Recently inboxes have been hit by the so-called “airline phishing attack.” It is a new take on an old phishing email. It uses multiple techniques to capture sensitive data and deploy an advanced persistent threat (APT).
Barracuda Networks has seen this attack with several of its customers, especially in industries that deal with frequent shipping of goods or employee travel, such as logistics, shipping, and manufacturing. The attacker will either impersonate a travel agency or even an employee in HR or finance who is sending an airline ticket or e-ticket. The email will be constructed to appear inconspicuous.
The attacker will have researched his target, selecting the airline, destination and price so that these details look legitimate in the context of the company and the recipient, Barracuda reports. After getting the employee to open the email, an APT embedded in an email attachment goes into action. The attachment is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon opening the document.
Barracuda’s analysis shows that attackers are successful over 90 percent of the time in getting employees to open these emails and deploy the malware.
The company has also observed attacks that have included links to a phishing website designed to capture sensitive data from the victim. This phishing website will be designed to imitate an airline website, or it will impersonate the expense or travel system used by the company. This step in the process is designed to trick the victim into entering corporate credentials on the site. The attacker captures the credentials and uses them to infiltrate the corporate network and internal company systems, such as databases, email servers and file servers.
“Email security is a dynamic market. Email security systems need to deal with increasingly dynamic and targeted threats. The market is moving from a static rule-based approach that relies on seeing the same virus or spam message across many customers, to dynamic machine-learning-based systems that learn and adapt to the attacks. Future email security systems will need to learn each customers’ environment and find anomalies in real-time,” said Asaf Cidon, vice president of content security services at Barracuda.
According to an Agari/ISMG study, 89 percent of survey respondents have seen either a steady pace or an increase in spear phishing and other targeted email attacks in the past year.
Grant Shirk, vice president of marketing at data security provider Vera, said cybercriminals are getting better at disguising themselves. “They’re really doing their social engineering homework by scanning all socials to find out what your ‘likes’ are, who your friends are, who your former co-workers are to create fake profiles and connect with you or send you emails from fake email address.” He cited the example of using a font that makes a ‘r’ and ‘n’ together to make it look like an m (rn -> m) in hopes of duping you into giving up sensitive information (usernames, passwords, financials, etc.).
Illustrating just how successful these attacks are, 60 percent of security leaders surveyed by Agari said their organizations were or may have been victim of at least one targeted social engineering attack in the past year.
Email is the number one attack vector used by cybercriminals to breach enterprises and scam consumers, Agari reports. But evolving threats on the email channel have increasingly complicated its security — attacks today have evolved beyond ‘phishing’ to include such attacks as ransomware and BEC. And even within these categories, there are several techniques employed by cyber criminals that further distinguish each attack. The email threat landscape is important for enterprises to understand because each attack requires its own solution — there is no on size fits all approach.
According to a ProofPoint study last year, BEC attacks increased by 45 percent in the last three months of 2016 vs. the prior three months.
Kirk Averett, general manager of cloud office at Rackspace, said all businesses today are legitimately concerned about data security, especially the loss or public sharing of sensitive data. “Attackers use email by pretending to be a trusted partner and then cleverly trick users into revealing private information like their login username and password to a valuable site online. Attackers then have valuable data and can often use that information to perpetrate additional damaging attacks against customers or employees.”
Despite the rollout of enterprise collaboration tools like Dropbox, Slack and Confluence, 80 percent of a business’s intellectual property is still shared through email, yet only 12 percent of security leaders trust their existing email security solutions.
Why hasn’t the market closed the security hole?
There are many legacy solutions that can encrypt select messages, however many fall short in a few key areas: they’re hard to use, don’t provide persistent, end-to-end protection, and they’re focused only on a limited slice of an organization’s email, said Shirk. Many don’t even provide basic security for attachments.
“Because of these changes in the email security landscape, it’s more important than ever to re-evaluate how we protect email. It must be simple and easy to use. It must work inside and outside the enterprise. And, it must work natively in our favorite email tools. People don’t like to change their behavior (which is why phishing attacks work so well), so you have to flip the problem on its head,” he said.
Grant Shirk, vice president of marketing at Vera
One of the most common misconceptions is that email security solutions can stop all attacks, he said. While the solutions on the market identify the majority of threats, there are still instances that slip through the cracks and it’s up to the users to be aware when they are clicking on links, attachments or pictures.
