Threat Actors’ Tactics Help Maintain Access to Compromised Email Accounts
Threat actors targeting email accounts may take measures to maintain access to the accounts in the event of a password change. These actors often gain access to email accounts via credentials exposed in a data breach or by brute-forcing the account password. Once they have gained access to an account, they conduct malicious activities such as sending emails requesting wire transfers, attempting to gain access to additional accounts, or diverting funds related to ongoing transactions to an account controlled by the threat actor, as is the case in some of the recent real estate transaction scams.

Once a victim discovers that their email account may have been compromised, the first course of action is to change the account password and enable multi-factor authentication, if it was not already enabled. However, victims are also advised to take additional steps to ensure their account is protected from unauthorized access, as threat actors may have initiated auto-forwarding to a separate account to maintain access and visibility. Threat actors can also use an app password to link the email account to a separate app controlled by the actor. Even when the account password is changed and multi-factor authentication is enabled after the hack is discovered, these other links may still provide criminals with continued access to the account.

FireEye recently highlighted this issue in a blog post, Shining a Light on OAuth Abuse with PwnAuth. The NJCCIC advises users to be vigilant of any suspicious activity within their online accounts and to review the FireEye blog post, which contains OAuth abuse mitigations. Cyber incidents can be reported to the NJCCIC via our website here.
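The persistence mechanisms described above (mailbox auto-forwarding, inbox rules that forward or redirect mail, and lingering app passwords) can be checked for after a password reset. The following Python script is an added example, not code from the NJCCIC advisory or from FireEye: it audits a constructed, simplified export of mailbox settings and flags forwarding to addresses outside the organisation, rules that both forward and delete mail (which hides the forwarding from the account owner), and any app passwords still active. The field names in the sample export and the organisation domain `example.com` are assumptions for this example and not the schema of any real mail platform.

```python
"""Post-compromise audit of mailbox settings for persistence left by a threat actor.

The export format below is an assumption made for this example; adapt the
field names to whatever your mail platform's admin export actually produces.
"""
from typing import Dict, List

# Assumed set of domains belonging to the organisation; any other domain is "external".
ORG_DOMAINS = {"example.com"}

# Constructed sample export of two mailboxes (not real data).
SAMPLE_MAILBOXES = [
    {
        "user": "alice@example.com",
        "forwarding_address": None,
        "inbox_rules": [
            {"name": "Sort newsletters", "forward_to": [], "delete": False, "folder": "Newsletters"},
        ],
        "app_passwords": [],
    },
    {
        "user": "bob@example.com",
        # mailbox-level forward to a domain outside the organisation
        "forwarding_address": "bob.backup@mail.example.net",
        "inbox_rules": [
            # forwards every message externally and deletes the original
            {"name": ".", "forward_to": ["relay@mail.example.net"], "delete": True, "folder": None},
            {"name": "Archive receipts", "forward_to": [], "delete": False, "folder": "Receipts"},
        ],
        # an app password lets a client keep authenticating after the main password changes
        "app_passwords": [{"label": "Mail client", "created": "2018-05-30"}],
    },
]


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True if the address's domain is not one of the organisation's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def audit_mailbox(mailbox: dict, org_domains=ORG_DOMAINS) -> List[str]:
    """Return human-readable findings for one mailbox; an empty list means nothing suspicious."""
    findings: List[str] = []

    fwd = mailbox.get("forwarding_address")
    if fwd and is_external(fwd, org_domains):
        findings.append(f"mailbox-level forwarding to external address {fwd}")

    for rule in mailbox.get("inbox_rules", []):
        external = [a for a in rule.get("forward_to", []) if is_external(a, org_domains)]
        if external:
            findings.append(f"rule '{rule['name']}' forwards to external {', '.join(external)}")
            if rule.get("delete"):
                findings.append(
                    f"rule '{rule['name']}' also deletes the original, hiding the forwarding from the owner"
                )

    # After a compromise every app password should be reviewed and revoked if not recognised.
    for ap in mailbox.get("app_passwords", []):
        findings.append(f"app password '{ap['label']}' (created {ap['created']}) is still active")

    return findings


def audit_all(mailboxes, org_domains=ORG_DOMAINS) -> Dict[str, List[str]]:
    """Map each user with findings to their list of findings; clean mailboxes are omitted."""
    report: Dict[str, List[str]] = {}
    for mailbox in mailboxes:
        findings = audit_mailbox(mailbox, org_domains)
        if findings:
            report[mailbox["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE_MAILBOXES).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the script reports nothing for `alice@example.com` and four findings for `bob@example.com`: the mailbox-level external forward, the external inbox rule, that rule's delete action, and the active app password. Each of these should be removed or revoked in addition to the password change and MFA enrolment the advisory recommends.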