Targeted (email hacking) phishing attacks against professional services firms

Impetus

I have come across two cases of phishing attacks targeted against professionals over the past month. One was an immoblier (real estate agent), and the other is a law firm in Spain.

I knew a partner in the law firm, and s/he told me of the other case with the immoblier – who was based in a different country, who did business with them.

They both said that they were being ‘blackmailed’. The immoblier acts as agent in buying and selling expensive houses and apartments. The law firm is one of the big four firms in the country in question. While both appear to me to be highly professional and ethical, I have no doubt that neither would not wish to have copies of emails relating to client property deals or client legal matters/negotiations (eg divorces, lawsuits and similar) to be published in the open (eg on a website or in a tabloid newspaper). In the Irish context, this might be a director of a supermarket chain in Ireland buying a vacation villa in Bermuda or the Seychelles for x million or whatever. In big countries, the market is bigger and the sums rise accordingly.

The blackmail was basically pay us XBT (bitcoin) 100 (EUR 560’000) within 48 hours or all your incoming/outgoing email (stolen from their email servers) would be published. The immoblier was extorted for just XBT 10. Presumably these crooks thought that there was more money is a large law firm than in a real estate agency.

To make matters worse, these events took place post GDPR. My response to the partner in the law firm was that presumably you encrypt your emails using S/MIME certificates (a simple universally used (in business) add-on to Microsoft Outlook and several other email clients), and the other parties you correspond with don’t you? It confirms the identity of the sender (like a notary) and encrypts the email. He said no. And went on to say that when banks use their internal systems to send documents to law firms in his country, these documents (arriving at the law firm encrypted) are frequently forwarded on (by advocates/law firms generally) to the client or other law firms in the clear. (None of this relates to Irish professional services firms, who I have no doubt encrypt everything and take client confidentially seriously, and are well aware that an email is like a postcard etc). Having said that, to be honest, I have never received an encrypted email from an Irish law, accountancy firm or even a bank. And I always sign my emails to them with my S/MIME electronic signature.

Even if I was sleeping rough on the streets, and had to employ a legal professional via legal aid, I would hate to think that my lawyer was communicating by email about an issue in my life in the clear via email. Not to mind people who have the resources to engage in big transactions, and put their legal advisor out of business should an email server get hacked as a result of their negligence – not to mention the GDPR 2%/20 million fine.

End to end encryption (eg S/MIME), while not perfect, (emails need to be text only at present) encrypts an email stored on email servers, making them look like noise to a hacker (rather than readable text etc). This locks the email down to the sender and recipient’s computer email client – eg Outlook, Thunderbird etc.

The people at dataprivacy.ie seem to be over worked managing Facebook & Co Europe-wide, at the expense of Irish citizens and their basic human rights – which are totally ignored by often grossly over-priced ‘professional’ services firms. And those who ‘regulate’ them – eg Law Society, CAI, ACCA, etc not to mention the Central Bank (the latter who has shown to be incapable of regulating the movements of a snail on the ground).

And politicians are supposed to ‘regulate’ the regulators. One wonders if they would like their private family dealings to be the subject of an email hack?

When (not if) one or more big hacking attempts take place against Irish firms, it has the potential to do big damage to the firm’s good name, the country as a destination for online business, financial services, IFSC matters, even as a place to make a hotel reservation online with a high value payment card. (30% of credit card fraud globally is hotel related).

L1011

I'd suspect the percentage of consumers that are in a position to use S/MIME could be counted on one hand; which is why adoption isn't effectively non-existant. I would hope that anyone contacting their legal advisors by email is fully aware that it is inherently insecure; those that aren't and are doing it for high value/risk transactions are bordering on deserving what comes.

Impetus

I agree (about average consumers not having S/MIME) but that does not excuse big professional services firms & co from not having S/MIME at their end - so that the paying customer can make their own decision at their end. Big 4 accounting firms and the law industry equivalent are dealing with customers with deep pockets. And they face a 20 mil fine or 2% of revenues for security negligence. And yet they dumbly/brazenly/negligently/techno-phobicly put two fingers to client confidentiality when it comes to online stuff and particularly emails. POP3 and similar are dated protocols, with almost zero security.

In Switzerland (a country of direct democracy), one can get a basic S/MIME cert for EUR 25, or a 'extended validation' type cert for about EUR 40 equivalent pa which proves your online ID to notary standards. (An unknown concept in Anglo countries such as Ireland with its junk common law system, where notaries are unknown (as opposed to the largely untrained common law notary public)).

In the Swiss extended validation system (SwissID) one has to visit the post office/la poste/die post etc with an ID card or passport, for a face to face ID verification, among other controls.

And the equally grossly incompetent https://www.dataprotection.ie allow it to continue - which puts the public purse at risk. And the professional associations and societies who are supposed to regulate.... They are all exposing themselves to a big fine for negligence.

gctest50

Impetus wrote: »

I agree (about average consumers not having S/MIME) but that does not excuse big professional services firms & co from not having S/MIME at their end - so that the paying customer can make their own decision at their end. Big 4 accounting firms and the law industry equivalent are dealing with customers with deep pockets. And they face a 20 mil fine or 2% of revenues for security negligence. And yet they dumbly/brazenly/negligently/techno-phobicly put two fingers to client confidentiality when it comes to online stuff and particularly emails. POP3 and similar are dated protocols, with almost zero security.

In Switzerland (a country of direct democracy), one can get a basic S/MIME cert for EUR 25, or a 'extended validation' type cert for about EUR 40 equivalent pa which proves your online ID to notary standards. (An unknown concept in Anglo countries such as Ireland with its junk common law system, where notaries are unknown (as opposed to the largely untrained common law notary public)).

In the Swiss extended validation system (SwissID) one has to visit the post office/la poste/die post etc with an ID card or passport, for a face to face ID verification, among other controls.

And the equally grossly incompetent https://www.dataprotection.ie allow it to continue - which puts the public purse at risk. And the professional associations and societies who are supposed to regulate.... They are all exposing themselves to a big fine for negligence.

You forgot to mention :


#eFail

Impetus

gctest50 wrote: »

You forgot to mention :


#eFail

eFail is not a function of S/MIME - it is function of the client software. eg Outlook pre 2016 and other clients. Plain text emails appear to be not vulnerable in Outlook 2016. Outlook 2016 is not perfect, and thus does not comply with GDPR.

In any event, the objective is to ensure that the mails in a hacked email server are as difficult as possible to read. Sending them in cleartext does not achieve this and is a negligent way to go.

https://www.csoonline.com/article/3272067/security/researchers-warn-pgp-and-smime-users-of-serious-vulnerabilities.html

While Microsoft would appear to be a somewhat negligent company when it comes to S/MIME and their mobile phone email apps, there is little one can do except to move to a phone that supports S/MIME - eg not Apple and not Microsoft - perhaps Samsung Galaxy (latest) or similar. And keep logos and other decorative stuff (html) out of the email completely.