Bad News - Attackers Are Launching Email Based Cyber Attacks As Never Before
Just as in 2016 and 2017, cyber criminals, malicious hackers and nations keep on targeting email inboxes this year. Corporate email accounts have always been a favorite target and, according to security experts, the business email compromise (BEC) industry alone will grow during 2018, resulting in $9 billion in damages compared to $5.3 billion at the end of 2016. In its recent survey “What CISOs Worry About in 2018”, Ponemon found that almost 70% of CISOs believe their organization is likely to fall victim to a cyberattack or data breach in 2018, with email overwhelmingly considered the most likely source of a potential breach.
Their worries make sense if we look at what happened during 2017. Roughly two thirds of all reported security incidents started with phishing emails or malicious attachments sent to company employees. The main reasons why email is easy pickings for cybercrooks are that it is simple, does not require massive resources and focuses on the weakest link in the organization: people. Furthermore, companies have a hard time detecting and mitigating security incidents quickly and accurately. Last but not least, employees use their BYOD devices for both business and private purposes. When it comes to phishing, two simulations yielded a near 100% click rate: one that masqueraded as a database password reset alert, and another that claimed to include an updated building evacuation plan. This underscores how effective social engineering is.
Furthermore, as the Yarrow Point cyberattack shows, aging systems in organizations such as municipalities and governments, combined with untrained staff, make easy targets for hackers. As part of an email scam, the financial coordinator of Yarrow Point, Wash., received an email that seemed to come from the town’s mayor asking to transfer money. He promptly wired $49,284 to an unidentified cybercrook. The email was sent by “Richard” although the mayor always used his nickname “Dicker”. A few months later, Yarrow Point fell victim to a ransomware attack, which locked down some of the town’s computer systems. Employees were denied access to files and in the end, nearly $10,000 in bitcoin was paid in ransom.
That’s why email attacks are not going away anytime soon. Hackers will keep on using email to spread malware and ransomware, to trick users into browsing to malicious websites in order to steal sensitive data, or to fool employees into transferring money.
Let’s have a quick look at some of the attacks that took place during the first two months of this year.
Business Email Compromise (BEC) attacks in particular use email impersonation, spoofing and spear-phishing to trick employees into wiring millions of dollars to the hackers’ shell corporations and corresponding bank accounts. (To learn more about BEC attacks, feel free to download our free white paper.)
On the bright side, there are some policies that organizations can deploy to prevent email attacks:
Although these measures will help, they are not enough to prevent email attacks. The best approach is to conduct a “security assessment” to expose the vulnerabilities within the organization by using a breach and attack simulation (BAS) platform.
That’s why Cymulate has developed its E-Mail module. This module (as part of its BAS platform) tests how prepared organizations from all industries really are when it comes to handling these threats. The simulation deploys offensive and defensive actions to expose critical vulnerabilities, such as sending emails containing ransomware, worms, Trojans, links to malicious websites etc., to see whether these emails would bypass the organization’s first line of defense and reach its employees. In the next step, organizations can also test their employees’ security awareness when receiving socially engineered emails that try to phish them into opening malicious attachments, disclosing their credentials or clicking on malicious links.
Eyal is the VP of Customer Success at Cymulate. During the last 15 years, Eyal has served in a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.