The September Email Threat Report published by cybersecurity company FireEye has cast light on the latest tactics being used by cybercriminals to fool end users into disclosing sensitive information such as login credentials to online bank accounts and email services.
Phishing attacks continue to dominate the threat landscape and cybercriminals have been refining their techniques to achieve a higher success rate. Standard phishing emails, sent in huge batches to random recipients, require no prior research on an individual or company and can be effective if they reach an inbox. However, spam filtering solutions are now much better at identifying these ‘spray and pray’ email attacks and end users can identify these emails as malicious with relative ease if they do reach an inbox. Many phishers are now spending more time researching targets and are conducting much more sophisticated attacks to improve their success rate.
One of the most typical pieces of advice given to employees in security awareness training sessions is never to click on a link or open an email attachment that has been received from an unknown sender. If an email is received from a known person, it is much more likely to be trusted. It is also much more difficult for spam filtering solutions to identify these emails as malicious.
These impersonation attacks involve the attacker pretending to be a known contact, such as the CEO or a colleague. In order to pull off a scam such as this, the company must be researched to identify an individual within the company and to find out their email address. That individual’s email address is then spoofed to make it seem like the email has been sent from that individual’s email account.
Better still, if an email account of an employee can be compromised, it can be used to send phishing emails to colleagues from within the organization. These Business Email Compromise (BEC) attacks are even more difficult to identify as malicious, and if the CEO or CFO’s email account can be compromised, employees are much more likely to respond and open a malicious attachment or click an embedded hyperlink.
Rather than having to craft a message for one target, if access to an email account is gained, it becomes much easier to fool large numbers of people with general phishing emails. “By including a phishing link in the impersonation email, cybercriminals realized they could send out a vaguer email to a larger amount of people while still seeing a similar open rate,” wrote FireEye in the report.
This tactic works well if the email account has been compromised, but it is also effective if the display name is spoofed to show an individual’s real name rather than just the email address. Similarly, if the display name is doctored to show a real email address used by the company, many employees will believe the message has come from that individual and will not conduct further checks to determine whether the email is genuine. An alternative tactic is to register a domain name that is highly similar to one used by a company – with two letters transposed for instance – which can be enough to fool many employees.
These types of impersonation attacks are known as friendly name spoofing and are often effective. FireEye notes that there has been a major increase in these types of phishing attacks in the first half of the year. Further, many of these emails are being delivered – 32% according to the FireEye report.
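The three friendly name spoofing patterns described above (a known employee's name over a foreign address, a genuine company address planted in the display name, and a lookalike domain with transposed letters) can all be checked from the From header alone. The following Python is an added illustration of that check, not code from FireEye or from this article; the company domain, the staff directory and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed organisation data for the example (hypothetical values).
COMPANY_DOMAIN = "example.com"
KNOWN_STAFF = {  # normalised display name -> that person's genuine address
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Loose pattern for an email address embedded in free text (a display name).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def damerau_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    transposition of adjacent characters each cost 1. A distance of 1 between
    two domains catches the 'two letters transposed' trick in the article."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def analyse_from(header):
    """Return a list of finding tags for one From header value."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    name_norm = " ".join(name.split()).lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Display name carries an email address that is not the real sender.
    if any(embedded != addr for embedded in EMAIL_RE.findall(name.lower())):
        findings.append("display-name-contains-foreign-address")

    # 2. Display name matches a known employee but the address is not theirs.
    if name_norm in KNOWN_STAFF and addr != KNOWN_STAFF[name_norm]:
        findings.append("known-name-unknown-address")

    # 3. Sender domain is one edit (including a transposition) away from ours.
    if domain and domain != COMPANY_DOMAIN and \
            damerau_distance(domain, COMPANY_DOMAIN) <= 1:
        findings.append("lookalike-domain")

    return findings


# Constructed sample headers: one genuine, three spoofed.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jd1234@freemail.invalid>",
    '"jane.doe@example.com" <attacker@freemail.invalid>',
    "John Smith <john.smith@exmaple.com>",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(f"{hdr!r}: {analyse_from(hdr) or 'no findings'}")
```

The display name that contains an address is written in quoted form, which is how mail clients normally emit it; an unquoted name with an "@" in it is parsed differently by `parseaddr`, so a production filter should also inspect the raw header bytes. The staff lookup is deliberately simple (exact normalised name); a real deployment would also match "Doe, Jane", initials and common nicknames, and would pair these checks with SPF/DKIM/DMARC results on the envelope sender.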
The study shows not only how important it is to implement an advanced spam filtering solution to block these emails, but also how important it is for employees to receive security awareness training to help them identify attacks such as these and to condition employees to conduct further checks on the true sender of an email prior to taking any action.