A brute force attack is a method of attack using automated systems that generate a large number of consecutive guesses to retrieve its targeted information. This means whoever is attacking wants encrypted data, such as passwords for various accounts. In a recent case, Skyhigh Networks found this being used in attempts to get corporate users’ Office 365 account information. They were pretty sneaky about it too. The pattern of attack was slow and methodical to escape detection.
Skyhigh mediated the attack and found over 100,000 failed logins from 67 IP addresses and 12 networks, targeting 48 different organizations. The specific targets were senior employees across multiple departments within these Fortune 2,000 organizations.
Because brute force attacks use automated systems that try various combinations of login names and passwords until they strike gold. And considering that password reuse is still running amok, it’s not unreasonable to believe they could be successful.
So don’t reuse your passwords for multiple accounts. It’s that simple. While it might seem overwhelming to keep track of all the passwords one may need in a given day, here’s a tip to help:
– Try using one base passphrase and adding to it depending on the website you’re visiting. For example, make your base XUP%2H. That’s what you would use on every site you log into. Then, say you’re going to your financial institution’s site, which is myfinancialorg.com. You could bookend your base passphrase with letters from the website. For example, using the first two letters, it would become “mXUP%2Hy.” Or at the end: XUP%2Hmy. Any pattern you come up with will allow you to remember the unique password for every site.
– Remember that a strong password or phrase should be a minimum of eight characters. They should include upper and lower case letters, at least one number, and at least one special character. Because it seems to be pretty standard for people to tack on a special character at the end of their passwords, try putting that in a different spot within your passphrase, just to be different. It’s only a matter of time before these brute force programs are able to succeed even with more complex passwords just because most people put that character at the end.
– Do not use dictionary words either. Brute force attacks count on being able to make small changes to the words to succeed. If your passphrase is gobbledygook, this becomes substantially more difficult.
In this recent attack, the perpetrators tried logging in with various versions of the employees’ Office 365 credentials. According to analysts, this suggests that they already had access to some combinations of this info previously and were seeking confirmation in order to perform spear-phishing attacks. Therefore, watch out for those as well. If you receive an email from an executive or manager that seems suspicious, such as those used for business email compromise (BEC) attacks asking for W-2 or other sensitive information, question it. Pick up the phone and call the sender or take a walk to his or her desk and ask for confirmation. If it’s a legitimate request, then no harm done (although it’s not advised to email such information). If it isn’t, your management will thank you for stopping a potentially damaging phishing attack.
Office 365 is becoming a bigger target these days. It accounts for 58.4% of all sensitive corporate data that is stored in the cloud. So it’s no surprise that it’s a big target.
© Copyright 2017 Stickley on Security