IT Could Happen to You: Security Breach Bites NBA Team
Editor's Note: This article is the first in a two-part series about e-mail security.
The FBI, IRS and NBA, a trio of three-letter organizations that don't often come together, crossed paths last month when the Milwaukee Bucks fell victim to an e-mail spoofing attack that compromised the personal financial information of team members. Star players like Khris Middleton and Giannis Antetokounmpo are more accustomed to worrying about their rebound, assist and steal numbers than their Social Security numbers — but this incident might have temporarily diverted that focus.
This attack made print and online headlines due to the high-profile nature of the victims, but e-mail spoofing attacks take place every day, targeting many different types of organizations. The vast majority of messages fall on deaf ears and are immediately discarded by savvy recipients who recognize them as scams.
This doesn't bother the perpetrators of e-mail spoofing attacks because they're playing a different type of numbers game — they're counting on generating a large profit from each of the very small number of victims that respond to the scam messages. It only takes one unwitting victim to undermine the security of an entire organization. Just ask the Bucks!
On April 26, an employee in the Bucks front office received an e-mail that appeared to be from team president Peter Feigin. The e-mail requested sensitive financial information about team personnel and the employee, believing the request was legitimate, responded with copies of the W-2 statements for some or all team staff, including active players.
Unfortunately, as the culpable employee later found out, the message was not from Feigin but rather from an attacker seeking to gain personal information, likely for use in an identity theft operation. The Bucks discovered the theft of information almost three weeks later on May 16. In a press release, the Bucks stated:
"We take this incident, and the privacy and security of our employees, very seriously. We immediately launched an investigation, which is aggressive and ongoing. We quickly notified impacted individuals and are arranging for these individuals to have access to three years of credit monitoring and non-expiring identity restoration services.
"We have reported this incident to the IRS and the FBI, and will work with the authorities to continue our investigation and response to this incident. We believe this incident arose as a result of human error, and are providing additional privacy training to our staff and implementing additional preventative measures."
The Bucks fall within the sweet spot of organizations most susceptible to these scams. They're large enough that an unusual request might slip through the cracks because it's not easy for an employee to poke his or her head into the president's office and ask whether he really requested copies of employees' W-2 statements.
At the same time, they're small enough to lack many of the controls that would restrict employee access to large quantities of sensitive information, or block their transmission by unencrypted e-mail to an external recipient.
NBA players certainly make lucrative targets for identity theft, due to their relatively high net worth, but organizations of all types should be on guard against e-mail spoofing attacks. It's hard to imagine an organization that doesn't have at least a handful of highly compensated employees. Attackers also often reach beyond the ranks of the wealthy, exploiting the good credit of middle-class workers for personal gain.
Understanding E-mail Spoofing
E-mail spoofing is as old as e-mail itself. I remember experimenting with it during the early 1990s, as e-mail began to mature as a communication mechanism. Three decades ago, a couple of college students sitting in a computer lab in the middle of the night could send their classmates fake messages that listed the sender as firstname.lastname@example.org.
The scary thing is that the security controls around e-mail haven't improved very much since then. While there are some technologies now available to limit e-mail spoofing, they're still in the process of being widely deployed.
The root cause of these issues is that e-mail depends upon the Simple Mail Transfer Protocol (SMTP) to route messages around the internet, and that protocol is, well, "simple." Anyone can attempt an SMTP connection to a mail server and feed it whatever fake messages they like.
While many servers implement restrictions that prevent unknown individuals from using them to inject new messages, it is trivial for an attacker to create a rogue SMTP server that can serve as the source of e-mail spoofing attacks.
You don't have to look far to find examples of e-mail spoofing attacks. Earlier this year, customers of Virgin Media became convinced that attackers gained access to customer information and used it in a spoofing attack. The company denied that their servers were breached, implying that customers' claims were nothing more than a coincidence.
Regardless of who's to blame, the attacks may have impacted sensitive personal information of customers who fell victim to the spoofed messages. It's hard to tell whether customers suffered financial loss, but the company certainly suffered reputational damage in the wake of these spoofed messages.
In some cases, the financial impact of spoofed e-mail is more clear. On May 26, the Austrian aviation manufacturer FACC announced the firing of their CEO, stating that "Mr. Walter Stephan has severely violated his duties, in particular in relation to the 'Fake President Incident.'"
The company did not provide much detail about the incident, but media reports claim that hackers sent spoofed e-mails to employees within the company claiming to be Stephan and requesting money transfers. The employee executed the transfers, resulting in a loss of 41.9 million Euro to the company.
Fortunately, there are measures that companies can take to protect themselves against these attacks. Strong access controls and data loss prevention technology can prevent the theft of sensitive information. The Sender Policy Framework (SPF) can limit the ability of outsiders to spoof messages from corporate domains. Employee education and awareness efforts can increase the savviness of the workforce, training them to question unusual requests for information or financial transactions. I'll cover those and more in the second article in this series.
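To make the two technical points above concrete (that SMTP itself accepts whatever sender a connecting client claims, and that SPF lets a domain owner publish which servers may send on its behalf), here is an added example that is not part of the original article: a simplified SPF evaluator (only the `ip4`, `ip6` and `all` mechanisms) combined with a check that the visible From: domain matches the envelope sender domain, run over two constructed messages. The domains (`example-team.com`, `mail-example.net`), addresses, IP ranges and the `SPF_RECORDS` table standing in for DNS TXT lookups are all hypothetical.

```python
"""Minimal SPF evaluation plus From/Return-Path alignment check.

Added example, not code from the article. SPF_RECORDS stands in for DNS
TXT lookups; all domains, addresses and IP ranges are constructed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF record for a hypothetical domain: only two network
# ranges may send mail for it, everything else hard-fails ("-all").
SPF_RECORDS = {
    "example-team.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the
    envelope-sender domain and the IP the message arrived from.
    Only ip4, ip6 and all are handled; include/mx/a terms are skipped."""
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]  # catch-all term ends evaluation
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and arg:
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                continue  # malformed network in the record, ignore term
    return "neutral"  # no term matched and no explicit "all"


def domain_of(header_value):
    """Extract the bare domain from an address header such as From:."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def assess_message(raw, client_ip, records=SPF_RECORDS):
    """SPF applies to the envelope sender (Return-Path), not the From:
    header the recipient sees, so a second check requires the two domains
    to agree (the alignment idea DMARC standardizes). Returns
    ('ok' | 'suspect', list_of_reasons)."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    reasons = []
    spf = evaluate_spf(envelope_domain, client_ip, records) if envelope_domain else "none"
    if spf != "pass":
        reasons.append(f"spf={spf} for envelope domain {envelope_domain or '<empty>'}")
    if from_domain != envelope_domain:
        reasons.append(f"From: domain {from_domain} does not match envelope {envelope_domain or '<empty>'}")
    return ("suspect" if reasons else "ok", reasons)


# Constructed sample messages (hypothetical people and domains).
LEGIT_MESSAGE = (
    "Return-Path: <president@example-team.com>\n"
    "From: Team President <president@example-team.com>\n"
    "Subject: Budget review\n\n"
    "Please send the Q2 summary.\n"
)
# Visible From: claims the team domain; envelope sender is somewhere else.
SPOOFED_MESSAGE = (
    "Return-Path: <bounce@mail-example.net>\n"
    "From: Team President <president@example-team.com>\n"
    "Subject: Urgent: staff W-2 copies\n\n"
    "Send me all employee W-2 statements today.\n"
)

if __name__ == "__main__":
    print(assess_message(LEGIT_MESSAGE, "203.0.113.10"))
    print(assess_message(SPOOFED_MESSAGE, "198.51.100.7"))
```

The spoofed sample fails on both counts (no SPF pass for the envelope domain, and the From: domain differs from it), while the legitimate one passes because it arrived from a range the record authorizes and its headers align. A real deployment resolves the TXT record over DNS and handles `include`, `a` and `mx`, but the decision logic is the same.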