Spear Phishing
Whaling Email Attacks: Examples & Prevention Strategies
12 December 2019
95% of all attacks on enterprise networks are the result of successful spear phishing. But spear phishing can take many forms. One form is whaling, and it’s on the rise.
What is the difference between a spear phishing and whaling attack? A whaling attack is a type of spear phishing attack targeted specifically at an executive like the CEO or CFO. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive. Whaling attacks are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both humans and email defenses to catch. It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Whaling attacks target high ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear phishing attack where attackers impersonate a CxO or other senior leader.
Why are whaling attacks successful? Whaling attacks can be easy to pull off. Attackers don’t need much capital, special equipment or a particularly advanced skillset. They often just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. CxOs are incredibly busy and under a tremendous amount of pressure. They most certainly have access to significant amounts of sensitive information, and likely have their attention divided across many parts of the business. Working at a fast pace, on-the-go or outside work hours can lead to CxO’s to make critical mistakes on email and easily be duped into thinking a whaling email is legitimate. What’s more, CxO’s might be less likely to attend security awareness training due to their busy schedules. More and more companies are investing in training, but busy executives could prioritize educating the staff over themselves, which keeps the business at risk. After all, one employee misstep can have serious consequences for an organization. And CxO’s have a target on their backs due to the amount of sensitive company information that they hold. How can a successful whaling attack hurt a company? The motivation behind whaling attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences of whaling attacks: Financial loss: Of course, a principal objective is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. Austrian aircraft parts manufacturer FACC AG lost €50 million when their CEO fell victim to a whaling attack and wired the money to what he thought was a trusted source. When second-order financial penalties like fines are taken into account too, whaling attacks can prove extremely damaging to organizations’ balance sheets. Data breach: Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. What’s more, data breaches are expensive to manage; the average cost of a breach is $3.86 million. Fines: It’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183 million after a 2018 data breach. Reputational damage: It’s harder to quantify on a balance sheet, but after a whaling-induced data breach, hard-won brand reputation could be put at serious risk. An email security failure can negatively affect an organization’s relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. How can your organization protect against a whaling attack? Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound email threats, like whaling, SEGs commonly rely on the following— Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence. Spam and bulk-phishing prevention. Focus on past known attacks as well as basic email characteristics (e.g. domain authentication). These approaches rely on emails that contain blacklisted domains or IP addresses as well as they block bulk emails. These fail to prevent advanced impersonation, which is low-volume and often contains domain and IP addresses that have never been seen before. Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc) but attackers have learned to evade these rules. While SEGs can block malware and bulk phishing attacks, rule-based solutions struggle to stop advanced impersonation attacks and to detect external impersonations, common in whaling attacks. External impersonation is the impersonation of someone who belongs to a different organization than the target such as a supplier or vendor. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Tessian Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyzes historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Tessian Defender can detect and prevent threats in real time with minimal end-user disruption.
Spear Phishing
What is Spear Phishing? Defending Against Targeted Email Attacks
08 December 2019
With legacy tools trapping more scatter-gun approaches to stealing data and money from organizations, spear phishing has become increasingly popular amongst the cybercriminal community. Part of the appeal is that it is extremely difficult to detect.
What is spear phishing?
What is the difference between phishing and spear phishing? On the face of it, phishing and spear phishing attacks may seem similar, however there are many differences. Phishing emails are sent in bulk and are relatively easy to execute by those with nefarious intent. Phishing attempts are generally after things like credit card data or login credentials and are usually a one-and-done attack. On the other hand, spear phishing is significantly lower in volume and much more targeted. A spear phishing attack is usually targeted at a specific individual within the organization and is highly personalized. What makes a spear phishing attack so effective is that it’s more difficult to spot that the email is malicious as it often convincingly impersonates a trusted source known to the target. Spear phishing is an attack that isn’t as difficult to pull off as you might assume. The research required for an effective attack isn’t much of a barrier either due to the abundance of data that is available online. It is no exaggeration to say that spear phishing is the number one security threat facing businesses today. While every spear phishing attack is unique by its very nature, we will discuss some of the characteristics that can be seen in a spear phishing attack: the target, the intent, impersonation and the payload.
The target Spear phishing attacks often target staff with access to financial resources, critical internal systems, or sensitive information. Spear phishing attacks commonly target specific employees or groups that have access to money, sensitive systems or important people within the organization. In addition to selecting their target by the department, attackers will also select a target by their job title. New hires are also a frequent target for attackers as they tend to be a bit more eager to please their superiors than colleagues who have been employed for some time. There is an abundance of valuable data available online for criminals to exploit to identify the best targets, from LinkedIn career updates to new employee details on company websites. Finally, new hires tend to have a lack of understanding about what normal email communication looks like within the company, meaning they have less knowledge of how internal email address should look and less insight into who the organization usually communicates with. Once they have identified their target, the attacker can easily undertake further research to find out who the target regularly communicates with. Here, social media sites such as Facebook and Twitter can provide valuable information about roles, responsibilities and professional relationship structures within an organization. With this information, the attacker can create a credible narrative and personalize the email they send. This makes the victim far more likely to fall for impersonation.
The intent The intent of the spear phishing email usually falls within three specific areas. Extract sensitive information Install malware onto the network Wire money to accounts that belong to the attackers Criminals are on the hunt for sensitive information, like login credentials, medical records or bank codes, because any information – regardless of its type – has a value on the dark web. To get this data, attackers can use different tactics. They may try to deploy malware in the form of ransomware or keyloggers in order to invoke widespread havoc. Or attackers may use spyware, which is designed to sit, undetected, in the background and mine valuable data. Alternatively, attackers can take a more direct approach: request a wire transfer in a well-crafted email impersonating a familiar colleague, supplier or customer.  Attackers can also build relationships with their victims long before making any requests for money or information. Or, they may send a very simple, casual email — “are you in the office?” — which can easily initiate an email exchange. Only after that do they strike with a follow up email include requests for the target to wire money, send confidential information, or click on a payload. Generally, the email will contain deliberate language to establish context and intent within both the subject header and body copy, to create a feeling of urgency that helps trick the target.
The impersonation There is always an element of impersonation in a spear phishing attack. Whether it is impersonating an authoritative figure within the organization (for example a CEO or CFO), someone external (such as from a trusted supplier or valued client), or a business unlikely to cause suspicion (such as Microsoft or PayPal). The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. Furthermore, the very fact that modern organizations generally deal with so many counterparties offers limitless possibilities to impersonate vendors or suppliers (external impersonations), making them very hard to detect. Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone.
