On the 16th of January 2023, the Johannesburg South High Court ruled that ENSAfrica were to pay damages and costs to Judith Hawarden – who,
in the process of purchasing a house, transferred R5.5 million into the account of a fraudster impersonating ENSAfrica.
Many articles seem to misconstrue the events, some even suggesting that ENSAfrica itself was hacked, but a close reading of the judgement tells a different story. We gave the judgement a read to try and pick apart what really happened. You can find the judgement here.
While legal liability issues are obviously for the court to decide, we thought it would be useful for the public to understand the various lapses of security that happened so that businesses and individuals can better protect themselves.
What actually happened?
While much of the technical detail is missing from the judgement, there's plenty of information about the sequence of events. Without going into too much detail, these are the basic facts:
- Hawarden purchased property from a seller who appointed ENSAfrica as the conveyancer.
- During the purchase, Hawarden elected to pay R5.5 million for the property via EFT into ENS’s account.
- ENSAfrica furnished Hawarden with their banking details via a PDF attached to an email.
- This email was intercepted and the PDF altered to reflect the fraudster's account details.
- Hawarden, unaware of the alteration, made payment into this account.
If we’re trying to understand the lapses in security, the above timeline raises an important question: how was the mail intercepted?
While the evidence within the judgement itself is minimal, it seems that this attack followed a very familiar pattern.
- The attackers gain access to the mailbox. There are many ways this can happen, but a typical scenario is that a username and password you reuse across several sites turns up in a breach dump, and the attackers simply try it against your mailbox.
- Once in, they set up a rule that forwards your mail to a mailbox they control (and deletes the forwarded copies so you don't notice) or to an RSS feed. This keeps them informed about your communication even if they later lose access to the mailbox itself.
- Attackers may observe the mailbox for several months before acting. They wait until an important transaction takes place (with a financial institution or, in this case, a conveyancer). Once they know who you're talking to, they set up a rule that auto-deletes mail from that sender. Because they still receive copies thanks to step 2, this lets them control what information you receive.
- They hijack the conversation. This usually means sending a spoofed mail that appears to come from the sender, set up so that when you hit reply your response goes to a mailbox they control (typically through a Reply-To header or a look-alike domain, so the visible sender still looks right).
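Step 4 above is the point at which a recipient can still catch the attack, because the mail that hijacks the conversation has to steer replies somewhere the attacker reads. The following is an added example, not code from the original post or from Sendmarc: it constructs such a message and shows the two checks a mail client or gateway can run on it. All addresses are made up; ens-example.co.za stands in for the conveyancer's real domain and ens-exarnple.co.za ("rn" in place of "m") is a hypothetical look-alike domain the attacker controls.

```python
"""Step 4 of the pattern above: the spoofed reply-hijack mail.

Added example, not code from the original post or from Sendmarc. All
addresses are constructed: ens-example.co.za stands in for the
conveyancer's real domain and ens-exarnple.co.za ("rn" in place of "m")
is a hypothetical look-alike the attacker controls.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Pairs of character sequences that render almost identically in most fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))


def build_hijack_message() -> EmailMessage:
    """Constructed sample: From looks legitimate, Reply-To quietly does not."""
    msg = EmailMessage()
    msg["From"] = "ENS Conveyancing <conveyancing@ens-example.co.za>"
    msg["To"] = "buyer@example.net"
    # The attacker only needs the victim to hit Reply; this header decides
    # where that reply goes, and most clients do not display it prominently.
    msg["Reply-To"] = "ENS Conveyancing <conveyancing@ens-exarnple.co.za>"
    msg["Subject"] = "RE: Transfer - updated banking details"
    msg.set_content("Please use the updated account details in the attached PDF.")
    return msg


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def reply_target(msg: EmailMessage) -> str:
    """The address a plain Reply goes to: Reply-To if present, otherwise From."""
    return parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]


def reply_mismatch(msg: EmailMessage):
    """(from_domain, reply_domain) when a reply would leave the From domain, else None."""
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_domain = domain_of(reply_target(msg))
    return (from_domain, reply_domain) if from_domain != reply_domain else None


def normalise(domain: str) -> str:
    """Fold common look-alike sequences so visual twins compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def looks_alike(a: str, b: str) -> bool:
    """True when two different domains collapse to the same string after folding."""
    return a.lower() != b.lower() and normalise(a) == normalise(b)


if __name__ == "__main__":
    m = build_hijack_message()
    mismatch = reply_mismatch(m)
    print("reply goes to:", reply_target(m))
    if mismatch:
        print("From/Reply-To domain mismatch:", mismatch,
              "look-alike" if looks_alike(*mismatch) else "unrelated domain")
```

The first check (reply_mismatch) is cheap and catches the common case where the attacker keeps the genuine address in From and relies on Reply-To; the second (looks_alike) is what turns "different domain" into "deliberately similar domain", which is the signal worth escalating. Neither needs any infrastructure on the impersonated firm's side, which is the point made in the paragraph that follows.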
What's critical to understand here is that at no point does the attacker control any infrastructure belonging to the organisation being impersonated; the foothold is in the recipient's mailbox, and the spoofed mail merely borrows the organisation's name. In the ENSAfrica case, likewise, the attackers had no control over ENSAfrica's infrastructure.
So, in a technical sense, why are ENSAfrica at fault?
The judgement identifies several steps ENSAfrica could have taken to prevent the fraud and holds that, by not taking them, it fell short of the standard expected. Firstly, it could have warned Hawarden, and its own staff, about cybercrime and Business Email Compromise in particular. Secondly, it could have delivered its banking details through a secure portal (your bank, for example, sends important communication through its app, which is such a portal) rather than by email, given how easily email is abused by bad-faith actors. Finally, it could have implemented DMARC on its domain. DMARC would not have stopped a compromised mailbox from being read, but it would have let receiving mail servers reject messages that claim to come from ENSAfrica's domain without being authorised by it, which is exactly what a spoofed reply-hijack mail of the kind described above is.
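To make the DMARC point concrete (both here and in the recommendation further down), the following is an added example, not code from the original post or from Sendmarc. It implements the decision a receiving mail server makes: parse the domain owner's published record, check whether the SPF or DKIM result aligns with the visible From domain, and otherwise apply the published policy. The records and message facts are constructed, ens-example.co.za is a stand-in for the conveyancer's domain, and the organisational-domain lookup uses a tiny hardcoded suffix set in place of the real Public Suffix List.

```python
"""DMARC as the receiving server applies it: parse the record, test
alignment, apply the published policy.

Added example, not code from the original post or from Sendmarc. The
records and message facts below are constructed; ens-example.co.za is a
stand-in for the conveyancer's domain. Organisational-domain lookup uses
a tiny hardcoded suffix set in place of the real Public Suffix List.
"""
PUBLIC_SUFFIXES = {"co.za", "com", "net", "org"}  # simplification, not the PSL

# Constructed records: what the domain owner publishes at _dmarc.<domain>.
RECORD_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@ens-example.co.za"
RECORD_NONE = "v=DMARC1; p=none"  # monitoring only: spoofed mail is still delivered


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Registrable domain: 'mail.ens-example.co.za' -> 'ens-example.co.za'."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(header_from: str, auth_domain, mode: str) -> bool:
    """Does the authenticated (SPF or DKIM) domain match the visible From domain?"""
    if not auth_domain:
        return False
    if mode == "s":  # strict: exact match
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)  # relaxed


def evaluate(record, header_from, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Genuine mail relayed by the firm's own mail host: SPF passes, relaxed alignment holds.
    print(evaluate(RECORD_REJECT, "ens-example.co.za", True, "mail.ens-example.co.za", False, None))
    # Spoofed From: the attacker's own SPF and DKIM pass, but for the wrong domain.
    print(evaluate(RECORD_REJECT, "ens-example.co.za", True, "attacker.example.net", True, "attacker.example.net"))
    # The same spoof against a p=none record is delivered anyway.
    print(evaluate(RECORD_NONE, "ens-example.co.za", True, "attacker.example.net", True, "attacker.example.net"))
```

Two things the example makes visible that the prose does not: SPF and DKIM alone are not enough, since the attacker's mail can pass both for the attacker's own domain and it is the alignment with the From header that DMARC adds; and a record with p=none is a reporting tool, not protection, because the spoofed message is still delivered.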
What can you do to better protect your business?
Considering this information, here are some tips on how to protect your businesses:
- Institute awareness training for your staff. By educating your employees about the dangers of email impersonation and what to look out for, businesses can empower their staff to recognize and report anything suspicious.
- Consider moving sensitive conversations to a secure portal. Email communication is an important tool for business but is an attack surface that is easy to exploit. Using a secure channel to communicate sensitive information can be useful. There are many ways to get this right, but a common approach is to use a business customer portal – for example, your banking app.
- Implement DMARC (you can test your current protection here). DMARC lets a domain owner publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to come from that domain but fail SPF and DKIM alignment: deliver them anyway (p=none), quarantine them, or reject them. It does not stop a compromised mailbox from being read, but it does stop the spoofed mail that uses your domain to hijack a conversation.
Additionally, here are some practical measures that businesses can implement to safeguard against Business Email Compromise:
- Implement Two-Factor Authentication for all users. Two-factor authentication adds an additional layer of security to the login process, protecting the account even if the password is compromised.
- Regularly audit your environment for suspect rules. Mailbox rules are often used by users to make managing email easier. However, rules that auto-forward every email to external addresses, auto-delete messages, or delete mail from one particular sender should be reviewed closely, as these are exactly the rules the attack pattern above relies on.
- Regularly audit your environment for suspicious logins. Most modern email platforms allow you to understand where the IP addresses of users that are logging into their systems are geo-located. This information can be very useful in identifying potential malicious actors – after all, if all your users are based in South Africa, for example, you shouldn’t be seeing logins from Iran or the United States or any other region for that matter.
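The two audits in the last two points are routine enough to script. The following is an added example, not code from the original post or from Sendmarc: it walks an export of inbox rules and a sign-in log and flags the patterns described above, namely rules that forward externally, delete, or target one sender, and sign-ins from outside the expected region or from two countries too close together to be travel. The rule and sign-in records are constructed samples shaped roughly like an Exchange Online inbox-rule export and a sign-in log; the field names are assumptions for this illustration, not any vendor's schema.

```python
"""Mailbox audit for the two BEC tells above: suspect inbox rules and
out-of-region or impossible-travel sign-ins.

Added example, not code from the original post or from Sendmarc. The
rule and sign-in records are constructed samples shaped roughly like an
Exchange Online inbox-rule export and a sign-in log; the field names are
assumptions for this illustration, not any vendor's schema.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.co.za"}
ALLOWED_COUNTRIES = {"ZA"}
PARKING_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Junk Email"}

RULES = [
    {"mailbox": "alice@example.co.za", "name": "Receipts", "from": None,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "Receipts"},
    # Step 2 of the pattern: forward everything out, delete the evidence, name it "."
    {"mailbox": "alice@example.co.za", "name": ".", "from": None,
     "forward_to": ["relay@mail-backup.example.net"], "redirect_to": [],
     "delete": True, "move_to": None},
    # Step 3: silently drop mail from the party whose thread is being hijacked.
    {"mailbox": "alice@example.co.za", "name": "Cleanup",
     "from": "conveyancing@ens-example.co.za",
     "forward_to": [], "redirect_to": [], "delete": True, "move_to": None},
    {"mailbox": "bob@example.co.za", "name": "Archive", "from": None,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "RSS Subscriptions"},
]

SIGNINS = [  # (user, UTC timestamp, source IP, geo-located country), constructed
    ("alice@example.co.za", "2023-01-10T08:02:00", "198.51.100.10", "ZA"),
    ("alice@example.co.za", "2023-01-10T08:40:00", "203.0.113.5", "US"),
    ("bob@example.co.za", "2023-01-10T09:15:00", "198.51.100.44", "ZA"),
]


def is_external(addr: str) -> bool:
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Return (mailbox, rule name, [reasons]) for every rule worth a human look."""
    findings = []
    for r in rules:
        reasons = []
        external = [a for a in r["forward_to"] + r["redirect_to"] if is_external(a)]
        if external:
            reasons.append("forwards/redirects to external: " + ", ".join(external))
            if r["delete"]:
                reasons.append("deletes after forwarding, hiding the copy")
        if r["delete"] and r["from"]:
            reasons.append("silently deletes mail from " + r["from"])
        if r["move_to"] in PARKING_FOLDERS:
            reasons.append("parks mail in rarely-read folder " + r["move_to"])
        if len(r["name"].strip(" .-_")) < 2:
            reasons.append("near-empty rule name")
        if reasons:
            findings.append((r["mailbox"], r["name"], reasons))
    return findings


def audit_signins(signins, max_gap=timedelta(hours=2)):
    """Flag sign-ins from outside allowed regions and country hops too fast to be travel."""
    findings = []
    last_seen = {}
    for user, ts, ip, country in sorted(signins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        if country not in ALLOWED_COUNTRIES:
            findings.append((user, ip, f"sign-in from {country}, outside allowed regions"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] < max_gap:
            findings.append((user, ip, f"{prev[1]} then {country} within {when - prev[0]}"))
        last_seen[user] = (when, country)
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES) + audit_signins(SIGNINS):
        print(*finding)
```

In a real environment the RULES and SIGNINS lists would be replaced by the output of your mail platform's rule and sign-in exports; the checks themselves stay the same. Note that the country allow-list is a blunt instrument (staff do travel), which is why the second test, a country change within a window too short to fly, is the more reliable signal.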
What can you as an individual do to better protect yourself?
Unsurprisingly, you as an individual can benefit from choosing an email provider who:
- Has good inbound email filtering. Ask your email provider if they perform inbound SPF, DKIM and DMARC checks.
- Supports two factor authentication.
Lastly, you can put pressure on your providers to get their business measures right! Ask about awareness training, push for secure portals and check your provider's DMARC score. If it's 3/5 or less, they can be impersonated.
Is your domain at risk? Find out how susceptible your organisation is to being used as a cybercrime weapon by taking Sendmarc’s quick online assessment.