Cyber Extortion: Harvesting the Fruits of Business Email Compromises
Business email compromises have long been the staple of online criminal activity. As targets, email accounts were initially seen as a trove of information to be mined and monetized. As malicious actors refined their means of access to email accounts, their criminal goals increased in complexity and sophistication. Rather than merely mine the content of an account, they began to use the accounts to gain secondary access to funds through fraudulent wire transfers, direct deposit manipulation, and W-2 image theft. As they continue to enhance their ability to monetize unlawful access to email accounts, malicious actors are now accessing and downloading emails and attachments, as well as files stored in OneDrive and SharePoint platforms, and using the sensitive information to extort ransom payments from legitimate email account holders.
This relatively new exploit is significant because companies have increasingly moved data to cloud storage for better security and to avoid ransomware attacks. Whereas local storage systems are typically protected by managed detection and response solutions, cloud systems may lack the same protections, or they may rely on the data owner to configure security controls. Cloud storage systems may also lack effective mechanisms to alert data owners of imminent risk to their data. Unfortunately, instead of being the secure storage option, cloud “solutions” have become valuable targets for malicious actors.
This shift in tactics by malicious actors appears to reflect the extortionate value of exfiltrated data, especially when it can be obtained without the investment of time and expense necessary for encryption attacks. Although phishing attacks have always been an attack vector for system intrusions, this new exploit highlights the need for additional security in email platforms and cloud solutions. These “invisible” extortionate attacks – where no encryption occurs but sensitive data is exfiltrated for extortionate purposes – will inevitably increase in frequency and severity. The deployment of available security measures, including multi-factor authentication, is no longer a discretionary option for email platforms – it is critical to the security of information.