Impersonating a display name is easy for even those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting a authentic-looking display names on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone. Domain impersonations are another popular technique, in which attackers spoof or impersonate an organization’s domain in order to appear legitimate. They look to circumvent security filters by impersonating recognized, trusted domains whether at the root (i.e. [email protected]), top-level (i.e. [email protected]) or subdomain (i.e. [email protected]). Such complex domain manipulations are very hard for both humans and rule-based security solutions to detect. For instance, a commonly used rule is to calculate the number of different characters between 2 domains: “If the difference is smaller than 2, block the email.” Attackers have learned to use a complex domain manipulation to evade such a rule.
The payload A payload is a malicious link or attachment contained in an email. Examples of payloads include: attachments that deploy malware or ransomware when opened; or embedded links that drive to fake login sites that farm credentials. It is important to note that not all spear phishing emails contain a payload. Historically, attackers have leveraged payloads in phishing attacks. Because of this, certain email security solutions have been developed in order to detect them. These solutions analyze and sandbox attachments, inspect links as well as look at the website that the links are pointing to in order to see if they’re malicious. As these security solutions become more popular, attackers have learned to execute attacks without links or attachments and instead are utilizing coercive language and social engineering to ask the target to share confidential data or wire money.
Why is spear phishing still a problem today? Today, employees are the most important data processors in any company. The reality is that just one employee misstep can have serious consequences for an organization. With the information they manage to obtain, fraudsters can reveal commercially sensitive information and steal large amounts of money from organizations. Employees likely receive more security awareness training than in the past, but their workloads have become greater and more complex. They are busier than ever and expected to maintain the same pace of delivery. Because of this, people can make mistakes and be deceived. No amount of training will change this. While training is well intentioned, it simply isn’t enough to prevent increasingly sophisticated spear phishing attacks. Companies can’t rely on people spotting every attack. While SEGs can block malware and bulk phishing attacks, they cannot stop spear phishing emails that don’t include a payload. Email is the main communication channel for enterprises today, however the openness of email makes it easy for attackers to exploit. Data continues to be lost and systems continue to be compromised via email, with spear phishing increasingly being the attack vector of choice. Recent headline-grabbing attacks include: volunteers for Hillary Clinton’s presidential campaign were targeted as part of one attack; City officials in Ocala, Florida were tricked into sending over $742K to what they thought was a construction company; Australia National University was targeted by a spear phishing email that led to attackers silently monitoring the university’s activity as well as stealing the credentials of staff and students.
How can machine learning help stop spear phishing attacks? The common root of all spear phishing attacks is impersonation—an attacker is pretending to be someone the target trusts. Companies therefore need to identify impersonations on email in order to protect their users, and importantly, their data and systems. But detecting impersonation is not easy. To do so, you need to understand human relationships and human behavior. Machine learning (ML) is the perfect tool to do this. By learning from historical email data, Tessian’s ML algorithms can understand a company’s users relationships and the context behind each email. This allows them to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones. To learn more about how Tessian Defender prevents spear phishing attacks for organizations like Arm, talk to an expert today.  
Human Layer Security Spear Phishing
It’s the Most Fraudulent Time of the Year
30 November 2019
With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder, this window is often referred to as the “Golden Quarter”. But retailers and their customers may get more than they bargained for as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns. We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy. However, it’s also important to remember that retailers themselves are at greater risk of phishing attacks during this time, as well. In fact, our latest report reveals that nearly two thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers as UK retailers (56%) and US retailers (57%) saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too. It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season. The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be at the front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money. On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers. With the average phishing attack now costing a company $1.6 million, there are significant financial consequences for a retail worker being duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers in retailers believing phishing is the greatest threat to their organization during the holiday shopping season. Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.  
Spear Phishing
7 ways to Survive this Black Friday
15 November 2019
Shoppers are expected to smash previous Black Friday spending records this weekend, with experts forecasting global sales of around $36.9 billion on Friday alone. With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. And this makes them a prime target for cybercriminals. Here are our top tips for your business to survive the Black Friday weekend: 1. Think before you click on email Phishing is the biggest risk for one in five IT decision makers at UK and US retailers during the holiday shopping season. No wonder – over 60% receive more phishing attacks during this time than any other point in the year. Peak shopping days like Black Friday, Small Business Saturday and Cyber Monday are a golden opportunity for hackers to hide in chaotic inboxes and take advantage of individuals who are not security savvy. Is your business defending against this risk? 2. Keep calm and carry on When dealing with throngs of shoppers, processing thousands of orders and meeting overwhelming sales targets, retail staff will be under pressure to deliver. With more emails being sent and received and with staff working at a fast pace for long hours, mistakes will inevitably happen. In fact, 67% of IT decision makers at UK and US retailers believe staff are more likely to click on a phishing email during the holiday shopping season. Put measures in place to protect your people, especially when security is the last thing on their mind. 3. Train temporary staff on the threat Temporary seasonal workers play a critical role in helping retailers out during this busy time but they rarely benefit from the cybersecurity training that full-time employees receive. This makes them more vulnerable to threats like phishing. If just one employee falls for a scam, the retailer could face a security breach exposing the personal and financial data of thousands of consumers. Make sure all staff are trained on the phishing threat and know what action to take should they receive one. 4. Keep customer service teams alert Over a quarter of retail IT practitioners are concerned that customer service workers will fall for phishing attacks during this peak shopping season. Hackers will target these teams with phishing emails that contain malicious attachments or links, knowing that staff will need to deal with every customer enquiry they receive. Stay on high alert: encourage customer service teams to flag any messages that look suspicious. 5. Protect your customers from seasonal scams Consumers will be inundated with emails touting Black Friday deals this weekend. It’s a golden opportunity for cybercriminals looking to steal personal data and credit card information to pose as legitimate retail brands and lure consumers to fake sites. We increasingly see hackers impersonating brands in sophisticated spoofed emails; it’s surprisingly easy to do if the company doesn’t have email authentication records like DMARC in place. Worryingly, a third of retailers we surveyed do not have these checks in place. The problem is that consumers are more likely to click on malicious links or download harmful attachments when an email looks like it comes from a legitimate brand and email address. Protect your customers by protecting your brand. 6. Be wary of spoofed suppliers Not only can hackers target your third-party suppliers to gain access to company information, but they can also impersonate suppliers’ domains and send seemingly legitimate emails to your staff, asking them to wire money or share credentials. Nearly one in three retailers say employees have received spear phishing emails impersonating an external supplier. Always examine what the sender is asking you to do—are you being asked to carry out an urgent request? If this isn’t normal, it may be a fake request. 7. Don’t rely on tick-box training Don’t make cybersecurity training a one-off exercise. Continually teach and reinforce safe email behavior so that your staff are able to make the right cybersecurity decisions both at work and in their personal life. Our handy cheat sheet will help. Encourage your employees to print it and keep it on their desk so that they can identify the cues of a malicious message. To find out more about how to avoid seasonal scams, read our report.
