
FBI Issues Cybersecurity Warnings About Email, Domain Spoofing


On Nov. 23, the Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS-CISA) issued a series of warnings regarding email spoofing, ransomware, and unpatched vulnerabilities.

Take these warnings seriously and act. Why?

Take, for example, Baltimore County Public School system. Following a general audit in November showing that the district ignored security warnings issued in 2015, it was struck by a ransomware attack on Nov. 24.

The audit showcased a “lack of security for [the system’s] IT infrastructure [that] made personally identifiable information and critical databases vulnerable to attack.” By the time state auditors revealed the risks, it was too late: the ransomware attack occurred the very next day.

So, now that you know the importance of warnings, let’s break down the most recent ones issued by the FBI.

Spoofing Attacks from FBI Domains

The FBI released an alert warning of spoofing attacks following the discovery that cybercriminals were using spoofed FBI internet domains and email addresses.

These attacks follow similar campaigns that appear to originate from Google services, Microsoft Teams, and quasi-official COVID-19 related topics, such as loan relief (Small Business Administration spoof) and contact tracing (Department of Health and Human Services spoof).

Spoofing attacks use phishing techniques in combination with fake web domains to trick users into downloading malware or giving up their credentials. These attacks often lead to other types of attacks, such as Business Email Compromise (BEC), ransomware, or cryptocurrency mining.

To counter these types of attacks, organizations should follow a two-pronged approach using education and technology. 

For education, alert users about new threats and train users to avoid phishing scams. As for technology, deploy multi-factor authentication (MFA) to reduce the impact of stolen credentials and enable stringent anti-spam settings on email services to reduce opportunities to trick users.


FBI BEC Warning

The spoofing warning was followed by an alert on Nov. 25.

In it, the FBI and DHS-CISA warned of an increase in Business Email Compromise (BEC) attacks. The warning specifically noted that attackers have been taking advantage of auto-forwarding rules on web-based email clients, such as Microsoft 365 and Gmail.

BEC scams have increased substantially over the past year, costing businesses almost $2 billion in 2019. They work by tricking victims into making fraudulent payments, stealing banking credentials, or even intercepting legitimate payments to business partners.

Auto-forwarding rules allow legitimate users to automatically route emails to specific email folders or to other email addresses. However, attackers who gain access to an account create rules that forward emails to themselves and that route specific types of emails to hidden folders in the victim’s mailbox.

This technique allows the attackers to begin communicating with business partners and coworkers using the victim’s email address. Meanwhile, the replies are routed into a folder hidden from the victim.

To reduce these types of attacks, the FBI’s suggestions include prohibiting automatic forwarding of email to external addresses, prohibiting legacy email protocols (POP, IMAP, SMTP) that circumvent multi-factor authentication, and monitoring and tracking mailbox logins and settings changes.

It’s recommended that organizations engage cloud experts to verify that email settings have been appropriately configured.
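The monitoring recommendation above can be turned into a simple check over mailbox audit events. The following is an added example, not code from the FBI alert or from Ideal Integrations; the records are constructed, with field names modeled on Exchange Online's New-InboxRule parameters, and the internal domain list is an assumption. It flags rules that forward or redirect mail to an external domain and rules that delete or file away replies based on subject keywords.

```python
# Added example (not FBI or Ideal Integrations code): flag inbox-rule audit events that
# match BEC tradecraft. Records are constructed; real audit exports use their own schema.
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def external_targets(params):
    """Forwarding/redirect targets whose domain is not one of ours."""
    found = []
    for key in FORWARD_KEYS:
        for addr in params.get(key, []):
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                found.append(addr)
    return found

def assess_rule_event(event):
    """Findings for one rule-creation/modification event (empty list if benign)."""
    findings, params = [], event.get("Parameters", {})
    ext = external_targets(params)
    if ext:
        findings.append("forwards to external address(es): " + ", ".join(ext))
    # Replies hidden from the victim: deleted outright, or moved out of the Inbox
    # based on subject keywords (payment, invoice, ...).
    subjects = params.get("SubjectContainsWords", [])
    if params.get("DeleteMessage") or (params.get("MoveToFolder") and subjects):
        where = params.get("MoveToFolder", "<deleted>")
        findings.append(f"hides mail in {where} (subjects: {subjects or 'any'})")
    return findings

def scan(events):
    """Map user -> findings for every New-InboxRule / Set-InboxRule event."""
    report = {}
    for ev in events:
        if ev.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            hits = assess_rule_event(ev)
            if hits:
                report.setdefault(ev["UserId"], []).extend(hits)
    return report

# Constructed sample records for a stand-alone run.
SAMPLE_EVENTS = [
    {"UserId": "cfo@example.com", "Operation": "New-InboxRule",
     "Parameters": {"ForwardTo": ["drop@attacker-mail.example"], "DeleteMessage": True}},
    {"UserId": "ap@example.com", "Operation": "New-InboxRule",
     "Parameters": {"SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "RSS Feeds"}},
    {"UserId": "hr@example.com", "Operation": "New-InboxRule",
     "Parameters": {"MoveToFolder": "Newsletters", "ForwardTo": ["hr-team@example.com"]}},
]

for user, hits in scan(SAMPLE_EVENTS).items():  # stand-alone run over the samples
    print(user, "->", "; ".join(hits))
```

The third sample (an internal forward into a newsletter folder) is deliberately benign and produces no finding, so the check distinguishes ordinary mailbox housekeeping from the forward-and-hide pattern the alert describes.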

Other FBI and CISA Warnings

The FBI and DHS-CISA also issued formal warnings about Ragnar Locker data theft and ransomware attacks, Advanced Persistent Threat (APT) attackers targeting think tank organizations, and a password leak affecting Fortinet VPNs.

None of these attacks reveal new attack methods or unknown vulnerabilities.

Each attack uses well-known vulnerabilities, and patches and controls have been available for some time. The agencies issued these alerts to raise awareness so that organizations would take action to eliminate old vulnerabilities.

For example, researchers detected that an Oracle WebLogic server flaw, which was patched two months ago, remains the active target of a botnet because nearly 3,000 servers can still be found that are vulnerable to the attack. However, with the steady barrage of alerts, Microsoft patches, and daily news about the latest ransomware victims, can we really claim that the problem is a lack of awareness?

Alert fatigue and IT team capacity constraints likely play a significant role. Unfortunately, unmanaged devices only make matters worse for struggling IT departments.

Investigators exploring the Baltimore County Public Schools attack suggest attackers frequently use unmonitored devices that connect to the network without any constraints. Microsoft estimates that as much as 63% of all attacks in November originated from devices in an educational network, and researchers believe attackers target schools because they are easier to attack and quickly pay ransoms.

Help is Available

Detecting problems and/or catching up to unpatched devices becomes much more expensive and difficult during and after an attack. 

By partnering with Ideal Integrations and Blue Bastion, you’ll gain extra bandwidth to survey networks for flaws, segregate uncontrolled devices, detect unpatched devices, and monitor for attacks. Or, you can leave it all to us!

Our experts will be able to tell the difference between the annoying cryptominer and the APT disguised as a cryptominer. And, our cloud specialists can set up web email settings to thwart auto-forwarding attacks and many other potential threat vectors. 

Call us today at 412-349-6680 or fill out the form below to stay ahead of cyber attacks.
