By Lior Kohavi, Chief Strategy Officer & EVP Advanced Solutions, Cyren
Malicious emails are one of the biggest threats facing organisations around the world today. Cybercriminals are continuing to target the workforce as the weakest link in any company’s defences, and enough of these attacks are hitting the mark that email has continued to reign as one of the most successful and lucrative attack methods.
Phishing emails, along with variants such as smishing and vishing, which use text and voice channels, were by far the most prominent type of cyberattack in the most recent FBI IC3 report, with over 241,342 complaints reported to the agency in the course of 2020. Criminals continue to deceive their victims into sharing login credentials and other data, paving the way for ransomware, fraud and a multitude of other crimes. Attackers know that if they can get past email security solutions, the same handful of tricks will work against their human targets.
The most dangerous form of malicious email is the Business Email Compromise (BEC) attack, in which the criminal assumes the identity of a trusted contact within the company, usually a senior executive. The FBI reported losses of $1,866,642,107 due to BEC over the last year, dwarfing any other kind of attack.
The growing email threat
Email has long been the favourite delivery method for cybercriminals for precisely the same reason legitimate sales and marketing teams rely on it – it’s a low-cost and accessible way to message thousands of contacts without any need for a prior relationship. The prominence of malicious emails has only increased in recent years as organisations progress their digital transformation agendas.
With the COVID-19 pandemic drastically accelerating the need to digitise business operations, email attacks also saw a huge boost. Google reported a record two million new phishing sites in 2020. In the UK, HMRC saw a 73% increase in phishing emails as criminals took advantage of the confusion and sought to scam individuals and businesses seeking financial support.
Even once the initial tumult of the pandemic settled down, the new digital environment proved to be fertile ground for cybercriminals. Remote workers are more susceptible to social engineering tactics as they are often more isolated and cannot simply turn to their colleagues and ask them to look over their shoulder at a suspicious email.
The increased digital presence of businesses has also been a boon to the fraudsters. Thanks to a booming market of accessible, low-cost cloud hosting services, it has never been easier for a business to get online and connect with prospects and customers. Cybercriminals are exploiting these same services to disguise themselves as legitimate, trusted companies.
Exploiting legitimate web tools
Website builders and content management service (CMS) platforms such as Wix, Weebly and Squarespace are simple, accessible, and inexpensive. Even the smallest and least-tech savvy businesses can quickly get online and build an attractive and simple web page.
However, these platforms offer a number of opportunities for exploitation in email attacks, ranging from compromises of the platforms themselves to simply using them to covertly host a phishing site.
One benefit for the fraudsters is that domains like wix.com are widely recognised and have a decent reputation. They tend to rank highly in things like the Alexa Top 500 list and have a high level of traffic and engagement. Accordingly, they are usually categorised as trusted by email security gateways and other security systems which have often been tuned to ignore them in order to reduce the number of false positives.
Using legitimate platforms gives the fraudsters a number of attack options. Most often this will involve crafting a fake login portal. Victims are directed to the site by phishing emails impersonating the brand, and the attacker can then harvest data. Banks and other financial services are a popular choice as a successful sting may grant attackers direct access to financial information. Such tactics are also often used as the first step in more complex cyber-attacks, gathering login credentials which can then be used in Business Email Compromise attacks, to infiltrate the network, or sold for a profit on the dark web.
Example one: Exploiting Wix.com
Imitating IT services is a particularly common approach for these attacks. Attackers may assume the guise of the company’s IT support personnel or may impersonate a service platform directly. Microsoft platforms such as SharePoint are the usual choice, given their ubiquitous nature in the workplace.
In one example recently examined, the attackers used the Wix website builder to create a fake Microsoft login portal and then sent out phishing emails with the title “Microsoft Urgent Message”. The email warned the recipient that 20 of their incoming messages had been blocked because their inbox needed to be verified, before providing a link to the fake login portal.
The message doesn’t quite line up with the way Microsoft handles account details, but the attackers are counting on busy and non-technical staff to respond to the threat of losing their emails and overlook these details. The attackers are playing the odds and the odds are usually in their favour. Clicking on the link and submitting login credentials will enable cybercriminals to access the account and exploit it for any number of damaging cyber attacks.
Example two: A multistage attack through Weebly.com
While many attacks use these basic but effective tactics, some scammers take more sophisticated and inventive approaches, creating multistage attacks that combine several elements. In another example analysed, the perpetrator sent out emails alerting the victim to a newly shared encrypted document and encouraging them to click a link to view it. Again, the attacker counts on the victim overlooking any discrepancies for fear of missing out on a potentially crucial work file. Sharing files via services like SharePoint and Google Docs has become a standard part of most working days; email gateways have been configured to trust these services, so few staff would question such a message in their inbox.
Clicking the link leads the recipient to a fake SharePoint page hosted on the website builder Zyro. The page displays a message that the visitor has multiple unread files to view and provides a “preview document here” button. Clicking the button leads to a fake Office 365 login page, this time hosted on Weebly, which prompts the user to confirm their details.
Example three: Using a compromised WordPress site
Rather than investing the time and resources needed to create a convincing new phishing site, attackers may also hack an existing one by exploiting a vulnerability. New vulnerabilities are discovered on a constant basis, and previously unknown “zero day” exploits are especially effective. However, even when an issue is known and the service host has issued a patch, it can still be exploited if website owners have not applied the fix.
WordPress, one of the most popular website platforms, has been particularly prone to exploits, thanks in part to the large number of plugins it supports. For example, the ProfilePress plugin enables admins to create and edit user profile pages, as well as frontend registration forms for users. However, a recent upgrade did not include safeguards to prevent users from supplying arbitrary metadata when entering their details. This gave threat actors an opportunity to escalate their privileges and gain admin access. The issue was patched just a few days after it was reported to the plugin developer, but it remains exploitable on unpatched sites.
Another recent issue enabled attackers to exploit the File Manager plugin to reach the wp-content folder, which holds the site's themes, plugins and uploaded media. The exploit allowed hackers to upload images containing hidden webshells, enabling them to run commands on the site. From there they could upload more malicious scripts and compromise other areas of the site.
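The image-with-embedded-webshell technique described above leaves artefacts a site owner can look for: script files sitting under the uploads tree, double extensions, image files whose first bytes are not an image header, and PHP open tags inside image data. The scanner below is an added example written for this article, not code from Cyren or from WordPress; the magic-byte table and extension list are assumed subsets, and the sample uploads tree it builds is constructed in a temporary directory with harmless marker strings in place of real webshell code.

```python
import os
import re
import tempfile

# Magic bytes expected for image extensions commonly found under wp-content/uploads
# (assumed subset for this example).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a typical PHP handler will execute; none of them belong in an uploads tree.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# PHP open tags; a genuine image never needs one.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_file(path):
    """Return the reasons a single file looks suspicious (empty list if clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    _, ext = os.path.splitext(name)
    parts = name.split(".")

    if ext in SCRIPT_EXTS:
        reasons.append("script extension inside uploads")
    # shell.php.jpg style names: a script extension hidden before the final one
    if len(parts) > 2 and any("." + p in SCRIPT_EXTS for p in parts[1:-1]):
        reasons.append("script extension hidden by a double extension")

    with open(path, "rb") as fh:
        data = fh.read()
    if ext in IMAGE_MAGIC:
        if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
            reasons.append("content does not match the image extension")
        if PHP_TAG.search(data):
            reasons.append("PHP open tag embedded in image data")
    return reasons


def scan_uploads(root):
    """Walk an uploads directory and map relative path -> reasons for every suspicious file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = check_file(full)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree():
    """Create a throwaway uploads tree: one clean image and four constructed bad files."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2021", "08")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,                          # clean JPEG header
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"<?php /* constructed marker */ ?>",  # valid magic, PHP inside
        "banner.gif": b"<?php /* constructed marker */ ?>",                      # not a GIF at all
        "avatar.php.jpg": b"<?php /* constructed marker */ ?>",                  # double extension
        "report.pdf.php": b"<?php /* constructed marker */ ?>",                  # script file in uploads
    }
    for fname, data in samples.items():
        with open(os.path.join(month, fname), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reasons in scan_uploads(build_sample_tree()).items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real `wp-content/uploads` directory with `scan_uploads("/path/to/wp-content/uploads")`; the magic-byte check catches the case the article describes (a file that is not an image but carries an image name), while the tag search catches a valid image with PHP appended after its header, which a magic-byte check alone would pass.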
Techniques like these can provide fraudsters with a variety of malicious powers, such as harvesting the data of visitors or infecting them with malware. Hackers can also manipulate a compromised site to redirect to their own malicious copy. This means they can deceive victims by sending them a link to a completely legitimate site, thereby bypassing email security tools, only to redirect them to a phishing site afterwards. Similar tactics are used for delayed activation attacks, where a completely legitimate link is included in the email but is redirected at a later date.
Knowledge is power – but is it enough?
If you know where to look, most deceptive email attacks contain clues that expose them as fraudulent. For example, spoofing tactics that change the displayed “From:” name in the email can be exposed by simply hovering the cursor over the name to reveal the actual sender address. Likewise, if a page claims to be a SharePoint login portal but the URL contains Weebly.com, clearly something is not right. There will also likely be multiple clues when a fraudster is impersonating a known contact, such as a different font, a missing email signature, or an odd tone.
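The clues just listed can be checked mechanically rather than relying on a busy reader to hover over every link. The script below is an added example written for this article, not code from Cyren or from any product it describes: it parses a raw message, compares the display name with the real sender address, checks whether Reply-To diverges from the sender, and flags a brand-themed lure whose links land on a website-builder domain. The domain lists are assumed and deliberately short, and both sample messages are constructed, modelled on the “Microsoft Urgent Message” lure described earlier.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Website-builder domains abused for fake login portals (assumed, illustrative list;
# a production filter would load this from threat intelligence feeds).
SITE_BUILDER_DOMAINS = {
    "wix.com", "wixsite.com", "weebly.com", "squarespace.com", "zyro.com", "zyrosite.com",
}
# Brand names that appear in IT-service impersonation lures (assumed list).
IMPERSONATED_BRANDS = ("microsoft", "sharepoint", "office 365", "office365", "onedrive", "outlook")
# Domains those brands genuinely use (assumed, incomplete list).
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "sharepoint.com", "office.com", "live.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable(host):
    """Collapse a hostname to its last two labels (naive; no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions_brand(text):
    lowered = text.lower()
    return any(brand in lowered for brand in IMPERSONATED_BRANDS)


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no clue fired."""
    msg = message_from_string(raw, policy=default_policy)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2]) if "@" in addr else ""

    # Clue 1: the display name borrows a brand the real address does not belong to.
    if mentions_brand(display) and sender_domain not in BRAND_DOMAINS:
        findings.append(f"display name '{display}' claims a brand but the address is {addr}")

    # Clue 2: Reply-To points somewhere other than the sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and "@" in reply and registrable(reply.rpartition("@")[2]) != sender_domain:
        findings.append(f"Reply-To {reply} does not match sender domain {sender_domain}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    claims_brand = mentions_brand(msg.get("Subject", "")) or mentions_brand(body)

    # Clue 3: the message talks about a brand but links to a site-builder host.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if claims_brand and registrable(host) in SITE_BUILDER_DOMAINS:
            findings.append(f"brand-themed message links to site-builder host {host}")
    return findings


# Constructed sample modelled on the lure described in the article; addresses and URL are made up.
PHISH = """\
From: "Microsoft 365 Support" <alerts@notice-center.example>
To: staff@victim.example
Subject: Microsoft Urgent Message
Content-Type: text/plain; charset=utf-8

20 of your incoming messages were blocked because your inbox must be verified.
Verify now: https://mailbox-verify.wixsite.com/login
"""

# Constructed benign message for comparison.
LEGIT = """\
From: "Microsoft 365 Message Center" <no-reply@microsoft.com>
To: staff@victim.example
Subject: Your monthly Microsoft 365 digest
Content-Type: text/plain; charset=utf-8

Read this month's updates at https://admin.microsoft.com/
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(raw) or ["no findings"])
```

The third clue is the one the article's examples hinge on: a reputable host such as wixsite.com is not suspicious on its own, so the check only fires when the message also claims to be from a brand that would never host its login page there.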
However, while all malicious emails have flaws, attackers are counting on their targets being too busy, apathetic, or uninformed to notice the discrepancies that will expose the message as a scam.
Deceptive email attacks count on end users being the weak link in the security chain. To combat this, organisations need to focus on improving the ability of their staff to identify and report malicious emails in their inboxes.
As email security solutions have improved, attackers have switched to more subtle social engineering techniques that are harder to filter out from legitimate email. As the costs keep mounting, it is clear that businesses need more effective ways to stem the tide, and many have turned to security awareness training (SAT), which aims to improve the workforce’s ability to spot the tell-tale signs of a malicious message. These courses usually cover the most common attack tactics, as well as best practice for activities like sharing data or credentials that could expose the company to cyber risk. SAT sessions are often accompanied by phishing tests that send simulated phishing emails to staff to measure awareness and response levels.
While this knowledge is important for fighting email attacks, training is ineffective in isolation. Most employees forget what they learned over time because they have no chance to internalise it. Even if an individual is tricked by a simulated phishing email, that is a fairly isolated incident and is unlikely to change their habits.
For many, such training sessions are more of a bother than anything – a distraction that is keeping them from their actual role. Even for those individuals who take the lessons to heart, few people can spare the time to play detective and scrutinise every email in their inbox for signs of a fake.
Creating a crowdsourced approach
Instead of corralling employees into annual training sessions, organisations need to make them an active part of the fight against email attacks. Alongside the knowledge to identify phishing and BEC emails, individuals need to be armed with tools to quickly and easily verify and report their suspicions.
Providing all personnel with the ability to scan their inboxes for malicious emails as and when they need to will help them to verify their suspicions without having to pause their busy workday to go through each message with a fine-toothed comb. Once the tool looks behind the scenes to identify signs of a malicious email, potentially dangerous messages are then reported to the IT security team for further investigation.
This creates a crowdsourced approach to email security. Not only will each worker be solving the email problem in their own inbox, but data from reported messages can also be used to detect and automatically eliminate similar messages across the organisation before they are even opened. Not only is the process very quick and unobtrusive for busy personnel, but it also demonstrates that they are providing tangible value in helping keep the entire company safe from attack. Unlike exercises using fake emails, this is no mere test – every action is making a real difference.
The crowdsourced data also provides valuable intelligence to aid in threat hunting activities by the security team. The more threat data end users report, the more information there is to train machine learning tools that can be used to quickly analyse large volumes of emails for similar attacks. This allows security practitioners to automate more of the investigation process, enabling them to be more efficient and focus on more high-value activity.
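One concrete form of the crowdsourced loop described in the last two paragraphs is to turn a single reported message into indicators and sweep other mailboxes for look-alikes before they are opened. The code below is an added example for this article, not Cyren's product logic: it extracts the sender, sender domain, a digit-normalised subject template and the linked hostnames from the reported message, scores every other message on how many of those it shares, and returns the ones above a threshold. The weights and threshold are assumptions chosen for the example, and the reported lure and the four-message mailbox are constructed, modelled on the shared-document lure from example two.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def indicators(raw):
    """Pull reusable features out of one message: sender, sender domain,
    a digit-normalised subject template and the set of linked hostnames."""
    msg = message_from_string(raw, policy=default_policy)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    # Replace digit runs so "20 messages blocked" and "14 messages blocked" collapse together.
    subject = re.sub(r"\d+", "#", msg.get("Subject", "").lower()).strip()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    hosts.discard("")
    return {
        "sender": addr,
        "sender_domain": addr.rpartition("@")[2],
        "subject": subject,
        "url_hosts": hosts,
    }


# Assumed weights; a candidate needs MATCH_THRESHOLD points to be pulled for review.
WEIGHTS = {"same sender": 3, "same sender domain": 1, "same link host": 3, "same subject template": 1}
MATCH_THRESHOLD = 3


def score(reported, candidate):
    """Score one candidate against the reported message's indicators."""
    reasons = []
    if candidate["sender"] == reported["sender"]:
        reasons.append("same sender")
    elif candidate["sender_domain"] == reported["sender_domain"]:
        reasons.append("same sender domain")
    if candidate["url_hosts"] & reported["url_hosts"]:
        reasons.append("same link host")
    if candidate["subject"] == reported["subject"]:
        reasons.append("same subject template")
    return sum(WEIGHTS[r] for r in reasons), reasons


def sweep(reported_raw, mailbox):
    """Return {message_id: (score, reasons)} for every message that resembles the report."""
    ioc = indicators(reported_raw)
    hits = {}
    for mid, raw in mailbox.items():
        points, reasons = score(ioc, indicators(raw))
        if points >= MATCH_THRESHOLD:
            hits[mid] = (points, reasons)
    return hits


# Constructed reported lure; sender and URL are made up.
REPORTED = """\
From: "SharePoint Online" <share@docs-notify.example>
To: alice@victim.example
Subject: You have a new shared encrypted document
Content-Type: text/plain; charset=utf-8

A colleague shared an encrypted document with you.
Preview document here: https://files-preview.zyrosite.com/view/8812
"""

# Constructed mailbox: two variants of the same campaign, one unrelated message from the
# same sending domain, and one genuine internal share.
MAILBOX = {
    "m1": "From: \"SharePoint Online\" <share@docs-notify.example>\nTo: bob@victim.example\n"
          "Subject: 2 new shared encrypted documents are waiting\nContent-Type: text/plain\n\n"
          "Preview: https://files-preview.zyrosite.com/view/9031\n",
    "m2": "From: \"SharePoint\" <notify@docs-alert.example>\nTo: carol@victim.example\n"
          "Subject: You have a new shared encrypted document\nContent-Type: text/plain\n\n"
          "Open: https://files-preview.zyrosite.com/v/1177\n",
    "m3": "From: admin@docs-notify.example\nTo: dave@victim.example\n"
          "Subject: Invoice 4471 attached\nContent-Type: text/plain\n\n"
          "See https://billing.example/inv/4471\n",
    "m4": "From: \"Jane\" <jane@victim.example>\nTo: alice@victim.example\n"
          "Subject: Shared with you: Q3 plan\nContent-Type: text/plain\n\n"
          "https://victim-corp.sharepoint.com/sites/plan\n",
}

if __name__ == "__main__":
    for mid, (points, reasons) in sweep(REPORTED, MAILBOX).items():
        print(mid, points, reasons)
```

The scoring deliberately gives a shared link host or identical sender enough weight on its own to cross the threshold, while a matching sending domain or subject template only counts as corroboration; that keeps an unrelated message from the same domain (m3 above) out of the quarantine set, which matters because the hosts involved are legitimate platforms that other, harmless messages may also link to.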
As cybercriminals continue to refine their email attacks and exploit legitimate resources such as website builders to aid in their deception, organisations need to build a new line of defence. Equipping personnel with the means to quickly and easily scan potentially malicious messages will help them to transform from being a weak link to an active part of the defence against email attacks.