Human Layer Security Spear Phishing
Types of Email Attacks Every Business Should Prepare For
14 November 2019
Corporate email continues to rule in the world of business. Today, the average office worker receives 120 emails every day.  While many of these emails pertain to business as usual, not every email is quite what it seems. Now more than ever, organizations are on the receiving end of advanced email attacks that aim to steal money, pilfer data or compromise systems.
What is an email attack?
What is the purpose of an email attack? Email attacks can take many forms but are typically deployed by cybercriminals in order to steal money or data. In order to keep organizations secure, it is important that employees are able to recognize the most common types of email attacks and understand the potential impact that they could have.
Most common types of email attacks Cybercriminals can leverage email in multiple ways to attack people and systems. There are a variety of tactics that range from being very broad to very targeted: Spam. Spam is known as a high volume commercial messaging sent over email.Despite several tools to filter out unwanted email, spam remains a significant challenge for organizations large and small. 56 percent of all email traffic is made up of spam; so while spam is not always the vector of attack, its sheer volume helps obfuscate real attacks, such as spear phishing. Phishing. Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity.Phishing attacks are sent in high volume, and the legitimate look of the email can trick users into accidentally opening an attachment or clicking on a malicious link. However, phishing emails are not personalized and tend to start with generic greetings like “hello” or “dear sir.” What makes phishing attacks successful is that even though a small percentage of targets fall for the attack, the sheer number of people receiving the email means that the attacker is likely to have some success.
Spear phishing. Spear phishing is an advanced phishing attack that is targeted at one or a few individuals. This type of attack targets a specific individual and tries to impersonate a person or an entity that they trust. Before the attack is launched, the attacker spends time researching their target to gain information such as their name, or suppliers that the target uses in order to make the email appear legitimate. Because spear phishing emails are more sophisticated in their construction and convincing in execution, they are harder to catch.
Business Email Compromise (BEC) is when a relationship is hijacked through email – an attacker tries to trick someone into thinking they are a trusted contact in order to steal money or information. BEC can be accomplished through spear phishing or account takeover. Read more about BEC here. According to the FBI, BEC attacks cost organizations $26bn between 2018 – 2019. In fact, BEC attacks have now overtaken both ransomware and data breaches as the main reason that companies file a cyber-insurance claim according to insurance giant AIG.
Consequences of email attacks There are a variety of outcomes that can occur from the above email attacks. Here they are: Malware: Malware is a computer software that has a malicious intent. Some of the different types of malware include ransomware and spyware, which have the goal of gaining control of infrastructure, farming credentials or gaining access to passwords. Ransomware is a type of malware that essentially holds a target hostage; attackers will demand a fee in exchange for unencrypting the target’s systems. Like malware, ransomware is a payload that is often deployed by phishing or spear phishing emails. Ransomware can have a significant impact, as seen with the WannaCry attack, which was estimated to have affected more than 200,000 computers across 150 separate countries. The financial outcome of ransomware has made it attractive for attackers, with over $1 billion being racked up by criminals annually. Businesses and governments continue to get inundated with ransomware attempts and reports even suggest that more than 600 US government entities have been hit with ransomware so far this year. Credential Theft. Credential theft occurs when an attacker is able to steal the credentials of the target by executing a successful phishing or spear phishing attack. Often, the email will include a link which will take the target to a fake login page where the target’s credentials are ultimately harvested. Wire-transfer fraud. Wire-transfer fraud is when a target wires money to an attacker’s account. Wire-transfer fraud can be accomplished by the attacker including bank details in a phishing or spear phishing email, and requesting the target to pay a specific amount. Another way that this can be achieved is if the attacker tricks someone into changing the details of the bank account to which a recurring payment is paid.
Why are email attacks so successful? Phishing and BEC attacks are difficult to detect because cybercriminals are utilizing social engineering techniques in order to build trust. The attacker manipulates the target by posing as a trusted individual or organization and will oftentimes engage in a conversation over several emails, before requesting the target to divulge credentials, confidential data, or to wire money to an account they own. Social engineering is what contributes to the success of these attacks because attackers use convincing language to get people to act instinctively, not rationally. For example cybercriminals were able to access payroll information of 700 current and former employees at social media behemoth Snapchat by posing as CEO Evan Spiegel in an email and tricking a junior employee into sending them the confidential data. Email impersonation can take on a variety of forms, such as display name impersonation where the attacker sets a deceptive display name on their email account, or spoofing where an attacker forges an email to make it appear as if it’s been sent from another email address. Email authentication protocols such as DMARC, DKIM and SPF have been introduced over the years as an attempt to stop spoofing. The problem with these three protocols, though, is that many organizations have yet to adopt them and weaknesses can be exploited. For example, 80% of Fortune 500 companies do not have DMARC policies set up. As well, this email authentication only prevents an employee’s individual domain from being spoofed but it does not prevent them from receiving emails that have been spoofed. Finally, it’s easy for attackers to figure out which counterparties don’t have email authentication set up as DMARC records are publicly available.
Email attacks continue to cause sleepless nights for IT administrators everywhere. Although many organizations have implemented employee training programs into their security strategy, these programs often are not designed to account for human error. Human error is the main cause for the majority of data breaches, and it can easily occur because employees can become distracted or tired which leads to mistakes being made over email. The assumption that employees can become an effective line of defense after undertaking just a few hours of security training is unrealistic. Security teams need to implement the right technology to support employees without getting in the way of their day-to-day business.
How can machine learning help stop sophisticated email attacks? Defending against targeted email-borne threats requires superior email security. Legacy tools have not been able to keep pace with evolving email attacks. Rule-based systems may be able to block simple impersonations, but struggle to detect more complex ones. Complex impersonation attacks cause more damage for organizations. It is time for organizations to adopt a more intelligent approach to inbound threats – one that understands historical email relationships and communication patterns, and can therefore, automatically detect anomalies and threats. Tessian’s stateful machine learning engine learns the difference between normal and abnormal email communications. In real time, Tessian automatically prevents the most advanced forms of spear phishing, accidental data loss and data exfiltration. This ensures that organizations can stay ahead of attackers and protect the data that they hold most dear. To learn more about how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.
Spear Phishing
Business Email Compromise – What it is & How it Happens
11 October 2019
This question should be standard issue at any cybersecurity pub quiz: What increased by 108% one day in September 2019? It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks. No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn. The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019. So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them? Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…
What is Business Email Compromise? Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways: email impersonation (i.e. spear phishing attacks) email account hacking Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack. BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty. Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to the this Tessian blog.) To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag. This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:
It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks? What are common BEC techniques? Supplier / vendor fraud The dangers of external impersonation are becoming better understood, but there is still a learning curve for security leaders within enterprises. Every business has a finite number of employees, which makes it easier for security products to keep on top of potentially suspicious activity on “employee” email accounts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. (Download Tessian’s guide to email impersonation to see this effect in action.) CEO fraud CEO fraud is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. As with other BEC scams, the usual aim is to extract money from the targeted business by coercing an employee into making illicit wire transfers. Whaling Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they tend to be very busy, and because of their access to key systems, senior executives can be especially profitable targets for attackers. Account takeover As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. ATO attacks are understandably extremely hard for traditional technologies to identify as the “genuine” email account is in use. Institutional impersonation Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.) The consequences of BEC As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of. Data breach / credential harvesting Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. Financial losses Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets. Fines Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach. Reputational damage It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most business unprepared to defend against this threat?