Email-based attacks have been an ongoing threat to businesses and consumers ever since the internet came to the mass market, said Markus Jakobsson, chief scientist at Agari. “Several factors have led to this cyber crisis, including the inherent security vulnerabilities of email, the rise of the cloud, and the realization that human vulnerabilities are easier to exploit than technical ones. Subsequently, the email channel has turned into a stomping ground for cyber activity, with endless opportunities to explore.”
For a long time, email-based attacks weren’t very successful, and mostly preyed on the naïve, he said. The past three to five years have seen dramatic changes, though, with email-based attacks increasing in both prevalence and sophistication, and manifesting in many forms.
“For example, while the ‘spray & pray’ consumer phishing attacks of 10 years ago are still happening, more targeted attacks have also evolved to form new categories — think spear phishing, ransomware and business email compromise (BEC). And no doubt there will be more variations to come,” he said.
He used the analogy of nesting dolls to show the evolution of email-based attacks. “When you pull one doll apart, another similar, but slightly different doll emerges. New generations of email attacks are continuing to be born in the threat landscape, each one more competent and threatening than the last.”
The design and social engineering of email-based attacks have changed significantly in the last few years, Jakobsson noted. Leveraging the use of social networks and data stolen from breaches and individual account compromises, cyber criminals are looking for ways to increase the legitimacy of their emails.
“To make it worse, email also offers a low barrier to entry. While some attacks — like those on John Podesta last year — are devilishly clever, most attacks are rather straightforward, technically speaking. Yet, they are still very successful,” he said.
Compared to malware development, email-based attacks are less demanding, and cyber criminals do not need advanced computer skills to execute them. Today, there are resources and methods that virtually anyone connected to the internet can use. “Couple this with the tremendous profits criminals can see, and the common failures of traditional email security measures — like traditional spam filters — and it is not hard to understand why this type of crime is exploding,” he said.
Malicious ‘phishing attacks’ have dominated security headlines in recent months, with 2017 already seeing campaigns targeting Gmail, Netflix, and Amazon customers, as well as large enterprises with W-2 and BEC scams.
Today the email threat landscape is extremely complex, but there is no commonly agreed-on classification system available to help businesses really understand what’s going on. This is a problem because in the case of stopping email attacks from reaching an organization, knowledge is power, he said.
Cidon said the threat landscape is changing dramatically. Traditionally, the same malware was sent to many customers, and once these viruses were identified, the security companies used the file’s signature to identify new attacks. In today’s world, attackers generate a unique file for each recipient. This has created the need for sandboxing, where each file is opened in a secure virtual machine and its behavior is observed to determine whether it is malicious.
“However, even this approach may soon become obsolete, since attackers can anticipate that a file will be opened in an artificial sandboxing environment and take active steps to avoid detection,” Cidon said. “Similarly, we have seen a sharp increase in the rise of spear phishing, or social engineering attacks, where the attacker doesn’t even need to rely on a virus or a malicious link. Instead, the attacker tricks the recipient to send out sensitive information (e.g., W-2s, credit card numbers) or wire transfer by impersonating someone else in the company.
“Traditional email security falls short in defending against these threats, because the attack is seemingly not malicious. This is why machine learning is increasingly a key part of email security," he said.
Almost all attacks use some form of identity deception, but there are many varieties of this, Jakobsson said. There is what is traditionally referred to as “spoofing”; there is the look-alike attack wherein the attacker registers a domain; and there is what is referred to as “display name abuse” — this is an attack in which the criminal selects a convincing display name, commonly for a free webmail account he registers. There is also the problem of corrupted accounts that are the accounts of honest users, whose credentials the attackers have managed to steal.
Another part of the problem is how the deceptive identities are used, Jakobsson said. The targeted attacks use contextual information which makes them more credible. In addition, they are also less likely to be blocked by filters that use blacklisting, since each attack instance looks different from the other. Also, attacks can be classified based on whether they involve a URL (like consumer phishing attacks do); an attachment (as many ransomware attacks do); or are just conversation-based (like typical BEC attacks).
These descriptors make it helpful to understand what types of countermeasures should be used to prevent them; for example: