Bad News - Attackers Are Launching Email-Based Cyber Attacks As Never Before
Just as in 2016 and 2017, cyber criminals, malicious hackers and nation states keep targeting email inboxes this year. Corporate email accounts have always been a favoured target, and according to security experts the BEC industry alone will keep growing during 2018, reaching $9 billion in damages compared to $5.3 billion at the end of 2016. In its recent survey “What CISOs Worry About in 2018”, Ponemon found that almost 70% of CISOs believe their organization is likely to fall victim to a cyberattack or data breach in 2018, with email overwhelmingly considered the most likely source of a potential breach.
Their worries make sense if we look at what happened during 2017. Roughly two thirds of all reported security incidents started with phishing emails or malicious attachments sent to company employees. The main reasons why email is easy pickings for cybercrooks are that it is simple, does not require massive resources and focuses on the weakest link in the organization: people. Furthermore, companies have a hard time detecting and mitigating security incidents quickly and accurately. Last but not least, employees use their own devices (BYOD) for both business and private purposes. When it comes to phishing, two simulations yielded a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan. This underlines how effective social engineering is.
Furthermore, as the Yarrow Point cyberattack shows, aging systems in municipalities and governments, combined with untrained staff, make easy targets for hackers. As part of an email scam, the financial coordinator of Yarrow Point, Wash. received an email that seemed to come from the town’s mayor asking him to transfer money. He promptly wired $49,284 to an unidentified cybercrook. The email was signed “Richard”, although the mayor always used his nickname “Dicker”. A few months later, Yarrow Point fell victim to a ransomware attack, which locked down some of the town’s computer systems. Employees were denied access to files and in the end nearly $10,000 in bitcoin was paid in ransom.
That’s why email attacks are not going away anytime soon. Hackers will keep using email to spread malware and ransomware, to trick users into browsing to malicious websites with the purpose of stealing sensitive data, or to fool employees into transferring money.
Let’s have a quick look at some of the attacks that took place during the first two months of this year.
- February 13, 2018. The City of Savannah, GA was hit by a cyberattack originating from an employee opening a malicious email containing malware. It caused interruption to customer service.
- In the week of February 12, the City of Allentown, PA was hit by a cyberattack originating from a malicious email containing malware dubbed Emotet. The self-replicating malware stole credentials such as passwords of city employees. The municipality was forced to shut down some financial and public safety operations. The total costs will be around $1 million, including $800,000 to $900,000 for repairing the damage that the virus has done.
- During February 2018, it was discovered that Fortune 500 companies were being targeted by an email scam luring authorized employees into transferring money to the attackers. This BEC campaign came from a Nigerian IP address and used a phishing kit to create spoofed DocuSign login pages on more than 100 compromised websites.
Business Email Compromise (BEC) attacks in particular use email impersonation, spoofing and spear-phishing to trick employees into wiring millions of dollars to the hackers’ shell corporations and their bank accounts. (To learn more about BEC attacks, feel free to download our free white paper.)
On the bright side, there are some policies that organizations can deploy to prevent email attacks:
- Educate employees about the risks to prevent social engineering.
- Make sure that systems and software are updated.
- Use an intrusion detection system that can flag e-mails whose sender domain is (too) similar to the corporate e-mail domain.
- Flag e-mail conversations where the “reply” e-mail address is different from the “from” e-mail address.
- Color-code e-mails from employee/internal accounts in one color and e-mails from non-employee/external accounts in another color.
- Apply two-factor authorization, requiring sign-off from two different employees, for all wire transfers.
- Use phone verification by dialing the telephone numbers registered in the system (and not the one in the email).
- Scrutinize all e-mail requests for suspicious transfer of funds.
- Implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard, which lets receivers verify the sending domain of an email message and tells them what to do with messages that fail the check.
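As an added illustration of three of the checks above (reply-to/from mismatch, lookalike sender domains, and reading the DMARC policy), here is a small Python example; it is not Cymulate code and assumes a hypothetical corporate domain `example.com` and a constructed sample message.

```python
"""Flag BEC-style emails: Reply-To/From mismatch, lookalike sender domain, external sender."""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"   # assumed corporate domain for this example


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value) -> str:
    """Extract the lowercase domain from a From/Reply-To header value."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def flag_message(raw: str, corp_domain: str = CORPORATE_DOMAIN) -> list:
    """Return a list of warnings for one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    flags = []
    if reply_dom != from_dom:                       # replies would go somewhere else
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    if from_dom != corp_domain and edit_distance(from_dom, corp_domain) <= 2:
        flags.append(f"lookalike sender domain {from_dom} (close to {corp_domain})")
    if from_dom != corp_domain:                     # basis for colour-coding external mail
        flags.append("external sender")
    return flags


def dmarc_policy(txt_record: str) -> str:
    """Return the p= policy from a DMARC TXT record (published at _dmarc.<domain>)."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else "missing"


# Constructed sample: lookalike domain (digit 1 for l) plus a foreign Reply-To.
SAMPLE = """From: Mayor <mayor@examp1e.com>
Reply-To: mayor.office@webmail-example.net
To: finance@example.com
Subject: Urgent wire transfer

Please wire the funds today.
"""
```

Running `flag_message(SAMPLE)` on the constructed message returns all three warnings, while a message from `ceo@example.com` with no Reply-To returns none.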
Although these measures will help, they are not enough on their own to prevent email attacks. The best approach is to conduct a “security assessment” that exposes the vulnerabilities within the organization by using a breach and attack simulation (BAS) platform.
That’s why Cymulate has developed its E-Mail module. This module (part of its BAS platform) tests how prepared organizations from all industries really are when it comes to handling these threats. The simulation combines offensive and defensive actions to expose critical vulnerabilities, for example by sending emails containing ransomware, worms, Trojans, links to malicious websites etc. to see whether these emails bypass the organization’s first line of defense and reach its employees. In the next step, organizations can also test their employees’ security awareness by sending socially engineered emails that try to phish them into opening malicious attachments, disclosing their credentials or clicking on malicious links.