Spear Phishing
Inside Email Impersonation: Why Domain Name Spoofs Could be your Biggest Risk
18 September 2019
Domain names are some of the most highly-prized assets for brands today. The trust placed in an authoritative domain name can lend organizations valuable legitimacy and support brand reputation. The problem? An attacker with a computer and a few minutes to spare can impersonate that domain over email, putting an organization’s hard-won reputation in danger. Email impersonation attacks have disastrous consequences for enterprises. Whether it’s the threat of severe financial loss, the leakage of sensitive data, or of deep damage to brands and reputations, the risks to businesses of impersonation and spoofing are ever-present, and growing by the day. The most worrying thing for cybersecurity leaders is that attackers do not have to execute especially difficult or sophisticated techniques for their cyberattacks to have an outsize impact on organizations. This blog will cover some of the simple methodologies cybercriminals are employing to impersonate domain names – a powerful impersonation technique that is used by attackers all over the world to target enterprises. (Read our previous blog in this series, on display name impersonation, here.) If you’re interested in learning how criminals infiltrate enterprise networks and extract money, data and credentials from organizations around the world, just read through this guide to domain impersonation attacks and how they impact email security.
What is a domain name?
Let’s begin with what a domain actually does. It all starts with IP addresses, which are numeric codes used to identify network activity on individual computers. Domains were originally developed as a way of making IP addresses easier to remember and identify. Today, domain names are used to define ownership of particular properties on the internet, like websites and email addresses. Domains can be purchased and registered using a hosting site or registrar. (More on the different parts of domains, and their vulnerabilities, later.) By registering a domain, individuals and companies can be sure that when someone visits the domain www.tessian.com, or sends an email to [email protected], they will be interacting or communicating with Tessian. Or can they? If only it were that simple.
The struggle to secure domains
Attackers penetrating organizations’ defenses by spoofing emails (i.e. forging an email by modifying the email address from which the email appears to have been sent) is a growing threat. Even as awareness of the threat grows, though, there are several ways for attackers to take advantage of lax enforcement of the protocols that govern domain identification. In 2000, SPF became the first protocol that allowed domain owners to specify which IP addresses could send email from a given domain. Recent years have seen growing adoption of newer authentication protocols, first DKIM (DomainKeys Identified Mail) and later DMARC (Domain-based Message Authentication, Reporting & Conformance). DKIM is an authentication protocol that uses public-key cryptography to attach a digital “signature” to each email sent from a domain, which receivers verify against a public key published in the sender’s DNS. The most recent protocol to have become a widely-accepted standard is DMARC. DMARC gives organizations that have already set up SPF and DKIM an extra level of security.
DMARC validates the results of SPF and DKIM authentication against the visible From: domain (a message passes if either check succeeds with an identifier aligned to that domain), and also lets senders tell other email providers what to do with emails that fail authentication. However, all is not as rosy as it seems. Key structural problems with authentication mean that it is very easy for malicious actors to work around protocols. First among these difficulties is the scale of adoption. As of 2019, roughly 80% of large enterprises have “no DMARC policy in place.” Because SPF, DKIM and DMARC records are published in public DNS, it’s easy for attackers to identify which firms do or do not have policies in place. As Tessian’s Laura Brooks previously wrote in a blog on DMARC:
DMARC’s settings let sending domains tell recipients to quarantine, block or passively monitor any emails that fail SPF and/or DKIM authentication (ie, the emails that could be spoofing the sending domain). But having DMARC set up doesn’t necessarily afford enterprises the flexibility they need. Let’s use the example of a big bank that works with several different law firms. As is the case in many industries, relationships between banks and their professional services suppliers are often disclosed in press releases and other media coverage. It is very simple for an attacker to find out whether any of the bank’s legal partners have failed to configure DMARC correctly. The attacker would then be free to spoof these law firms’ domains and target the bank, knowing that any communications would be likely to reach their intended targets given the flaws in many traditional Secure Email Gateway (SEG) products. For businesses whose DMARC policies aren’t set to block or quarantine messages, emails that fail DMARC checks will still be delivered to their intended recipients. This threatens email security. But many businesses simply can’t risk missing important and legitimate communications by using DMARC’s quarantine or block settings. The only way the bank’s – or any other organization’s – email infrastructure can be truly secure is for all third party suppliers and partners to also have DMARC configured to reject or quarantine non-compliant emails. Working within these unrealistic conditions, the only way to reliably identify impersonations is to focus on behavioral and relationship patterns within email communications – something legacy security companies do not offer. While there are still such fundamental gaps in the security infrastructure of global businesses, this leaves enterprises vulnerable to many of the same issues that plague employees and security leaders – DMARC or no DMARC.
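To make the quarantine / block / monitor distinction above concrete, here is an added Python example (not Tessian’s code or the original post’s) that parses DMARC records for a hypothetical bank and its law-firm suppliers, applies DMARC’s alignment rule, and reports which supplier domains would still let a failing message through. The domains and records are constructed samples, not real DNS data.

```python
"""Added example: evaluate DMARC records the way a receiving server would.
All domains and records below are constructed, not real DNS data; in
practice the record is fetched with a TXT lookup of _dmarc.<domain>."""

# Constructed DMARC records for a hypothetical bank and its suppliers.
SAMPLE_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "lawfirm-a.example": "v=DMARC1; p=none; rua=mailto:reports@lawfirm-a.example",
    "lawfirm-b.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "lawfirm-c.example": None,  # no _dmarc TXT record published at all
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. A real
    receiver consults the public suffix list (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_passes(tags, from_domain, spf_domain=None, spf_pass=False,
                 dkim_domain=None, dkim_pass=False):
    """A message passes DMARC when SPF or DKIM passed AND the domain that
    passed is aligned with the From: domain. Both need not pass."""
    spf_ok = spf_pass and spf_domain is not None and \
        aligned(from_domain, spf_domain, tags.get("aspf", "r").lower())
    dkim_ok = dkim_pass and dkim_domain is not None and \
        aligned(from_domain, dkim_domain, tags.get("adkim", "r").lower())
    return spf_ok or dkim_ok


def failing_mail_fate(record, is_subdomain=False):
    """What a receiver does with a message that FAILS DMARC under this record.
    Returns (policy, pct): 'unprotected' means no usable record, 'none' means
    monitor only, and pct < 100 means only that share of failing mail is
    quarantined/rejected while the rest is delivered."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("unprotected", 0)
    policy = tags["p"].lower()
    if is_subdomain and "sp" in tags:  # sp= overrides p= for subdomains
        policy = tags["sp"].lower()
    if policy not in ("quarantine", "reject"):
        return ("none", 0)
    return (policy, int(tags.get("pct", "100")))


def audit_partners(records):
    """Domains whose failing (i.e. spoofed) mail would still reach inboxes,
    with the reason, so a defender can prioritise outreach or extra checks."""
    weak = {}
    for domain, record in records.items():
        policy, pct = failing_mail_fate(record)
        if policy in ("unprotected", "none") or pct < 100:
            weak[domain] = (policy, pct)
    return weak


if __name__ == "__main__":
    for domain, (policy, pct) in audit_partners(SAMPLE_RECORDS).items():
        print(f"{domain}: policy={policy} pct={pct}")
```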
Classifying domain impersonations
Impersonating an organization’s domain in a spear phishing email is just one way for attackers to get past organizations’ defenses. But what domain impersonations do attackers rely on? There are three main kinds of domain impersonation that are regularly exploited in cybercriminal scams.
Root
Before selecting a top-level domain, organizations usually stipulate which root domain they want to represent them. Put simply, this is the “branded” part of a web address – the “tessian” in tessian.com. However, even owning a root domain does not prevent impersonations. Attackers may substitute characters in the root domain (see the image below, where an “l” has been turned into a “1”), or even use characters from other alphabets. The Cyrillic alphabet’s “а” looks identical to an English “a” but will not be treated as such by a computer. Another strategy might be to register a domain that appears to be an “extension” of the targeted company’s regular root domain. Using dashes, for example, attackers can give the appearance of a functional subdomain that could easily trick a busy or distracted employee. At Tessian, we’ve registered the root domain to demonstrate the value of defending against these kinds of impersonations. Otherwise, attackers could add “company” subdomains to the root domain and easily create a convincing impersonation.
Top-level
Top-level domains are the parts of web addresses that follow root domain names. Some of the most widely-known are .com, .net, .org, and so on. In recent years, many more top-level domains have come to market. Individuals and organizations can register domains using extensions like .work, .finance or even .pizza. The example below shows a potential domain impersonation where an attacker has registered the .io domain. If the organization in question has not configured DMARC, the name of the organization being impersonated can be absolutely identical to the “genuine” brand name. Just because a brand might own the .com and .co.uk top-level domains doesn’t mean it automatically owns all possible alternatives. Attackers thereby have more opportunities than ever to register and impersonate “legitimate” root domains with new top-level domains. Finding and registering a top-level domain that ties in with the purpose of the organization in question – .finance might work for a bank, for instance – gives attackers a simple way to impersonate that company and target its employees, customers or suppliers.
Subdomain
Subdomains can be employed to distinguish different services from one another within an overarching website structure. They are separated from the main root domain with periods. If you’ve ever visited an online property with a prefix like , you’ll have interacted with a subdomain. Using subdomains also raises the likelihood of confusing which domain constitutes the original “root”. A good example might be the address <[email protected]>. The root domain, , is positioned directly before the .com top-level domain. Here, “tessian” is a subdomain, but as it appears first and potentially looks legitimate, the address could be convincing to an employee. As with root domains, owning a domain name does not prevent malicious actors from deploying authentic-looking subdomains. Registering , for instance, might give attackers a legitimate-seeming but separate domain by which to impersonate employees and third parties affiliated with the company in question. A cunning example of subdomain impersonation is shown in the example below. Here, someone impersonating a third-party supplier has used subdomains to break a legitimate company’s brand name into two, creating the domain.
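As an added example (not code from this post or from Tessian), the following Python classifier applies the three impersonation kinds just described, root, top-level and subdomain, to a sender’s domain on the receiving side. The brand, the owned-domain list, the confusable table and the sample domains are constructed assumptions.

```python
"""Added example: classify a sender domain against a list of domains the
organisation owns, using the three impersonation kinds above: root-domain
substitutions (digits, Cyrillic homoglyphs, dash 'extensions'), top-level
domain swaps, and subdomain tricks. Owned domains and the confusable table
are constructed samples, not Tessian data or a full confusables list."""
import unicodedata

BRAND = "tessian"                         # constructed: the brand's root label
OWNED = {"tessian.com", "tessian.co.uk"}  # constructed: domains actually owned
MULTI_LABEL_TLDS = {"co.uk", "org.uk", "com.au"}  # constructed subset

# Characters that render like Latin letters: digits/symbols plus a few
# Cyrillic letters. A production check would use Unicode's confusables.txt.
CONFUSABLES = {
    "vv": "w", "1": "l", "0": "o", "|": "l", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
}


def skeleton(label):
    """What a label *looks* like: NFKC-normalise, lowercase, replace
    confusables by the Latin letter they resemble, and drop hyphens."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s.replace("-", "")


def split_domain(domain):
    """Return (subdomain labels, root label, tld), honouring two-label TLDs."""
    d = domain.lower().rstrip(".")
    if "xn--" in d:  # punycode form of an IDN: decode so homoglyphs are visible
        d = d.encode("ascii").decode("idna")
    for tld in MULTI_LABEL_TLDS:
        if d.endswith("." + tld):
            rest = d[: -len(tld) - 1].split(".")
            return rest[:-1], rest[-1], tld
    parts = d.split(".")
    if len(parts) < 2:
        return [], parts[0], ""
    return parts[:-2], parts[-2], parts[-1]


def edit_distance(a, b):
    """Levenshtein distance, to catch single-character root swaps (tassian)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain):
    """Return 'owned', 'root', 'tld', 'subdomain' or 'unrelated'."""
    subs, root, tld = split_domain(sender_domain)
    if f"{root}.{tld}" in OWNED:
        return "owned"  # includes genuine subdomains like mail.tessian.co.uk
    if root == BRAND:
        return "tld"    # exact brand on a TLD the organisation does not own
    brand_sk = skeleton(BRAND)
    # Brand used as someone else's subdomain (tessian.outbound.com) or split
    # across labels (tess.ian.com): subdomain impersonation.
    if subs and (brand_sk in (skeleton(s) for s in subs)
                 or skeleton("".join(subs + [root])) == brand_sk):
        return "subdomain"
    root_sk = skeleton(root)
    # Homoglyph/digit swap, brand-with-extension, or one-edit typo of the brand.
    if brand_sk in root_sk or edit_distance(root_sk, brand_sk) <= 1:
        return "root"
    return "unrelated"
```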
Domain impersonations: summary
The bottom line of all this? Effectively, anyone in control of an email server can dupe recipients into thinking a fraudulent email is legitimate, easily bypassing SEGs and other security protocols. In many ways, email attacks have never been easier. It might seem alarming that impersonating a domain is so easy to accomplish. The reason impersonations are so surprisingly simple is down to deficiencies in the legacy email security services many organizations employ to defend against them. Attackers know all about the flaws and loopholes in SPF, DKIM and DMARC, and about the ways in which domain registrations can be exploited. These email threats are not going away. Organizations need to move away from network and endpoint security frameworks and embrace technologies that tackle the heart of the issue: the impersonation itself. Tessian Defender takes into account factors like an email’s language, and the historic relationship between the email’s sender and receiver, in order to judge whether an email could be the product of an impersonation. If Tessian judges that an impersonation is taking place, real-time contextual notifications are placed within the email client, warning the employee that something looks fishy. The final decision on whether or not to proceed as normal is down to the employee. Tessian learns and adapts to threats by focusing on people’s behaviors and relationships, preventing advanced impersonation spear phishing attacks and other forms of security risk like data exfiltration and data breaches caused by human error. Speak to an expert and learn more here.
Inside Email Impersonation: the Danger of Display Names
18 September 2019
A single spear phishing email can deeply damage your organization’s cybersecurity. After a data breach, credentials could be compromised and systems left unguarded, all as the result of someone’s failure to detect an impersonation of a colleague, supplier or partner. What makes the threat of impersonation especially worrisome is the fact that you don’t have to be a highly skilled cybercriminal to impersonate someone on email. In fact, many kinds of impersonation are startlingly simple. In this post we’ll cover display name impersonation, perhaps the easiest way for an attacker to dupe employees and extract money, data and/or credentials from enterprises.
What is display name impersonation?
Display name impersonations involve attackers setting deceptive display names on their email accounts in order to mislead recipients. The display name is not part of the email address itself: it’s the name affiliated with the account that usually appears before the email address in inboxes. Display name impersonations are often combined with domain impersonations to execute sophisticated impersonation attacks, which use social engineering to threaten organizations’ most sensitive data and systems.
How do attackers manipulate display names?
Even for people with little or no technical knowledge, impersonating a display name is very easy: the operation can be carried out within almost all major email clients. Here, we’ll take you through how to do this with Gmail:
This approach is especially effective on mobile devices (pictured above), because the From: email address is hidden on mobile screens. Very little work has gone into creating a potentially convincing impersonation that could fool busy, distracted employees – especially if the sender being impersonated is a high-ranking executive or a demanding supplier. With CEO fraud losses totalling more than £14m in the UK in 2018, organizations should be aware of the growing threat of executive impersonations. Attackers can also change a sender’s display name to include both a genuine-seeming name and email address, such as “Thomas Edison <[email protected]>”. In this case, the attacker is betting the target won’t notice that the email address they see first isn’t actually the address from which the email was sent.
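To show what a receiving-side check for the display-name tricks above looks like (a trusted name on a foreign address, and a display name that carries its own fake address), here is an added Python example that is not Tessian’s product code or the original post’s. The contact directory and the From: headers are constructed samples.

```python
"""Added example: inspect a From: header for the display-name tricks above.
The contact directory and the headers are constructed, not real mail."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed directory: who a display name legitimately belongs to.
DIRECTORY = {
    "Thomas Edison": "thomas.edison@tessian.example",
    "Accounts Payable": "ap@supplier.example",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def name_key(display):
    """Comparison key for a person's name: strip any embedded address, fold
    case/Unicode, keep only letters, and ignore word order ('Edison, Thomas')."""
    text = unicodedata.normalize("NFKC", EMAIL_RE.sub(" ", display)).casefold()
    return tuple(sorted(re.findall(r"[^\W\d_]+", text)))


def check_from_header(raw_from):
    """Return a list of findings (empty means nothing suspicious)."""
    display, addr = parseaddr(raw_from)
    addr = addr.lower()
    if not addr:
        return ["From: header has no parseable address"]
    findings = []
    # 1. Display name carries its own address that differs from the real one,
    #    e.g. "Thomas Edison <thomas.edison@tessian.example>" <x@webmail.example>
    for embedded in EMAIL_RE.findall(display):
        if embedded.lower() != addr:
            findings.append(f"display name shows {embedded} but mail is from {addr}")
    # 2. Display name matches a known contact but the address is someone else's.
    key = name_key(display)
    for known_name, known_addr in DIRECTORY.items():
        if key and key == name_key(known_name) and addr != known_addr:
            findings.append(f"name matches {known_name!r} but address is {addr}, "
                            f"not {known_addr}")
    return findings


def is_suspicious(raw_from):
    return bool(check_from_header(raw_from))


# Constructed headers as they would appear in a message.
SAMPLE_FROM_HEADERS = [
    '"Thomas Edison" <thomas.edison@tessian.example>',
    '"Thomas Edison" <tedison1987@webmail.example>',
    '"Edison, Thomas" <tedison1987@webmail.example>',
    '"Thomas Edison <thomas.edison@tessian.example>" <tedison1987@webmail.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", check_from_header(header) or "ok")
```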
Why are impersonations so easy to carry out?
Email is an extraordinary tool that offers effectively free communication to billions of people around the world. But email was never designed to cope with the sheer volume of traffic we now see on a daily basis (almost 125 billion business-related emails were sent per day in 2018). Simplicity is a core ingredient of email’s success. But being so simple means it’s dangerously easy for malicious actors to take advantage of inbuilt vulnerabilities. Email as a channel has many vulnerabilities, but despite being a multibillion-dollar industry in its own right, email security products – and the protocols that underpin email infrastructure more generally – have historically done a poor job of preventing impersonations. Organizations that have spent energy configuring DMARC, DKIM and SPF cannot rest on their laurels: authentication tools like DMARC are limited in their scope and are unable to prevent display name impersonation attacks.
The legacy tech problem
For decades now, Secure Email Gateway (SEG) products have defended organizations’ networks from attacks. The main methods of defense employed by SEGs are:
Payload inspection, like scanning URLs and attachments. (Attackers know that zero-payload attacks, which rely on social engineering techniques to persuade targets to take dangerous actions, are much more likely to evade SEGs’ defenses.)
Spam and “bulk” phishing prevention. (By focusing on past known attacks and basic email characteristics like domain authentication, these techniques fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.)
Rules to prevent impersonation. (Basic rules can prevent simple email impersonation attacks by detecting newly registered domains, different sender/reply-to addresses, etc.)
SEGs were designed to protect networks and devices from inbound cyberattacks. More or less, they still do a good job of defending against the bulk spam and phishing scams that were so prevalent years ago. The problem? They are not flexible and intelligent enough to identify anything but the most basic impersonations. Being able to inspect suspicious URLs and attachments doesn’t help when an advanced impersonation spear phishing attack consists only of persuasive, urgent language to coerce an employee into taking a dangerous action like transferring money. Blacklisting known examples of names and addresses used in phishing attacks only prevents attacks that have been reported already; any new spear phishing or impersonation attack will bypass these perimeters. Meanwhile, rule-based email security services are limited by the ability of system administrators to continually update rules based on new edge cases and evolving threats. Static rules do not equip enterprises with the ability to identify and predict new anomalous email attacks in real time. SEGs find it hard to deal with advanced email threats, and even “simple” display name impersonations pose them serious challenges. Using rudimentary logic to determine whether a display name is “close” to the display name of an employee doesn’t work for external impersonations, for example. In addition, rules that trigger when (for example) a display name has one or two characters that are different from a genuine employee’s name are inherently limiting. Attackers are able to easily reverse engineer SEGs and find ways around their defenses. So should enterprises be looking elsewhere to defend their email environments?
Display name impersonations: a summary
For attackers, changing a display name is startlingly easy. The combination of display name impersonation with domain impersonation can lead to very sophisticated spoofing attacks that can have seismic repercussions for enterprises and the sensitive information they control. Cyberattacks continue to evolve and become more dangerous.
But security products like Tessian Defender offer a way to combat display name (and other) impersonations. Using machine learning, Defender learns and adapts to threats by analyzing behavioral and communication patterns on email, preventing advanced impersonation spear phishing attacks before they wreak havoc within organizations. Every email employees receive is analyzed for anomalies: this might be the use of language, prior communications with the email’s recipients, discussion of sensitive topic areas, and many more factors besides. (This applies whether the email is from a colleague or from an external partner.) With this information to hand, Tessian’s algorithm predicts which emails represent a danger to the employee and the organization. Real-time notifications let employees take the right course of action before the threat can harm their employer’s defenses. Organizations need to respond by investing in products that are designed to deal with a newly advanced generation of cyber threats. Speak to an expert today to learn more.
How to Catch a Phish: a Closer Look at Email Impersonation
20 August 2019
Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly more difficult to spot.
What is spear phishing?
A variety of terms are used to describe inbound email attacks, ranging from spoofing, phishing and spear phishing to whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology:
Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication.
Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are often easy for clued-up individuals or email security policies to detect.
Spear phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these, too, are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts.
Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief (“c-level”) executives and board members.
What does a spear phishing email look like?
Spear phishing emails have four key components:
Target: spear phishing attacks are directed at specific employees or groups, oftentimes those with access to money, sensitive systems or powerful people. For example, accounts payable departments and executive administrators are frequently targeted. Criminals may also target new hires and other “quick-to-click” employees, exploiting their desire to act fast on any requests or assignments. Criminals don’t have to search long and hard to identify good targets. There is an abundance of valuable data online, from LinkedIn career updates to employee details on company websites.
Intent: in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate normal conversations but not mention any requests. With this approach, they invest time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent requests – like a wire transfer – will appear authentic and usually get the target to complete the desired action. [Read more on how trust can be manipulated by tech in our report “Why People Make Mistakes”]
Impersonation: at the heart of every spear phishing attack is impersonation. The attacker is pretending to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals often impersonate an influential or powerful person – like a CEO – or a trusted company – for example, Microsoft – in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear phishing.
Payload: spear phishing emails may contain some form of payload to engage the target.
Basic impersonations include obvious payloads like links and attachments that appear legitimate, but which are in fact malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit a desired action. For example, “please wire payment to this account: 123-4567” or “Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?” By omitting conspicuous payloads, these advanced threats (aka zero payload attacks) can more easily slip through standard email defenses.
Advanced impersonation spear phishing falls into three categories.
Why is spear phishing so dangerous?
Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn. Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on-the-go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices. Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses – small and large – around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover.
How do you prevent advanced impersonation spear phishing?
Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine layer methods:
Payload inspection, like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and can falsely increase user confidence.
Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g. domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.
Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, different sender/reply-to addresses, etc.).
While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation. Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss. Tessian Defender’s stateful machine learning retroactively analyses historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption. To learn more about Tessian or book a demo of Tessian Defender, contact us here.
Why DMARC is Not Enough to Stop Impersonation Attacks
By Laura Brooks
30 July 2019
The UK’s National Cyber Security Centre (NCSC) reported that in the past year, it has stopped 140,000 phishing attacks and taken down more than 190,000 fraudulent websites. In its second annual report on the Active Cyber Defence (ACD) program, the NCSC details how its use of Synthetic DMARC has stopped sophisticated phishing operations, including one in which hackers used a gov.uk domain to impersonate an airline organization. While this approach of synthesising DMARC records has proven to be effective in stopping spoof email campaigns so far, the NCSC’s report also describes it as “an evil hacky kludge,” adding that more needs to be done to express policy ownership in domain hierarchies. Here, we address the shortfalls of DMARC and email authentication records, and consider what more can be done to stop strong-form impersonation attacks.
A necessary first step
95% of all attacks on enterprise networks are the result of successful spear phishing, which often involves an attacker directly impersonating the email domain of the receiver. For example, any attacker could send an email from your business email domain to an employee at your business, and the recipient would have no way to validate the sender’s authenticity in the absence of authentication records. SPF and DKIM are email authentication records that, in short, allow email clients to validate the domain name of an inbound email. DMARC enables organizations to specify how the client responds to emails that fail SPF or DKIM checks (generally reject, quarantine, or no action). SPF, DKIM, and DMARC are essential for preventing direct impersonation of your organization’s email domain. All email domains – especially those of trusted brands – are at risk of direct domain impersonation, regardless of past threat activity.
The darker side of DMARC
However, DMARC has its downsides. And while the NCSC has encouraged more UK businesses and government agencies to adopt DMARC, the report doesn’t shy away from bringing these shortfalls to light.
1. DMARC configuration is time-consuming and resource-intensive
The NCSC report states that “for any enterprise of a decent size, implementing DMARC is often a long process” and that “implementing DMARC is a lot harder than people will have you think.” Strict DMARC policies can, if misconfigured, block the delivery of real, legitimate emails. As a result, the ACD recommends organizations take time to digest DMARC reports and investigate the nuances of their mail infrastructure, before gradually moving to a more protective DMARC policy. Unfortunately, this process takes many organizations well over a year.
2. DMARC records are publicly available; attackers can work around them
DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it. Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack. For example, DMARC doesn’t protect against indirect impersonation, or domains that are similar to yours (e.g. @tassian.com, @tessian.outbound.com, @tessian.email). There are thousands of ways an attacker can make a new domain look similar enough to your domain to fool members of your organization. These new, legitimate domains are unprotected by DMARC. Perhaps because of DMARC’s public nature and the vulnerability of indirect impersonation, ACD data has yet to establish a causal link between increased DMARC adoption and decreased phishing.
3. External domains remain a threat
Configuring DMARC and other email authentication records is a necessary measure for preventing attackers from directly impersonating your organization’s email domain. Unfortunately, a high percentage of the emails your employees receive likely come from the domains of other organizations, such as partners, vendors, customers, and government bodies. Given that other organizations are unlikely to have authentication records in place, employees remain vulnerable to direct impersonation of their external contacts. Email authentication records and policies, then, are only a small piece of the puzzle for protecting your organization against spear phishing attacks. Impersonation is a difficult problem to solve. To accurately detect it, you need to understand what is being impersonated. You need to be able to answer the question, “for this user, at this point in time, given this context, is the sender really who they say they are?” Tessian Defender uses stateful machine learning models to analyze historical email data and understand relationship context, which means we can automatically detect the impersonation of both internal and external parties.
Why Financial Services Firms are Most Likely to Fall for Phishing Attacks
10 July 2019
Recent reports show that the number of cyber incidents reported by financial services firms to the Financial Conduct Authority (FCA) skyrocketed from 69 in 2017, to 819 in 2018. Ransomware and phishing attacks topped the list of reported cyber attacks, making the financial sector one of the most targeted industries for phishing crimes. With the threat of phishing and spear phishing attacks only growing in severity, being aware of potentially malicious emails and impersonation scams has never been more important. However, our report – Why Do People Make Mistakes? – worryingly suggests that people in financial services are the most likely to fall for phishing scams. We found that nearly one in three financial services workers has clicked on a phishing email at work, making it the sector with the highest percentage of people falling for these attacks. The problem is that people in financial services are under huge amounts of stress and pressure – and this often leads to mistakes online and puts cybersecurity at risk. For example, nearly half of the people we surveyed from financial services (49%) described their current workload is either ‘overwhelming’ or ‘heavy’, while 70% said there is an expectation within their organization to respond to emails quickly. Furthermore, an overwhelming majority 89% said they feel stressed at work, with nearly nine in 10 admitting they make more mistakes when stressed – significantly higher than the UK average of 71%. Stress and overwhelming workloads can, ultimately, increase vulnerabilities to threats given that a person’s ability to spot anomalies in a phishing email becomes influenced by other tasks requiring their attention at the same time. With so much going on, overworked employees will likely rely more on habitual behaviors that inform their decision making, rather than engaging in rational, analytical thinking. 
Tiredness, too, impacts our ability to question the legitimacy of the messages we receive, leading to what could be a costly mistake for any business. Mistakes are inevitable, especially when people are tired, stressed and facing a never-ending to-do list. Cybersecurity is the last thing on their minds, but it takes just one click on a malicious link or one response to a hacker’s request to compromise data and ruin a company’s reputation. So, as cybercriminals continue to hone their skills and make spear phishing attacks more targeted and more believable, businesses need to consider how to prevent the inevitable mistakes. Consider how best to protect your people. Alert them to potential threats and provide them with the information they need – in real time – to think before they click.
Spear Phishing
Ed Bishop: Spear Phishing and the Dangers of Impersonation
09 July 2019
Tessian CTO Ed Bishop runs through the most dangerous forms of spear phishing and email impersonation attacks threatening organizations.
Email allows us to interact freely. If you know someone’s address, you can send them an email, regardless of where in the world they are located or what device they’re using. Even if you don’t know someone’s email, it’s often relatively easy to guess. Email is also open by default. This openness has taken masses of friction out of global commerce, and is vital to our businesses. But there’s a tension here. An open network inevitably means risk to individuals and businesses alike. Organizations around the world handle sensitive material every day. Vigilance will always be important. But striking a balance between empowering employees and cracking down on suspicious activity has to be done sensitively.
Strong-form spear phishing is a particularly dangerous threat. Spear phishing takes advantage of email’s openness using advanced impersonation techniques undetectable by most filters and safeguards, creating significant headaches for information security leaders. It is the most insidious threat to email communication, and is the number one form of attack threatening enterprises today. The FBI now tracks Business Email Compromise (BEC), whereby spear phishing is used to extract large sums of money through illegitimate or unauthorized wire transfers. In 2018, the FBI estimated that in the previous five years, Business Email Compromise (of which spear phishing is an important component) had cost enterprises as much as $12.5bn. So how did this threat emerge?
The birth of phishing
Email was introduced in the 1970s. It didn’t take long for it to attract a parasite: spam, which arrived in 1978. Spam allowed emails to be sent to large numbers of recipients with minimal personalization. Originally invented for marketing purposes, it soon led to innumerable scams. By 2017, spam made up 55% of all emails received globally.
In response to spam detectors and blockers, attackers started to work harder. They turned to phishing. Phishing mimics the identity of trusted people and services in order to extract sensitive information, such as passwords or account numbers. Although they remain a threat, generic bulk phishing attacks can usually be prevented by legacy email security solutions. The problem, though, is that attackers have refined their approach over the years. They have invested more time and energy into targeting specific individuals, and have turned to public-domain information from sites like LinkedIn to personalize emails. As phishing has grown in popularity, other cybercrime strategies like ransomware and fraudulent online purchases have also become more prevalent. In 2017, hackers stole a staggering £130bn from consumers through these schemes. And information security professionals have their work cut out. Targeted, personalized attacks are constantly evolving. At Tessian, we see impersonation-based spear phishing as the next stage in this email arms race.
High-ranking employees are most at risk
From a technological perspective, spear phishing is much more difficult to filter out than run-of-the-mill spam or bulk phishing. This is because it is highly targeted towards particular individuals within organizations. Even the most cynical and risk-aware individuals can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees. This is not confined to mid-ranking employees: ‘whaling’ scams specifically target C-level executives, for instance. These nefarious tactics are not going away any time soon.
Secure Email Gateways: solving the problem?
To combat attackers, enterprises have traditionally used Secure Email Gateways to monitor attachments and URLs.
Today, almost every email provider or legacy Secure Email Gateway (a guard against malicious emails) will include a spam filter. However, there are always ways for attackers to get around these rule-based technologies. Cybercriminals may employ malware that evades software programs’ screening capabilities, for instance; alternatively, organizations might fall victim to a zero-payload attack that doesn’t represent a threat for weeks or months. So how have Secure Email Gateway structures attempted to address spear phishing issues?
Display address irregularities
Secure Email Gateways are designed to catch irregular display addresses. These occur when the target’s display address doesn’t exactly match the genuine address (changing an ‘n’ to ‘m’ and making ‘bank’ ‘bamk’, for instance). This check also looks for instances where a reply-to address is different from the sender’s own address.
Domain monitoring
Here, the Secure Email Gateway checks whether the sending domain has been recently registered, or whether it is registered as inactive.
The protective measures mentioned here can only ever be partially effective. That’s because they are focused on providing static, rule-based solutions: attackers can easily reverse engineer these rules and circumvent them. So how are cybercriminals evading Secure Email Gateways? At least in part by focusing on strong-form techniques.
Attackers are becoming more subtle
Attackers have a variety of ways to break down organizations’ defences, but strong-form tactics are especially hard for Secure Email Gateways and other rule-based systems to detect. We’ve already covered reply-to modifications, for instance. This is an example of weak-form phishing, which relies on targets not realising that the reply-to address of an email has been changed from the original ‘sender’. With strong-form phishing tactics, the reply-to address can appear to be exactly the same as the sender’s address. This has the potential to confound simplistic rule-based systems. A strong-form attack could be a homograph impersonation of a ‘trusted’ external counterparty, such as a law firm or an accountant. Here, other alphabets can be used to deceive targets into believing a domain or address is genuine. The English-language ‘a’, for instance, is very similar to a Cyrillic small letter ‘a’. This visual trick can be used to create alias addresses that could well deceive targets.
It might seem surprising that anybody can send an email pretending to be anyone, but current email protocols allow for this. Email authentication methods like SPF, DKIM and DMARC have been designed to try to confirm sender identities. The problem is that this can only be truly effective when every company in the world publishes its own email authentication record. Unfortunately, this is far from being the case: many Fortune 500 companies still have not published the recommended email authentication records. This gives attackers the means to find, through public domain data, any external counterparties without correct authentication records, and simply send emails pretending to be them. It’s clear that hackers are thinking about more subtle ways to breach organizations’ defences. As such, it’s important to understand how spear phishing works in practice.
The tip of the spear: breaking down intelligent phishing attacks
Understanding how spear phishing attacks are constructed is fundamentally important to the success of an information security team’s defences. So what are the key components of a spear phishing attack?
Target
The target could be any employee within your organization, but attackers may focus on high-ranking executives or members of the finance department. Cybercriminals can spend significant amounts of time researching and identifying the most vulnerable individuals.
Impersonation
The impersonation of another person or company is the core tenet of spear phishing attacks. Once a target is identified, the attacker may choose to impersonate a colleague or a trusted third party external to the organization (possibly someone who works at another organization they interact with regularly and trust).
Intent
Successful spear phishing attacks all manage to get the email recipient to take a particular kind of action. This could be wiring money to an attacker’s bank account, divulging login details or other sensitive data, or installing malware or ransomware on a device. Often, requests for action exploit organizational pressures to maximize urgency and time sensitivity.
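The three sender checks discussed above (a reply-to address that leaves the sender’s domain, a one-character lookalike such as ‘bamk’ for ‘bank’, and a Cyrillic homograph of a trusted counterparty’s domain) can be run as one small triage script. This is an added example, not Tessian’s code; the trusted domain list, the confusables subset and the four sample messages are all constructed for illustration.

```python
"""Flag weak-form (reply-to switch, one-character lookalike) and strong-form
(Unicode homograph) sender impersonation against a list of trusted domains."""
import email.utils
import unicodedata
from email import message_from_string

# Assumption: a small subset of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Constructed list of counterparties the organisation genuinely deals with.
TRUSTED = {"bank.com", "lawfirm.example"}


def skeleton(domain):
    """Lower-case, decode punycode (xn--) labels and fold confusables to Latin."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode form
    except (UnicodeError, ValueError):
        pass                                              # already Unicode
    return unicodedata.normalize("NFKC", domain).translate(CONFUSABLES)


def one_edit_away(a, b):
    """True when b differs from a by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                 # a is now the shorter (or equal) string
    i = j = 0
    seen_edit = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
        elif seen_edit:
            return False            # second mismatch: distance > 1
        else:
            seen_edit = True
            if len(a) == len(b):    # substitution consumes both strings
                i += 1
            j += 1                  # insertion consumes only the longer one
    return True


def lookalike_reason(domain, trusted):
    """Explain why `domain` resembles a trusted domain, or return None."""
    domain = domain.lower()
    if domain in trusted:
        return None                 # genuine counterparty
    sk = skeleton(domain)
    for t in sorted(trusted):
        if sk == t:
            return f"homograph of {t}"
        if one_edit_away(sk, t):
            return f"one character away from {t}"
    return None


def analyse(raw_message, trusted=TRUSTED):
    """Return a list of findings for one RFC 5322 message (empty when clean)."""
    msg = message_from_string(raw_message)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    sender_dom = sender.rpartition("@")[2].lower()
    findings = []
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_dom:
        findings.append(f"reply-to {reply_to} leaves sender domain {sender_dom}")
    reason = lookalike_reason(sender_dom, trusted)
    if reason:
        findings.append(f"sender domain {sender_dom}: {reason}")
    return findings


# Constructed samples: genuine, reply-to switch, n->m swap, Cyrillic homograph.
HOMOGRAPH = "b\u0430nk.com".encode("idna").decode("ascii")   # xn-- form on the wire
SAMPLES = [
    "From: Alice <alice@bank.com>\nSubject: Invoice\n\nSee attached.",
    "From: Alice <alice@bank.com>\nReply-To: alice@bank-secure.net\nSubject: Invoice\n\n",
    "From: Alice <alice@bamk.com>\nSubject: Invoice\n\n",
    f"From: Alice <alice@{HOMOGRAPH}>\nSubject: Invoice\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(analyse(raw) or ["clean"])
```

The domain-age check from the Domain monitoring section needs a registrar or WHOIS lookup and is deliberately left out, so this script runs entirely offline.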
Hacking the human
One successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage. While some enterprises are able to stop basic spear phishing, these attacks are becoming more sophisticated all the time. This isn’t surprising. The history of email security shows us that phishing attacks only become more advanced and personalized with time. In industries where many firms still rely on only traditional technologies like Secure Email Gateways to operate, the threat level is potentially even more potent. The rewards for attackers are large, and the risk for companies still larger. There is much to be done before organizations can be said to have the upper hand against these bad actors. By acknowledging the people that are at the heart of this battle, and by building products that understand and protect them, I’m confident that we can make significant progress.
*Interview condensed from Modern Law Magazine supplement, May 2019.
Spear Phishing
Why Law Firms are Falling for Phishing Attacks
By Cai Thomas
17 June 2019
Phishing is now the most common cyber attack affecting the legal sector. Last year, nearly 80% of law firms reported phishing attempts and, according to Osterman Research, the number of mass phishing attempts getting through to end users increased by 25% while spear phishing attempts rose by 26%. Sadly, hackers are also getting more successful in their attempts; the amount of money stolen from law firms as a result of phishing scams in the first quarter of 2017 was 300% higher than the year before. The simple fact is that law firms are a lucrative target for spear-phishing attacks because they hold many confidential secrets and deal with large financial transactions. It’s a problem that law firms have to tackle, or else face the devastating consequences that phishing scams can have for highly sensitive client data and the firm’s reputation. Worryingly, however, the Solicitors Regulation Authority (SRA) has stated that it is unrealistic to expect staff to identify all phishing emails. So what do you need to look out for? What are the techniques hackers are using to try to trick employees in their spear-phishing attacks? Here are the most recent trends:
1. Leveraging the LinkedIn treasure trove
Simply put, spear-phishing attacks are more sophisticated impersonation attempts, whereby an attacker skillfully leverages social engineering techniques to manipulate the targeted individual. To do this successfully, criminals gather publicly available information about a firm’s business in order to masquerade as a reputable employee or counter-party. Today, there is so much valuable data for criminals to easily access online – from your LinkedIn career updates to employee details on company websites. In the case of law firms, savvy criminals have also realised that any lawyer regulated by the SRA must legally ensure their contact details are publicly available online. With this information at their fingertips, criminals are quickly able to understand the most effective strings to pull. Falling for the deception, some firms have unknowingly transferred anything between £5,000 and £1m to cybercriminals. And by the time these law firms realised they’d been successfully attacked, it was too late.
2. Identifying prime targets
New joiners are an attacker’s ideal prey; fresh into the firm, they have an energy to act upon request and prove themselves. But this could be their, and your firm’s, downfall. One firm, for example, experienced an unfortunate incident whereby a new Finance Manager – just two months into the job – was fooled into transferring £60,000 to an impersonated supplier. Security awareness training on these types of attack, therefore, must take place as soon as an individual joins the firm. However, it’s not just new joiners that you need to be wary of. Leavers, too, pose a threat. A quick update on LinkedIn tells opportunist criminals of that person’s departure from a company, and we’ve seen that fraudsters are quick to piggyback this move – creating freemail impersonations of leavers to request credentials or documents or to change their bank details. In this case, staff should notify IT when a supposed leaver gets in contact, so that the identity of the sender can be confirmed.
3. Testing the waters
Another common technique is attackers masquerading as Managing Partners, starting emails with trivial subjects such as ‘How was your weekend?’ or ‘Do you have five minutes?’ in order to test a firm’s security. These introductory emails have no URL, attachment or payload included; they sail through a firm’s defences in order to start a conversation. In one particular incident, an email was sent to a law firm, supposedly from the ‘Managing Partner’, asking recipients to meet him at the local shop – you’d be surprised how many lawyers actually waited outside a corner shop! The reason for this technique? If an attacker notices weak layers of defence by receiving many responses from a particular firm, it signals that it is a target worth pursuing. The attacker is, then, more likely to deliver the real fraudulent email a few weeks later. If criminals find that they don’t get a bite from the initial bait email, however, they will likely move on. Another reason for this approach is that attackers tend to use the content within any bounce-backs and out-of-office emails to craft future impersonation attacks. Information such as the length of time a particular person is out of the office or the name of the person to contact in their absence helps an attacker build a legitimate-looking impersonation attack, making the message seem more believable.
4. Posing as a position of authority
In a number of cases, lawyers have been fooled by emails, supposedly from the High or Supreme Court, that include a false link to a ‘new legal case’. All too often, hackers will impersonate positions of trust and authority to convince victims to fulfill their requests. The problem is that, with the continued development and ubiquitous deployment of new technologies, the way in which trust develops online has shifted. Without the typical behavioral cues available to us when we interact with someone in person, trust is more easily manipulated and the believability of a message or online persona increases.
Protecting your people
As you can see, with our ever-growing digital footprint, cybercriminals are using a number of impersonation techniques to deceive unwitting victims into transferring finances or handing over credentials. These are just some of the recent approaches; there are many more, and firms need to be able to protect their people and, consequently, their data from all of them. Solely relying on rule-based phishing solutions will certainly protect your firm from some of the weak-form phishing attacks and impersonation techniques attackers are using. Training, too, will arm staff with the knowledge they need to identify the cues that signal a potential threat. However, it’s the strong-form impersonation and social engineering attacks that are becoming more prevalent across the legal sector that you need to worry about most. Attackers are only becoming smarter in their approaches to evolve the threat, bypass legacy secure email gateways and craft more convincing and persuasive messages. Firms, therefore, need to find ways to help their people spot the good from the bad and think before they click, in order to protect their data and systems.
Post originally appeared in Information Age.
Spear Phishing
Attackers are Using Microsoft Forms to Exfiltrate Data
22 February 2019
Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link. In an attempt to protect firms from credential pharming and malware, several email security providers including Proofpoint, Mimecast and O365 Advanced Threat Protection re-write and scan URLs within emails to verify that the URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new vulnerability involving the use of Microsoft Forms is being exploited by attackers.
How are they exploiting Microsoft Forms?
Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018.
Here’s how they work
You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect. Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection from Secure Email Gateways and ATP. Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data input into the form is automatically sent to attackers, bypassing security defenses.
Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks. As attackers become more sophisticated they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their vulnerability to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise. We have reported this attack to Microsoft and have recommended that unique client IDs are used in the Forms URLs to allow enterprises to build custom policies to warn users when the client IDs do not match. We will update you when we hear from Microsoft.