUO) Logging the creation of new e-mail filters across the enterprise
•(U//FOUO) Blocking the forwarding of e-mails to e-mail addresses outside the network, if in accordance with organizational policy
•(U//FOUO) Auditing e-mail rules on a regular basis to identify malicious e-mail filters and potential insider threats