Email breach chronicles: Lessons learned from customer support email security incidents

  • Published : November 28, 2023
  • Last Updated : November 28, 2023

Customer trust is crucial to a company's success, and security breaches and data theft can ruin years of painstakingly built confidence in an instant. Typically, numerous departments inside and outside an organization are involved in the safe storage, handling, and dissemination of customer information. Nevertheless, customer service teams are particularly vulnerable to information security breaches.

Customer service teams serve as the virtual front door for the majority of online firms. Customer care representatives detest hearing that their customers' accounts have been compromised. With so many customer service departments operating online, rising security threats have become a significant concern.

Support personnel are an enticing target for attackers seeking to steal sensitive data or extort money, because they generally have access to sensitive information and enjoy high levels of trust. Support teams are also frequently under pressure to respond swiftly to emails in order to meet deadlines and maintain customer satisfaction.

In this article, we’ll explore three email security incidents involving customer support teams and attempt to understand why support teams are vulnerable to email compromise and how to protect customer-facing teams from these types of attacks. 

Lessons learned from customer support email security incidents

Malicious attachments in support tickets

Malicious attachments in support requests can constitute a significant security risk to a company. These attachments may contain viruses, malware, or other forms of malicious software that compromise computer or network security. Additionally, they can be used to steal valuable information or initiate attacks against other systems.

As support teams interact with external entities such as customers, partners, and end users, they’re escalating more and more issues to the security operations center team. As more harmful attachments are being sent with support tickets, concern among support teams across enterprises has grown.

Support tickets can be abused in numerous ways. Phishing attacks use a fake support request to deceive victims into opening a malicious attachment. Attackers also use hacked accounts to transmit harmful attachments through support tickets.

In recent times, malware (e.g., viruses) has shifted from being caught by antivirus and security controls to evading them.

Case 1: Support tickets with suspicious attachments

Attackers may send fake support tickets that appear legitimate but contain links or attachments that lead to phishing scams or malware downloads. These attachments have valid names and appear to be genuine client attachments; opening the HTML attachment typically displays an HTML page.

This document-based macro malware remains dormant to avoid detection by sandbox test environments and virtual machines. It drops a password-protected zip file that goes unnoticed by antivirus software (payloads packed inside password-protected zip, ISO, or IMG files aren't detected because the antivirus software doesn't read the contents inside them). The zip file is embedded in the HTML attachment as Base64-encoded data.

When the victim opens the attached zip file with the password displayed on the HTML page, they find an ISO file containing the actual payload. Once the ISO is mounted, the mount point contains an LNK (shortcut) file that resembles a folder icon. When the folder icon is clicked, the payload is executed, and the attacker now has access to the computer and can copy files and cookies, steal passwords, transfer configuration data to a remote site, and more.

Some of the more sophisticated variants of the virus are also capable of querying the MaxMind IP database for information on the network, task counts, task names, and recent file counts in order to determine whether or not the program is being executed in a sandbox or is being analyzed.

Steps to control threats from malicious attachments in support requests

  • Support agents should be trained to spot hazardous social engineering emails or documents, much like phishing emails. Teach customer support personnel not to open macros or embedded documents and to only open attachments when they're referenced in the email and the client says the document is part of their troubleshooting process.
  • Admins should update email and help desk spam filters to detect HTML, zip, and obfuscated JavaScript malware attachments. The team should update the antivirus and endpoint detection and response systems and ensure all endpoints have active antivirus agents.
  • The customer support team should implement a web-based portal so users can enter data, upload photographs, and convert files. The conversion software removes unnecessary and hazardous content from Word and JPG files.
  • Most customer support agents can be advised to use secure programs and (Linux) systems to enhance security, and their PCs can use a sandbox or virtual machine for opening files from untrusted sources to limit the impact of malicious files.
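
One way a help desk mail filter could check for the Case 1 chain, as an added example that is not from the original article: it looks for a Base64-encoded zip inside an HTML attachment and reads only the archive's directory, which normally stays readable even when the contents are password-protected. The function names, the 64-character threshold, and the sample attachment are assumptions constructed for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# Long base64 runs are how an archive is carried inside HTML; the 64-character
# floor is an assumption chosen to skip short tokens.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Container, shortcut and script types named in the article.
RISKY_EXT = (".iso", ".img", ".lnk", ".zip", ".js")


def embedded_archives(html):
    """Yield (offset, ZipFile) for each base64 run that decodes to a zip."""
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue
        if not blob.startswith(b"PK\x03\x04"):  # zip local-file-header magic
            continue
        try:
            yield match.start(), zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            continue


def scan_html_attachment(html):
    """List every entry of every embedded zip without extracting anything."""
    findings = []
    for offset, archive in embedded_archives(html):
        for info in archive.infolist():
            findings.append({
                "offset": offset,
                "entry": info.filename,
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                "encrypted": bool(info.flag_bits & 0x1),
                "risky_ext": info.filename.lower().endswith(RISKY_EXT),
            })
    return findings


def should_quarantine(html):
    """Hold the ticket if an embedded zip is encrypted or carries a risky type."""
    return any(f["encrypted"] or f["risky_ext"] for f in scan_html_attachment(html))


def constructed_sample():
    """Build a harmless stand-in for the Case 1 attachment (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_scan.iso", b"placeholder bytes, not a disk image")
    raw = bytearray(buf.getvalue())
    # The standard library cannot write encrypted zips, so set the "encrypted"
    # flag by hand in the local header (offset 6) and central header (offset 8).
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(signature) + flag_offset] |= 0x01
    payload = base64.b64encode(bytes(raw)).decode("ascii")
    return ("<html><body><p>Archive password: constructed</p>"
            f"<script>var data = '{payload}';</script></body></html>")


if __name__ == "__main__":
    for finding in scan_html_attachment(constructed_sample()):
        print(finding)
```

A filter like this only sees Base64 that sits in the HTML as one contiguous run; payloads that are split or otherwise obfuscated in script still need the sandbox or endpoint controls listed above.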

Compromised transactional and operational emails

Operational emails are automatically triggered by the system and configured by the internal teams such as support, IT operations, and security. These emails include alerts, notifications, or guidelines to the end users, e.g., the emails that are triggered to the delivery stakeholders when a service request is raised, or emails to the end user when critical patches or updates are deployed, or alerts when an internal service or application is undergoing maintenance, and so on. These emails are essential for end users and teams so that they can plan workarounds. 

Transactional emails are a subset of the operational emails that have a very pertinent role (i.e., start, confirm, facilitate, and finish transactions) and are delivered to customers and employees as a result of their activity on their account or a transaction with a business.

These operational emails are central to the day-to-day operations of the support and service teams. Teams rely on SMTP or API-based email providers that they integrate with or build into their systems (i.e., help desk and workflow tools). The transactional email solutions come with numerous features, such as automation, templates, A/B testing, and more, to ensure optimal delivery of their transactional emails.

These automated emails (i.e., operational/transactional emails) often fall prey to social engineering attacks where they’re used to trick individuals into giving away sensitive information or performing a certain action, such as clicking on a link or downloading a file. 

For example, a hacker may send a false transactional email posing as a bank or financial institution, demanding account details or login passwords. The email may seem urgent, threatening account closure if the receiver doesn't comply. This can deceive the recipient into revealing critical information or making an uncharacteristic decision.

Case 2: Transactional mail account credentials changed over an email ticket 

This case is based on the ChunkHost incident in 2014, where attackers used social engineering techniques to trick the support teams of transactional email providers into changing account credentials (i.e., the email address) on the account, which is against normal policy. This was done either over the phone or by submitting a support ticket. 

Policy dictated that the vendor should never modify a user's account credentials or email address, particularly via chat or email ticket. Instead, the vendor must offer the user the necessary self-service links or instructions via a portal that can only be accessed with valid credentials.

The hacker set up a company.info domain and asked the vendor support team to update the email address to support@company.info. The previous email address was support@company.com. Convinced by the explanation, the vendor support team processed the request without conducting further investigation. 

The hacker enabled the transactional mail feature that allows users to blind carbon copy every outgoing transactional support email to a distinct email account. After activating that option, they immediately began the process of resetting the passwords for the accounts they were after. The email to reset the password was sent to the customer by the support team, but it was also copied and sent to the attacker. Because they had access to the password reset link, they were able to alter the password and access the accounts of the customers. 
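
The sequence in this case (contact address moved to a lookalike domain outside the portal, BCC switched on, password resets sent) can be caught by correlating a provider's audit trail. The following is an added example, not code from the article or from any provider; the event format, action names, channel names, and the 24-hour window are hypothetical, and the events are constructed.

```python
from datetime import datetime, timedelta

SELF_SERVICE = {"portal"}     # the only channel the policy above allows
WINDOW = timedelta(hours=24)  # correlation window (assumption)


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike(old, new):
    """Same first label, different suffix (company.com -> company.info).
    Naive label split; a production check would use a public-suffix list."""
    old_d, new_d = domain(old), domain(new)
    return old_d != new_d and old_d.split(".")[0] == new_d.split(".")[0]


def detect(events):
    """Return (account, alert, details) tuples for the Case 2 sequence."""
    alerts, state = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = state.setdefault(ev["account"], {})
        if ev["action"] == "contact_email_changed":
            reasons = []
            if ev["channel"] not in SELF_SERVICE:
                reasons.append("changed by support via " + ev["channel"])
            if lookalike(ev["old"], ev["new"]):
                reasons.append("lookalike domain " + domain(ev["new"]))
            if reasons:
                st.update(changed_at=ev["ts"], trusted=domain(ev["old"]))
                alerts.append((ev["account"], "suspicious_email_change", reasons))
        elif ev["action"] == "bcc_enabled" and "changed_at" in st:
            recent = ev["ts"] - st["changed_at"] <= WINDOW
            # A BCC target outside the original domain receives every reset link.
            if recent and domain(ev["target"]) != st["trusted"]:
                st["bcc_at"] = ev["ts"]
                alerts.append((ev["account"], "bcc_to_untrusted_domain", [ev["target"]]))
        elif ev["action"] == "password_reset_sent" and "bcc_at" in st:
            if ev["ts"] - st["bcc_at"] <= WINDOW:
                alerts.append((ev["account"], "reset_link_copied_to_bcc", [ev["recipient"]]))
    return alerts


def _t(hhmm):
    return datetime.fromisoformat("2024-01-15T" + hhmm)


# Constructed audit events; acct-1 follows the case, acct-2 is a normal change.
EVENTS = [
    {"ts": _t("09:00"), "account": "acct-1", "action": "contact_email_changed",
     "channel": "ticket", "old": "support@company.com", "new": "support@company.info"},
    {"ts": _t("09:10"), "account": "acct-1", "action": "bcc_enabled",
     "target": "support@company.info"},
    {"ts": _t("09:12"), "account": "acct-1", "action": "password_reset_sent",
     "recipient": "customer@example.org"},
    {"ts": _t("10:00"), "account": "acct-2", "action": "contact_email_changed",
     "channel": "portal", "old": "ops@shop.example", "new": "ops@shop-mail.example"},
    {"ts": _t("10:05"), "account": "acct-2", "action": "password_reset_sent",
     "recipient": "buyer@example.org"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```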

Steps to protect against social engineering attacks through transactional emails

  • Educate the support staff on the strategies and techniques employed in social engineering attacks, particularly those that can be carried out via operational/transactional emails. This includes understanding how attackers may manipulate employees through urgency, authority, and other psychological factors.
  • Implement authentication methods, such as two-factor authentication or digital signatures, for support admins to access the transactional email provider tools or admin consoles.  
  • Review and revise the company's rules and processes regarding transactional emails and social engineering attacks on a regular basis. Provide team members with continual training and reminders on how to spot and prevent social engineering assaults via transactional emails.
  • Ensure that support teams adhere to predefined policies when it comes to service requests pertaining to account credentials. 
  • Establish processes for end users to verify and authenticate transactional emails, such as contacting the sender directly or confirming requests via a secure channel.
  • Product and IT teams should ensure that SPF, DKIM, and DMARC standards are in place within the email service and integrated with the SaaS systems to ensure that transactional and automated emails aren't faked or altered during transit, and they should monitor and report any concerns. This protects the SaaS tool's reputation and users' sensitive data.
  • Educate the end users and customers to be cautious when responding to emails that contain urgent or time-sensitive requests. If an email seems suspicious, encourage team members to seek confirmation from a trusted colleague or supervisor before acting on the request.

Case 3: Phishing attempt against the support staff

Phishing is one of the most popular security attacks against support personnel. This involves sending false emails that look like they originate from a legitimate source, frequently using recognized logos or language to deceive the receiver into divulging sensitive information, such as login credentials or financial data.

Support personnel are susceptible to spear phishing because they routinely handle sensitive customer data and engage with clients through email and other online channels. This makes them a prime target for attackers who want to acquire access to sensitive data or assume the identity of a support team member in order to win credibility with customers.

To earn the support team member's trust, the attacker may masquerade as a coworker, customer, or even a corporate executive. They may also adapt the message to the specific responsibilities of the support team, increasing the likelihood that the team member may fall for the attack.

In September 2020, attackers initiated a spear-phishing attempt against the support staff of a financial institution by sending them cleverly prepared emails that appeared to originate from legitimate sources. These emails contained links or attachments that, when clicked or opened, installed malware on the receivers’ devices. This malware would grant access to the victims' login credentials and any sensitive data stored on their devices. The attackers would then use this information to obtain unauthorized access to the financial institution’s systems, potentially stealing critical data or disrupting operations. The spear-phishing attempt was likely successful because of the targeted nature of the emails and the support crew's belief in the emails' apparent legitimacy.

Steps for customer service and support teams to protect themselves from phishing attempts

  • Use email filtering software. Email filtering software can help staff discover and prevent phishing emails. It can also alert employees to emails that may be questionable.
  • Consider adopting secure messaging services for customer communications to avoid transmitting critical information via unprotected networks.
  • Regularly update software and security protocols. To protect against the most recent attacks, it’s essential to keep all software and security protocols up-to-date. This involves updating antivirus software, firewall configurations, and password protocols.
  • Use strong, unique passwords. Strong, unique passwords should be used for all accounts, including company email and customer support platforms. This makes it more difficult for hackers to crack or guess passwords.
  • Enable two-factor authentication. This might be a code sent to a mobile device or an authentication application.
  • It’s essential to educate staff about phishing scams so they can recognize and prevent them. This may involve training on popular techniques and warning signs, as well as periodic phishing simulations to evaluate employee awareness.

Wrapping up

Email security incidents involving customer support teams can have serious consequences for both the company and its customers. These incidents can result in the theft of sensitive information, financial loss, and damage to the company's reputation. It’s essential for companies to implement strong security measures and provide regular training to customer support teams to prevent these incidents from occurring. By taking proactive steps to protect customer data, companies can ensure the safety and security of their customers and maintain their trust.


 

This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for ManageEngine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.
