Email Security Intelligence - Is It Possible to Intercept Email and How?

The net was a very different place when internet email was introduced to the world back in 1982. Then, it was mainly populated by technical people from a few academic institutions. Security was not yet a concerning issue and those involved were enthusiastic and cooperative. Because of this, they decided that there was no need to protect email messages with any kind of digital envelope as they traveled over the Internet.

Today, the web is riddled with potential threats including email interception fraud. Email interception is the practice of monitoring the Internet to read private messages that were intended for other people as well as a method for criminals to steal information such as email usernames and passwords, giving hackers the power to hack personal or business email accounts.

Threat actors monitor incoming messages before intercepting emails with sensitive data embedded in the content, such as invoices that include banking information or account details. Hackers then respond to the email by posing as the business using fake banking information to scam both the individual and the company out of large sums of money. This data can be compromised via phishing and spoofing scams, as well as DNS hacking, email impersonation, and more.  

There are a number of ways that email interception can take place. One common method is for an attacker to gain access to an email server and read or modify the emails stored on that server. Another possibility is for an attacker to intercept emails in transit, between the sender and receiver, by using a technique called man-in-the-middle attack. In this type of attack, the attacker inserts himself into the communication between the sender and receiver, and can then read or modify the messages being exchanged.

This article will discuss the different types of tactics hackers may use, as well as ways to keep your account and private information safe.

How Hackers Access To Your Email

Hackers will use cleverly disguised phishing and spoofing scans to compromise email passwords of mail accounts. Once the login credentials have been stolen, they will create malicious forwarders and filters with the intention of intercepting sensitive emails, particularly messages that contain financial information such as invoices, payment requests, banking details, etc. 

Threat actors will then monitor these mailboxes until opportunity strikes. An example of this would be an email where a buyer requests the banking details belonging to a seller. The attacker will intercept these messages and hide them before you’re able to see it. This is done to create a filter for your incoming email that sends messages from that address into a trash folder. The attacker will respond to the intercepted email using your compromised email account or they may use a spoofing method. This is when an attacker uses another domain and uses your email address as the sender to make it look like the message came from your email account after changing the banking details. The buyer is unaware of this and will make the payment, effectively transferring the money into the fake bank account.

Email Payment Fraud

Email payment fraud is the result of a fraudster hacking into the email communications between a client and a company and a scammer places malware into a computer. The malware will lie dormant specific keywords relating to a request for funds or deposit payment are recognized. At this point the attackers will make contact with the client in disguise as the solicitor claiming that the bank information for the company has changed and request funding be transferred to the ‘new account.’

Attackers are also playing the long game, analyzing the emails while building up a timeline of the conveyancing activity. About 3 months into the transaction, they will contact the client by email and request the deposit. Since the emails have been intercepted for months at this point, the attackers are aware of the template and are able to produce an authentic-looking email. Once the payment has been received the fraudsters will quickly withdraw the money, and send it overseas.

How to Prevent DNS Hijacking

Domain name server records are used to translate a domain address into an Internet address, which is commonly known as an IP address. An attacker can intercept and read emails by performing a DNS MX record hijacking attack. One possible solution to this issue is the deployment and enforcement of Domain Name System Security Extensions (DNSSEC), which can render DNS hijacking obsolete by requiring a signature to the DNS records with the domain owner’s private key. This guarantees that an attacker won’t be able to send a spoofed DNS record to the client because they can't forge the signature. This also protects each protocol, such as SMTP and HTTP, against those attacks.

Mail providers are also working to develop technology that is similar to HSTS, but for SMTP traffic. This unnamed SSTS protocol will allow us to pin a certificate and enforce that all emails are sent encrypted. This will prevent both MX hijacking attacks and TLS downgrades for providers that deploy it. The protocol is still in development and early stages of specification but hopefully, deployment is coming sooner than later. 

Enforcing signing with DMARC may help alleviate the issue by preventing an attacker from modifying intercepted emails. Because hackers lack access to the legitimate DKIM private key, the receiving server checks for the presence of DKIM, and for the email signature. The receiving server will then reject it if the email has been modified in any way. DMARC also allows you to supply an email address where you will receive a statistical report of how many emails have failed the DKIM signature check, which helps to detect attacks against your domain. 

How to Minimize Risks

Companies must recognize the importance of having safeguards in place to protect against unauthorized access to corporate email accounts. However, there is more that can be done on an individual level, tips for minimizing risks include:

• Use different passwords for all the other email accounts relating to the domain. 
• Reset and have new passwords for all email accounts. 
• Regularly update your password. 
• Use complex, secure passwords.
• Run security scans on any personal computers or other devices with access to the email accounts. 
• Use an SSL certificate in your email client settings.
• Look at alternative methods to supply invoices, such as online invoicing services. 
• Periodically monitor filters and forwarders in the control panel, this includes individual email account filters as well as global filters. 

The Bottom Line

Hackers are constantly developing new methods to access your accounts and compromise your sensitive information. In this ever-changing and potentially threatening digital landscape, it is important your company take the right measures to keep from being a victim of email interception fraud. Effective modern security requires defense in depth and having the right email security technology in place, as well as engaging in email security best practices.