Immunising against the spear phishing plague
By John Wilson, Field CTO, Agari
Email has become the primary tool of communication for organisations, both within the business and externally with customers and third parties. But with this proliferation, email has also been tirelessly exploited by sophisticated cyber-criminals. With no sender authentication built in, there is a fundamental flaw in the architecture of email that means anyone can send a message pretending to be from another person or brand. More worryingly, these illegitimate emails are carefully formulated, well written, seem to come from a trusted source and relate to actual issues, making it very difficult to tell sophisticated phishing emails apart from their genuine counterparts.
An increasingly popular form of email attack – spear phishing – is becoming a growing threat to businesses globally. Spear phishing is a highly targeted email attack and is currently thriving because people have become comfortable revealing a wealth of personal and behavioural data on the Internet. Attackers tap into an individual’s personal information to profile victims and create email messages crafted to appear to have come from a trusted source, in a context that puts the targeted victim at ease. The end game is usually to get the selected employee to share confidential business information or transfer money into an unknown account. Last year, the FBI reported that losses from one type of spear phishing, Business Email Compromise (BEC) scams, alone totaled more than $1.2 billion. So how can we start to recognise these scams?
The fingerprint of a spear phisher
BEC scams involve attackers who impersonate an executive of the organisation and email an employee with specific instructions or requests. The most common example is the so-called CEO wire fraud scam. The scam begins with an email “from” the CEO to the CFO, explaining that she needs an urgent wire transfer and that she’ll provide the details shortly. In these attacks, the From: address of the email has been spoofed, and a Reply-To: header has been added to the message so that replies route back to the fraudster. The criminal sets the display portion of the Reply-To address to be the CEO’s name, and since most email software displays only this text, rather than the actual email address, the victim cannot detect the deception visually.
The email generally ends with a simple question, such as “When is the cut-off to get this completed today?” or “What information will you need to process my request?” The purpose of the question is to elicit a response from the CFO. The fraudster provides the receiving bank account details for the wire only after receiving a response to his initial email. This reduces the chances of his bank account details being exposed to the police should the victim catch on to the scam.
The perpetrators of these scams utilise distinctive tradecraft. This fingerprint can tie attacks back to the same threat actor. After examining email data from just three clients, Agari observed the same fingerprint in attacks targeting all of them. This particular threat actor uses free webmail addresses as the Reply-To addresses. The subject lines are always short, such as “Hello John”, “Today”, or “Urgent”. Finally, this criminal sends several messages, spaced over the course of 2 or 3 weeks. Given the prolific nature of this threat actor’s work, we suspect he uses automation to craft and send at least the initial attack messages.
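The tradecraft described above (spoofed From:, a Reply-To: carrying the executive’s display name but a different, free-webmail mailbox, and a very short subject) can be turned into a simple header check that a mail gateway or SOC script could run on inbound mail. The following is an added example, not Agari’s code or product logic; the free-webmail domain list and the sample message are constructed for illustration.

```python
# Added example (not Agari's code): flag the Reply-To tradecraft described
# in the article: spoofed From:, Reply-To: with the executive's display name
# but a different (free webmail) address, and a very short subject line.
# The free-webmail domain list and the sample message are constructed here.
from email import message_from_string
from email.utils import parseaddr

# Constructed list of assumed free-webmail domains; extend for your environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message: str) -> list[str]:
    """Return the list of indicators matched by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = (msg.get("Subject") or "").strip()
    hits = []
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits.append("reply-to-domain-differs-from-from")
        # Display names match but the mailbox does not: the visual trick the
        # article describes, since most clients show only the display name.
        if reply_name and reply_name.strip().lower() == from_name.strip().lower():
            hits.append("reply-to-display-name-matches-from")
        if _domain(reply_addr) in FREE_WEBMAIL_DOMAINS:
            hits.append("reply-to-free-webmail")
    if subject and len(subject.split()) <= 2:
        hits.append("short-subject")
    return hits

# Constructed sample resembling the CEO wire-fraud lure described above.
SAMPLE = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: cfo@example.com
Subject: Urgent

Are you at your desk? I need an urgent wire sent today.
I'll send the details shortly. What information will you need to process this?
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE):
        print(hit)
```

A message that trips several of these indicators at once is a candidate for quarantine or out-of-band verification rather than automatic delivery.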
With the FBI reporting a 270% increase in reported global losses from January to August 2015 due to these types of scams, financial firms need to be vigilant with their email security.
Agari research also found that more than 85 percent of spear phishing attacks are enabled by legitimate cloud services, and the majority do not contain a malicious link or attachment, which makes them a lot harder to detect as fraudulent. Ultimately, no single email should be sufficient to move money and no one person should be able to initiate and approve a bank transfer. Savvy organisations need to ensure that there is a mixture of inbound and outbound channels that can be used to verify any request for confidential or financial information.
As the spear phishing threat continues to grow, organisations need a solution that considers sophisticated data science and email security intelligence in order to reinstill trust into the email ecosystem. Protecting corporate and customer data requires constant attention, and having an insight into the entirety of an email ecosystem is crucial. There is not a single solution available that can solve the breadth of the email security problem. What’s needed is multiple controls – a cocktail of complementary solutions that provides a multi-layered approach to cyber security where prevention, early detection, attack containment, and recovery measures are considered collectively. Only then can spear phishing be stopped before the problem becomes a plague.