Why rule-based technology does not stop BEC Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. (Read our CTO Ed Bishop’s thoughts on Secure Email Gateways and other legacy technologies here.) BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. That’s why organizations must invest in technology that explicitly protects theirpeople. And that’s where Tessian’s software, trained on over 1 billion emails, comes in. Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees. If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.
Spear Phishing
Spear Phishing Demystified: the Terms You Need to Know
10 October 2019
Jargon is a hallmark of all industries. Cybersecurity is no different, but using the right security terminology has a real impact. When an organization’s data and systems are threatened by spear phishing attacks, being aware of evolving trends and the definitions of key terms could be the difference that helps prevent the next threat. Spear phishing is the number one threat facing businesses today, but research still suggests that “lack of knowledge and awareness about cyber-attacks could hinder the growth of the spear phishing protection market.” In this article we define and explain key spear phishing concepts and terms. (To learn more about how to prevent spear phishing attacks with machine-intelligent technology, read about Tessian Defender.) Spear phishing definition, and other attack types Although media outlets and security companies rightly pay a lot of attention to spear phishing, advanced impersonation spear phishing attacks come in many forms. Once you’ve read our breakdown of different key terms and what they mean, you’ll come away with a clearer understanding of the range of sophisticated inbound email threats. Spear phishing Spear phishing describes an advanced impersonation phishing attack directed at specific individuals or companies. (Head to the “Other useful terms” section below to see a definition of regular “bulk” phishing.) Similar to “bulk” phishing, spear phishing attacks are designed to trick people into taking an action like transferring funds or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because spear phishing emails are low-volume as well as more sophisticated in their construction and convincing in execution, they are far harder for traditional email security products to catch. CEO fraud / executive fraud CEO fraud is a type of spear phishing attack where attackers impersonate a CEO or another high-level executive. Here, attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. Attackers often use social engineering techniques (see “Other useful terms” below) to convey urgency and prevent targeted employees from thinking twice about following the instructions of the “CEO”. A notorious example of this kind of fraud saw an impersonation of Pathé France’s CEO lose Pathé €19.2m. Whaling Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they are many times more likely to be targeted than rank-and-file employees, because they tend to be very busy, and because of their access and influence, senior executives can be especially profitable targets for attackers. Forms of impersonation used in spear phishing attacks Although all spear phishing attacks revolve around impersonation of some kind, impersonation itself can take many forms. Attackers impersonate people on email in order to: • Steal money, data and credentials • Compromise systems • Take over accounts Essentially, all spear phishing attacks use impersonation as a strategy. Mechanisms differ from the easy (display name impersonation) to the complex (direct spoofing). Here’s how we break impersonations down: Business Email Compromise According to the FBI, Business Email Compromise (BEC) attacks cost organizations $1.2bn in 2018 alone. BEC is closely related to spear phishing – and commonly confused with it – but is potentially still more damaging and severe. Attackers impersonate employees or external counterparties and send spear phishing emails to people within the organization being targeted, using social engineering techniques to convince targets to wire funds outside the organization or to click on dangerous links that risk compromising systems and/or data. Readers should bear in mind that there are several different interpretations of BEC. For example, it’s often confused with Account Takeover (ATO): ATO describes the unauthorized takeover of someone’s actual account, using harvested credentials or “brute force” hacking. Domain impersonation These attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. There are three main kinds of domain impersonation: root, top-level and subdomain. Below is an example of each of these impersonations, using the domain companyinc.com as a starting point: • Root: [email protected] OR [email protected] • Top-level: [email protected] • Subdomain: [email protected] Display name impersonation Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. This might mean impersonating a senior executive within a company, or the name of a key supplier or partner. The technical skill required is effectively zero: most mainstream email clients offer users ways to change display names in their account settings. Display name impersonations are particularly effective when received on mobile devices, as the sender’s actual email address is usually hidden.
Attackers can also change a sender’s display name to include a genuine-seeming email address, such as “Thomas Edison <[email protected]>
Freemail impersonation Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could send an email from [email protected] to an employee working in the finance department, for example, requesting an urgent transaction. Here’s the example from before:
Automatic “Out of office” replies are a useful tool for attackers planning freemail spear phishing campaigns. By probing lists of contacts, attackers can learn when a particular executive is out of the office. Details volunteered in OOO autoreplies may tell them how long the executive is out of the office for, and even where they’ve gone. With this knowledge, attackers are free to impersonate the executive’s personal email account (or simply register an authentic-looking freemail address) and target the executive’s colleagues with a convincing impersonation.
Other useful terms Credential harvesting Credential harvesting is often an end goal of spear phishing attacks. Attackers will use coercive emails to direct recipients to fake login pages or other websites, where credentials can be harvested. Attackers can monetize credentials by selling them, or by using stolen account information to make purchases. In an enterprise environment, compromised credentials can also place entire systems at risk, doing significant financial and reputational harm to the business. Having harvested credentials, attackers can even take over email accounts and begin targeting victims’ contacts. Payload Many spear phishing emails contain a payload: on email, this might be a malicious link or attachment that, when opened, triggers malware on affected devices or systems. Increasingly, spear phishing attacks don’t have a payload at all, relying on persuasive language to coerce an employee into making a mistake. In turn, this makes these attacks especially hard for traditional security tools to defend against. Phishing Generally, phishing attacks are sent in bulk to a large audience, meaning the attackers’ language is relatively untargeted and unpersonalized. While phishing attacks can be successful, most attacks can be identified by traditional email security tools. This is why attackers have evolved to rely on spear phishing to extract money, data and credentials from organizations. Ransomware Ransomware attacks are growing in popularity and also need little or no technical skill to carry out. In a ransomware attack, an attacker holds an organization “hostage” by deploying malicious software across critical infrastructure. The attacker will threaten to steal money or data, or to cripple the organization’s systems unless a ransom is paid. Perhaps the most famous example of such an attack is the NotPetya worm which crashed systems around the world in 2017. Many ransomware attacks start with a spear phishing email containing a dangerous payload. Social engineering Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating ‘normally’ for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched. Spoofing A spoof describes an impersonation where an attacker forges an email by modifying the email address from which the email appears to have been sent. (Many people don’t know that it’s possible for anyone with their own mail server to specify any From: address when sending an email, a loophole often leveraged by more sophisticated attackers.) As an industry, cybersecurity is responding to a rapidly evolving threat landscape and growing more complex every day. It’s vital to understand the range of different concepts and terms that surround the exploding spear phishing crisis. A reminder: if you have further questions about spear phishing, speak to a Tessian expert.
