Spear Phishing
How to Prevent and Avoid Falling for Email Spoofing Attacks
By Maddie Rosenthal
25 February 2020
Email spoofing – also known as a domain spoof or direct spoof – is a type of phishing attack in which an attacker sends an email that appears to be from a legitimate source. These emails are sent with the intention of tricking the target into following a link, downloading an attachment, or performing some other action that will result in the attacker capturing login details or other sensitive information, such as banking or credit card details. While some spoofed emails may be flagged by inbound security solutions, they are often mistaken for legitimate emails, which can lead to serious consequences for both individuals and businesses. This blog explores how and why email spoofing works, how to identify spoofed emails, and what you can do to protect yourself and your organization from such attacks.

What does a spoofed email look like?

While email impersonation attacks often rely on barely perceptible misspellings, spoofed emails appear to be sent from the real domain, look genuine to most users, and can bypass spam filters and security tools. For example, a bad actor might craft an email that appears to be “from” a well-known courier service which, for the purposes of this example, has not set up DMARC. The email claims there was a problem with your delivery and that you must follow a link to log in and confirm your details. Savvy recipients may look for display name impersonations, but because this is a domain spoof, they won’t notice any inconsistencies.
And if such an email is sent to many thousands of users (a common technique when sending phishing emails), the chance increases that at least one recipient is expecting a delivery from the spoofed courier and will therefore do what the email instructs.

Incidents of email spoofing

Email spoofing is on the rise. The FBI’s 2019 Internet Crime Report states that the agency received complaints of spoofing attacks from over 25,000 victims last year alone, making it the fifth most popular form of cybercrime. The total loss reported by these victims was over $300,000,000.

How does email spoofing work?

Email spoofing attacks succeed simply because people assume that the information in email headers – specifically about where the email comes from – is trustworthy. The reality is that the original protocols that still underpin email, such as the Simple Mail Transfer Protocol (SMTP), were never designed to authenticate sender information. In other words, there is no inherent way to confirm that an email comes from the address specified in the Sender field of the email header.

When an email is sent, the initial connection to the receiving mail server carries two parameters, MAIL FROM and RCPT TO, which specify the address the email is sent from and to, respectively. These parameters are commonly known as the “envelope” of the email. However, there are no default checks on the MAIL FROM parameter to ensure that the connecting mail server is authorized to send email on behalf of that domain. So if the RCPT TO parameter is valid, the receiving server indicates it will accept the email, and the sending server proceeds with the rest of the message, including the From, Reply-To, and Sender header fields, which are likewise not checked by default. An attacker with the right tools at their disposal can therefore easily create and send emails as if they were someone else.
This is not hard to achieve, and there are many tools available to do it. They can also create a legitimate-seeming link in the email that, if followed, takes the recipient to a server under the attacker’s control.

Spoofed emails from the attacker’s perspective

The easiest way to explain how an attack might unfold is to describe it from the attacker’s perspective.

Example scenario: An attacker of moderate skill decides to launch a phishing attack on a company. The attack takes the form of an email asking the recipient to read and indicate acceptance of a company security policy update, which is a document attached to the email. The file contains malicious code that gives the attacker a foothold on the machine of anyone who opens it.

Target: Copper Duck, a finance company. Copper Duck hasn’t configured DMARC, nor does it have other protections in place.

Objective: The attacker’s aim is to run malicious code on Copper Duck machines in an attempt to gather information about the company network that will uncover further vulnerabilities, and also to capture usernames and passwords. The ultimate goal is to gain access to Copper Duck’s sensitive financial and personal data.

Research: The attacker researches Copper Duck and, from publicly available information, discovers that it has not published a DMARC record for its domain, @copperduck.com. They also search for Copper Duck email addresses in public repositories so they can copy the header and footer formatting. Additionally, they look for any other information, such as employee names and job titles on LinkedIn, that could help them target the attack and create a believable email.

Attack preparation: The attacker can obtain phishing kits and code suited to their purpose on the dark web. There are many such kits, and while it only takes moderate skill to launch a phishing attack, these make it even easier.
They compile a list of email addresses to target, sometimes from addresses discovered in the public domain, or by making informed guesses. For example, if the attacker has a number of addresses in the form [email protected], it’s likely that other employee addresses follow the same format. Once they have the list, the attacker creates the phishing email and the attachment containing the malicious code. Because Copper Duck has not implemented any method to protect its domain from spoofing, the attacker can easily forge the Sender and other information in the email header.

The attack: The emails are sent early in the morning on a weekday, to arrive shortly before employees begin working through their inboxes. Every employee who clicks the link and opens the document activates the malicious code it contains. It runs on their machine and sends any sensitive data it can find back to the attacker. Even if not every employee clicks through, there is a good chance that at least one will, and one is all it takes for an attacker to gain a foothold in the network.

Bonus: The time of day an email is sent is one of many factors attackers may consider; there are several circumstances in which an employee’s ability to make the right cybersecurity decision may be impaired. Read the full report here.

What if there are protections in place?

If Copper Duck used DMARC or a mail application that scanned attachments for malicious code, this would make life more difficult for the attacker, but not impossible. As previously mentioned, they could register a domain almost identical to Copper Duck’s (for example, copper-duck.com or coppperduck.com) and prompt the user to follow a link to a server under their control instead. And protections like DMARC only stop spoofs of your own domain; they won’t protect against every spoof you might receive (for example, a spoof of one of your suppliers).
This means you have to be vigilant both as a consumer and as an employee when it comes to protecting yourself from these types of attacks.

What can you do to protect yourself from email spoofing attacks?

Phishing attacks employing spoofed emails are inevitable. So how can you spot them, what should you do when you’re targeted, and how can a business protect itself against the threat they pose?

As a private individual…

- Watch for emails that try to instill a sense of urgency in the reader. Attackers often rely on inspiring fear or worry to get their targets to act in the way they want.
- Get into the habit of reading emails thoroughly and exercising caution, especially if they contain a call to action, such as following a link, downloading an attachment, or sharing sensitive information.
- If you have any reason to doubt an email’s legitimacy, such as poor spelling or an unusual tone of voice, check the email address it was sent from, not just the Sender field or display name.
- Also check any links the email contains for grammatical errors or suspicious URLs.
- Perhaps most importantly, do not open attachments or follow links that prompt you to log in unless you are absolutely sure they are legitimate. In the case of links, you’re better off searching for the organization and following links directly from its website.

As an employee…

- In addition to all of the precautions listed above, report suspected phishing attacks through the normal channels, such as your system administrators or IT helpdesk.
- If you suspect you have fallen victim to a phishing attack, again, report it as soon as possible. Everyone makes mistakes, and the better phishing attacks can be hard to spot. The quicker you report it, the better the chances of remediating the situation.
For IT and security teams, oversight is essential

As a business…

- Set up proper DMARC records with a quarantine or reject policy, and use other protections such as SPF to help identify spoofed emails before they arrive in your inboxes.
- Train your employees to spot phishing emails by sharing information with them, such as this article.
- Actively encourage employees to report attacks. It is especially important that they feel they can come forward if they’ve fallen victim to one, without fear of blame. This is why creating a positive security culture is paramount.

Unfortunately, though, DMARC, training, and a positive security culture simply aren’t enough. Cybersecurity strategies have to account for the fact that DMARC doesn’t stop domain lookalike impersonations, training is ineffective in the long term, and people won’t do the right thing 100% of the time. To combat the threat of email spoofing, security teams should also deploy enterprise-level security applications to identify and block phishing attacks, such as Tessian Defender.

What is Tessian Defender?

Tessian Defender is powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender not only to detect, but also to prevent a wide range of advanced phishing scams, including email spoofing attacks. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts.
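The gap between the SMTP envelope and the message headers described under “How does email spoofing work?”, and the DMARC quarantine/reject advice in the business checklist above, can be seen together in a small receiver-side check. The script below is an added example, not code from the article or from Tessian. It parses a constructed message, compares the envelope sender (which a receiving server records as Return-Path) with the header From domain, looks the From domain’s DMARC policy up in a fake DNS table, and applies identifier alignment to reach a disposition. The SPF and DKIM outcomes are passed in as assumptions rather than computed, the messages and DNS records are constructed, and `org_domain` is a two-label approximation of the Public Suffix List lookup real implementations use.

```python
"""Check a received message against the From: domain's DMARC policy.

Added example: not the article's or Tessian's code. The sample messages,
the fake DNS table and the SPF/DKIM outcomes are constructed; a real
receiver queries DNS for _dmarc.<domain> and computes SPF and DKIM from the
connecting host and the signature itself.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records. The courier in the article has no _dmarc record at
# all; copperduck.com publishes one, but with the monitoring-only p=none.
FAKE_DNS = {
    "_dmarc.copperduck.com": "v=DMARC1; p=none; rua=mailto:dmarc@copperduck.com",
    "_dmarc.example-bank.com": "v=DMARC1; p=reject; aspf=s; adkim=s",
}

# Constructed spoof: the envelope sender (MAIL FROM, surfaced as Return-Path)
# is an unrelated host while the header From: claims copperduck.com.
# Plain SMTP accepts both without question.
SPOOFED_MSG = """Return-Path: <bounce@mailer-for-hire.example>
From: Copper Duck IT <it-security@copperduck.com>
To: employee@copperduck.com
Subject: Security policy update - please confirm

Please read the attached policy and confirm acceptance.
"""

LEGIT_MSG = """Return-Path: <bounce@copperduck.com>
From: Copper Duck IT <it-security@copperduck.com>
To: employee@copperduck.com
Subject: Security policy update

Please read the attached policy.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def is_enforcing(record):
    """True only for the p=quarantine / p=reject policies the article recommends."""
    return parse_dmarc(record).get("p") in ("quarantine", "reject")


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    fine for example.com-style names; production code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def evaluate(raw_message, spf_pass, dkim_domain=None, dns=FAKE_DNS):
    """Return (disposition, reason); disposition is 'deliver', 'quarantine' or 'reject'.

    spf_pass: whether SPF passed for the envelope (Return-Path) domain.
    dkim_domain: the d= domain of a valid DKIM signature, or None.
    """
    msg = message_from_string(raw_message)
    header_from = domain_of(msg.get("From"))
    envelope_from = domain_of(msg.get("Return-Path"))
    record = dns.get("_dmarc." + header_from)
    if record is None:
        # Nothing to check against: SMTP alone cannot tell a forged From: from a real one.
        return "deliver", "no DMARC record for %s (envelope from %s)" % (header_from, envelope_from)
    tags = parse_dmarc(record)
    # SPF only helps DMARC when the envelope domain aligns with the header From domain.
    spf_ok = spf_pass and aligned(header_from, envelope_from, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver", "DMARC pass"
    policy = tags.get("p", "none")
    return ("deliver" if policy == "none" else policy), "DMARC fail, policy p=%s" % policy


if __name__ == "__main__":
    print(evaluate(SPOOFED_MSG, spf_pass=True))   # p=none: delivered despite failing
    hardened = {"_dmarc.copperduck.com": "v=DMARC1; p=reject"}
    print(evaluate(SPOOFED_MSG, spf_pass=True, dns=hardened))   # same message, now rejected
    print(evaluate(LEGIT_MSG, spf_pass=True))     # aligned envelope: DMARC pass
```

Note that the spoofed message is evaluated with `spf_pass=True`: SPF can pass for the attacker’s own envelope domain, and it is the alignment with the header From domain, combined with an enforcing `p=` value, that actually stops the message. A `p=none` record gives reporting but no protection, which is why the checklist asks for quarantine or reject.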
Spear Phishing
How to Identify and Prevent Phishing Attacks
13 February 2020
Imagine you receive an email from FedEx with the subject line: You Missed a Delivery. Because you had, in fact, recently placed an order online and are expecting a delivery, you immediately open the email and follow the link to track your package. Everything about the email looks exactly as you’d expect it to; you recognize the sender as FedEx, the FedEx logo appears in the signature, the email itself is addressed to you, and it seems to contain information related specifically to you and your delivery. But, after following the link, your computer begins to slow and, behind the scenes, malware is consuming large chunks of your computer’s information, including personal data like saved credit card information and contact lists. What happened? You’ve fallen victim to one of the oldest and most prevalent cyber attacks in the book…phishing.

What is phishing?
Although the technique was first described in a paper by HP back in 1987, the term “phishing” was actually coined in the mid-90s in a Usenet group for AOL by the well-known hacker Khan C Smith. Shortly thereafter, the term appeared for the first time in the AOHell hacking tool, which was used to generate and send fraudulent spam “from” AOL’s customer service team to users, tricking them into revealing passwords, birthdates, social security numbers, and more. While there are dozens of different “types” of phishing schemes that rely on different methods of obtaining data, the following criteria help define this type of cyber attack:

- The sender is impersonating another person or company
- The content of the correspondence motivates users to act
- The message isn’t highly personalized and is sent to large numbers of people
Is phishing really a problem?

It’s been over two decades since the first phishing attack, and today most of us are attuned to what less sophisticated impersonations look like – for example, fake Nigerian princes asking targets for bank details in return for a share of their fortune – but the threat is evolving and the stakes are higher than ever. Amazon, Apple, Booking.com, PayPal, Target, and Qatar Airways have all made headlines in the last several years because of successful phishing campaigns in which attackers impersonated their brands and targeted their customers. While it’s difficult to quantify the total cost to individuals and the reputational damage inflicted on the spoofed brands, these scams negatively impacted tens of millions of people.

The fact is, we’re spending more time online creating and sharing more data than ever before; employees now spend 40% of their screen time on email, which is why phishing is just as big a problem for businesses as it is for consumers. While the intent and top-level tactics employed by bad actors can be the same for these two types of targets, the brands impersonated often differ. Why? Because employees tend to trust and interact with different types of brands and are motivated by different types of content. For example, while news of a missed delivery from FedEx might motivate a consumer, an employee is more likely to trust an email from Microsoft and will, therefore, be more motivated to follow a link to a login portal for Office 365. This is why Microsoft is consistently a favorite amongst phishers.
Phishing tools and techniques

Surprisingly, cybercriminals don’t actually need an arsenal of technical skills to create a successful phishing campaign. Phishing kits are readily available on the dark web and contain everything a “bad guy” needs to hook a phish, including source code, images, scripts, spamming software, and sometimes even lists of email addresses to target. In short, these kits make it easy for anyone with a bit of IT knowledge to clone a webpage and host their own look-alike version. From there, attackers can (and do) effectively harvest data that unsuspecting victims enter into mirror versions of legitimate, branded login pages. Again, Microsoft tends to be a go-to, with 62 phishing kit variants used to target the brand’s users within an observation window of just 262 days. Of course, even without a phishing kit, it’s not terribly difficult to design a convincing email template that instills enough trust and confidence in targets that they click a link, send a reply, or complete a form. What’s more, not all phishing schemes rely on look-alike pages. Some attackers simply need to buy (or create) malware.

Impersonation 101

As we’ve mentioned, at the core of every phishing attack is email impersonation. So, how do you successfully impersonate a person or brand? Let’s use the FedEx example and imagine that the only legitimate email address associated with the brand is [email protected] While cybercriminals can actually replicate that exact email address by spoofing the fedex.com domain, it’s risky. To start, many major brands have adopted DMARC email authentication, which could prevent someone from directly spoofing their domain. But with risk comes reward: recipients of emails sent from spoofed domains have no way of knowing that an email wasn’t actually sent from its apparent sender.
Nonetheless, it’s more common for attackers to use domain variations that in some way resemble the authentic email address. The easiest way is to simply change the display name. Anyone – yes, anyone – can change their display name via their email account settings. That means that someone using an email address that’s in stark contrast to [email protected] can still use the display name FedEx Customer Service.
Likewise, attackers can register domains with the specific purpose of impersonating a legitimate company. There are dozens of phishing domain tactics, including registering domains that differ from the authentic domain by a single letter and creating convincing subdomains, top-level domains, or root domains.
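As an added illustration of the display-name and domain-variation tactics just described (this is not code from the article or from Tessian), the script below classifies inbound From: headers against a constructed table of trusted brands. It flags display names that borrow a brand, registrable domains within one edit of a trusted domain (after folding hyphens and non-ASCII look-alike letters), and trusted names embedded inside an unrelated domain. The `TRUSTED` table, the sample headers and the two-label `registrable` approximation are all assumptions; a genuine sender from a trusted domain is deliberately left alone, because only DMARC (not string matching) can tell a true domain spoof from the real thing.

```python
"""Flag inbound From: headers that impersonate a trusted brand by display name,
typosquatted domain, or a trusted name buried inside an unrelated domain.

Added example, not code from the article or from Tessian. The trusted-brand
table and the sample headers are constructed; in practice the table would hold
the organization's own partners and the brands its staff routinely receive mail from.
"""
import unicodedata
from email.utils import parseaddr

# Constructed: registrable domain -> brand name as it would appear in a display name.
TRUSTED = {
    "fedex.com": "FedEx",
    "copperduck.com": "Copper Duck",
    "microsoft.com": "Microsoft",
}


def edit_distance(a, b):
    """Levenshtein distance; a typosquat such as coppperduck.com is 1 away from the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(text):
    """Lower-case, drop non-ASCII characters (a Cyrillic look-alike letter then counts
    as a missing letter and shows up as edit distance 1), and drop hyphens and spaces
    so that copper-duck.com compares equal to copperduck.com."""
    ascii_only = unicodedata.normalize("NFKD", text.lower()).encode("ascii", "ignore").decode()
    return ascii_only.replace("-", "").replace(" ", "")


def registrable(domain):
    """Last two labels; an approximation (production code uses the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def classify(from_header):
    """Return a list of (finding, evidence, trusted_domain) tuples for one From: header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if not domain or domain in TRUSTED:
        # Exact trusted domain: string checks cannot distinguish a real sender from a
        # direct spoof; that is DMARC's job.
        return findings
    reg = registrable(domain)
    for trusted, brand in TRUSTED.items():
        brand_key = normalize(brand)
        if reg != trusted and edit_distance(normalize(reg), normalize(trusted)) <= 1:
            findings.append(("lookalike-domain", domain, trusted))
        elif trusted + "." in domain or brand_key in normalize(domain):
            # e.g. fedex.com.parcel-status.example or secure-fedex-login.example
            findings.append(("brand-in-domain", domain, trusted))
        if brand_key in normalize(display):
            findings.append(("display-name-impersonation", display, trusted))
    return findings


SAMPLE_HEADERS = [  # constructed
    "FedEx Customer Service <no-reply@random-mailer.example>",
    "IT Security <it@coppperduck.com>",
    "Copper Duck HR <hr@copper-duck.com>",
    "Delivery Status <track@fedex.com.parcel-status.example>",
    "Support <help@fede\u0445.com>",   # Cyrillic kha (U+0445) in place of Latin x
    "FedEx <no-reply@fedex.com>",      # genuine domain: nothing for this check to flag
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", classify(header) or "clean")
```

The edit-distance threshold of 1 is deliberately tight to keep false positives low on short brand domains; a team that sees two-character substitutions (such as `rn` for `m`) can add those as explicit confusable pairs in `normalize` rather than raising the threshold.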
Playing the odds

Once the email itself has been crafted, it has to be disseminated. Importantly, time is of the essence. Since phishing by definition relies on a large pool of targets, it’s vital that the email is sent to as many unsuspecting victims as possible before the domain and/or servers used by the attacker are blacklisted. Phishing campaigns can be identified by the IP address and domain they’ve been sent from, which means that once a domain or IP address is known to be associated with malicious emails, email systems will redirect the email to a junk folder or reject it altogether.

Let’s consider the odds. Phishing attacks have a 3% click rate. If the email is sent to 100 people, only 3 of them are statistically likely to open a malicious link or download a malicious attachment. If the email is sent to 1,000 people, 30 of them might fall for the scam, and so on. More targets mean more opportunity for success.

An introduction to payloads

Cybercriminals go to great lengths to deceive their targets, almost always with the intent of extracting data or infecting computers. As we’ve mentioned, data can be “extracted” by way of look-alike sites that rely on the victims themselves willingly (albeit unknowingly) following a link and entering information. But data can also be captured over an extended period of time via an attachment that’s downloaded or installed. In the world of cyber attacks, these harmful links and attachments are called malicious payloads. When these malicious payloads take the form of an email attachment, they often fall under the larger umbrella of malware. It’s important to note, though, that not all phishing emails rely on malicious payloads. Zero-payload attacks simply use coercive language to implore the target to reply to or action a request, whether that be handing over an account number for an invoice or sharing credentials to a security tool.
These types of attacks – often seen in more sophisticated schemes – are especially disquieting because cybercriminals are able to circumvent and evade legacy tools, payload inspection systems, spam filters, and secure firewalls. Needless to say, there’s more than one way for bad actors to get whatever it is they’re after – from money to credentials – and as these payloads become more sophisticated, they’re harder for people and security software solutions to spot.

Consequences of a successful phishing attack

Today, phishing attacks are the most persistent threat to cybersecurity, with a marked 250% increase in frequency from 2018 to 2019 according to Microsoft’s annual Security Intelligence Report. That means that this year, you’re almost 3x more likely to have a phishing email land in your inbox than you were last year. So, what happens if you’re one of the 3% that falls for a phishing attack? The consequences are virtually limitless, ranging from identity theft to a wiped hard drive. Unfortunately for the average person, the phishing business is becoming more and more profitable for cybercriminals as the price tag for personal information continues to increase. But the consequences for businesses can be even more devastating, especially when you consider that the average cost of a data breach in 2019 was an incredible $3.92 million, a 1.5% increase from 2018. Needless to say, phishing is the number one cause of these types of breaches. In particular, spear phishing, phishing’s more targeted, personalized, and often more damaging counterpart.

Phishing vs. spear phishing

At face value, phishing and spear phishing seem almost impossibly similar. After all, the intent is identical. But there are two key differences. While a phishing campaign casts a very wide net and is relatively easy to execute, spear phishing campaigns are targeted at fewer people, and with more personalized correspondence. Spear phishing requires more thought and time to successfully execute.
In addition to the tactics that we see employed in phishing, bad actors in these more customized attacks will use information from company websites, social media, news articles, and more to engineer an email that’s believable, even to someone who’s been through extensive security awareness training. Oftentimes, cybercriminals impersonate someone in an authoritative position – for example, the CEO or a line manager – because employees tend to be less likely to question their superiors, are generally keen to help someone in power, and tend to act with a greater sense of urgency.
Zero-payload attacks like the one shown above can be particularly effective because a bad actor is able to build rapport with the victim by posing as a co-worker or superior, sometimes over a series of emails.

How can you spot and stop phishing attacks?

Unfortunately, innovation in email hasn’t evolved in tandem with the fast-paced digital transformation, which is one reason why reports of phishing attacks have continued to increase year-on-year. 6.4 billion fake emails will be sent today alone. Because this number continues to grow, it’s quite clear that spam filters, antivirus software, and other legacy security solutions aren’t able to keep pace with attacks that are becoming more and more complex by the day. That’s why it’s so important that individuals are scrupulous and inspect attachments and links before they’re downloaded or clicked. In particular, we recommend that you:

- Review the email address of senders and look out for impersonations of trusted brands
- Always inspect URLs in emails for legitimacy by hovering over them before clicking
- Beware of URL redirects and pay attention to subtle differences in website content
- Remember that genuine brands generally won’t ask you to reply divulging sensitive personal information. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply

But what about businesses?

While staff training, blacklists, URL and attachment inspection systems, and legacy rule-based solutions may be enough to block some phishing attacks, they aren’t always capable of stopping the more sophisticated incarnations. Even Secure Email Gateways (SEGs) – which were designed to stop high-volume spam and keep inboxes safe from malicious emails – can’t always identify more advanced, targeted attacks, in particular zero-day attacks, zero-payload attacks, and spear phishing attacks.
Businesses need to protect their human layer

The tactics employed by legacy solutions – namely identifying malicious payloads and flagging blacklisted domains – are simply ineffective against the advanced impersonation tactics used by cybercriminals in spear phishing attacks. When the attacker is pretending to be someone the target trusts, it becomes a human problem, not a filter or software problem. This is why 86% of data breaches are caused by human error. Businesses, therefore, need an adaptive, highly personalized tool that can help them detect impersonations on email in order to protect their users. That tool is Tessian Defender, and it’s powered by machine learning (ML). By learning from historical email data, Tessian’s ML algorithms can understand specific user relationships and the context behind each email. This allows Tessian Defender not only to detect, but also to prevent a wide range of impersonations, spanning more obvious, payload-based attacks to subtle, socially engineered ones. To learn more about how tools like Tessian Defender can prevent spear phishing attacks, speak to one of our experts and request a demo today.
DLP Human Layer Security Spear Phishing
A Year in Review: 2019 Product Updates
By Harry Wetherald
01 January 2020
2019 was a big year for email security. While the world did see a record number of data breaches (up 33% from 2018), we also saw tighter security-related policies and regulations drafted and implemented and, in general, an increased awareness amongst businesses about the importance of proactive security strategies. While we may be biased, it seems noteworthy that human error became more and more of a talking point in the cybersecurity space. In fact, human error and the importance of machine learning and artificial intelligence in protecting people has been one of the most talked-about trends by analysts going into the new year. Similarly, companies are waking up to the fact that humans are their biggest risk. It’s about time. After all, misdirected emails – emails accidentally sent to the wrong person – have been one of the top data security incidents reported under GDPR according to the Information Commissioner’s Office.

We believe it’s unreasonable to expect employees to do the right thing 100% of the time when it comes to making security-related decisions; people break the rules, people make mistakes, and people can be hacked. To err is human! What’s more, we have seen how quickly the threat landscape continues to evolve, which is why throughout 2019 we rolled out a series of important product updates that have kept our user base – which saw triple-digit growth over the last 12 months – safe. Here are the most important product updates to Tessian’s Human Layer Security platform for 2019.
1. Human error, quantified. The new Tessian Dashboard gives customers an at-a-glance view of breaches and near-misses on email

Keen to discover trends related to the number of breaches that were prevented by Tessian over the last 30 days? Our easy-to-navigate dashboard gives administrators a complete overview of activity, including any malicious and anomalous emails detected, misdirected emails prevented, and unauthorized email attempts thwarted. Module performance for Tessian Defender, Guardian, Enforcer, and Constructor is all visible on one page, and visual representations of data make it easy to monitor and drill down on activity day-by-day. If suspicious activity is spotted, you can quickly and easily generate a report without navigating off the page. The Tessian Dashboard also allows administrators to view user health at a glance, including the percentage of users active on the Add-in and Gateway and any connection issues across the network. This will help in-house security teams ensure every employee within their organization is protected by Tessian’s modules at all times.

2. Evolving algorithms. Tessian Defender can now detect and prevent more spear phishing attempts than ever

Throughout 2019, Tessian Defender was improved through a series of subtle but impactful tweaks to our algorithms to be even more adept at detecting spear phishing attempts, including advanced, difficult-to-detect direct spoof attacks. The fact is, bad actors are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks. It’s imperative that we stay ahead of the curve, hence the regular updates. Tessian Defender has improved over time – and will continue to improve – enabling the detection and prevention of even the most advanced spear phishing attempts.
3. Thwarted first attempts. It’s now even more difficult for employees to exfiltrate sensitive data

Tessian Enforcer can now detect the first attempt an employee makes to exfiltrate data over email. How? By inferring what is and isn’t likely to be authorized communication based on the vast amount of data Tessian’s ML algorithm was trained on, which doesn’t necessarily rely on prior email history of a particular email address. For example, if an employee attempts to send an email to their personal freemail account and that email address contains the employee’s first name or surname, Tessian Enforcer presents a warning to the user advising them that the behavior is potentially unsafe and prompting them to reconsider the action. Data exfiltration remains an incredibly unwieldy problem for businesses. Tessian gives businesses much-needed oversight of the problem over email.
4. In-situ learning opportunities. Employees have an opportunity to understand why an email is unsafe with contextual warnings

While Tessian prides itself on low flag rates so that security doesn’t impede productivity, we wanted to maximize the opportunity to educate users through our warnings. This way, when users do see a notification, they understand why. Improved warnings across all four modules were designed for a more user-friendly experience that seamlessly reinforces any previous or ongoing security training. With more context included, employees can now see exactly why an email is being flagged as suspicious and – importantly – they can make their own decision on how to proceed. This is at the core of Tessian’s mission. Employees should be empowered by security solutions instead of burdened by them.

5. New detection capabilities. Customers can create rules that are specific to their environment

Every business or enterprise is different, and IT and infosec leaders need some flexibility in creating filter conditions that apply specifically to their operations. Because we’ve introduced new detection capabilities, users can now combine more conditions to create filters for their individual use cases; for example, scanning attachment content, identifying hidden fields in spreadsheets, and reading Azure Information Protection and other DLP labels. At the most basic level, these rules look something like this: If A and B, then C, except when D or E. These variables can apply to a number of elements contained in an email, from the recipient(s) to language patterns. One way an administrator might use these new detection capabilities would be to configure a filter which only allows the finance team, for example, to share spreadsheets with people outside of their organization if the recipient’s email address is recognized as a customer, except when the attachment contains a hidden row titled “social security numbers”.
Protect your most valuable asset: your people

Tessian is committed to creating the world’s first Human Layer Security platform, and exciting developments lie ahead as we build out a holistic platform to protect people using email and, eventually, other interfaces frequently used in the workplace.

Not yet a Tessian customer?

Across four modules, Tessian protects the human layer by detecting and preventing both inbound and outbound threats. This includes advanced spear phishing attacks, accidental data loss, and data exfiltration. Tessian is quickly and easily deployed to Office 365, Exchange, and G Suite; product updates are seamlessly rolled out for users and administrators; and the technology – which doesn’t disrupt workflow – was built with productivity in mind. To understand how Tessian can fit into your existing security framework, request a demo now.
Spear Phishing
Whaling Email Attacks: Examples & Prevention Strategies
12 December 2019
95% of all attacks on enterprise networks are the result of successful spear phishing. But spear phishing can take many forms. One form is whaling, and it’s on the rise.
What is the difference between a spear phishing and whaling attack?

A whaling attack is a type of spear phishing attack targeted specifically at an executive like the CEO or CFO. Spear phishing is an advanced phishing attack directed at a specific individual or company, not necessarily an executive. Whaling attacks are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both humans and email defenses to catch. It’s important to note that whaling and CEO fraud are not the same, even though they are sometimes used interchangeably. Whaling attacks target high-ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear phishing attack where attackers impersonate a CxO or other senior leader.
Why are whaling attacks successful?
Whaling attacks can be easy to pull off. Attackers don’t need much capital, special equipment or a particularly advanced skillset. They often just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn.
CxOs are incredibly busy and under a tremendous amount of pressure. They most certainly have access to significant amounts of sensitive information, and likely have their attention divided across many parts of the business. Working at a fast pace, on the go or outside work hours can lead CxOs to make critical mistakes on email and be easily duped into thinking a whaling email is legitimate.
What’s more, CxOs might be less likely to attend security awareness training due to their busy schedules. More and more companies are investing in training, but busy executives could prioritize educating the staff over themselves, which keeps the business at risk. After all, one employee misstep can have serious consequences for an organization. And CxOs have a target on their backs due to the amount of sensitive company information that they hold.
How can a successful whaling attack hurt a company?
The motivation behind whaling attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences of whaling attacks:
Financial loss: Of course, a principal objective is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. Austrian aircraft parts manufacturer FACC AG lost €50 million when their CEO fell victim to a whaling attack and wired the money to what he thought was a trusted source. When second-order financial penalties like fines are taken into account too, whaling attacks can prove extremely damaging to organizations’ balance sheets.
Data breach: Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses. What’s more, data breaches are expensive to manage; the average cost of a breach is $3.86 million.
Fines: It’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183 million after a 2018 data breach.
Reputational damage: It’s harder to quantify on a balance sheet, but after a whaling-induced data breach, hard-won brand reputation could be put at serious risk. An email security failure can negatively affect an organization’s relationships with its customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult.
How can your organization protect against a whaling attack?
Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound email threats, like whaling, SEGs commonly rely on the following:
Payload inspection, such as scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence.
Spam and bulk-phishing prevention. These focus on past known attacks as well as basic email characteristics (e.g. domain authentication): they block emails containing blacklisted domains or IP addresses, and they block bulk emails. They fail to prevent advanced impersonation, which is low-volume and often uses domains and IP addresses that have never been seen before.
Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, or mismatched sender and reply-to addresses), but attackers have learned to evade these rules.
While SEGs can block malware and bulk phishing attacks, rule-based solutions struggle to stop advanced impersonation attacks and to detect external impersonations, which are common in whaling attacks. External impersonation is the impersonation of someone who belongs to a different organization than the target, such as a supplier or vendor.
Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Tessian Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyzes historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Tessian Defender can detect and prevent threats in real time with minimal end-user disruption.
Spear Phishing
What is Spear Phishing? Defending Against Targeted Email Attacks
08 December 2019
With legacy tools trapping more scatter-gun approaches to stealing data and money from organizations, spear phishing has become increasingly popular amongst the cybercriminal community. Part of the appeal is that it is extremely difficult to detect.
What is spear phishing?
What is the difference between phishing and spear phishing?
On the face of it, phishing and spear phishing attacks may seem similar; however, there are many differences. Phishing emails are sent in bulk and are relatively easy to execute by those with nefarious intent. Phishing attempts are generally after things like credit card data or login credentials and are usually a one-and-done attack. On the other hand, spear phishing is significantly lower in volume and much more targeted. A spear phishing attack is usually targeted at a specific individual within the organization and is highly personalized. What makes a spear phishing attack so effective is that it’s more difficult to spot that the email is malicious, as it often convincingly impersonates a trusted source known to the target.
Spear phishing is an attack that isn’t as difficult to pull off as you might assume. The research required for an effective attack isn’t much of a barrier either, due to the abundance of data that is available online. It is no exaggeration to say that spear phishing is the number one security threat facing businesses today. While every spear phishing attack is unique by its very nature, we will discuss some of the characteristics that can be seen in a spear phishing attack: the target, the intent, the impersonation and the payload.
The target
Spear phishing attacks often target staff with access to financial resources, critical internal systems, or sensitive information: specific employees or groups that have access to money, sensitive systems or important people within the organization. In addition to selecting their target by department, attackers will also select a target by their job title. New hires are also a frequent target for attackers, as they tend to be a bit more eager to please their superiors than colleagues who have been employed for some time. There is an abundance of valuable data available online for criminals to exploit to identify the best targets, from LinkedIn career updates to new employee details on company websites. Finally, new hires tend to lack an understanding of what normal email communication looks like within the company, meaning they have less knowledge of how internal email addresses should look and less insight into who the organization usually communicates with.
Once they have identified their target, the attacker can easily undertake further research to find out who the target regularly communicates with. Here, social media sites such as Facebook and Twitter can provide valuable information about roles, responsibilities and professional relationship structures within an organization. With this information, the attacker can create a credible narrative and personalize the email they send. This makes the victim far more likely to fall for the impersonation.
The intent
The intent of a spear phishing email usually falls within three specific areas:
Extract sensitive information
Install malware onto the network
Wire money to accounts that belong to the attackers
Criminals are on the hunt for sensitive information, like login credentials, medical records or bank codes, because any information, regardless of its type, has a value on the dark web. To get this data, attackers can use different tactics. They may try to deploy malware in the form of ransomware or keyloggers in order to invoke widespread havoc. Or attackers may use spyware, which is designed to sit, undetected, in the background and mine valuable data. Alternatively, attackers can take a more direct approach: request a wire transfer in a well-crafted email impersonating a familiar colleague, supplier or customer.
Attackers can also build relationships with their victims long before making any requests for money or information. Or they may send a very simple, casual email (“are you in the office?”) which can easily initiate an email exchange. Only after that do they strike with a follow-up email that includes requests for the target to wire money, send confidential information, or click on a payload. Generally, the email will contain deliberate language in both the subject header and body copy to establish context and intent, creating a feeling of urgency that helps trick the target.
The impersonation
There is always an element of impersonation in a spear phishing attack, whether it is impersonating an authoritative figure within the organization (for example a CEO or CFO), someone external (such as a trusted supplier or valued client), or a business unlikely to cause suspicion (such as Microsoft or PayPal). The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. Furthermore, the very fact that modern organizations generally deal with so many counterparties offers limitless possibilities to impersonate vendors or suppliers (external impersonations), making them very hard to detect.
Impersonating a display name is easy even for those with little technical knowledge and can be done quickly within almost all major email clients. Display name impersonation involves attackers setting an authentic-looking display name on their email account in order to mislead recipients. This approach has proven to be especially effective on mobile phones, as the email address of the sender is generally hidden when a user is accessing their inbox through a smartphone.
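The display-name trick described above, and the check a receiving filter can apply against it, as an added example that is not Tessian's code: the From header's display name is compared against a directory of known contacts, and a known name arriving from an address that contact has never used is flagged, as is the variant where the display name is itself an email address. The contact directory, the domains and the four sample messages are constructed for this example; a real deployment would build the directory from the organization's own mail history or directory service.

```python
"""Display-name impersonation check on the From header.

Added example, not Tessian's code. The contact directory, the domains and the
sample messages are constructed; a real deployment would populate the directory
from the organization's mail history or directory service.
"""
from email import message_from_string
from email.utils import parseaddr
import re
from typing import Dict, Optional, Set

# Constructed directory: display name -> addresses that contact is known to use.
RAW_CONTACTS: Dict[str, Set[str]] = {
    "Jane Doe": {"jane.doe@example-corp.com"},
    "ACME Billing": {"billing@acme-supplier.example"},
}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and sort tokens so 'Doe, Jane' equals 'Jane Doe'."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(sorted(tokens))


# Directory keyed by normalized name so lookups tolerate reordering and punctuation.
KNOWN: Dict[str, Set[str]] = {normalize_name(n): addrs for n, addrs in RAW_CONTACTS.items()}


def check_from(raw_message: str) -> Optional[str]:
    """Return a finding code for a suspicious From header, or None when nothing is amiss.

    "address-in-display-name": the display name is an address on a different domain
    than the real sender (what a phone shows is the fake address, not the real one).
    "known-name-unknown-address": the display name matches a contact in the directory
    but the sending address is not one that contact uses.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if not name:
        return None  # no display name, so nothing for a phone client to be misled by
    if "@" in name:
        name_domain = name.rsplit("@", 1)[1].strip().lower()
        if name_domain != addr.rsplit("@", 1)[-1]:
            return "address-in-display-name"
    known_addrs = KNOWN.get(normalize_name(name))
    if known_addrs is not None and addr not in known_addrs:
        return "known-name-unknown-address"
    return None


# Constructed sample messages (headers only matter for this check).
LEGIT = "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 numbers\n\nHi Bob, figures attached.\n"
SPOOF_NAME = "From: Jane Doe <jane.doe.ceo@free-mail.example>\nSubject: urgent\n\nAre you in the office?\n"
SPOOF_ADDR_IN_NAME = 'From: "jane.doe@example-corp.com" <x9@free-mail.example>\nSubject: urgent\n\nCall me.\n'
UNKNOWN_SENDER = "From: Random Person <someone@other.example>\nSubject: hello\n\nHi.\n"

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("spoofed name", SPOOF_NAME),
                          ("address as name", SPOOF_ADDR_IN_NAME), ("unknown sender", UNKNOWN_SENDER)]:
        print(f"{label:16} -> {check_from(sample)}")
```

The check deliberately stays silent for names absent from the directory: it is meant to catch impersonation of people the organization already knows, which is exactly the case where a mobile client hiding the address does the most damage.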
Domain impersonations are another popular technique, in which attackers spoof or impersonate an organization’s domain in order to appear legitimate. They look to circumvent security filters by impersonating recognized, trusted domains, whether at the root (i.e. [email protected]), top-level (i.e. [email protected]) or subdomain (i.e. [email protected]). Such complex domain manipulations are very hard for both humans and rule-based security solutions to detect. For instance, a commonly used rule is to calculate the number of different characters between two domains: “If the difference is smaller than 2, block the email.” Attackers have learned to use more complex domain manipulations to evade such a rule.
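The distance rule quoted above, and the root, top-level and subdomain manipulations that slip past it, as an added example that is not Tessian's code: `naive_rule_blocks` implements the quoted rule literally, and `classify` shows the checks a defender would layer on top, going slightly beyond the text by also folding common homoglyph substitutions. The trusted domain `example-corp.com`, the candidate sender domains, the homoglyph table and the two-label approximation of the registrable domain are all constructed assumptions; a production filter would use a public suffix list and a fuller confusable-character table.

```python
"""Lookalike-domain checks for inbound mail.

Added example, not Tessian's code. The domains and the homoglyph table are
constructed assumptions; a real deployment would use a public suffix list and a
fuller confusable-character table.
"""
from typing import Dict, Optional

# Character substitutions commonly seen in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def naive_rule_blocks(candidate: str, trusted: str) -> bool:
    """The rule quoted in the text: block when the character difference is below 2.

    A difference of 0 is the genuine domain, so only a distance of exactly 1 blocks.
    """
    return 0 < levenshtein(candidate.lower(), trusted.lower()) < 2


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold common homoglyphs."""
    folded = domain.lower().rstrip(".")
    for glyph, plain in HOMOGLYPHS.items():
        folded = folded.replace(glyph, plain)
    return folded


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    return ".".join(domain.split(".")[-2:])


def classify(candidate: str, trusted: str, max_distance: int = 2) -> Optional[str]:
    """Return why `candidate` looks like an impersonation of `trusted`, or None.

    Checks, in order: homoglyph substitution; edit distance between the registrable
    domains (typo-squats and top-level swaps); and the trusted name embedded as a
    label or label prefix (the subdomain and root manipulations that defeat a plain
    whole-string distance rule).
    """
    if candidate.lower() == trusted.lower():
        return None  # the genuine domain; whether it really sent the mail is SPF/DKIM/DMARC's job
    cand, trust = normalize(candidate), normalize(trusted)
    if cand == trust:
        return "homoglyph"
    if levenshtein(registrable(cand), registrable(trust)) <= max_distance:
        return "edit-distance"
    trusted_name = registrable(trust).split(".")[0]
    if any(trusted_name in label for label in cand.split(".")):
        return "embedded-name"
    return None


def compare_rules(candidates, trusted: str) -> Dict[str, Dict[str, object]]:
    """Per candidate, what the naive rule and the layered checks each decide."""
    return {
        c: {"naive_blocks": naive_rule_blocks(c, trusted), "reason": classify(c, trusted)}
        for c in candidates
    }


if __name__ == "__main__":
    TRUSTED = "example-corp.com"  # constructed
    SAMPLES = [  # constructed sender domains seen on inbound mail
        "example-corp.com",
        "examp1e-corp.com",
        "example-corp.co",
        "example-corp.com.evil-host.net",
        "secure-example-corp.com",
        "unrelated-vendor.net",
    ]
    for domain, verdict in compare_rules(SAMPLES, TRUSTED).items():
        print(f"{domain:32} {verdict}")
```

Running the sample set shows the gap the text describes: the naive rule blocks the one-character variants but passes the subdomain and prefix manipulations, which only the embedded-name check catches.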
The payload
A payload is a malicious link or attachment contained in an email. Examples of payloads include attachments that deploy malware or ransomware when opened, or embedded links that lead to fake login sites that harvest credentials. It is important to note that not all spear phishing emails contain a payload. Historically, attackers have leveraged payloads in phishing attacks, and because of this, certain email security solutions have been developed in order to detect them. These solutions analyze and sandbox attachments, inspect links and look at the websites the links point to in order to see if they’re malicious. As these security solutions have become more popular, attackers have learned to execute attacks without links or attachments, instead using coercive language and social engineering to ask the target to share confidential data or wire money.
Why is spear phishing still a problem today?
Today, employees are the most important data processors in any company. The reality is that just one employee misstep can have serious consequences for an organization. With the information they manage to obtain, fraudsters can reveal commercially sensitive information and steal large amounts of money from organizations.
Employees likely receive more security awareness training than in the past, but their workloads have become greater and more complex. They are busier than ever and expected to maintain the same pace of delivery. Because of this, people can make mistakes and be deceived. No amount of training will change this. While training is well intentioned, it simply isn’t enough to prevent increasingly sophisticated spear phishing attacks. Companies can’t rely on people spotting every attack. While SEGs can block malware and bulk phishing attacks, they cannot stop spear phishing emails that don’t include a payload.
Email is the main communication channel for enterprises today; however, the openness of email makes it easy for attackers to exploit. Data continues to be lost and systems continue to be compromised via email, with spear phishing increasingly being the attack vector of choice. Recent headline-grabbing attacks include:
Volunteers for Hillary Clinton’s presidential campaign were targeted as part of one attack.
City officials in Ocala, Florida were tricked into sending over $742K to what they thought was a construction company.
Australia National University was targeted by a spear phishing email that led to attackers silently monitoring the university’s activity as well as stealing the credentials of staff and students.
How can machine learning help stop spear phishing attacks?
The common root of all spear phishing attacks is impersonation: an attacker is pretending to be someone the target trusts. Companies therefore need to identify impersonations on email in order to protect their users and, importantly, their data and systems. But detecting impersonation is not easy. To do so, you need to understand human relationships and human behavior. Machine learning (ML) is the perfect tool to do this. By learning from historical email data, Tessian’s ML algorithms can understand a company’s users, their relationships and the context behind each email. This allows them to detect a wide range of impersonations, from obvious payload-based attacks to subtle socially engineered ones. To learn more about how Tessian Defender prevents spear phishing attacks for organizations like Arm, talk to an expert today.
Human Layer Security Spear Phishing
It’s the Most Fraudulent Time of the Year
30 November 2019
With Black Friday just around the corner, the holiday shopping season is upon us and retailers will face their busiest time of the year. In the last six weeks of 2018, for example, UK retailers and US retailers saw sales of £79.7bn and $719.2bn, respectively, as shoppers rushed to scoop up the best deals. No wonder this window is often referred to as the “Golden Quarter”. But retailers and their customers may get more than they bargained for, as this surge of shoppers makes the “Golden Quarter” a golden time for cybercriminals to launch phishing campaigns.
We often think about consumers as the main victims of retail-related phishing attacks in the holiday shopping season. And quite rightly; shoppers receive hundreds of emails from retailers promoting their latest deals around peak shopping days like Black Friday and Cyber Monday. It’s a ripe opportunity for cybercriminals, who are looking to steal personal data and payment details, to “hide” in the noise, pose as legitimate brands and prey on individuals who are not necessarily security savvy. However, it’s also important to remember that retailers themselves are at greater risk of phishing attacks during this time. In fact, our latest report reveals that nearly two thirds of UK and US retailers (64%) receive more phishing attacks in the three months leading up to Christmas, compared to the rest of the year. Black Friday, in particular, is a prime time for seasonal scammers, as UK retailers (56%) and US retailers (57%) saw an increase in the number of phishing attacks during the Black Friday / Cyber Monday weekend last year. Given that phishing attacks have only grown in frequency and severity since then, there is no doubt that phishing will continue to be a persistent threat for retailers this year too. It’s also concerning to see that 70% of IT decision makers at UK retailers and 65% at US retailers believe their staff are more likely to click on phishing emails during the holiday shopping season.
The reason? Employees are at their busiest and working at a much faster pace, meaning they are less likely to check the legitimacy of the emails they are receiving. Hackers will take full advantage of the fact that security won’t be at the front of mind for busy and stressed retail workers, and will craft sophisticated spear phishing campaigns to encourage individuals to click on malicious links, download harmful attachments or wire huge sums of money. On top of this, staff will also receive more emails at this time. Consider how many colleagues, temporary workers, customers and third party suppliers retail workers engage with during the holiday shopping season. Knowing inboxes will be filling up with timely requests and orders, hackers can easily deceive employees and get them to comply with their requests via spear phishing emails that convincingly impersonate colleagues, senior executives or trusted suppliers. With the average phishing attack now costing a company $1.6 million, there are significant financial consequences for a retail worker being duped by a phishing attack. It’s understandable, then, that the IT decision makers we surveyed said that “data breaches caused by human error” are the number one threat to their business in the final quarter of the year. Phishing came in a close second, with one in five IT decision makers in retailers believing phishing is the greatest threat to their organization during the holiday shopping season. Given the people-heavy nature of the industry, retailers are, sadly, an easy target for cybercriminals. Our report clearly shows that retailers need to do everything they can to build robust defenses and minimize incidents of human error that could lead hackers to steal data and compromise systems this holiday season.  
Spear Phishing
7 Ways to Survive this Black Friday
15 November 2019
Shoppers are expected to smash previous Black Friday spending records this weekend, with experts forecasting global sales of around $36.9 billion on Friday alone. With over 165 million people heading to stores or shopping online during the frenzy that follows Thanksgiving, retailers will be busier and more distracted than ever. And this makes them a prime target for cybercriminals. Here are our top tips for your business to survive the Black Friday weekend:
1. Think before you click on email
Phishing is the biggest risk for one in five IT decision makers at UK and US retailers during the holiday shopping season. No wonder: over 60% receive more phishing attacks during this time than at any other point in the year. Peak shopping days like Black Friday, Small Business Saturday and Cyber Monday are a golden opportunity for hackers to hide in chaotic inboxes and take advantage of individuals who are not security savvy. Is your business defending against this risk?
2. Keep calm and carry on
When dealing with throngs of shoppers, processing thousands of orders and meeting overwhelming sales targets, retail staff will be under pressure to deliver. With more emails being sent and received and with staff working at a fast pace for long hours, mistakes will inevitably happen. In fact, 67% of IT decision makers at UK and US retailers believe staff are more likely to click on a phishing email during the holiday shopping season. Put measures in place to protect your people, especially when security is the last thing on their mind.
3. Train temporary staff on the threat
Temporary seasonal workers play a critical role in helping retailers out during this busy time, but they rarely benefit from the cybersecurity training that full-time employees receive. This makes them more vulnerable to threats like phishing. If just one employee falls for a scam, the retailer could face a security breach exposing the personal and financial data of thousands of consumers. Make sure all staff are trained on the phishing threat and know what action to take should they receive one.
4. Keep customer service teams alert
Over a quarter of retail IT practitioners are concerned that customer service workers will fall for phishing attacks during this peak shopping season. Hackers will target these teams with phishing emails that contain malicious attachments or links, knowing that staff will need to deal with every customer enquiry they receive. Stay on high alert: encourage customer service teams to flag any messages that look suspicious.
5. Protect your customers from seasonal scams
Consumers will be inundated with emails touting Black Friday deals this weekend. It’s a golden opportunity for cybercriminals looking to steal personal data and credit card information to pose as legitimate retail brands and lure consumers to fake sites. We increasingly see hackers impersonating brands in sophisticated spoofed emails; it’s surprisingly easy to do if the company doesn’t have email authentication records like DMARC in place. Worryingly, a third of retailers we surveyed do not have these checks in place. The problem is that consumers are more likely to click on malicious links or download harmful attachments when an email looks like it comes from a legitimate brand and email address. Protect your customers by protecting your brand.
6. Be wary of spoofed suppliers
Not only can hackers target your third-party suppliers to gain access to company information, but they can also impersonate suppliers’ domains and send seemingly legitimate emails to your staff, asking them to wire money or share credentials. Nearly one in three retailers say employees have received spear phishing emails impersonating an external supplier. Always examine what the sender is asking you to do: are you being asked to carry out an urgent request? If this isn’t normal, it may be a fake request.
7. Don’t rely on tick-box training
Don’t make cybersecurity training a one-off exercise. Continually teach and reinforce safe email behavior so that your staff are able to make the right cybersecurity decisions both at work and in their personal life. Our handy cheat sheet will help. Encourage your employees to print it and keep it on their desk so that they can identify the cues of a malicious message. To find out more about how to avoid seasonal scams, read our report.
Human Layer Security Spear Phishing
Types of Email Attacks Every Business Should Prepare For
14 November 2019
Corporate email continues to rule in the world of business. Today, the average office worker receives 120 emails every day.  While many of these emails pertain to business as usual, not every email is quite what it seems. Now more than ever, organizations are on the receiving end of advanced email attacks that aim to steal money, pilfer data or compromise systems.
What is an email attack?
What is the purpose of an email attack? Email attacks can take many forms but are typically deployed by cybercriminals in order to steal money or data. In order to keep organizations secure, it is important that employees are able to recognize the most common types of email attacks and understand the potential impact that they could have.
Most common types of email attacks
Cybercriminals can leverage email in multiple ways to attack people and systems. There are a variety of tactics that range from being very broad to very targeted:
Spam. Spam is high-volume commercial messaging sent over email. Despite several tools to filter out unwanted email, spam remains a significant challenge for organizations large and small. 56 percent of all email traffic is made up of spam; so while spam is not always the vector of attack, its sheer volume helps obfuscate real attacks, such as spear phishing.
Phishing. Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Phishing attacks are sent in high volume, and the legitimate look of the email can trick users into accidentally opening an attachment or clicking on a malicious link. However, phishing emails are not personalized and tend to start with generic greetings like “hello” or “dear sir.” What makes phishing attacks successful is that even though only a small percentage of targets fall for the attack, the sheer number of people receiving the email means that the attacker is likely to have some success.
Spear phishing. Spear phishing is an advanced phishing attack that is targeted at one or a few individuals. This type of attack targets a specific individual and tries to impersonate a person or an entity that they trust. Before the attack is launched, the attacker spends time researching their target to gain information such as their name, or suppliers that the target uses in order to make the email appear legitimate. Because spear phishing emails are more sophisticated in their construction and convincing in execution, they are harder to catch.
Business Email Compromise. Business Email Compromise (BEC) is when a relationship is hijacked through email: an attacker tries to trick someone into thinking they are a trusted contact in order to steal money or information. BEC can be accomplished through spear phishing or account takeover. Read more about BEC here. According to the FBI, BEC attacks cost organizations $26bn between 2018 – 2019. In fact, BEC attacks have now overtaken both ransomware and data breaches as the main reason that companies file a cyber-insurance claim, according to insurance giant AIG.
Consequences of email attacks
There are a variety of outcomes that can occur from the above email attacks:
Malware. Malware is computer software that has a malicious intent. Some of the different types of malware include ransomware and spyware, which have the goal of gaining control of infrastructure, farming credentials or gaining access to passwords.
Ransomware. Ransomware is a type of malware that essentially holds a target hostage; attackers will demand a fee in exchange for decrypting the target’s systems. Like other malware, ransomware is a payload that is often deployed by phishing or spear phishing emails. Ransomware can have a significant impact, as seen with the WannaCry attack, which was estimated to have affected more than 200,000 computers across 150 separate countries. The financial outcome of ransomware has made it attractive for attackers, with over $1 billion being racked up by criminals annually. Businesses and governments continue to get inundated with ransomware attempts, and reports even suggest that more than 600 US government entities have been hit with ransomware so far this year.
Credential theft. Credential theft occurs when an attacker is able to steal the credentials of the target by executing a successful phishing or spear phishing attack. Often, the email will include a link which will take the target to a fake login page where the target’s credentials are ultimately harvested.
Wire-transfer fraud. Wire-transfer fraud is when a target wires money to an attacker’s account. Wire-transfer fraud can be accomplished by the attacker including bank details in a phishing or spear phishing email and requesting the target to pay a specific amount. Another way that this can be achieved is if the attacker tricks someone into changing the details of the bank account to which a recurring payment is paid.
Why are email attacks so successful?
Phishing and BEC attacks are difficult to detect because cybercriminals are utilizing social engineering techniques in order to build trust. The attacker manipulates the target by posing as a trusted individual or organization and will oftentimes engage in a conversation over several emails before requesting the target to divulge credentials or confidential data, or to wire money to an account they own. Social engineering is what contributes to the success of these attacks, because attackers use convincing language to get people to act instinctively, not rationally. For example, cybercriminals were able to access payroll information of 700 current and former employees at social media behemoth Snapchat by posing as CEO Evan Spiegel in an email and tricking a junior employee into sending them the confidential data.
Email impersonation can take on a variety of forms, such as display name impersonation, where the attacker sets a deceptive display name on their email account, or spoofing, where an attacker forges an email to make it appear as if it’s been sent from another email address. Email authentication protocols such as DMARC, DKIM and SPF have been introduced over the years as an attempt to stop spoofing. The problem with these three protocols, though, is that many organizations have yet to adopt them, and weaknesses can be exploited. For example, 80% of Fortune 500 companies do not have DMARC policies set up. Moreover, email authentication only prevents an organization’s own domain from being spoofed; it does not prevent its employees from receiving spoofed emails. Finally, it’s easy for attackers to figure out which counterparties don’t have email authentication set up, as DMARC records are publicly available.
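Because DMARC records are public, the same visibility works for defenders: an organization can audit its own domain and those of its counterparties to see which could be spoofed without a receiver rejecting the mail, which also answers the Black Friday tip above about retailers with no DMARC in place. The following is an added example, not Tessian's code. The vendor domains and the TXT records in `FAKE_DNS_TXT` are constructed stand-ins for what a resolver would return for `_dmarc.<domain>`; a real audit would replace that table with DNS queries. It goes a step beyond the text by folding in the `pct` tag, since a `p=reject` record with `pct=0` enforces nothing.

```python
"""DMARC record audit for a list of domains.

Added example, not Tessian's code. FAKE_DNS_TXT is a constructed stand-in for
TXT lookups of _dmarc.<domain>; a real audit would query a resolver instead.
"""
from typing import Dict, Iterable, List, Optional

# Constructed answers, keyed by the _dmarc name a resolver would be asked for.
FAKE_DNS_TXT: Dict[str, List[str]] = {
    "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example; adkim=s; aspf=s"],
    "_dmarc.vendor-b.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@vendor-b.example"],
    "_dmarc.vendor-c.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-c.example"],
    "_dmarc.vendor-d.example": ["v=DMARC1; p=reject; pct=0"],  # looks strict, enforces nothing
    "_dmarc.vendor-f.example": ["v=spf1 -all"],                 # wrong record type at the _dmarc name
    # vendor-e.example publishes no _dmarc record at all
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict, or None if this is not a DMARC record.

    A DMARC record must begin with v=DMARC1 and carry a p= tag.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    first_tag = txt.split(";", 1)[0].replace(" ", "").upper()
    if first_tag != "V=DMARC1" or "p" not in tags:
        return None
    return tags


def effective_policy(tags: Optional[Dict[str, str]]) -> str:
    """Collapse a parsed record to the policy a receiver would actually enforce."""
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy != "none" and pct == 0:
        return "none"  # pct=0 applies the policy to no messages at all
    if policy != "none" and pct < 100:
        return f"{policy}({pct}%)"
    return policy


def lookup_dmarc(domain: str, dns: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Return the first valid DMARC record published at _dmarc.<domain>, if any."""
    for txt in dns.get(f"_dmarc.{domain}", []):
        tags = parse_dmarc(txt)
        if tags is not None:
            return tags
    return None


def audit(domains: Iterable[str], dns: Dict[str, List[str]] = FAKE_DNS_TXT) -> Dict[str, str]:
    """Map each domain to the policy a receiver would enforce on mail claiming to come from it."""
    return {d: effective_policy(lookup_dmarc(d, dns)) for d in domains}


def unprotected(domains: Iterable[str], dns: Dict[str, List[str]] = FAKE_DNS_TXT) -> List[str]:
    """Domains whose spoofed mail a receiver would neither quarantine nor reject."""
    return sorted(d for d, pol in audit(domains, dns).items() if pol in ("missing", "none", "invalid"))


if __name__ == "__main__":
    counterparties = [f"vendor-{c}.example" for c in "abcdef"]
    for domain, policy in audit(counterparties).items():
        print(f"{domain:20} {policy}")
    print("spoofable without rejection:", ", ".join(unprotected(counterparties)))
```

A domain reported as "missing" or "none" is one whose mail a receiver will accept even when SPF and DKIM fail, so messages appearing to come from it deserve the same scrutiny as any other impersonation; a partial policy such as quarantine(25%) still lets three in four spoofed messages through.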
Email attacks continue to cause sleepless nights for IT administrators everywhere. Although many organizations have implemented employee training programs into their security strategy, these programs often are not designed to account for human error. Human error is the main cause for the majority of data breaches, and it can easily occur because employees can become distracted or tired which leads to mistakes being made over email. The assumption that employees can become an effective line of defense after undertaking just a few hours of security training is unrealistic. Security teams need to implement the right technology to support employees without getting in the way of their day-to-day business.
How can machine learning help stop sophisticated email attacks? Defending against targeted email-borne threats requires superior email security. Legacy tools have not been able to keep pace with evolving email attacks. Rule-based systems may be able to block simple impersonations, but struggle to detect more complex ones. Complex impersonation attacks cause more damage for organizations. It is time for organizations to adopt a more intelligent approach to inbound threats – one that understands historical email relationships and communication patterns, and can therefore, automatically detect anomalies and threats. Tessian’s stateful machine learning engine learns the difference between normal and abnormal email communications. In real time, Tessian automatically prevents the most advanced forms of spear phishing, accidental data loss and data exfiltration. This ensures that organizations can stay ahead of attackers and protect the data that they hold most dear. To learn more about how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.
Spear Phishing
Business Email Compromise – What it is & How it Happens
11 October 2019
This question should be standard issue at any cybersecurity pub quiz: What increased by 108% one day in September 2019? It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks. No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn. The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019. So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them? Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…
What is Business Email Compromise?
Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways:
• email impersonation (i.e. spear phishing attacks)
• email account hacking
Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack. BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty. Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to this Tessian blog.) To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity.
“Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag. This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:
It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks?
What are common BEC techniques?
Supplier / vendor fraud
The dangers of external impersonation are becoming better understood, but there is still a learning curve for security leaders within enterprises. Every business has a finite number of employees, which makes it easier for security products to keep on top of potentially suspicious activity on “employee” email accounts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. (Download Tessian’s guide to email impersonation to see this effect in action.)
CEO fraud
CEO fraud is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. As with other BEC scams, the usual aim is to extract money from the targeted business by coercing an employee into making illicit wire transfers.
Whaling
Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they tend to be very busy, and because of their access to key systems, senior executives can be especially profitable targets for attackers.
Account takeover
As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. ATO attacks are understandably extremely hard for traditional technologies to identify as the “genuine” email account is in use.
Institutional impersonation
Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.)
The consequences of BEC
As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of.
Data breach / credential harvesting
Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses.
Financial losses
Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account.
When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets.
Fines
Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach.
Reputational damage
It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult. There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most businesses unprepared to defend against this threat?
Why rule-based technology does not stop BEC
Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. That’s why organizations must invest in technology that explicitly protects their people. And that’s where Tessian’s software, trained on over 1 billion emails, comes in. Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees. If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.
Spear Phishing
Spear Phishing Demystified: the Terms You Need to Know
10 October 2019
Jargon is a hallmark of all industries. Cybersecurity is no different, but using the right security terminology has a real impact. When an organization’s data and systems are threatened by spear phishing attacks, being aware of evolving trends and the definitions of key terms could be the difference that helps prevent the next threat. Spear phishing is the number one threat facing businesses today, but research still suggests that “lack of knowledge and awareness about cyber-attacks could hinder the growth of the spear phishing protection market.” In this article we define and explain key spear phishing concepts and terms. (To learn more about how to prevent spear phishing attacks with machine-intelligent technology, read about Tessian Defender.)
Spear phishing definition, and other attack types
Although media outlets and security companies rightly pay a lot of attention to spear phishing, advanced impersonation spear phishing attacks come in many forms. Once you’ve read our breakdown of different key terms and what they mean, you’ll come away with a clearer understanding of the range of sophisticated inbound email threats.
Spear phishing
Spear phishing describes an advanced impersonation phishing attack directed at specific individuals or companies. (Head to the “Other useful terms” section below to see a definition of regular “bulk” phishing.) Similar to “bulk” phishing, spear phishing attacks are designed to trick people into taking an action like transferring funds or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because spear phishing emails are low-volume as well as more sophisticated in their construction and convincing in execution, they are far harder for traditional email security products to catch.
CEO fraud / executive fraud
CEO fraud is a type of spear phishing attack where attackers impersonate a CEO or another high-level executive. Here, attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. Attackers often use social engineering techniques (see “Other useful terms” below) to convey urgency and prevent targeted employees from thinking twice about following the instructions of the “CEO”. A notorious example of this kind of fraud saw an impersonation of Pathé France’s CEO lose Pathé €19.2m.
Whaling
Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they are many times more likely to be targeted than rank-and-file employees, because they tend to be very busy, and because of their access and influence, senior executives can be especially profitable targets for attackers.
Forms of impersonation used in spear phishing attacks
Although all spear phishing attacks revolve around impersonation of some kind, impersonation itself can take many forms. Attackers impersonate people on email in order to:
• Steal money, data and credentials
• Compromise systems
• Take over accounts
Essentially, all spear phishing attacks use impersonation as a strategy. Mechanisms differ from the easy (display name impersonation) to the complex (direct spoofing). Here’s how we break impersonations down:
Business Email Compromise
According to the FBI, Business Email Compromise (BEC) attacks cost organizations $1.2bn in 2018 alone.
BEC is closely related to spear phishing – and commonly confused with it – but is potentially still more damaging and severe. Attackers impersonate employees or external counterparties and send spear phishing emails to people within the organization being targeted, using social engineering techniques to convince targets to wire funds outside the organization or to click on dangerous links that risk compromising systems and/or data. Readers should bear in mind that there are several different interpretations of BEC. For example, it’s often confused with Account Takeover (ATO): ATO describes the unauthorized takeover of someone’s actual account, using harvested credentials or “brute force” hacking.
Domain impersonation
These attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. There are three main kinds of domain impersonation: root, top-level and subdomain. Below is an example of each of these impersonations, using the domain companyinc.com as a starting point:
• Root: [email protected] OR [email protected]
• Top-level: [email protected]
• Subdomain: [email protected]
Display name impersonation
Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. This might mean impersonating a senior executive within a company, or the name of a key supplier or partner. The technical skill required is effectively zero: most mainstream email clients offer users ways to change display names in their account settings. Display name impersonations are particularly effective when received on mobile devices, as the sender’s actual email address is usually hidden.
Attackers can also change a sender’s display name to include a genuine-seeming email address, such as “Thomas Edison <[email protected]>”.
Freemail impersonation
Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could send an email from [email protected] to an employee working in the finance department, for example, requesting an urgent transaction. Here’s the example from before:
Automatic “Out of office” replies are a useful tool for attackers planning freemail spear phishing campaigns. By probing lists of contacts, attackers can learn when a particular executive is out of the office. Details volunteered in OOO autoreplies may tell them how long the executive is out of the office for, and even where they’ve gone. With this knowledge, attackers are free to impersonate the executive’s personal email account (or simply register an authentic-looking freemail address) and target the executive’s colleagues with a convincing impersonation.
Other useful terms
Credential harvesting
Credential harvesting is often an end goal of spear phishing attacks. Attackers will use coercive emails to direct recipients to fake login pages or other websites, where credentials can be harvested. Attackers can monetize credentials by selling them, or by using stolen account information to make purchases. In an enterprise environment, compromised credentials can also place entire systems at risk, doing significant financial and reputational harm to the business. Having harvested credentials, attackers can even take over email accounts and begin targeting victims’ contacts.
Payload
Many spear phishing emails contain a payload: on email, this might be a malicious link or attachment that, when opened, triggers malware on affected devices or systems. Increasingly, spear phishing attacks don’t have a payload at all, relying on persuasive language to coerce an employee into making a mistake. In turn, this makes these attacks especially hard for traditional security tools to defend against.
Phishing
Generally, phishing attacks are sent in bulk to a large audience, meaning the attackers’ language is relatively untargeted and unpersonalized. While phishing attacks can be successful, most attacks can be identified by traditional email security tools. This is why attackers have evolved to rely on spear phishing to extract money, data and credentials from organizations.
Ransomware
Ransomware attacks are growing in popularity and also need little or no technical skill to carry out. In a ransomware attack, an attacker holds an organization “hostage” by deploying malicious software across critical infrastructure. The attacker will threaten to steal money or data, or to cripple the organization’s systems unless a ransom is paid. Perhaps the most famous example of such an attack is the NotPetya worm which crashed systems around the world in 2017. Many ransomware attacks start with a spear phishing email containing a dangerous payload.
Social engineering
Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating ‘normally’ for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched.
Spoofing
A spoof describes an impersonation where an attacker forges an email by modifying the email address from which the email appears to have been sent. (Many people don’t know that it’s possible for anyone with their own mail server to specify any From: address when sending an email, a loophole often leveraged by more sophisticated attackers.) As an industry, cybersecurity is responding to a rapidly evolving threat landscape and growing more complex every day. It’s vital to understand the range of different concepts and terms that surround the exploding spear phishing crisis. A reminder: if you have further questions about spear phishing, speak to a Tessian expert.
Spear Phishing
CEO Fraud Email Attacks: How to Recognize & Block Emails that Impersonate Executives
01 October 2019
You’re sitting at home when your phone lights up. It’s an email from the CEO. Subject line: “Urgent”. Your heart rate rises a little. It’s after hours – it must be something serious. And aren’t they meant to be on holiday this week? “Hi – I’ve just had a call from Supplier X in France. We need to change the account details for the invoice that’s due to be paid tomorrow. I’m OOO so can’t look at it. Could you help? Sorry for late message.” You check the accounting platform. The invoice is there, ready to go tomorrow. It takes less than two minutes to amend the details. You notify the CEO that the job’s done. (Maybe they’ll mention to your boss how you helped them out!) The reply comes: “Excellent – thanks for sorting this. Great job.” A good evening’s work, right? Unless your “CEO” isn’t who you think it is.
What is CEO fraud?
CEO fraud is a form of Business Email Compromise (BEC). It’s just one part of an epidemic of email impersonations that are responsible for billions of dollars in losses around the world. Collectively, Business Email Compromise scams have been responsible for $26bn in enterprise losses. According to the FBI, “Between May 2018 and June 2019 there was a 100% increase in identified global exposed losses.” CEO fraud and other BEC attacks can cause extreme harm to organizations. A particularly common outcome, as with most BEC scams, is to extract money from the business by coercing an employee into making a wire transfer to a cybercriminal-controlled bank account. However, CEO fraud attacks can also seek to extract sensitive information like contact data and credentials, and even disseminate malware into an organization.
CEO fraud vs. whaling
CEO fraud and whaling are closely related, but far from identical. The key difference is that in a whaling attack attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Whaling is seen as an effective attack vector because senior leaders themselves are perceived to be “easy targets”. Leaders tend to be extremely busy, and they often enjoy access to the most sensitive information an organization holds. Verizon research has suggested that senior executives are 12x more likely to be the target of attacks such as phishing than other employees. CEO fraud, meanwhile, uses the seniority of those high-level executives to exploit other employees within organizations. So what are the methodologies information security practitioners have to watch out for?
The most common CEO fraud techniques
As with so many email threats, at the heart of every CEO fraud attack is impersonation. This type of attack most often occurs by way of display name or domain impersonation. (We’ll also cover freemail impersonation, another important technique to be aware of.)
Display name impersonation
Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Impersonating a display name is extremely easy, and works especially well on mobile devices, where the actual email address used to send the email is unlikely to be visible. The image below shows an impersonation of an example CEO, Thomas Edison. Anyone can change their display name to Thomas Edison and send a potentially convincing email on mobile devices with nothing looking amiss:
Domain impersonation
Domain impersonation attacks involve attackers spoofing or impersonating an organization’s domain in order to appear legitimate. Attackers can produce convincing impersonations of a genuine CEO email address in three ways. Root domain impersonations change aspects of the company’s domain – an example might be te55ian.com. Top-level domain impersonations involve changes being made to the .com or .co.uk parts of a domain: an attacker might exploit an unregistered or less common domain like .io or .work. Additionally, attackers can add company-branded subdomains to a completely separate and abstract domain (e.g. company.email-outbound.com). Just because a company owns the more popular .com or .co.uk top-level domains does not mean they own every variation on those domains. CEO fraud attacks can exploit any inconsistencies in security infrastructure, leveraging online properties unclaimed by the organization in question in order to create a compelling spear phishing email.
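The display name, domain (root, top-level, subdomain) and freemail impersonation checks described here and in the terminology breakdown above, as an added Python example that is not Tessian’s code: the protected domain companyinc.com, the executive directory, the homoglyph table and every sample From: header are constructed assumptions, and multi-part suffixes such as .co.uk are out of scope.

```python
"""Flag the impersonation forms described above in an inbound From: header.
Added example, not Tessian's code. The protected domain, the executive
directory and all sample headers are constructed for illustration."""
import re
from email.utils import parseaddr

PROTECTED_DOMAIN = "companyinc.com"                           # constructed
EXECUTIVES = {"thomas edison": "t.edison@companyinc.com"}   # constructed directory
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Look-alike substitutions used in root domain impersonations (te55ian -> tessian)
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"))
SINGLE_GLYPHS = str.maketrans("01357", "olest")


def normalise_label(label: str) -> str:
    """Map common homoglyph tricks back to the letters they imitate."""
    for fake, real in MULTI_GLYPHS:
        label = label.replace(fake, real)
    return label.translate(SINGLE_GLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character root misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return genuine / root / top-level / subdomain / unrelated.
    Assumes a single-label TLD; .co.uk-style suffixes need a public-suffix list."""
    domain = domain.lower().rstrip(".")
    if domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN):
        return "genuine"
    labels = domain.split(".")
    if len(labels) < 2:
        return "unrelated"
    real_root, real_tld = PROTECTED_DOMAIN.rsplit(".", 1)
    root, tld = labels[-2], labels[-1]
    if real_root in labels[:-2]:                 # companyinc.email-outbound.com
        return "subdomain"
    if root == real_root and tld != real_tld:    # companyinc.io
        return "top-level"
    if normalise_label(root) == real_root or levenshtein(root, real_root) <= 2:
        return "root"                            # c0mpanyinc.com, cornpanyinc.com
    return "unrelated"


def check_from_header(header: str) -> dict:
    """Collect impersonation findings for one From: header value."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    kind = classify_domain(domain)
    findings = []
    if kind in ("root", "top-level", "subdomain"):
        findings.append(f"domain impersonation ({kind}) of {PROTECTED_DOMAIN}")
    # An address written into the display name is what a mobile client shows
    # instead of the real sender, so any mismatch is a finding in itself.
    embedded = [e.lower() for e in ADDR_RE.findall(name)]
    if any(e != addr for e in embedded):
        findings.append("display name embeds a different address")
    clean_name = " ".join(ADDR_RE.sub("", name).split()).lower()
    genuine = EXECUTIVES.get(clean_name)
    if genuine and addr != genuine:
        if domain in FREEMAIL:
            findings.append("freemail impersonation of executive")
        else:
            findings.append("display name impersonation of executive")
    return {"address": addr, "domain_class": kind, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers, one per technique described above.
    for sample in (
        "Thomas Edison <t.edison@companyinc.com>",
        "Thomas Edison <thomas.edison@gmail.com>",
        '"Thomas Edison t.edison@companyinc.com" <mail@unrelated.example>',
        "Accounts <billing@companyinc.io>",
        "IT Helpdesk <it@companyinc.email-outbound.com>",
        "Thomas Edison <t.edison@cornpanyinc.com>",
    ):
        print(sample, "->", check_from_header(sample)["findings"])
```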
Freemail impersonation
Freemail impersonation describes spear phishing attacks where criminals use the fake personal email address of a senior-level executive. An attacker impersonating the CEO of a company – let’s use Thomas Edison again – could register an email address on Google and send an email from [email protected] to an employee working in the finance department, for example, requesting an urgent transaction. Here’s an example of this in practice:
Impersonations come in many shapes and sizes. CEO fraud attacks can rely on any one of these techniques to exploit the trust of employees, with potentially devastating consequences for enterprises. But why do employees click on these spear phishing emails in the first place? Social engineering has a lot to do with it.
CEO fraud and social engineering
Of all types of BEC attack, CEO fraud might be the type that relies most on social engineering. Social engineering describes the techniques attackers use to persuade people to take a dangerous action. Attackers may rely on the seniority of the person they are impersonating, or the illusion of urgency being created, to prompt a lower-ranking employee to take a desired action. Often, attackers will build trust with a target by communicating “normally” for periods of time, using entirely innocuous language: this heightens the effect of coercive language when an attack is finally launched. There are a range of social engineering levers attackers can pull to affect their target and coerce them into sending assets like money or data outside the organization:
Seniority
It might sound obvious, but emphasizing the nature of a CEO or senior executive’s work can be an effective tactic in coercing an employee into action. Emails that ask for work to be done ahead of a board meeting, or which appear to be critical to the success and/or health of a business, underscore their importance and encourage people to act swiftly (perhaps without thinking carefully).
Trust
While most early spear phishing attacks contained malicious links or attachments, a growing proportion of attacks now contain no payload at all. This has the advantage of being harder for traditional security tools to detect, but sending innocent, non-fraudulent emails also helps to build a rapport with the target. A history of “regular” email communication raises the chances of the target taking the bait when the key, malicious email is sent.
Urgency
If there isn’t much time to act on a given request, targets may not think as critically about the motivations behind that request. By centering the message on time sensitivity, attackers hope that they will force targets to think instinctively (not rationally), particularly if the message comes from a trusted senior colleague. Let’s return to an example we used earlier, this time focusing on the content of the email rather than the display name. It concerns a supplier payment that’s due “tomorrow”, making the request appear to be a high priority:
How to defend against CEO fraud
Part of the challenge for IT and security professionals is the sheer number of options in the cybersecurity marketplace that promise to help combat advanced impersonation attacks. The rising number of data breaches every year is testament to the fact that legacy security tools are not able to defend against sophisticated email impersonations. Traditionally, security products have depended on extensive lists of rules to operate. Although rule-based software has been able to defend organizations against predictable, unsophisticated spam and “bulk” phishing attacks, more agile and sophisticated techniques have rendered Secure Email Gateways (SEGs) and other rule-based software programs ineffective. When criminals are changing their angles of attack all the time, legacy tech just can’t keep up. Organizations frequently extol the benefits of training and awareness in combating sophisticated spear phishing attacks. However, placing the onus on employees to defend against cyberattackers detracts from the reason they were brought into the business in the first place – to be empowered to do their own specialized work. Too many organizations still rely on unintuitive training sessions that don’t focus on real-world issues the firms in question are facing every day. Instead of placing all their chips on training, organizations must invest in understanding the patterns that betray CEO fraud and other impersonations. Spear phishing emails have certain key components that, when analyzed together, can help detect the attack that’s taking place.
Target: Spear phishing attacks are invariably directed at specific employees or groups of people. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from LinkedIn career updates to employee details on company websites.
Intent: In both the email subject line and body copy, the attacker will use deliberate language to establish context and intent. They want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests – like a wire transfer – will appear authentic and usually get the target to complete the desired action.
Impersonation: At the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts.
Payload: Spear phishing emails may contain some form of payload (a malicious attachment or link) to engage the target. Advanced impersonation tactics are discreet; they usually rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.
Here’s a view of these components laid over a potentially suspicious email: Attackers can be incredibly subtle in crafting their messages, and it is unreasonable to expect busy employees to identify potentially threatening aspects of an email straight away. That’s where Tessian Defender, our security software built to detect advanced impersonation spear phishing, comes in. It’s a given that email security software needs to analyze email headers, IP addresses and other information that’s normally hidden from the end user. But to prevent CEO fraud and other spear phishing attacks, software must also be able to analyze natural language and compare the message in question to as much historical comparison data as possible.
Even the content employees can see – perhaps particularly the content employees can see – is designed to trigger a dangerous action on the part of the target. Using 12 months of archival email data to establish what “normal” looks like, Tessian understands how different people inside and outside a given organization communicate with each other on email. Analyzing behaviors and communication patterns, Tessian can identify whether the content of each new email appears suspicious. If an email to an employee is deemed a potential risk to security, Tessian generates a notification which sits above the message itself in the employee’s email client and explains what could be amiss. With all the salient information on hand, the employee can choose whether to reply to the message or to change their course of action and flag the threat. With Tessian’s technology keeping email safe, employees can get on with their work without the pressure of feeling like they are the first line of defense against cyber threats. Security leaders, meanwhile, can be sure that employees are dealing with fraudulent emails in an appropriate way. Technology that stops threats and educates workforces: is this the route to eradicating the threat of CEO fraud?
CEO fraud: in summary
Security practitioners need to be extremely mindful of the risk of CEO fraud and other BEC scams. Impersonation-based cybercrime continues to extract billions of dollars from organizations each year. Attackers are constantly evolving their methodologies and showing that legacy email security software is increasingly outdated. The way to take on the threat of CEO fraud is to look at the fundamental technique at the heart of any such attack: someone with bad intentions impersonating a senior leader on email.
Software that understands the email relationships between different stakeholders, and that is built to look for this kind of impersonation, is vital for any organization looking to minimize harm from data loss, financial penalties and reputational damage. Learn more about Tessian Defender on a call with a Tessian security expert here.
Spear Phishing
Inside Email Impersonation: Why Domain Name Spoofs Could be your Biggest Risk
18 September 2019
Domain names are some of the most highly-prized assets for brands today. The trust placed in an authoritative domain name can lend organizations valuable legitimacy and support brand reputation. The problem? An attacker with a computer and a few minutes to spare can impersonate that domain over email, putting an organization’s hard-won reputation in danger. Email impersonation attacks have disastrous consequences for enterprises. Whether it’s the threat of severe financial loss, the leakage of sensitive data, or deep damage to brands and reputations, the risks to businesses of impersonation and spoofing are ever-present, and growing by the day. The most worrying thing for cybersecurity leaders is that attackers do not have to execute especially difficult or sophisticated techniques for their cyberattacks to have an outsize impact on organizations. This blog will cover some of the simple methodologies cybercriminals are employing to impersonate domain names – a powerful impersonation technique that is used by attackers all over the world to target enterprises. (Read our previous blog in this series, on display name impersonation, here.) If you’re interested in learning how criminals infiltrate enterprise networks and extract money, data and credentials from organizations around the world, just read through this guide to domain impersonation attacks and how they impact email security.
What is a domain name?
Let’s begin with what a domain actually does. It all starts with IP addresses, the numeric addresses that identify hosts on a network. The Domain Name System (DNS) was originally developed as a way of giving those addresses names that are easier to remember and identify. Today, domain names are used to define ownership of particular properties on the internet, like websites and email addresses. Domains can be purchased and registered through a registrar or hosting provider. (More on the different parts of domains, and their vulnerabilities, later.) By registering a domain, individuals and companies can be sure that when someone visits the domain www.tessian.com, or sends an email to [email protected], they will be interacting or communicating with Tessian. Or can they? If only it was that simple.
The struggle to secure domains
Attackers penetrating organizations’ defenses by spoofing emails (i.e., forging an email so that it appears to come from an address the attacker does not control) is a growing threat. Even as awareness of the threat grows, though, there are several ways for attackers to take advantage of lax enforcement of the protocols that govern domain identification. SPF (Sender Policy Framework), first proposed in the early 2000s and published as RFC 4408 in 2006, was the first widely adopted protocol that let domain owners publish, in a DNS TXT record, which IP addresses may send email on behalf of a domain. Note that SPF is checked against the envelope MAIL FROM domain (and the HELO name), not against the From header the recipient sees, which is one reason SPF on its own does not stop header spoofing. Recent years have seen growing adoption of newer authentication protocols, first DKIM (DomainKeys Identified Mail) and later DMARC (Domain-based Message Authentication, Reporting & Conformance). DKIM does not encrypt anything: the sending server adds a DKIM-Signature header, a digital signature over selected headers and the body made with the domain’s private key, and receivers fetch the matching public key from DNS to verify that the message was signed by that domain and was not altered in transit. The most recent protocol to have become a widely-accepted standard is DMARC, which builds on SPF and DKIM and adds a policy and reporting layer on top of them.
A message passes DMARC when at least one of SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header: for SPF, the envelope MAIL FROM domain; for DKIM, the d= domain of the verified signature. DMARC also lets domain owners publish, in a TXT record at _dmarc.<domain>, what receivers should do with messages that fail (p=none, p=quarantine or p=reject) and where to send aggregate reports. However, all is not as rosy as it seems. Key structural problems with authentication mean that it is very easy for malicious actors to work around the protocols. First among these difficulties is the scale of adoption. As of 2019, roughly 80% of large enterprises have “no DMARC policy in place.” Because SPF, DKIM and DMARC records are published in public DNS, anyone can query _dmarc.<domain> for a target and see whether a policy exists at all and whether it is set to none, quarantine or reject. As Tessian’s Laura Brooks previously wrote in a blog on DMARC:
DMARC’s settings let sending domains tell recipients to quarantine, block or passively monitor any emails that fail SPF and/or DKIM authentication (i.e., the emails that could be spoofing the sending domain). But having DMARC set up doesn’t necessarily afford enterprises the flexibility they need. Let’s use the example of a big bank that works with several different law firms. As is the case in many industries, relationships between banks and their professional services suppliers are often disclosed in press releases and other media coverage. It is very simple for an attacker to find out whether any of the bank’s legal partners have failed to configure DMARC correctly. The attacker would then be free to spoof these law firms’ domains and target the bank, knowing that any communications would be likely to reach their intended targets given the flaws in many traditional Secure Email Gateway (SEG) products. For businesses whose DMARC policies aren’t set to block or quarantine messages, emails that fail DMARC checks will still be delivered to their intended recipients. This threatens email security. But many businesses simply can’t risk missing important and legitimate communications by using DMARC’s quarantine or block settings. The only way the bank’s – or any other organization’s – email infrastructure can be truly secure is for all third party suppliers and partners to also have DMARC configured to reject or quarantine non-compliant emails. Working within these unrealistic conditions, the only way to reliably identify impersonations is to focus on behavioral and relationship patterns within email communications – something legacy security companies do not offer. While there are still such fundamental gaps in the security infrastructure of global businesses, this leaves enterprises vulnerable to many of the same issues that plague employees and security leaders – DMARC or no DMARC.
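To make the pass rule (SPF or DKIM passing and aligned with the From domain) and the p=none / p=quarantine / p=reject policy settings concrete, here is an added example of how a receiving server decides a DMARC disposition. It is not Tessian’s code and not from the blog quoted above. It assumes the DMARC record text is supplied inline rather than fetched from the _dmarc TXT record, and it uses a small hard-coded suffix set as a stand-in for the Public Suffix List; the law-firm domain, the attacker domain and the authentication results are constructed for the illustration. It plays through the scenario described above: a supplier domain with only a monitoring policy versus an enforcing one, and a spoof sent from the attacker’s own infrastructure.

```python
from dataclasses import dataclass

# Hypothetical stand-in for the Public Suffix List (assumption; a real
# receiver uses the full list to find the "organizational domain").
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the organizational (registrable) domain of `domain`."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' (the _dmarc TXT text) into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header the recipient sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # envelope MAIL FROM domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM-Signature


def evaluate_dmarc(auth: AuthResults, record: str) -> tuple:
    """Return (dmarc_result, action). DMARC passes if SPF *or* DKIM passes
    AND that identifier aligns with the From domain. On failure, the
    published p= (or sp= for subdomains) decides what the receiver does."""
    tags = parse_dmarc_record(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "deliver")          # no policy published at all
    spf_ok = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_result == "pass" and aligned(
        auth.dkim_domain, auth.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags.get("p", "none")
    if auth.from_domain.lower() != org_domain(auth.from_domain):
        policy = tags.get("sp", policy)     # subdomain policy, if published
    # pct= sampling is ignored here for brevity.
    action = {"none": "deliver", "quarantine": "quarantine",
              "reject": "reject"}.get(policy, "deliver")
    return ("fail", action)


# Constructed scenario: an attacker's server puts a law firm's domain in the
# From: header. SPF passes for the attacker's *own* bounce domain, but that
# identifier is not aligned with the From domain, so it does not count.
SPOOF = AuthResults(from_domain="lawfirm-example.com",
                    spf_result="pass", spf_domain="bounce.attacker.example",
                    dkim_result="none", dkim_domain="")

# A genuine message from the firm, DKIM-signed with d=lawfirm-example.com.
GENUINE = AuthResults(from_domain="lawfirm-example.com",
                      spf_result="fail", spf_domain="lawfirm-example.com",
                      dkim_result="pass", dkim_domain="lawfirm-example.com")

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@lawfirm-example.com"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@lawfirm-example.com"


def demo() -> dict:
    """Outcome of the three cases the text discusses."""
    return {
        "spoof, p=none": evaluate_dmarc(SPOOF, MONITOR_ONLY),
        "spoof, p=reject": evaluate_dmarc(SPOOF, ENFORCING),
        "genuine, p=reject": evaluate_dmarc(GENUINE, ENFORCING),
    }


if __name__ == "__main__":
    for case, (result, action) in demo().items():
        print(f"{case:18} -> dmarc={result}, action={action}")
```

The spoof fails DMARC in both cases; what changes is only the receiver’s action, which is why a supplier left at p=none still gets its spoofed mail delivered to the bank in the scenario above.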
Classifying domain impersonations
Impersonating an organization’s domain in a spear phishing email is just one way for attackers to get past organizations’ defenses. But which domain impersonations do attackers rely on? There are three main kinds of domain impersonation that are regularly exploited in cybercriminal scams.
Root
Before selecting a top-level domain, organizations usually stipulate which root domain they want to represent them. Put simply, this is the “branded” part of a web address, the “tessian” in tessian.com. However, even owning a root domain does not prevent impersonations. Attackers may substitute visually similar characters in the root domain (for example, turning an “l” into a “1”), or use characters from other alphabets: the Cyrillic “а” looks identical to a Latin “a” in most fonts, but to a computer it is a different character, so the lookalike is a distinct domain that can be registered separately. Another strategy is to register a domain that appears to be an “extension” of the targeted company’s regular root domain. Using dashes, for example, attackers can give the appearance of a functional subdomain that could easily trick a busy or distracted employee. At Tessian, we’ve registered the root domain to demonstrate the value of defending against these kinds of impersonations. Otherwise, attackers could add “company” subdomains to the root domain and easily create a convincing impersonation.
Top-level
Top-level domains are the parts of web addresses that follow root domain names. Some of the most widely-known are .com, .net, .org, and so on. In recent years, many more top-level domains have come to market. Individuals and organizations can register domains using extensions like .work, .finance or even .pizza. Consider, for example, an attacker who has registered the brand’s name under .io. Here the root label is absolutely identical to the “genuine” brand name, and DMARC on the real domain offers no protection: the attacker owns the .io domain outright, can publish SPF and DKIM records for it, and so passes authentication for that domain. A DMARC policy only covers the domain it is published for (and, via the sp= tag, that domain’s subdomains), never lookalikes under other top-level domains. Just because a brand might own the .com and .co.uk top-level domains doesn’t mean it automatically owns all possible alternatives. Attackers thereby have more opportunities than ever to register and impersonate “legitimate” root domains with new top-level domains. Finding and registering a top-level domain that ties in with the purpose of the organization in question – .finance might work for a bank, for instance – gives attackers a simple way to impersonate that company and target its employees, customers or suppliers.
Subdomain
Subdomains can be employed to distinguish different services from one another within an overarching website structure. They are separated from the main root domain with periods. If you’ve ever visited an online property with a prefix like , you’ll have interacted with a subdomain. Using subdomains also raises the likelihood of confusing which domain constitutes the original “root”. A good example might be the address <[email protected]>. The root domain, , is positioned directly before the .com top-level domain. Here, “tessian” is a subdomain, but as it appears first and potentially looks legitimate, the address could be convincing to an employee. As with root domains, owning a domain name does not prevent malicious actors from deploying authentic-looking subdomains. Registering , for instance, might give attackers a legitimate-seeming but separate domain by which to impersonate employees and third parties affiliated with the company in question. Since whoever registers the parent domain controls every subdomain beneath it, the attacker can also publish SPF and DKIM for such an address, so it will pass authentication checks for its own domain. One cunning example of subdomain impersonation: someone impersonating a third party supplier has used subdomains to break a legitimate company’s brand name into two, creating the domain.
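The three classes described above (root-label lookalikes, alternative top-level domains and subdomain tricks) can be checked mechanically against the list of domains an organization actually owns. What follows is an added example, not Tessian’s code and not the detection Tessian Defender performs. The owned domains (tessian.com, tessian.co.uk and a hypothetical acmelegal.com) and the sender domains it classifies are constructed for the illustration, the suffix set is a stand-in for the Public Suffix List, and the confusable table covers only a handful of characters; real checks use the full Unicode confusables data.

```python
import unicodedata

# Hypothetical stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}

# A few visually confusable characters mapped to the ASCII letter they mimic:
# Cyrillic а/е/о/р/с/х look like Latin a/e/o/p/c/x, "1" passes for "l",
# "0" for "o" and "rn" for "m". The real confusables table is far larger.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "1": "l", "0": "o", "rn": "m"}


def skeleton(label: str) -> str:
    """Reduce a label to what a human sees: NFKC-normalize, lowercase, then
    collapse confusable characters onto their ASCII lookalikes."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs are visible to skeleton()."""
    domain = domain.lower().rstrip(".")
    if "xn--" not in domain:
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def split_domain(domain: str) -> tuple:
    """Split into (subdomain labels, root label, suffix)."""
    labels = domain.split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], labels[-(n + 1)], ".".join(labels[-n:])
    return labels[:-2], labels[-2], labels[-1]   # unknown suffix: last label


def classify(sender_domain: str, owned_domains: list) -> str:
    """Classify a sender domain relative to the domains we own."""
    sender = to_unicode(sender_domain)
    owned = [to_unicode(d) for d in owned_domains]
    if any(sender == d or sender.endswith("." + d) for d in owned):
        return "owned"                      # the real domain or its subdomain
    brands = sorted(split_domain(d)[1] for d in owned)
    subs, root, _suffix = split_domain(sender)
    root_skel = skeleton(root)
    sub_skels = [skeleton(s) for s in subs]
    joined = "".join(skeleton(label) for label in sender.split("."))
    for brand in brands:
        if root == brand:
            return "tld-variant"            # brand.io instead of brand.com
        if root_skel == brand:
            return "root-lookalike"         # homoglyph / digit substitution
        if brand in root_skel.split("-"):
            return "dash-extension"         # brand-security.com
        if brand in sub_skels:
            return "subdomain-brand"        # brand.attacker.example
        if brand in joined:
            return "split-brand"            # bra.nd.com, or brand+words
    return "unrelated"


# Constructed inputs: two real-looking owned domains and one invented one.
OWNED_DOMAINS = ["tessian.com", "tessian.co.uk", "acmelegal.com"]
SAMPLE_SENDERS = ["mail.tessian.com", "tessian.io", "tessi\u0430n.com",
                  "acme1egal.com", "tessian-security.com",
                  "tessian.attacker.example", "tess.ian.com", "example.org"]


def demo() -> dict:
    """Classification of each constructed sender domain."""
    return {s: classify(s, OWNED_DOMAINS) for s in SAMPLE_SENDERS}


if __name__ == "__main__":
    for sender, verdict in demo().items():
        print(f"{sender:28} {verdict}")
```

In practice the sender domain is taken from the From header of each inbound message and the owned list is the set of domains the organization and its known suppliers actually send from; the skeleton comparison is what catches the Cyrillic “а” and the “1”-for-“l” substitutions, while the owned-domain check first stops the real domain’s own subdomains from being flagged.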
Domain impersonations: summary
The bottom line of all this? Effectively, anyone in control of an email server can dupe recipients into thinking a fraudulent email is legitimate, easily bypassing SEGs and other security protocols. In many ways, email attacks have never been easier. It might seem alarming that impersonating a domain is so easy to accomplish. The reason impersonations are so surprisingly simple is down to deficiencies in the legacy email security services many organizations employ to defend against them. Attackers know all about the flaws and loopholes in SPF, DKIM and DMARC, and about the ways in which domain registrations can be exploited. These email threats are not going away. Organizations need to move away from network and endpoint security frameworks and embrace technologies that tackle the heart of the issue: the impersonation itself. Tessian Defender takes into account factors like an email’s language, and the historic relationship between the email’s sender and receiver, in order to judge whether an email could be the product of an impersonation. If Tessian judges that an impersonation is taking place, real-time contextual notifications are placed within the email client, warning the employee that something looks fishy. The final decision on whether or not to proceed as normal is down to the employee. Tessian learns and adapts to threats by focusing on people’s behaviors and relationships, preventing advanced impersonation spear phishing attacks and other forms of security risk like data exfiltration and data breaches caused by human error. Speak to an expert and learn more here.