Treasures attackers look for in the sea of email

Sep 30, 2016 | 4 min read
Data and Information Security, Data Breach, IT Leadership

Navigating the digital waters without getting caught by whaling and phishing attacks

As we dive into October, cybersecurity awareness month, there are lots of strategies to help us all become stronger swimmers in the digital waters. Given that there are 112 billion business emails sent around the world every day, that is one huge ocean that everyone can learn how to better navigate.

Since its inception, email has become mission critical, and so many necessities beyond mail service have grown up along with it. Enterprises have become burdened by the complexities of email, which additionally requires the added protections of encryption gateways, spam filters, phishing protections, and much more.

In order to attack all of the issues of email security in the age of digital disruption, you first have to know what is beneath the rough seas.

Peter Bauer, CEO of Mimecast, said beyond the nuisance of spam, virus, and email DDoS, there are threats that have become much more targeted. “First, there are URL links in emails that are typically taking a recipient to a website where they are going to try to steal their credentials with a phishing attack or malware to download,” Bauer said.

Those who aren’t proficient swimmers can avoid this threat by not taking the bait. Don’t click. It’s become common knowledge in many enterprises that users shouldn’t click on a link before verifying its authenticity.

Unfortunately, business emails are intended to do business. Sometimes that demands that sender and recipient exchange information either by clicking on links or opening attachments.

Those attachments, Bauer said, are another targeted threat. “Weaponized attachments are very frequently ransomware. There are other malware vectors coming through as well that may be looking to do data exfiltration or to recruit botnets.”

When it comes to the targeted threat of impersonation attacks, perhaps all the fish in the sea would be safer if they suffered from memory loss and repeatedly asked, “Do I know you?” like the beloved little Dory.

Bauer said, “There is no malicious payload in the email. It’s become so easy to impersonate other people within the company through whaling, which is designed to steal data.” As far as emails are concerned, maybe all users should assume everyone is a stranger. That way, the attackers have a lesser chance of finding the treasures at the bottom of the sea.
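The two targeted threats described so far, credential-phishing links and payload-free impersonation, both leave traces in the message itself that a gateway or triage script can check before a user has to decide whether to trust the sender. The following script is an added illustration and is not Mimecast's or the author's code; the corporate domain, the executive directory, the release of replies and the two sample messages are all constructed here for the example. It flags a known executive's display name on a non-corporate address, a Reply-To that diverts responses to another domain, and HTML links whose visible text names one host while the href goes to another.

```python
"""Triage one inbound email for the targeted threats discussed above:
display-name impersonation, a diverted Reply-To, and links whose visible
text does not match the real destination.  Added example; the directory,
domain and sample messages are constructed, not taken from any real system."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                   # assumed corporate domain
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}   # constructed directory: display name -> real address


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_links(msg):
    """Return (href, text) pairs from every text/html part; only HTML can show one URL and link to another."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode(errors="replace"))
            links.extend(collector.links)
    return links


def triage(raw: str) -> list:
    """Return a list of findings for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)

    # 1. Impersonation: an executive's display name sitting on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Reply-To sends the user's answer to a different domain than the sender claims.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"reply-to mismatch: {from_dom} -> {_domain(reply)}")

    # 3. Link text shows one host while the href goes elsewhere (credential-phishing pattern).
    for href, text in _body_links(msg):
        shown = re.search(r"https?://([^/\s]+)", text)
        real = urlparse(href).hostname or ""
        if shown and shown.group(1).lower() != real.lower():
            findings.append(f"link mismatch: shows {shown.group(1)}, goes to {real}")
    return findings


# Constructed samples: a whaling attempt with a lookalike sender, diverted replies and a
# disguised link (203.0.113.9 is a documentation address), and a routine internal message.
WHALING_SAMPLE = """\
From: Pat CEO <pat.ceo@example-mail.com>
Reply-To: pat.ceo@webmail-example.net
To: finance@example.com
Subject: Urgent wire
Content-Type: text/html

<html><body>Approve today: <a href="http://203.0.113.9/login">https://portal.example.com/login</a></body></html>
"""

CLEAN_SAMPLE = """\
From: Pat CEO <pat.ceo@example.com>
To: finance@example.com
Subject: Q4 numbers
Content-Type: text/plain

See the shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage(sample))
```

The checks are deliberately header- and body-level only, so they run on a mail gateway or in a mailbox rule without fetching any URL; the directory lookup is what catches the payload-free whaling case, since nothing else in such a message is malicious.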

“They are looking for credentials, consumer credentials, or user credentials. Others are after ransoms, maybe bitcoin but sometimes cash as well in exchange for returned access to data,” said Bauer.

The data itself holds the most value, whether it is personal information that attackers can sell or otherwise turn into financial gain. “Data is stolen for espionage purposes and intellectual property theft or to gain a lot of insight so that they can plan a more sophisticated attack,” said Bauer.

Still others are after computing resources, said Bauer, and they are recruiting for botnet armies, for spam, and for launching DDoS attacks.

The best ways to stay safe in the email seas are either to teach your fish how to swim or get everyone aboard that old yellow submarine. On the technology side, Bauer said, “There are a lot of email security technologies that are largely capable of addressing the spam problem but not the more targeted attacks.”

When it comes to email security solutions, there are methods that will detect the malicious URLs and prevent weaponized attachments from ever getting to the end user. “For the majority of files that come in from the outside world,” said Bauer, “the recipient doesn’t intend to do anything with them in terms of editing.”

Human resources departments receive resumes, for example, and they don’t need to edit them. One solution is for those recipients to get read-only files. “If they need the original, they can click a link to request the original,” said Bauer.

Yes, frolicking in the water looks fun, but it’s also dangerous. Novice or inexperienced swimmers who are tossed into the middle of the ocean will likely drown, which is why awareness and user training are so critical. “We try to help people be less trusting of things that may not be as they appear,” said Bauer.

“The barriers of entry to launch an impersonation attack are so low and so effective that attackers are going after all sized companies,” Bauer said. They aren’t only targeting enterprises where the reward is $100,000. “They are able to get $5k for an impersonation attack, and that’s not bad for a morning’s work,” Bauer said.

That’s why it’s your job to throw the end users a buoy so that they can at least float while they try to become stronger swimmers in the email seas. Check out the weekly themes for National Cyber Security Awareness Month and remind everyone of the importance of cybersecurity awareness.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.