Know your enemy: Defining the new taxonomy of malicious emails
Just as it is the default tool for most businesses, email’s capacity for rapid, mass communication has made it a favourite instrument of criminals. As a result, malicious emails have become a common occurrence in most consumer and business inboxes. Although chances are that most people will correctly identify the most common malicious emails as fraudulent, many will fail to correctly identify sophisticated email attacks as unsafe. Familiarity can breed contempt, and all users are now at risk from increasingly more advanced email attacks, which have become vastly more sophisticated in the last few years.
There have been dozens of recent high-profile thefts and data breaches suffered by organisations that were triggered by malicious emails, with a recent example seeing two multi-national tech companies being stung for more than $100m by a fraudster impersonating a supplier. Both companies were repeatedly fooled by fake invoices, which saw funds wired into shell accounts dotted around the world.
Despite the wide awareness of these high-profile attacks, which leveraged identity deception to trick the intended victims, it is still common for users to have a complacent view of malicious emails, with many people still thinking back to the quaintly inept fraud attempts like the classic Nigerian scam. In addition, even when the threat is addressed, it is often oversimplified. People simply lump all malicious emails together under the label of “phishing” while ignoring the varied tactics used by attackers and the different threats that each type of attack represents. This oversimplification unnecessarily puts people at risk, as it commonly results in a focus on addressing only a portion of the real problem.
In the business world, a lack of awareness of the different types of threats can lead to enterprises focusing in the wrong direction, and on the wrong things. This leaves them vulnerable as they invest money in solutions that won’t protect them from sophisticated attacks that leverage techniques such as identity deception, or which target their victims using custom content. In order to properly protect their employees and customers, companies need to have a thorough understanding of the different attacks, the threats they represent and how they can be prevented.
A phish by any other name
Although phishing has become a catch-all phrase for email-based cyber attacks, the term specifically relates to attempts to trick victims into giving up log-in credentials by impersonating a known and trusted entity, such as a consumer brand or governmental authority. These attacks usually target tens of thousands of potential victims at once, to compensate for the relatively low success rate associated with non-targeted attacks.
Although attackers have traditionally taken a “quantity over quality” approach, we have seen some increasingly sophisticated examples more recently, where attacks have been highly tailored to their intended victims, and subsequently been much more successful. In these more sophisticated attacks, attackers will often enhance their deception with tactics including a spoofed email address, a look-alike-domain or a false identity in the “from field” of the email, and sometimes use obfuscation methods, such as substitutions of letters with identical-looking characters of foreign languages, to evade automated content-based detection methods.
While education can go some way to helping users identify these fakes, a better option is to prevent them from reaching their targets in the first place. Brands and organisations can prevent their own emails from being impersonated with the use of a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy. This protocol is designed to detect and prevent emails from being spoofed by enabling ISPs (Internet Service Providers) to check that incoming mail is authorised by the domain name it is using.
A highly-engineered threat
From an enterprise perspective, a much greater threat is posed by the targeted attacks sometimes referred to as “spear phishing”. In contrast to the type of email attacks explained above, these sophisticated attacks involve emails that are sent to a smaller set of intended victims, with content that has been crafted for high-value targets.
In most cases, these attacks commonly assume the guise of a specific individual who is trusted by the recipient, requesting an action such as a wire transfer or access to confidential information. In the enterprise environment, an attack impersonating a known contact has come to be known as Business Email Compromise (BEC), also frequently referred to as CEO Fraud, as chief execs are one of the most popular identities to assume. BEC attacks carry even more weight, as an email from a senior executive will have most employees scrambling to comply. There have also been several notable cases where the attacker has instead impersonated a supplier or customer.
Whatever the specific methodology, BEC attacks include a high level of social engineering, with attackers researching the company, targeted employee, and relevant connections to manufacture a convincing identity and narrative.
With these attacks, the fraudsters will request confidential data, such as HR records or customer details, but may also seek to directly trick targets into paying into a bank account. In the guise of a CEO, the attacker will usually create a sense of urgency and a reason why they cannot be contacted for normal procedure. In the guise of a partner or supplier, fake invoices can be sent, causing payments to be made to the criminal.
These attacks are particularly dangerous because the traditional email defences that companies have come to rely on over the last decade are almost entirely useless. Most filters rely on indicators of malicious payloads, such as attachments or links, and without these factors there is nothing to distinguish a well-crafted fake email from the genuine article.
Alongside tricking targets into giving up information, email has also become the preferred vector for malware attacks, including the now notorious ransomware. Malware attacks increasingly share traits with BEC attacks, impersonating a senior or trusted authority to trick their target into downloading a file or clicking a link. Once the victim has done this, their machine – and potentially the entire network – will swiftly be compromised. Sophisticated attackers use crypters and other obfuscation tools to circumvent traditional defenses of malicious payloads.
Multi-layered defence
The more one understands malicious emails, the more he or she will realise there is no single catch-all solution that will halt all threats. Instead, firms will need to invest in a multi-layered approach to identify and block attacks. Traditional security and spam filters will continue to play a role in handling the almost endless wave of mass emails, but more sophisticated attacks must be met with equal sophistication. Combining content filtering with the ability to identify and authenticate senders based on their domains will go a long way to keeping a company safe from all level of threats. By understanding the threats against them, businesses can ensure they have the right combination of defences to protect their employees, customers and their brand.