Email is such an integral part of everyday life we tend to ignore, or simply be unaware, that it is the biggest single threat to cybersecurity. Yet almost all cybercrime is either email-based, or employs email as part of the process.
Criminals play on our emotions, especially concern, fear, love, trust and greed, seasoned with a twist of urgency. For every national or international disaster, there will be a thousand criminals trying to exploit it. Consider the Coronavirus spread. Within days of a serious outbreak in Italy, 10% of all Italian organizations had been targeted by a phishing email that (translated) said, “Due to the number of cases of coronavirus infection that have been documented in your area, the World Health Organization has prepared a document that includes all the necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message.”
This is an example of standard spray and pray phishing – the attack is simply targeted at as many people as possible in the knowledge that some will be tricked. It should not be confused with spear-phishing where a single person or small related group of people are targeted in a victim-focused fashion.
The emotions being played in the Coronavirus phish are concern/fear, trust (in the World Health Organization), and urgency (protect yourself before it is too late). The attached and appealing document was titled, “Coronavirus: Important information about precautions”. Reading it leads to the Ostap Trojan-Downloader which has been used elsewhere to download the TrickBot banking trojan.
Coronavirus is being used as the ‘lure’ – the bait that tricks you into responding to the email. Lures change depending on the current circumstances and the target. General lures – as in this example – are used in large scale phishing campaigns. More specific lures based on the known interests of the target are used in focused phishing known as spear-phishing. But phishing is not the only threat that arrives by email.
Statistics behind the threat
Email threat statistics vary slightly depending upon their source and how the details are measured. Nevertheless, we can confidently say that 90% or more of all company breaches involve emails; 90% or more involve successful spear-phishing; and 90% of all malware is delivered by email.
On the consumer side, the latest FBI figures for the U.S., published in February 2020, highlight business email compromise (BEC), elder fraud (highlighting that the elderly are particularly targeted in all forms of email scams), tech support fraud and ransomware as ‘hot topics’. The first no longer affects just businesses, but can also be targeted at any person thought to have resources. The last, while now affecting businesses, is still delivered to consumers by email. The other two are, or often involve, email correspondence.
An example of BEC fraud against an individual (although she has a small business) was the loss of $380,000 by ‘Shark Tank’s’ Barbara Corcoran in February 2020. An email apparently from Barbara’s assistant successfully instructed her bookkeeper to send $388,700.11 to a company in Germany. Barbara commented, “I was upset at first, but then remembered it was only money;” a comment that would only come from someone who could afford to lose $400,000.
The FBI report puts some figures to other threats (but remember the reality is likely to be worse since this only covers crimes reported to the FBI). A few examples include $475 million lost by victims of confidence and romance fraud; $160 million lost to identity theft; $111 million to credit card fraud; $100 million to advance-fee fraud (the so-called Nigerian fraud); $54 million to tech support fraud; and so on. This is in the single year, 2019.
Attack and defense
Scams come in three basic formats: an attempt to engage the victim in conversation with the attacker (such as romance scams, advance-fee scams, lottery scams, and more); an attempt to make the target click a link and visit a malicious site; and an attached malicious (weaponized) document.
To a degree, common sense can protect us from the first – but the elderly, the lonely, the housebound and the anxious are at risk. If we have a relative or neighbor like this, we can help simply by taking an interest and being a support.
The malicious attachment and the malicious link are the more widespread general threats affecting all of us. The body of the mail will contain a social engineering message designed to lure us into clicking a link in the message or opening an attached weaponized document. The link could lead to a malicious site that might persuade us to enter personal details or bank account passwords, while the weaponized document might seek to install malware directly – anything from an information stealer, or banking fraud malware to ransomware.
The more advanced email attacks will ‘spoof’ the source. They will appear to come from and lead to legitimate or genuine sources. For example, if you know or work with JoeBloggs@xyz.com, criminals might attempt to register JoeBloggs@gmail.com and email you under that guise. Similarly, they might register lookalike domains – such as bankofamericaco.com (currently available) for bankofamerica.com – and develop the site maliciously. The intent is to get you to trust both the sender and the link destination.
If you think things are bad today, it’s only going to get worse in the future. Artificial intelligence and machine learning are touted as great security solutions. But they are also great attacker tools.
Machine learning is a technology where actions are learned from examining and analyzing masses of data – nowadays known as big data. Criminals have access to the algorithms that are used in machine learning. They also have access to huge amounts of data to teach their machines.
At some point soon, criminals will use automated machine learning against the billions of stolen credentials available on the dark web to learn targets and attack consumers at scale and automatically. The targeted attacks we currently call spear-phishing will be delivered at the scale of current ‘spray-and-pray’ phishing campaigns.
Email and browser filters
Major email providers and browsers attempt to filter out threats. Built-in ‘spam filters’ will quarantine and later remove the obvious attacks. This is great for removing a lot of the junk that arrives by email – but it cannot be relied upon to eliminate all phishing – or even any spear-phishing – attacks.
Similarly, major browsers will block us from visiting known malicious sites. But remember that criminals can produce new malicious sites faster than the good guys can find them. So, again, this is a help but not a solution.
Anti-malware is essential. Ignore the claims that it cannot detect all malware. That may be true, but it can and does detect the vast majority of malware. A good, up-to-date, mainstream anti-malware product will protect you from all but the most advanced attack technologies with the latest unknown malware.
But you cannot rely on it for total safety. Anti-malware is just the important starting point for your defense against the email threat.
DMARC and BIMI
DMARC (Domain-based Message Authentication, Reporting, and Conformance) and BIMI (Brand Indicators for Message Identification) are technologies that should be implemented by all companies operating online. DMARC works between the sending company and the receiving email provider to detect emails that spoof the company’s brand name. If fully deployed, DMARC will block all false emails that appear to come from legitimate companies.
DMARC is growing in usage, but only a tiny percentage of companies have as yet adopted it. Consumers are left with a problem: while it does stop spoofs from those companies who are using it correctly, the end-user could falsely believe that the emails received are legitimate when they are not (because the sender isn’t using DMARC).
A solution to this can be found in BIMI. Companies that have installed DMARC can use BIMI with the email provider to add a company logo adjacent to DMARC-protected emails. If this logo appears with the delivered email, it is a strong indication that the email is genuine.
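The difference between “using DMARC” and “using it correctly” comes down to the policy a company publishes in DNS. The following is an added example, not code from the article: it parses constructed DMARC TXT records (the domain names are placeholders) and reports whether each one would actually block a spoof, and whether it is strong enough for BIMI, which requires an enforcing policy.

```python
# Added example (not from the article): assess the DMARC policy a domain
# publishes at _dmarc.<domain> and whether it qualifies the domain for BIMI.
# The records below are constructed samples with placeholder domain names.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "broken.example": "p=reject",  # missing the mandatory leading v=DMARC1 tag
}

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> str:
    """Classify how much protection the record gives against domain spoofing."""
    tags = parse_dmarc(record)
    # Receivers ignore a record whose first tag is not v=DMARC1.
    if not record.strip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if policy == "none":
        return "monitor-only"  # reports are sent, but spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    if pct < 100:
        return f"{policy} ({pct}% of mail)"  # only a sample of spoofs is acted on
    return policy

def bimi_eligible(record: str) -> bool:
    """BIMI only displays a logo when DMARC is fully enforcing (reject or quarantine at 100%)."""
    return assess_dmarc(record) in ("reject", "quarantine")

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain}: {assess_dmarc(record)}, BIMI eligible: {bimi_eligible(record)}")
```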
While technology can reduce the email threat, it gets nowhere close to eliminating it. The final defense must be ourselves and our behaviors – we must be aware that we are all constantly under attack. All emails should be reviewed from a standpoint of initial skepticism.
The first advice is to reverse the Russian proverb, “Trust but verify”: we should now verify before we trust. If there is anything in the email that jars – spelling errors, grammatical errors we wouldn’t expect, or an attachment from someone we don’t know or who doesn’t normally send us attachments – take a pause and look closer. A good tip is to hold the cursor over the sender name and see the email address being used.
Here’s one I received recently. All I see is the sender: Support Team. But examining the address by holding the cursor over that name I see the real sender: ‘360GM67M.360GM67M@24b1t2t7.us’. I don’t think so.
The same process can be used with links embedded in the email body. What you see might simply be ‘Click Here’. If you hold the cursor over the link – without clicking – you will see the actual address. It may obviously be malicious, or it may be disguised via a bitly-style link shortening service. If the latter, ask yourself whether it is reasonable for the sender to use bit.ly.
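The two hover checks above can also be done programmatically on a saved message. This is an added example, not code from the article: it reads a constructed email that reuses the sender address and lookalike domain quoted earlier in the article, reveals the real address behind the display name and the real destination behind each link’s visible text, and flags link shorteners (the shortener list is a small assumed sample).

```python
# Added example (not from the article): expose what a display name and link
# text hide in a saved email. The message below is a constructed sample.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: small sample list

RAW_EMAIL = b"""From: Support Team <360GM67M.360GM67M@24b1t2t7.us>
To: you@example.com
Subject: Your account needs attention
Content-Type: text/html; charset=utf-8

<html><body><p>Please verify your account.</p>
<a href="https://bit.ly/3abcDEF">Click Here</a>
<a href="http://bankofamericaco.com/login">bankofamerica.com</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Pairs each <a> tag's visible text with its actual href."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def inspect_email(raw: bytes) -> dict:
    """Return the real sender address and, per link, the real host behind the text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    links = []
    for text, href in collector.links:
        host = urlparse(href).hostname or ""
        links.append({"text": text, "href": href, "host": host,
                      "shortener": host in SHORTENERS,
                      # visible text looks like a domain but is not the real host
                      "text_host_mismatch": "." in text and text.lower() != host.lower()})
    return {"display_name": display_name, "address": address, "links": links}

if __name__ == "__main__":
    for key, value in inspect_email(RAW_EMAIL).items():
        print(key, value)
```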
But a word of caution – be very careful if you do this on a mobile phone or laptop with a touchpad. Some touchpads are so sensitive that it is easy to click a link while all you intend to do is hover the cursor over it.
In the final analysis, the best single piece of advice for handling email threats is to adapt Benjamin Franklin’s comment, “Don’t put off until tomorrow what you can do today,” to ‘Don’t do now what you can as easily do later’. Inserting a delay between receipt of an email and reaction to that email will allow you to more easily see inconsistencies and hidden threats in the message.