Salted Hash Ep 21: Scammers targeting Office 365 and DocuSign

On this week's episode, Salted Hash talks with Barracuda's Asaf Cidon about targeted scams leveraging Office 365 and DocuSign

Welcome back! Salted Hash is gearing up to shoot our next season, as well as other segments in April during the RSA Conference, but this week we're going to chat with Asaf Cidon, vice president of email security services at Barracuda.

Barracuda released a report shortly before this episode was filmed, highlighting an uptick in scams targeting the Office 365 and DocuSign brands, luring victims to false login portals in order to obtain credentials, which are later used in additional scams.

"Email continues to be one of the most commonly exploited conduits to compromise. The good and the bad about email security is that we've gotten much better as an industry improving email security," commented Brian Contos, CISO of Verodin.

"The bad news is, in some cases, we've become too comfortable and simply assume that our email security solutions are filtering out all the bad stuff. But like any filter, email security isn't 100%. And as with everything in security, technology alone isn't the answer."

Like the scams we've covered previously on Salted Hash, the links in the emails Barracuda observed are often fresh, meaning they won't yet appear on blacklists, and they often point to legitimate websites that have been hijacked to host the phishing pages.

"Even if an organization has traditional email security technologies enabled, there will be nothing preventing the user from providing their credentials to the cunning cybercriminal," the report explained.

These attacks haven't shown any sign of slowing. Last month, IBM's X-Force released a report outlining BEC attacks against accounts payable personnel at various Fortune 500 firms, which have resulted in millions of dollars in losses.

The scammers, believed to be from Nigeria, followed the same pattern as the campaigns in late 2017 and earlier this year, focusing on credential harvesting, phishing, and social engineering to steal financial assets.

"This is an attack vector that is seeing explosive growth; Trend Micro has predicted that this form of spear phishing will increase by more than $9 billion in 2018," commented Alan Levine, Security Advisor to Wombat Security.

"Though there has been a lot of focus on the risk to Fortune 500 companies, they are not the only targets. Everyone is at risk. BEC attacks typically target employees who have access to an organization’s financial accounts, like controllers and staff accountants."

Want to get the audio of this episode, and all of the other Salted Hash episodes? We've made the show available as a podcast, which is available on Soundcloud, iTunes, Google Play, and Stitcher.