Spear Phishing
CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives
01 October 2019
You’re sitting at home when your phone lights up. It’s an email from the CEO. Subject line: “Urgent”. Your heart rate rises a little. It’s after hours – it must be something serious. And aren’t they meant to be on holiday this week? “Hi – I’ve just had a call from Supplier X in France. We need to change the account details for the invoice that’s due to be paid tomorrow. I’m OOO so can’t look at it. Could you help? Sorry for late message.” You check the accounting platform. The invoice is there, ready to go tomorrow. It takes less than two minutes to amend the details. You notify the CEO that the job’s done. (Maybe they’ll mention to your boss how you helped them out!) The reply comes: “Excellent – thanks for sorting this. Great job.” A good evening’s work, right? Unless your “CEO” isn’t who you think it is. What is CEO fraud?
CEO fraud is a form of Business Email Compromise (BEC). It’s just one part of an epidemic of email impersonations that are responsible for billions of dollars in losses around the world. Collectively, Business Email Compromise scams have been responsible for $26bn in enterprise losses. According to the FBI, “Between May 2018 and June 2019 there was a 100% increase in identified global exposed losses.” CEO fraud and other BEC attacks can cause extreme harm to organizations. A particularly common outcome, as with most BEC scams, is to extract money from the business by coercing an employee into making a wire transfer to a cybercriminal-controlled bank account. However, CEO fraud attacks can also seek to extract sensitive information like contact data and credentials, and even disseminate malware into an organization.
CEO fraud vs. whaling CEO fraud and whaling are closely related, but far from identical. The key difference is that in a whaling attack attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Whaling is seen as an effective attack vector because senior leaders themselves are perceived to be “easy targets”. Leaders tend to be extremely busy, and they often enjoy access to the most sensitive information an organization holds. Verizon research has suggested that senior executives are 12x more likely to be the target of attacks such as phishing than other employees. CEO fraud, meanwhile, uses the seniority of those high-level executives to exploit other employees within organizations. So what are the methodologies information security practitioners have to watch out for?
The most common CEO fraud techniques As with so many email threats, at the heart of every CEO fraud attack is impersonation. This type of attack most often occurs by way of display name or domain impersonation. (We’ll also cover freemail impersonation, another important technique to be aware of.) Display name impersonation Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Impersonating a display name is extremely easy, and works especially well on mobile devices, where the actual email address used to send the email is unlikely to be visible. The image below shows an impersonation of an example CEO, Thomas Edison. Anyone can change their display name to Thomas Edison and send a potentially convincing email on mobile devices with nothing looking amiss:
Domain impersonation Domain impersonation attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. Attackers can produce convincing impersonations of a genuine CEO email address in three ways. Root domain impersonations change aspects of the company’s domain – an example might be te55ian.com. Top-level domain impersonations involve changes being made to the .com or .co.uk parts of a domain: an attacker might exploit an unregistered or less common domain like .io or .work. Additionally, attackers can add company-branded subdomains to a completely separate and abstract domain (eg company.email-outbound.com). Just because a company owns the more popular .com or .co.uk top-level domains does not mean they own every variation on those domains. CEO fraud attacks can exploit any inconsistencies in security infrastructure, leveraging online properties unclaimed by the organization in question in order to create a compelling spear phishing email.
Freemail impersonation Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could register an email address on Google and send an email from [email protected] to an employee working in the finance department, for example, requesting an urgent transaction. Here’s an example of this in practice:
Impersonations come in many shapes and sizes. CEO fraud attacks can rely on any one of these techniques to exploit the trust of employees, with potentially devastating consequences for enterprises. But why do employees click on these spear phishing emails in the first place? Social engineering has a lot to do with it. CEO fraud and social engineering Of all types of BEC attack, CEO fraud might be the type that relies most on social engineering. Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating “normally” for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched. There are a range of social engineering levers attackers can pull to affect their target and coerce them into sending assets like money or data outside the organization: Seniority It might sound obvious, but emphasizing the nature of a CEO or senior executive’s work can be an effective tactic in coercing an employee into action. Emails that ask for work to be done ahead of a board meeting, or which appear to be critical to the success and/or health of a business, underscore their importance and encourage people to act swiftly (perhaps without thinking carefully). Trust While most early spear phishing attacks contained malicious links or attachments, a growing proportion of attacks now contain no payload at all. This has the advantage of being harder for traditional security tools to detect, but sending innocent, non-fraudulent emails also helps to build a rapport with the target. A history of “regular” email communication raises the chances of the target taking the bait when the key, malicious email is sent. Urgency If there isn’t much time to act on a given request, targets may not think as critically about the motivations behind that request. By centering the message on time sensitivity, attackers hope that they will force targets to think instinctively (not rationally), particularly if the message comes from a trusted senior colleague. Let’s return to an example we used earlier, this time focusing on the content of the email rather than the display name. It concerns a supplier payment that’s due “tomorrow”, making the request appear to be a high priority:
How to defend against CEO fraud Part of the challenge for IT and security professionals is the sheer number of options in the cybersecurity marketplace that promise to help combat advanced impersonation attacks. The rising number of data breaches every year is testament to the fact that legacy security tools are not able to defend against sophisticated email impersonations. Traditionally, security products have depended on extensive lists of rules to operate. Although rule-based software has been able to defend organizations against predictable, unsophisticated spam and “bulk” phishing attacks, more agile and sophisticated techniques have rendered Secure Email Gateways (SEGs) and other rule-based software programs ineffective. When criminals are changing their angles of attack all the time, legacy tech just can’t keep up. Organizations frequently extol the benefits of training and awareness in combating sophisticated spear phishing attacks. However, placing the onus on employees to defend against cyberattackers detracts from the reason they were brought into the business in the first place – to be empowered to do their own specialized work. Too many organizations still rely on unintuitive training sessions that don’t focus on real-world issues the firms in question are facing every day. Instead of placing all their chips on training, organizations must invest in understanding the patterns that betray CEO fraud and other impersonations. Spear phishing emails have certain key components that, when analyzed together, can help detect the attack that’s taking place. Target: Spear phishing attacks are invariably directed at specific employees or groups of people. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from Linkedin career updates to employee details on company websites. Intent: In both the email subject line and body copy, the attacker will use deliberate language to establish context and intent. They want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests﹘like a wire transfer﹘will appear authentic and usually get the target to complete the desired action. Impersonation: At the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. Payload: Spear phishing emails may contain some form of payload (a malicious attachment or link) to engage the target. Advanced impersonation tactics are discreet; they usually rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses. Here’s a view of these components laid over a potentially suspicious email: Attackers can be incredibly subtle in crafting their messages, and it is unreasonable to expect busy employees to identify potentially threatening aspects of an email straight away. That’s where Tessian Defender, our security software built to detect advanced impersonation spear phishing, comes in. It’s a given that email security software needs to analyze email headers, IP addresses and other information that’s normally hidden from the end user. But to prevent CEO fraud and other spear phishing attacks, software must also be able to analyze natural language and compare the message in question to as much historical comparison data as possible. Even the content employees can see – perhaps particularly the content employees can see – is designed to trigger a dangerous action on the part of the target. Using 12 months of archival email data to establish what “normal” looks like, Tessian understands how different people inside and outside a given organization communicate with each other on email. Analyzing behaviors and communication patterns, Tessian can identify whether the content of each new email appears suspicious. If an email to an employee is deemed a potential risk to security, Tessian generates a notification which sits above the message itself in the employee’s email client and explains what could be amiss. With all the salient information on hand, the employee can choose whether to reply to the message or to change their course of action and flag the threat. With Tessian’s technology keeping email safe, employees can get on with their work without the pressure of feeling like they are the first line of defense against cyber threats. Security leaders, meanwhile, can be sure that employees are dealing with fraudulent emails in an appropriate way. Technology that stops threats and educates workforces: is this the route to eradicating the threat of CEO fraud? CEO fraud: in summary Security practitioners need to be extremely mindful of the risk of CEO fraud and other BEC scams. Impersonation-based cybercrime continues to extract billions of dollars from organizations each year. Attackers are constantly evolving their methodologies and showing that legacy email security software is increasingly outdated. The way to take on the threat of CEO fraud is to look at the fundamental technique at the heart of any such attack: someone with bad intentions impersonating a senior leader on email. Software that understands the email relationships between different stakeholders, and that is built to look for this kind of impersonation, is vital for any organization looking to minimize harm from data loss, financial penalties and reputational damage. Learn more about Tessian Defender on a call with a Tessian security expert here.
