Inboxes have recently been hit by the so-called “airline phishing attack,” a new take on an old phishing email. It combines several techniques to capture sensitive data and to deploy what Barracuda describes as an advanced persistent threat (APT), in practice malware delivered by the email.
Barracuda Networks has seen this attack at several of its customers, especially in industries that deal with frequent shipping of goods or employee travel, such as logistics, shipping, and manufacturing. The attacker impersonates either a travel agency or an employee in HR or finance who is sending an airline ticket or e-ticket. The email is constructed to look inconspicuous.
The attacker will have researched the target, choosing the airline, destination and price so that these details look legitimate in the context of the company and the recipient, Barracuda reports. Once the employee opens the email, the malware embedded in an attachment, typically a PDF or DOCX document, is executed when the document is opened.
Barracuda’s analysis shows that attackers are successful over 90 percent of the time in getting employees to open these emails and deploy the malware.
The company has also observed attacks that have included links to a phishing website designed to capture sensitive data from the victim. This phishing website will be designed to imitate an airline website, or it will impersonate the expense or travel system used by the company. This step in the process is designed to trick the victim into entering corporate credentials on the site. The attacker captures the credentials and uses them to infiltrate the corporate network and internal company systems, such as databases, email servers and file servers.
“Email security is a dynamic market. Email security systems need to deal with increasingly dynamic and targeted threats. The market is moving from a static rule-based approach that relies on seeing the same virus or spam message across many customers, to dynamic machine-learning-based systems that learn and adapt to the attacks. Future email security systems will need to learn each customer’s environment and find anomalies in real-time,” said Asaf Cidon, vice president of content security services at Barracuda.
According to an Agari/ISMG study, 89 percent of survey respondents have seen either a steady pace or an increase in spear phishing and other targeted email attacks in the past year.
Grant Shirk, vice president of marketing at data security provider Vera, said cybercriminals are getting better at disguising themselves. “They’re really doing their social engineering homework by scanning all socials to find out what your ‘likes’ are, who your friends are, who your former co-workers are to create fake profiles and connect with you or send you emails from a fake email address.” He cited the example of a font in which an ‘r’ followed by an ‘n’ looks like an ‘m’ (rn -> m), so that a look-alike address passes for the real one, in the hope of duping you into giving up sensitive information (usernames, passwords, financials, etc.).
Illustrating just how successful these attacks are, 60 percent of security leaders surveyed by Agari said their organizations were or may have been victim of at least one targeted social engineering attack in the past year.
Email is the number one attack vector used by cybercriminals to breach enterprises and scam consumers, Agari reports. But evolving threats on the email channel have increasingly complicated its security: attacks today have evolved beyond ‘phishing’ to include ransomware and business email compromise (BEC). And even within these categories, cybercriminals employ several distinct techniques that further differentiate each attack. Enterprises need to understand the email threat landscape because each attack requires its own solution; there is no one-size-fits-all approach.
According to a Proofpoint study published last year, BEC attacks increased by 45 percent in the last three months of 2016 compared with the prior three months.
Kirk Averett, general manager of cloud office at Rackspace, said all businesses today are legitimately concerned about data security, especially the loss or public sharing of sensitive data. “Attackers use email by pretending to be a trusted partner and then cleverly trick users into revealing private information like their login username and password to a valuable site online. Attackers then have valuable data and can often use that information to perpetrate additional damaging attacks against customers or employees.”
Despite the rollout of enterprise collaboration tools like Dropbox, Slack and Confluence, 80 percent of a business’s intellectual property is still shared through email, yet only 12 percent of security leaders trust their existing email security solutions.
Why hasn’t the market closed the security hole?
There are many legacy solutions that can encrypt select messages; however, many fall short in a few key areas: they’re hard to use, don’t provide persistent, end-to-end protection, and they focus only on a limited slice of an organization’s email, said Shirk. Many don’t even provide basic security for attachments.
“Because of these changes in the email security landscape, it’s more important than ever to re-evaluate how we protect email. It must be simple and easy to use. It must work inside and outside the enterprise. And, it must work natively in our favorite email tools. People don’t like to change their behavior (which is why phishing attacks work so well), so you have to flip the problem on its head,” he said.
One of the most common misconceptions is that email security solutions can stop all attacks, he said. While the solutions on the market identify the majority of threats, there are still instances that slip through the cracks and it’s up to the users to be aware when they are clicking on links, attachments or pictures.
Email-based attacks have been an ongoing threat to businesses and consumers ever since the internet came to the mass market, said Markus Jakobsson, chief scientist at Agari. “Several factors have led to this cyber crisis, including the inherent security vulnerabilities of email, the rise of the cloud, and the realization that human vulnerabilities are easier to exploit than technical ones. Subsequently, the email channel has turned into a stomping ground for cyber activity, with endless opportunities to explore.”
For a long time, email-based attacks weren’t very successful, and mostly preyed on the naïve, he said. The past three to five years have seen dramatic changes, though, with email-based attacks increasing in both prevalence and sophistication, and manifesting in many forms.
“For example, while the ‘spray & pray’ consumer phishing attacks of 10 years ago are still happening, more targeted attacks have also evolved to form new categories — think spear phishing, ransomware and business email compromise (BEC). And no doubt there will be more variations to come,” he said.
He used the analogy of nesting dolls to show the evolution of email-based attacks. “When you pull one doll apart, another similar, but slightly different doll emerges. New generations of email attacks are continuing to be born in the threat landscape, each one more competent and threatening than the last.”
The design and social engineering of email-based attacks have changed significantly in the last few years, Jakobsson noted. Leveraging the use of social networks and data stolen from breaches and individual account compromises, cyber criminals are looking for ways to increase the legitimacy of their emails.
“To make it worse, email also offers a low barrier to entry. While some attacks — like those on John Podesta last year — are devilishly clever, most attacks are rather straightforward, technically speaking. Yet, they are still very successful,” he said.
Compared to malware development, email-based attacks are less demanding, and cyber criminals do not need advanced computer skills to execute them. Today, there are resources and methods that virtually anyone connected to the internet can use. “Couple this with the tremendous profits criminals can see, and the common failures of traditional email security measures — like traditional spam filters — and it is not hard to understand why this type of crime is exploding,” he said.
Phishing attacks have dominated security headlines in recent months, with 2017 already seeing campaigns targeting Gmail, Netflix, and Amazon customers, as well as large enterprises with W-2 and BEC scams.
Today the email threat landscape is extremely complex, but there is no commonly agreed-on classification system available to help businesses really understand what’s going on. This is a problem because in the case of stopping email attacks from reaching an organization, knowledge is power, he said.
Cidon said the threat landscape is changing dramatically. Traditionally, the same malware was sent to many customers, and once a virus was identified, security companies used the file’s signature to block further copies. Today, attackers generate a unique file for each recipient. This has created the need for sandboxing, where each file is opened in an isolated virtual machine and its behavior is observed to determine whether it is malicious.
“However, even this approach may soon become obsolete, since attackers can anticipate that a file will be opened in an artificial sandboxing environment and take active steps to avoid detection,” Cidon said. “Similarly, we have seen a sharp increase in the rise of spear phishing, or social engineering attacks, where the attacker doesn’t even need to rely on a virus or a malicious link. Instead, the attacker tricks the recipient to send out sensitive information (e.g., W-2s, credit card numbers) or wire transfer by impersonating someone else in the company.
“Traditional email security falls short in defending against these threats, because the attack is seemingly not malicious. This is why machine learning is increasingly a key part of email security," he said.
Almost all attacks use some form of identity deception, but there are many varieties of this, Jakobsson said. There is what is traditionally referred to as “spoofing”; there is the look-alike attack wherein the attacker registers a domain; and there is what is referred to as “display name abuse” — this is an attack in which the criminal selects a convincing display name, commonly for a free webmail account he registers. There is also the problem of corrupted accounts that are the accounts of honest users, whose credentials the attackers have managed to steal.
Another part of the problem is how the deceptive identities are used, Jakobsson said. The targeted attacks use contextual information which makes them more credible. In addition, they are also less likely to be blocked by filters that use blacklisting, since each attack instance looks different from the other. Also, attacks can be classified based on whether they involve a URL (like consumer phishing attacks do); an attachment (as many ransomware attacks do); or are just conversation-based (like typical BEC attacks).
These descriptors make it helpful to understand what types of countermeasures should be used to prevent them; for example:
- Ransomware attacks. These are commonly sent from an imposter or a compromised account but sometimes come from apparent strangers. Like BEC attacks, they are often targeted and use social engineering techniques to create ‘believable’ content that convinces people to open a malware-infected document or click on a malicious link. Sometimes this content is a fake invoice; sometimes, a link to an apparent news article or some salacious material. Up-to-date anti-virus software is helpful, but no guarantee of protection since the attackers commonly use crypters to obfuscate their payload. Employee awareness is also helpful, but commonly circumvented. Filters that identify identity deception and potentially dangerous emails from strangers can address a large portion of the problem.
- Business email compromise (BEC) attacks. These can come from either an impostor or from a legitimate but compromised account. These types of attacks typically target key employees, such as financial controllers, HR managers, and CFOs; and almost always use social engineering methods to create ‘believable’ content for a fraudulent email. The attackers either aim to steal sensitive data (such as W-2 information for employees of the targeted organization) or to trick the recipient to initiate a funds transfer. The emails almost never rely on URLs or attachments with malware payload so traditional blacklisting methods rarely catch them. The most appropriate defense against BEC attacks is one that identifies identity deception.
- Phishing attacks. A phishing attack is a social engineering attack aimed at stealing credentials, typically those associated with a financial institution or an email account. Attackers often use phishing as a launchpad for other types of attacks, since it gives them contextual information useful for targeting, in addition to an account that can be used to deceive contacts of the phishing victim. Traditional artifact-based filters do a decent job of detecting and blocking scattershot phishing attacks, but are almost entirely useless against targeted attacks. Filters that detect identity deception are useful, especially when configured to detect the abuse of trusted brands. Companies that use the open DMARC standard get very good protection against a form of identity deception that is very common in brand-name impersonation, namely spoofing attacks. Note that DMARC only covers mail claiming to come from a domain that publishes a policy; look-alike domains and display-name abuse are outside its scope.
What can be done?
Jakobsson said there is also a common misconception that email authentication and spam filters will stop all attacks. “While these are key steps to creating a trusted inbox, it is far from what is needed today. For example, many companies understand that ransomware is a huge threat to their business, but still don’t have the right protections in place,” he said. “Free tools have been adopted, but many enterprises don’t realize ongoing investment is needed to truly minimize the threat of these attacks. Free tools often only prevent one type of attack, but today there are hundreds and thousands of variants of ransomware that each require a unique solution. Even then, ransomware strains are often updated to bypass these tools, making them near useless.”
A multi-layered approach is needed to truly secure against email attacks, he said. And even then, companies need to constantly assess the landscape to understand what other attack methods cyber criminals have been creating to bypass current technologies. “But it all comes back to understanding the nature of the threat, and to having a common language so that we can reason about what solution does what, and against what threat,” he said.
Cidon agrees with the multi-layered approach. The first layer is sandboxing. Effective sandboxing and APT prevention should be able to block malware before it ever reaches the corporate mail server, he said. The second layer is anti-phishing protection. Advanced phishing engines look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document. The third layer is employee training and awareness. Regular training and testing of employees will increase their awareness and help them catch targeted attacks without compromising the internal network.
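Finding links "buried within the contents of a document", as in the e-ticket attachment described at the top of the page, means opening the attachment as data rather than rendering it. The code below is an added example, not Barracuda's engine. A DOCX is a zip of XML parts; clickable links are stored as relationship targets in word/_rels/*.rels, and URLs can also sit in visible text or in HYPERLINK field codes inside word/document.xml. BLOCKED_HOSTS and build_sample_docx() are constructed stand-ins for a threat feed and for a real attachment.

```python
"""Pull URLs out of a DOCX attachment and screen them (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"airline-eticket-login.example.net"}   # constructed blocklist
MAX_PART_BYTES = 5 * 1024 * 1024                         # guard against zip bombs
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")


def extract_urls(docx_bytes):
    """Return every external http(s) URL found in the package."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.file_size > MAX_PART_BYTES:
                continue                                  # skip oversized parts
            if name.endswith(".rels"):
                # Relationship targets marked External are the real hyperlinks;
                # internal parts (styles, images) carry no TargetMode.
                root = ET.fromstring(zf.read(name))
                for el in root.iter():
                    if el.attrib.get("TargetMode") == "External":
                        target = el.attrib.get("Target", "")
                        if target.startswith(("http://", "https://")):
                            urls.add(target)
            elif name.startswith("word/") and name.endswith(".xml"):
                # Strip markup first so namespace URIs inside tags are not
                # mistaken for links; what remains is document text and
                # field codes such as HYPERLINK "https://...".
                text = TAG_RE.sub(" ", zf.read(name).decode("utf-8", "replace"))
                urls.update(URL_RE.findall(text))
    return urls


def flagged_urls(docx_bytes):
    """URLs whose host is on the blocklist, sorted for stable output."""
    return sorted(u for u in extract_urls(docx_bytes)
                  if (urlsplit(u).hostname or "").lower() in BLOCKED_HOSTS)


def build_sample_docx():
    """Construct a minimal DOCX carrying one hyperlink relationship and one
    URL written as plain body text (constructed test input)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body>'
        '<w:p><w:hyperlink r:id="rId1"><w:r><w:t>View your e-ticket</w:t></w:r></w:hyperlink></w:p>'
        '<w:p><w:r><w:t>Itinerary: https://www.example-airline.com/itinerary/ABC123</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1"'
        ' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="https://airline-eticket-login.example.net/confirm?ref=ABC123"'
        ' TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    bad = set(flagged_urls(sample))
    for url in sorted(extract_urls(sample)):
        print(("BLOCK " if url in bad else "allow ") + url)
```

Two details are worth keeping in a production version: the rels file is walked with a real XML parser because attribute order is not fixed, and the body XML has its tags removed before URL matching so that the schema namespace URIs present in every DOCX do not flood the result.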
Averett pointed to multi-factor authentication as key to combatting email attacks. “A highly effective first step to defending against these types of threats can be both low-cost and simple via multi-factor authentication (MFA). While not a panacea, MFA makes an attacker’s job significantly more difficult.”
MFA is easy to enable on many platforms, including Rackspace, Microsoft’s Office 365 and Google’s G-Suite, he said. Email encryption is an additional layer of protection that can be enabled by some providers. “It works because recipients do not possess their own local copy of email that could be compromised and the transmission of encrypted messages occur over a secure channel, eliminating the number of plain text copies of an email message that ever exist,” Averett said.
Is it the vendors’ fault?
“Ultimately, the problem we’re trying to solve is simple and uniform: protecting the confidentiality of sensitive data, whether it’s traveling in the body of the message or an attachment. If we can focus on this core problem, protecting the data, many of these competing messages can align around a single goal. And we can solve the problem of securing email once and for all,” Shirk said.
However, some vendors believe the market is fractured because everyone wants to create a niche product.
Jakobsson said some anti-virus vendors may prefer that their potential customers focus on the malware aspect of the problem, as opposed to worrying about emails that are plain social engineering and have no malware. Similarly, vendors that block scattershot phishing attacks would rather speak of the percentage of phishing emails they catch — especially since scattershot attacks involve millions of recipients — and not talk about the much greater risks associated with targeted attacks, which are few and far between, but have a much higher success rate, he said.
“This is a very short-sighted approach. While I can see why individual vendors avoid talking about attacks they don’t defend against, this is harmful both to society, and, I suspect, to security vendors as a group. Instead, I am hoping for increased cross-vendor collaboration — both in terms of establishing a common language that allows meaningful comparisons, and in terms of exchanging data,” he said.
Another major factor is the challenge of communicating extremely complex cyber tactics into information that enterprises and consumers can easily understand, he said.
What can be done to begin winning back the faith of users?
Faith in the system is the key element, Shirk said. “We always say that ‘security that is unusable will go unused.’ The best way to approach this is to focus on working on employees' terms — what tools do they use? How do they use them? What are their expectations for how email should work? That's the starting point. From there, it's a usability and discovery problem. You have to earn back trust one message at a time. Show people that they can keep control over their communications, without undue burden, and you're making the first, most important step.”