By Debasish Mukherjee; Vice President, Regional Sales APJ at SonicWall Inc.
While the coronavirus pandemic is credited with the initial surge in work-at-home policies, economics has made many organizations – including global corporations, small and medium-sized businesses, and government agencies decide that the remote office is a permanent fixture in the workplace.
The change in the global workforce has become an area of interest for the cyber-criminal world, particularly the social behaviors of remote workers. Cybercriminals studying these changes in the workplace are changing their tactics, techniques and procedures to enhance the effectiveness of their attacks via email. Email is a critical business tool used for all aspects of business: fast, easy to use, convenient, personal, and friendly. Being a widely used form of communication, it has become the most targeted.
Types of email fraud and attack
As email security hardens, cyber-attacks become more sophisticated, and attackers deploy new techniques. Links to an intelligent gateway may replace direct links to a credential-stealing web page. Intelligent gateways can recognize probes from a security system sending it to a benign site, while clicks from the intended victims get directed to the phishing site. Threat actors also deploy AI and ML for credential phishing. Microsoft sign-in page of the targeted domain, including logo and background.
There are many different types and categories of attacks that overlap each other. Phishing attacks can involve pretexting; credential harvesting can start with spearphishing; spoofing used for business email compromise attack. It is essential to understand the types of attacks, how they work, and how best to stop them.
Pretexting is a social engineering attack. Criminals like con-artists have been using this tactic for years: they create giving up important information. The attacker may create a reasonable-sounding scenario to manipulate people to take specific action.
Phishing is one of the most well-known attack types. Attackers send emails to users impersonating a known brand and leverage social engineering tactics to create a sense of urgency that leads people to click on a URL or download an infected document. These URLs go to malicious websites (or links in a chain that eventually leads to a malicious website) that steal credentials or install malware on a user’s device. The downloads, usually PDFs or weaponized word documents, have malicious code that installs the malware once the victim opens the document.
Spear phishing takes a more targeted approach. Malicious actors gather information from open-source intelligence (OSINT) or data harvested from surveys conducted on social media and other information available to the public. Using real names, job functions, work telephone numbers, and other data makes the targeted individuals think the email is from a trusted sender, such as a work colleague or a manager.
Whale phishing is another type of corporate spear phishing most often targets the CEO. Malicious actors use social organization’s CEO or another c-level leadership member. They then impersonate that person using a similar email address with a request to review an attachment that contains malware.
Credential harvesting often starts with a phishing email. Credential harvesting emails attempt to trick victims into entering their credentials into a clone of a legitimate website to steal their login information. After entering their credentials, the user is redirected to the legitimate web page and are oblivious to the theft of their credentials. Indirect credential harvesting has a victim open a document that downloads malware like Smoke Loader, which later drops additional malware to harvest credentials.
Business Email Compromise form of phishing designed to defraud an organization. The malicious actor will impersonate someone of authority in an organization and instruct a regular employee to send money to an account controlled by the malicious actor. The sender could be a bogus supplier, a spoofed C-level employee, or an impersonated attorney. These emails do not need malicious links or attachments, all instruction would be in the email itself.
Impersonation and Spoofing are similar. In email impersonation, the malicious actor sets up an email address that looks like the legitimate email address of the person that they are impersonating.
Account takeover email attacks are very destructive the email is from a genuine compromised account. A compromised account may be used for additional attacks, such as a BEC attack, to harvest more credentials and spread malware including ransomware. Since the email account is 100% genuine, the malicious actor has free use until the user or admin realizes that the account is compromised.
Ransomware is a particular type of malware designed to encrypt files on a device with a secret key known only to the malicious actor. Once encrypted, any files on the target, applications that rely on files, are unusable. The malicious actor then sends a demand for a ransom in ransomware directly in their attachments or point recipients to malicious sites that deliver the malware.
Basic Security Approaches
Many email systems include basic security hygiene, that include:
Blocking- it is the most basic form of email hygiene using a blocked senders list to protect senders from spam, pretexting, spoofing and phishing attacks. An email server’s IP address or an individual email address in the list is blocked.
Scanning for viruses on email attachments is essential to the email security’s virus database, unless the email system is equipped with advanced content analysis and detection software.
Content analysis identifies unwanted emails based on set of rules derived from analysis of previous spam and phishing emails. Malicious actors get around this analysis by using obfuscation.An example of obfuscation is an image that displays to the user a text message that the malicious actor wants the user to see but in the body of the email is benign content that the content filter will check. Other obfuscation techniques include Unicode encoding or JavaScript
More Advanced Technology to Defend Against an Attack
Sandboxing is effective at defending against zero-day threats. Sandboxing opens and “detonates” suspicious attachments or URLs. It provides an added layer of protection.
Advanced Detection Techniques include high-level services that conduct deep memory inspections that proactively detect and block mass-market malware, even new or previously unknown variants. The service may detect malicious software that is hidden by custom encryption or concealed by limiting activity to short bursts (ex: 100 nanoseconds) which can escape detection in traditional sandboxing.
Advanced Artificial Intelligence (AI) and Machine Language (ML) deployments can help with sophisticated attacksthat use domains that cannot be blocked, such as Google or Microsoft. AI and ML are used to see through attackers’ obfuscation methods, including Zero Font which enables attackers to display one message to the anti-phishing filter
and another to the end-user. Some AI detection uses natural language processing to catalog hundreds of historical emails between employees and businesses (for example) to better understand the language used in phishing tactics. By comparing normal versus malicious formats, AI quickly discerns questionable email and moves it to a different folder or adds a warning banner to the email.
Data Leak Protection (DLP) makes sure sensitive data is not misused. It maps to regulatory laws such as HIPPA, PCI, or GDPR, where protecting Personal ldentifiable lnformation (PII) is required. When integrated into email security, it can stop sensitive information’s accidental or willful exfiltration.
SPF, DKIM, and DMARC are acronyms for text records that specifically prove and protect a sender’s authentication.
Together they block email spoofing with forged “from” addresses, ensure the contents of the email have not been tampered with, and verify if the email was sent by the owner of the “from” addresses that the receiver will see.
Conclusion
Attackers Are Getting Smarter: Cybercriminals are investing time and resources to study their victims. They gather information from (OSINT), or data harvested from social media such as Facebook surveys or LinkedIn posts. They pick their intelligence, including tracking those working remotely, and plan their email attacks accordingly. Security leaders must stay ahead and block the attacks early in the kill chain by selecting the right technology and implementing the best security practices.