
Cyber Attack on Philabundance — Account Takeover (ATO)
April 26, 2024

1. Overview
2. Account takeover (ATO) Attack Case Analysis — Attack Type
To identify fraudulent emails, it is important to understand the attacker's attack type and intent, along with the proactive security requirements that follow from them. Both are elaborated in the ITU's international email security standard, which is recognized globally because the ITU is a specialized agency of the UN. Grounded in that standard, this article analyzes an actual cyber attack on a non-profit, identifies the attack type, and shares proactive response solutions.
Case: 2020 Account Takeover Attack on Philabundance — Social Engineering Email Attacks (Account Take-Over (ATO))
In 2020, Philabundance, a hunger relief organization in Philadelphia, Pennsylvania, was defrauded of over $923,000 by cyber attackers. The incident involved the attackers infiltrating the organization’s email server and impersonating a construction company working with Philadelphia. They sent fraudulent invoices via email, prompting the organization to transfer funds amounting to approximately $923,000 to a bank account controlled by the criminals. The attackers hacked the organization’s computer system, intercepted legitimate emails from the construction company, and replaced them with their deceitful emails. Email security standards define this hacking type as [7.2 Social engineering email attacks]. ‘Social engineering attacks’ are psychological tactics aimed at deceiving users into transferring money or extracting confidential information, not targeting system vulnerabilities. From Philabundance’s viewpoint, this case is considered an account take-over (ATO), involving unauthorized access and manipulation of the organization’s email system to redirect legitimate transactions to fraudulent accounts. From the sender’s standpoint, it falls under [7.4 Outbound email threats by attackers], specifically [7.4.2 Unauthorized email server access]. (Further details will be discussed in a subsequent article.)
According to the standard, [7.2.3 ATO (Account Take-Over)] is defined as follows:
ATO is a social engineering attack using actual user accounts. After logging into a stolen email account to view the user’s email history, the attacker looks for confidential information and potential secondary victims. For example, the attacker might send an email requesting a change in the transfer account using account information stolen from a phishing site or disclose stored confidential information to external parties.
3. Account takeover (ATO) Attack Case Analysis — Solution
In a busy environment where nothing looks wrong at first glance, people tend not to examine details. Asking busy employees to perform a thorough forensic analysis of every email to verify its legitimacy is unrealistic. So how can organizations shield themselves from such fraud? Responding effectively to phishing emails requires prior analysis of sender information, warnings to users, and proactive attack responses. Compliance with international standard clauses 8 and 9, [Security requirements for countering targeted email attacks] and [Countermeasures for targeted email attacks], enables effective solutions and proactive responses.
To counter account take-over (ATO) attacks, it is imperative to adhere to the security requirements outlined in [8.2.3 Security requirements for countering account take-over (ATO) attacks] of the ITU-T X.1236 standard.
Step 1: Warn or block emails if the sender's location differs from previous emails received.
Step 2: Warn or block emails if the email server's IP address differs from previous emails received.
Step 3: Warn or block emails if the email's sending route differs from previous emails received.
Reflecting these security requirements, the introduction of solutions under [9.2.3 Countermeasures for account take-over (ATO) attacks] enables a proactive response to ATO attacks.
- Emails from the same sender should undergo real-time analysis after learning email data, with subsequent validation.
  a. Validating learning data involves understanding the configured header structure and social graph, comparing past learning records with current data when emails are sent.
- Detection of changes in sender location involves analyzing inbound email header information to accumulate a history of sender location IPs and comparing each newly received email against the sender location IP country in the accumulated history. The email header includes the IP address where the email originated, the IP addresses of the servers along the transmission path, and the IP address of the server from which the email was ultimately sent.
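The three checks above (sender location, sending server IP, sending route) can be implemented by learning a per-sender history from the Received: headers of past mail and comparing each new message against it. The following is an added example, not code from the article or from ITU-T X.1236; the IP-prefix country table, the domain names and the sample messages are constructed for illustration. It also shows why an ATO case typically trips only the location and route checks: the attacker sends through the victim's own mail server, so the server IP is unchanged.

```python
"""Header-history checks for ATO indicators (X.1236 9.2.3 style)."""
import re
from email import message_from_string

# Constructed stand-in for a GeoIP lookup (assumption): IP prefix -> country.
GEO = {"198.51.100.": "US", "203.0.113.": "KR", "192.0.2.": "RU"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPs in Received:

# Constructed sample messages. LEGIT is a normal invoice from the partner; ATO is sent
# by an attacker logged into the same mailbox from an unfamiliar location.
LEGIT = ("From: billing@construction.example\n"
         "Received: from mx.construction.example ([198.51.100.20]) by mail.charity.example\n"
         "Received: from laptop.construction.example ([198.51.100.7]) by mx.construction.example\n"
         "Subject: Invoice 1042\n\nPlease pay to our usual account.\n")
ATO = ("From: billing@construction.example\n"
       "Received: from mx.construction.example ([198.51.100.20]) by mail.charity.example\n"
       "Received: from unknown ([192.0.2.44]) by mx.construction.example\n"
       "Subject: Invoice 1042 - updated bank details\n\nPlease use the new account.\n")

def country_of(ip):
    return next((cc for pfx, cc in GEO.items() if ip.startswith(pfx)), "??")

def received_route(raw):
    """Relay IPs in transmission order: origin first, final sending server last.
    Each MTA prepends its Received: header, so the topmost header is the last hop."""
    hops = [IP_RE.search(h) for h in message_from_string(raw).get_all("Received", [])]
    return [m.group(1) for m in reversed(hops) if m]

def learn(history, raw):
    """Accumulate the sender's known origin countries, sending servers and routes."""
    sender = message_from_string(raw)["From"].lower()
    route = received_route(raw)
    h = history.setdefault(sender, {"countries": set(), "servers": set(), "routes": set()})
    h["countries"].add(country_of(route[0]))
    h["servers"].add(route[-1])
    h["routes"].add(tuple(route))

def check(history, raw):
    """Return the X.1236 8.2.3 findings (Steps 1-3) for a newly received message."""
    sender = message_from_string(raw)["From"].lower()
    route = received_route(raw)
    h = history.get(sender)
    if not h or not route:
        return ["no history or no Received headers for sender"]
    findings = []
    if country_of(route[0]) not in h["countries"]:
        findings.append("sender location changed")    # Step 1
    if route[-1] not in h["servers"]:
        findings.append("sending server IP changed")  # Step 2
    if tuple(route) not in h["routes"]:
        findings.append("sending route changed")      # Step 3
    return findings

if __name__ == "__main__":
    hist = {}
    learn(hist, LEGIT)
    print(check(hist, ATO))  # ['sender location changed', 'sending route changed']
```

In production the learned history would be persisted per sender and the GEO table replaced by a real geolocation database; the comparison logic stays the same.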
4. Conclusion
5. Reference
ITU-T X.1236 (Security requirements and countermeasures for targeted email attacks)
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15710&lang=en
Email-based Attacks Against Nonprofits Are On The Rise. Is Your Organization Vulnerable?
Ransomware Attacks on Nonprofits: Rarity or Regularly Hidden?
Nonprofit Cyber Attack Case Studies and Solutions
https://blog.techimpact.org/nonprofit-cyber-attack-case-studies-and-solutions
How Nonprofit Cyber Attacks Really Happen
https://blog.techimpact.org/how-nonprofit-cyber-attacks-really-happen
Nonprofits and Cyberattacks: Key Stats That Boards Need to Know
https://www.boardeffect.com/en-gb/blog/nonprofits-cyberattacks-key-stats/
Basic Cybersecurity Hygiene Measures Could Have Prevented Ransomware Attack, Says Edinburgh Fringe Festival Boss
Philabundance falls victim to cyberattack, loses almost $1 million
https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/
Non-Profit Out $923,000 After Business Email Compromise Scam
https://www.happierit.com/knowledge-center/breaches/philabundance-bec-scam