And just one mistake can compromise an entire organization.
By Danny Palmer – ZDNet.com
Email phishing has become the most utilized technique to steal personal information from unsuspecting individuals.
One in every one hundred emails sent around the globe has malicious intent, whether to deliver malware, conduct spear-phishing, commit fraud or carry out other activity by cyber criminals.
It’s not a theoretical threat, either: recently published documents by the US Department of Justice detail how email played a key role in the 2014 Sony Pictures breach and other attacks by North Korean cyber attackers. In many cases, it takes just one malicious email being successful to provide attackers with a doorway into the back-end of a target network and a route to significant damage.
Researchers at FireEye have examined over half-a-billion emails sent between January and June 2018 and found that one in 101 emails are classed as outright malicious, sent with the goal of compromising a user or network. When spam is discounted, only one third of emails are considered ‘clean’.
One particular trend that FireEye details is that while attackers are still attempting to dupe victims into installing malware, ransomware and other forms of malicious software via weaponized attachments in emails, these only accounted for ten percent of blocked attacks in the six-month period.
The remaining 90 percent of attacks involved no malware in the initial attack, instead using social engineering and impersonation to conduct campaigns that steal data directly or install malware later down the line.
One way attackers are doing this is by increasingly turning to impersonation attacks. In these attacks, the culprit pretends to be a colleague, boss – or even CEO – within a workplace and leverages the relationship to convince the victim to part with sensitive data or to make a financial transaction. Sometimes, this only comes after a back and forth in order to avoid any initial suspicion by the user.
“Once you’re convinced of that, you’re easily pushed over into situations where you’re taken advantage of and fraud can occur. It’s because you have so little evidence when it’s text only, that you put yourself out on a limb and you’re really vulnerable – they’ve really caught onto that lately,” he added.
The attacks are relatively simple to carry out, because rather than needing to spoof an entire domain, they can much more easily spoof a display name or email address – particularly if the victim is using a smartphone.
“If you look at the inbox, all it gives you is the display name – anyone can type anything in there,” said Bagnall.
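An added example, not code from the article or from FireEye, of the defensive check this points to: a small Python routine that flags display-name impersonation by comparing what the inbox shows (the display name) against the actual sending address. The organisation domain, the protected names and the sample headers are constructed for the example.

```python
# Added example (not from the article or FireEye): flag display-name
# impersonation in a From: header. As Bagnall notes, the inbox shows only the
# display name, so these checks compare it against the real sending address.
import re
from email.utils import parseaddr

# Constructed values for the example: the organisation's own domain and the
# (hypothetical) people most often impersonated in payment-fraud emails.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"Jane Doe", "John Smith"}


def _normalise(name: str) -> str:
    # Collapse case, order and punctuation so "Doe, Jane" and "jane.doe" match
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot look-alike domains (examp1e.com)
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_value: str) -> list[str]:
    """Return the impersonation indicators found in a From: value (empty = none)."""
    display, address = parseaddr(from_value)
    if "@" not in address:
        return ["no parseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    external = domain != INTERNAL_DOMAIN
    reasons = []
    # 1. A protected name (CEO, CFO, ...) paired with an external mailbox.
    if external and _normalise(display) in {_normalise(n) for n in PROTECTED_NAMES}:
        reasons.append(f"protected name '{display}' sent from external address {address}")
    # 2. Display name that itself looks like an internal address, e.g.
    #    "ceo@example.com" <x1@mail.invalid>: a phone shows only the first part.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if external and embedded and embedded.group(0).lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append(f"display name shows internal address but sender domain is {domain}")
    # 3. Look-alike domain within two character edits of our own.
    if external and _edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    return reasons
```

A mail gateway or SIEM rule would run this over the parsed `From:` header and route any non-empty result to a banner or quarantine; the same comparison can be applied to `Reply-To:`.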
One particular form of impersonation attack that FireEye points to as on the rise is the kind leading to phishing sites and other malicious links. Rather than sending individual messages, the attacker sends a more general message containing what looks like an internal company link, which, once clicked, can lead to a malware payload or a credential harvesting site.
Researchers point to the FIN7 group as one cyber criminal operation which has taken advantage of this particular type of attack. Also known as the Carbanak Group, the attackers have targeted businesses around the world in highly successful campaigns.
However, there are relatively simple things organisations can do to decrease the likelihood of falling victim to these attacks, be they phishing, impersonation attacks or anything else.
“You should never be in a situation where you can transfer $10m because you’ve had an email conversation with someone that hasn’t been confirmed outside that line of communication. That’s one obvious thing,” said Bagnall.
Security awareness training can also help improve awareness of these types of attacks – but human error will always have a part to play in these campaigns.
“It’s good to get security awareness training for your users – but a small amount of people will always respond to these,” he added.
This article by Danny Palmer was featured on ZDNet.
You can also check my previous blog entry “What the phish is all about” where I describe how to identify the types of phishing scams.