Spear Phishing
Inside Email Impersonation: Why Domain Name Spoofs Could be your Biggest Risk
18 September 2019
Domain names are some of the most highly-prized assets for brands today. The trust placed in an authoritative domain name can lend organizations valuable legitimacy and support brand reputation. The problem? An attacker with a computer and a few minutes to spare can impersonate that domain over email, putting an organization’s hard-won reputation in danger. Email impersonation attacks have disastrous consequences for enterprises. Whether it’s the threat of severe financial loss, the leakage of sensitive data, or of deep damage to brands and reputations, the risks to businesses of impersonation and spoofing are ever-present, and growing by the day. The most worrying thing for cybersecurity leaders is that attackers do not have to execute especially difficult or sophisticated techniques for their cyberattacks to have an outsize impact on organizations. This blog will cover some of the simple methodologies cybercriminals are employing to impersonate domain names – a powerful impersonation technique that is used by attackers all over the world to target enterprises. (Read our previous blog in this series, on display name impersonation, here.) If you’re interested in learning how criminals infiltrate enterprise networks and extract money, data and credentials from organizations around the world, just read through this guide to domain impersonation attacks and how they impact email security.
What is a domain name? Let’s begin with what a domain actually does. It all starts with IP addresses, which are numeric codes used to identify network activity on individual computers. Domains were originally developed as a way of making IP addresses easier to remember and identify. Today, domain names are used to define ownership of particular properties on the internet, like websites and email addresses. Domains can be purchased and registered using a hosting site or registrar. (More on the different parts of domains, and their vulnerabilities, later). By registering a domain, individuals and companies can be sure that when someone visits the domain www.tessian.com, or sends an email to [email protected], they will be interacting or communicating with Tessian. Or can they? If only it was that simple. The struggle to secure domains Attackers penetrating organizations’ defenses by spoofing emails (i.e, forging an email by modifying the email address from which the email appears to have been sent) is a growing threat. Even as awareness of the threat grows, though, there are several ways for attackers to take advantage of lax enforcement of the protocols that govern domain identification. In 2000, SPF became the first protocol that allowed domain owners to specify which IP addresses could send email from a given domain. Recent years have seen growing adoption of newer authentication protocols, first DKIM (DomainKeys Identified Mail) and later DMARC (Domain-based Message Authentication, Reporting & Conformance). DKIM is a complex authentication protocol that uses cryptographic encryption to give each email sent from a domain a “signature”. The most recent protocol to have become a widely-accepted standard is DMARC. DMARC gives organizations that have already set up SPF and DKIM an extra level of security. DMARC validates that both SPF and DKIM authentications have completed successfully, and also lets senders tell other email providers what to do with emails that fail authentication. However, all is not as rosy as it seems. Key structural problems with authentication mean that it is very easy for malicious actors to work around protocols. First among these difficulties is the scale of adoption. As of 2019, roughly 80% of large enterprises have “no DMARC policy in place.” Because authentication protocols are in the public domain, it’s easy for attackers to identify which firms do or do not have policies in place. As Tessian’s Laura Brooks previously wrote in a blog on DMARC:
DMARC’s settings let sending domains tell recipients to quarantine, block or passively monitor any emails that fail SPF and/or DKIM authentication (ie, the emails that could be spoofing the sending domain). But having DMARC set up doesn’t necessarily afford enterprises the flexibility they need. Let’s use the example of a big bank that works with several different law firms. As is the case in many industries, relationships between banks and their professional services suppliers are often disclosed in press releases and other media coverage. It is very simple for an attacker to find out whether any of the bank’s legal partners have failed to configure DMARC correctly. The attacker would then be free to spoof these law firms’ domains and target the bank, knowing that any communications would be likely to reach their intended targets given the flaws in many traditional Secure Email Gateway (SEG) products. For businesses whose DMARC policies aren’t set to block or quarantine messages, emails that fail DMARC checks will still be delivered to their intended recipients. This threatens email security. But many businesses simply can’t risk missing important and legitimate communications by using DMARC’s quarantine or block settings. The only way the bank’s – or any other organization’s – email infrastructure can be truly secure is for all third party suppliers and partners to also have DMARC configured to reject or quarantine non-compliant emails. Working within these unrealistic conditions, the only way to reliably identify impersonations is to focus on behavioral and relationship patterns within email communications – something legacy security companies do not offer. While there are still such fundamental gaps in the security infrastructure of global businesses, this leaves enterprises vulnerable to many of the same issues that plague employees and security leaders – DMARC or no DMARC.
