
Attackers Are Attracted to Email Like Flies to Honey

Email contains business plans, credentials, and sensitive data that attackers harvest after compromising systems—either from local PST files or directly from Exchange servers. Mitigations include avoiding email for sensitive information, encrypting contents at rest, periodically deleting old messages, and monitoring for anomalous logins.

Email has been with us for a very long time. It’s supported by seasoned technologies. The practices for securing email are relatively mature as well, especially when compared to instant messaging and online social networking. Email is such a mundane part of our lives that it’s easy to forget about the treasure trove of information it contains and become complacent about protecting it. Attackers, though, recognize its importance.

Harvesting Mailboxes on Compromised Systems

I was reminded of the attractiveness of email from the perspective of computer attackers who target corporations when reading Mandiant’s M-Trends 2011 report. It discusses Advanced Persistent Threat (APT) incidents, highlighting the importance that APT attackers place on harvesting email contents for sensitive information after initially compromising a system. After all, individuals store all sorts of details in their emails, including business plans, product details, IT infrastructure information and access credentials.

According to Mandiant, APT attackers obtain the email of a targeted individual using two approaches:

  1. “They individually acquire local Windows Exchange e-mail files (PST files) from specific user systems; or
  2. They harvest multiple e-mail mailboxes from the e-mail server (Windows Exchange or Lotus Notes) within a single session.”

Harvesting Email by Phishing Logon Credentials

Email has been a target even outside of the “elite” APT realm for a while. The classic way to gain access to the victim’s email in this context has been phishing, whereby the person gives up webmail logon credentials often without even noticing the scam.

Having access to the person’s email might allow the attacker to reset passwords to other valuable services, such as the victim’s on-line banking account, social networking site or a massively multiplayer online role-playing game (MMORPG) such as World of Warcraft.

Email access is also valuable for sending spam as well as for performing fraudulent activities, such as the “I’m stuck in London” scam.

When performing a penetration test that included a social engineering component, my team was able to obtain webmail logon credentials for a number of the client’s employees, including those of system administrators. Once we had access to their mailboxes, it was game over, considering the data that was present there.

Securing Email

Much has been written about email security and plenty of products exist in this space. A few security measures that might be worth highlighting include:

  1. Avoiding email for exchanging sensitive information wherever possible.
  2. Encrypting email contents at rest, whether they live on the mail server or in local PST files.
  3. Periodically deleting old messages, so that a compromised mailbox yields less.
  4. Monitoring for anomalous logins to webmail and mail servers.
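Monitoring for anomalous logins, one of the mitigations the summary above names, can start from ordinary webmail access logs. The following added example is not from the original post; it assumes a hypothetical log format, a crude /24 notion of "location" and constructed thresholds, and flags the two patterns that phished or guessed credentials tend to produce: one account used from two networks in quick succession, and a success that follows a run of failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample webmail access log in a hypothetical format (not from the post).
SAMPLE_LOG = """\
2011-03-01T08:02:11Z user=alice src=10.1.4.22 result=success
2011-03-01T08:41:03Z user=alice src=10.1.4.22 result=success
2011-03-01T09:10:15Z user=alice src=203.0.113.77 result=success
2011-03-01T08:05:40Z user=bob src=10.1.4.31 result=success
2011-03-01T10:00:00Z user=carol src=198.51.100.5 result=failure
2011-03-01T10:00:30Z user=carol src=198.51.100.5 result=failure
2011-03-01T10:01:05Z user=carol src=198.51.100.5 result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

def parse_log(text):
    """Parse lines into (timestamp, user, src_ip, result), oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def net24(ip):
    """Crude /24 bucket so hosts on one office subnet count as a single location."""
    return ".".join(ip.split(".")[:3])

def find_anomalous_logins(events, window=timedelta(hours=2), max_failures=2):
    """Return {user: [reason, ...]} from two heuristics: (1) successes for one user
    from different /24s within `window`, the pattern of a phished password being used
    from a second location; (2) a success right after >= max_failures failures."""
    alerts = defaultdict(list)
    last_ok = {}              # user -> (timestamp, src) of the most recent success
    fails = defaultdict(int)  # (user, src) -> consecutive failures from that source
    for ts, user, src, result in events:
        if result == "failure":
            fails[(user, src)] += 1
            continue
        if fails[(user, src)] >= max_failures:
            alerts[user].append(f"success from {src} after {fails[(user, src)]} failures")
        fails[(user, src)] = 0
        prev = last_ok.get(user)
        if prev and ts - prev[0] <= window and net24(prev[1]) != net24(src):
            alerts[user].append(f"logins from {prev[1]} and {src} within {window}")
        last_ok[user] = (ts, src)
    return dict(alerts)
```

On the sample log, alice is flagged for a second location and carol for a success after two failures, while bob's routine logins produce nothing; real deployments would replace the /24 bucket with geolocation or known-network data and tune the window to the organisation.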

Email-Like Systems Are Also a Target

In addition to being interested in traditional email systems, attackers are similarly attracted to email-like communication systems that might hold sensitive or otherwise valuable data. An example of such an incident is the NASDAQ breach, in which Directors Desk, a private communications application for board management, was compromised.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.
