Can you trust email replies?

Wink, wink.

I want to draw your attention to a perfidious attack that I’ve been seeing in the wild lately. Some researchers call it the “Reply Chain Attack”.

Here is how it works:

You get an email. You’ve been CC’ed into a conversation that’s been going on for weeks. 

Two people have been going back and forth about something. It could be a business venture, a research paper, or pretty much anything else. Usually, it’s relevant to you, because the attackers did their due diligence and learned a few things about you before reaching out.

The names of the people could be familiar, but don’t necessarily have to be. At one point, someone CC’ed you, and even introduced you. They might say that the topic could be interesting to you, or that your expertise could be valuable in the discussion. 

Somewhere along the line, one of the participants will share a file. It doesn’t even have to be addressed directly to you. It doesn’t matter, as long as you get it.

The file might sound useful, or you might download it out of sheer curiosity. Whatever your motives - as long as you download and run the file, the attackers win.

You know what the craziest thing about this is? 

There are no people. There is no conversation. It’s just one hacker, who created multiple email accounts, created a fake conversation about a topic that you might find interesting, and then added you somewhere along the line. 

Yep.

It feels authentic.

It sounds legitimate.

It’s all fake.

Here is what really happened:

Let’s say you’re signed up for life insurance with a major insurance company. 

That company gets breached, because their corporate VPN still used factory-default credentials. 

The attackers exfiltrate all of the information about their clients. They get your full name, email address, and a few other details.

Not only do they know your private email address, they also know a few things about you. They’ll cross-reference that information with Facebook, Instagram, LinkedIn, and a few other places, and get a basic profile. 

They will learn about your business, your interests, and more.

Then, they’ll create a fake email chain and strike.

Alternative Reply Chain Attack

There’s an alternative strategy, too. This one is a little harder to pull off, but it’s been done before.

If cybercriminals hack into the customer support platform of a company, they can read the conversations the company had with its customers.

Not only that, but they can keep the conversation going, by sending the next message. 

That message can carry a virus, or lead to a malicious landing page. 

You’ll trust this message, because - why shouldn’t you? It’s coming from a known, trusted source. You talked to them before, right? 

If it happened to IKEA, it could happen to you, too.

How to defend against Reply Chain Attacks

If you’re not expecting an email, and more importantly - if you’re not expecting an email attachment - don’t open it.

Simple as that. 

Don’t be overly curious. Curiosity killed the cat. Instead, be skeptical. If the sender’s name sounds familiar, reach out via phone, or any other channel you already trust, and confirm their intentions. You can also look at their LinkedIn profile, but be careful here, too, since many attackers create fake personas on social platforms as well. Luckily enough, these can usually be spotted: look at the account creation date, the number of followers, and their activity, and you’ll get a clear picture of whether the account is fake or not.

Also, big firms such as IKEA operate their customer support on a per-ticket basis. Once a ticket is closed, a new one needs to be opened. If a company reaches out to discuss a closed ticket, it’s most likely a scam.
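As an added example (not from this newsletter), here is a small Python triage heuristic for the situation described above: a message that claims to continue a thread none of whose earlier messages ever reached your mailbox, and that also carries an attachment. The sample message, addresses and Message-IDs are all constructed for the example.

```python
from email import message_from_string, policy

# Constructed lure: you are CC'd into a "weeks-old" thread you never saw.
LURE = """\
From: Dana <dana@partner.example>
To: Marko <marko@acme.example>
Cc: you@example.test
Subject: Re: Re: Joint venture draft
Message-ID: <msg3@partner.example>
In-Reply-To: <msg2@acme.example>
References: <msg1@partner.example> <msg2@acme.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Adding our new colleague, see the attached draft.
--b1
Content-Type: application/octet-stream; name="draft.zip"
Content-Disposition: attachment; filename="draft.zip"

(constructed placeholder, not real file content)
--b1--
"""

MAILBOX_IDS = {"<msg0@example.test>"}  # constructed: IDs of mail you really got

def thread_ids(msg):
    """Message-IDs of the earlier mail this message claims to continue."""
    ids = set()
    for header in ("In-Reply-To", "References"):
        for value in msg.get_all(header, []):
            ids.update(value.split())
    return ids

def has_attachment(msg):
    """True if any MIME part carries a filename."""
    return any(part.get_filename() for part in msg.walk())

def triage(raw_message, mailbox_ids):
    """Return warnings for a raw RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw_message, policy=policy.default)
    warnings = []
    referenced = thread_ids(msg)
    if referenced and not (referenced & set(mailbox_ids)):
        warnings.append("joins a thread with no earlier message in your mailbox")
    if has_attachment(msg):
        warnings.append("carries an attachment")
    return warnings
```

Being added to a genuine thread late does happen, so treat the first warning as a reason to verify out of band, not as proof of an attack.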

If you’re interested in further reading, here’s how the University of British Columbia got hacked.

That’s all for now, until next week, stay safe!

  • Sead from SmallBiz CyberWiz

P.S.

If you enjoyed this newsletter and appreciate these tips, please share it with your friends and colleagues; it would help a lot!