Classifying domain impersonations Impersonating an organization’s domain in a spear phishing email is just one way for attackers to get past organizations’ defenses. But what domain impersonations do attackers rely on? There are three main kinds of domain impersonation that are regularly exploited in cybercriminal scams. Root Before selecting a top-level domain, organizations usually stipulate which root domain they want to represent them. Put simply, this is the “branded” part of a web address – the “tessian” in tessian.com. However, even owning a root domain does not prevent impersonations. Attackers may substitute characters in the root domain (see the image below, where an “l” has been turned into a “1”), or even by using characters from other alphabets. The Cyrillic alphabet’s “а” looks identical to an English “a” but will not be treated as such by a computer. Another strategy might be to register a domain that appears to be an “extension” of the targeted company’s regular root domain. Using dashes, for example, attackers can give the appearance of a functional subdomain that could easily trick a busy or distracted employee. At Tessian, we’ve registered the root domain to demonstrate the value of defending against these kinds of impersonations. Otherwise, attackers could add “company” subdomains to the root domain and easily create a convincing impersonation.
Top-level Top-level domains are the parts of web addresses that follow root domain names. Some of the most widely-known are .com, .net, .org, and so on. In recent years, many more top-level domains have come to market. Individuals and organizations can register domains using extensions like .work, .finance or even .pizza. The example below shows a potential domain impersonation where an attacker has registered the .io domain. If the organization in question has not configured DMARC, the name of the organization being impersonated can be absolutely identical to the “genuine” brand name. Just because a brand might own the .com and .co.uk top-level domains doesn’t mean it automatically owns all possible alternatives. Attackers thereby have more opportunities than ever to register and impersonate “legitimate” root domains with new top-level domains. Finding and registering a top-level domain that ties in with the purpose of the organization in question – .finance might work for a bank, for instance – gives attackers a simple way to impersonate that company and target its employees, customers or suppliers.
Subdomain Subdomains can be employed to distinguish different services from one another within an overarching website structure. They are separated from the main root domain with periods. If you’ve ever visited an online property with a prefix like , you’ll have interacted with a subdomain. Using subdomains also raises the likelihood of confusing which domain constitutes the original “root”. A good example might be the address <[email protected]>. The root domain, , is positioned directly before the .com top-level domain. Here, “tessian” is a subdomain, but as it appears first and potentially looks legitimate, the address could be convincing to an employee. As with root domains, owning a domain name does not prevent malicious actors from deploying authentic-looking subdomains. Registering , for instance, might give attackers a legitimate-seeming but separate domain by which to impersonate employees and third parties affiliated with the company in question. A cunning example of subdomain impersonation is shown in the below example. Here, someone impersonating a third party supplier has used subdomains to break a legitimate company’s brand name into two, creating the domain.
Domain impersonations: summary The bottom line of all this? Effectively, anyone in control of an email server can dupe recipients into thinking a fraudulent email is legitimate, easily bypassing SEGs and other security protocols. In many ways, email attacks have never been easier. It might seem alarming that impersonating a domain is so easy to accomplish. The reason impersonations are so surprisingly simple is down to deficiencies in the legacy email security services many organizations employ to defend against them. Attackers know all about the flaws and loopholes in SPF, DKIM and DMARC, and about the ways in which domain registrations can be exploited. These email threats are not going away. Organizations need to move away from network and endpoint security frameworks and embrace technologies that tackle the heart of the issue: the impersonation itself. Tessian Defender takes into account factors like an email’s language, and the historic relationship between the email’s sender and receiver, in order to judge whether an email could be the product of an impersonation. If Tessian judges that an impersonation is taking place, real-time contextual notifications are placed within the email client, warning the employee that something looks fishy. The final decision on whether or not to proceed as normal is down to the employee. Tessian learns and adapts to threats by focusing on people’s behaviors and relationships, preventing advanced impersonation spear phishing attacks and other forms of security risk like data exfiltration and data breaches caused by human error. Speak to an expert and learn more here.
Spear Phishing
Inside Email Impersonation: the Danger of Display Names
18 September 2019
A single spear phishing email can deeply damage your organization’s cybersecurity. After a data breach, credentials could be compromised and systems left unguarded, all as the result of someone’s failure to detect an impersonation of a colleague, supplier or partner. What makes the threat of impersonation especially worrisome is the fact that you don’t have to be a highly skilled cybercriminal to impersonate someone on email. In fact, many kinds of impersonation are startlingly simple. In this post we’ll cover display name impersonation, perhaps the easiest way for an attacker to dupe employees and extract money, data and/or credentials from enterprises.
What is display name impersonation? Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Display name impersonations are often combined with domain impersonations to execute sophisticated impersonation attacks, which use social engineering to threaten organizations’ most sensitive data and systems. How do attackers manipulate display names? Even for people with little or no technical knowledge, impersonating a display name is very easy: the operation can be carried out within almost all major email clients. Here, we’ll take you through how to do this with Gmail:
This approach is especially effective on mobile devices (pictured above), because the From: email address is hidden on mobile screens. Very little work has gone into creating a potentially convincing impersonation that could fool busy, distracted employees – especially if the sender being impersonated is a high-ranking executive or a demanding supplier. With CEO fraud losses totalling more than £14m in the UK in 2018, organizations should be aware of the growing threat of executive impersonations. Attackers can also change a sender’s display name to include both a genuine-seeming name and email address, such as “Thomas Edison <[email protected]>”. In this case, the attacker is betting the target won’t notice that the email address they see first isn’t actually the address from which the email was sent.
Why are impersonations so easy to carry out? Email is an extraordinary tool that offers effectively free communication to billions of people around the world. But email was never designed to cope with the sheer volume of traffic we now see on a daily basis (almost 125 billion business-related emails were sent per day in 2018). Simplicity is a core ingredient of email’s success. But being so simple means it’s dangerously easy for malicious actors to take advantage of inbuilt vulnerabilities. Email as a channel has many vulnerabilities, but despite being a multibillion-dollar industry in its own right, email security products – and the protocols that underpin email infrastructure more generally – have historically done a poor job of preventing impersonations. Organizations that have spent energy configuring DMARC, DKIM and SPF cannot rest on their laurels: authentication tools like DMARC are limited in their scope and are unable to prevent display name impersonation attacks. The legacy tech problem For decades now, Secure Email Gateway (SEG) products have defended organizations’ networks from attacks. The main methods of defense employed by SEGs are: Payload inspection like scanning URLs and attachments. (Attackers know that zero-payload attacks, which rely on social engineering techniques to persuade targets to take dangerous actions, are much more likely to evade SEGs’ defenses.) Spam and “bulk” phishing prevention. (By focusing on past known attacks and basic email characteristics like domain authentication, these techniques fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.) Rules to prevent impersonation. (Basic rules can prevent simple email impersonation attacks by detecting newly registered domains, different sender/reply-to addresses, etc.) SEGs were designed to protect networks and devices from inbound cyberattacks. More or less, they still do a good job of defending against the bulk spam and phishing scams that were so prevalent years ago. The problem? They are not flexible and intelligent enough to identify anything but the most basic impersonations. Being able to inspect suspicious URLs and attachments doesn’t help when an advanced impersonation spear phishing attack consists only of persuasive, urgent language to coerce an employee into taking a dangerous action like transferring money. Blacklisting known examples of names and addresses used in phishing attacks only prevents attacks that have been reported already; any new spear phishing or impersonation attack will bypass these perimeters. Meanwhile, rule-based email security services are limited by the ability of system administrators to continually update rules based on new edge cases and evolving threats. Static rules do not equip enterprises with the ability to identify and predict new anomalous email attacks in real time. SEGs find it hard to deal with advanced email threats, and even “simple” display name impersonations pose them serious challenges. Using rudimentary logic to determine whether a display name is “close” to the display name of an employee doesn’t work for external impersonations, for example. In addition, rules that trigger when (for example) a display name has one or two characters that are different from a genuine employee’s name are inherently limiting. Attackers are able to easily reverse engineer SEGs and find ways around their defenses. So should enterprises be looking elsewhere to defend their email environments? Display name impersonations: a summary For attackers, changing a display name is startlingly easy. The combination of display name impersonation with domain impersonation can lead to very sophisticated spoofing attacks that can have seismic repercussions for enterprises and the sensitive information they control. Cyberattacks continue to evolve and become more dangerous. But security products like Tessian Defender offer a way to combat display name (and other) impersonations. Using machine learning, Defender learns and adapts to threats by analyzing behavioral and communication patterns on email, preventing advanced impersonation spear phishing attacks before they wreak havoc within organizations. Every email employees receive is analyzed for anomalies: this might be the use of language, prior communications with the email’s recipients, discussion of sensitive topic areas, and many more factors besides. (This applies whether the email is from a colleague or from an external partner.) With this information to hand, Tessian’s algorithm predicts which emails represent a danger to the employee and the organization. Real-time notifications let employees take the right course of action before the threat can harm their employer’s defenses. Organizations need to respond by investing in products that are designed to deal with a newly advanced generation of cyber threats. Speak to an expert today to learn more.
Spear Phishing
How to Catch a Phish: a Closer Look at Email Impersonation
20 August 2019
Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly more difficult to spot. What is spear phishing? A variety of terms are used to describe inbound email attacks ranging from spoofing, phishing, spear phishing and whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology: Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication. Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are often easy for clued-up individuals or email security policies to detect. Spear Phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these too, are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts. Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief (“c-level”) executives and board members.
What does a spear phishing email look like?
Spear phishing emails have four key components: Target: spear phishing attacks are directed at specific employees or groups, oftentimes those with access to money, sensitive systems or powerful people. For example, accounts payable departments and executive administrators are frequently targeted. Criminals may also target new hires and other “quick-to-click” employees, exploiting their desire to act fast on any requests or assignments. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from Linkedin career updates to employee details on company websites. Intent: in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests﹘like a wire transfer﹘will appear authentic and usually get the target to complete the desired action. [Read more on how trust can be manipulated by tech in our report “Why People Make Mistakes”] Impersonation: at the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals often impersonate an influential or powerful person﹘like a CEO﹘or a trusted company﹘for example, Microsoft ﹘in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear phishing. Payload: spear phishing emails may contain some form of payload to engage the target. Basic impersonations include obvious payloads like links and attachments that appear legitimate, but which are in fact malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.
Advanced impersonation spear phishing falls into three categories.
Why is spear phishing so dangerous? Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on-the-go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices. Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses – small and large – around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover. How do you prevent advanced impersonation spear phishing? Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine layer methods: Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence. Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g. domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems. Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc). While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyses historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption. To learn more about Tessian or book a demo of Tessian Defender, contact us here.
Spear Phishing
Why DMARC is Not Enough to Stop Impersonation Attacks
By Laura Brooks
30 July 2019
The UK’s National Cyber Security Centre (NCSC) reported that in the past year, it has stopped 140,000 phishing attacks and taken down more than 190,000 fraudulent websites. In its second annual report on the Active Cyber Defence (ACD) program, the NCSC details how its use of Synthetic DMARC has stopped sophisticated phishing operations, including one in which hackers used a gov.uk domain to impersonate an airline organization. While this approach of synthesising DMARC records has proven to be effective in stopping spoof email campaigns so far, the NCSC’s report also describes it as “an evil hacky kludge,” adding that more needs to be done to express policy ownership in domain hierarchies. Here, we address the shortfalls of DMARC and email authentication records, and consider what more can be done to stop strong-form impersonation attacks. A necessary first step 95% of all attacks on enterprise networks are the result of successful spear phishing, which often involves an attacker directly impersonating the email domain of the receiver. For example, any attacker could send an email from your business email domain to an employee at your business, and the recipient would have no way to validate the sender’s authenticity in the absence of authentication records. SPF and DKIM are email authentication records that, in short, allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how the client responds to emails that fail SPF or DKIM checks (generally reject, quarantine, or no action.) SPF, DKIM, and DMARC are essential for preventing direct impersonation of your organization’s email domain. All email domains – especially those of trusted brands – are at risk of direct domain impersonation, regardless of past threat activity. The darker side of DMARC However, DMARC has its downsides. And while the NCSC has encouraged more UK businesses and government agencies to adopt DMARC, the report doesn’t shy away from bringing these shortfalls to light. 1. DMARC configuration is time-consuming and resource intensive The NCSC report states that “for any enterprise of a decent size, implementing DMARC is often a long process”  and that “implementing DMARC is a lot harder than people will have you think.” Strict DMARC policies can, if misconfigured, block the delivery of real, legitimate emails. As a result, the ACD recommends organizations take time to digest DMARC reports and investigate the nuances of their mail infrastructure, before gradually moving to a more protective DMARC policy. Unfortunately, this process takes many organizations well over a year. 2) DMARC records are publicly available; attackers can work around them DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. For example, DMARC doesn’t protect against indirect impersonation, or domains that are similar to yours (e.g. @tassian.com, @tessian.outbound.com, @tessian.email). There are thousands of ways an attacker can make a new domain look similar enough to your domain to fool members of your organization. These new, legitimate domains are unprotected by DMARC. Perhaps because of DMARC’s public nature and the vulnerability of indirect impersonation, ACD data has yet to establish a causal link between increased DMARC adoption and decreased phishing. 3) External domains remain a threat Configuring DMARC and other email authentication records are necessary measures for preventing attackers from directly impersonating your organization’s email domain. Unfortunately, a high percentage of the emails your employees receive likely come from the domains of other organizations, such as partners, vendors, customers, and government bodies. Given that other organizations are unlikely to have authentication records in place, employees remain vulnerable to direct impersonation of their external contacts. Email authentication records and policies, then, are only a small piece of the puzzle for protecting your organization against spear phishing attacks. Impersonation is a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?” Tessian Defender uses stateful machine learning models to analyze historical email data and understand relationship context, which means we can automatically detect the impersonation of both internal and external parties.
Page