Cyber security professionals are always thinking about the next big thing, be it a brand new attack or a concern with defenses. Email security is one topic that will never stop being a priority since everyone uses it and the email threat landscape is so vast. To get a sense of what email topics are top of mind for cyber security professionals, we surveyed our customer advisory board (CAB) in the second quarter of 2019. Here is what our these customers found most concerning:
- Impersonation, BEC (business email compromise).
- User email account compromise. Stolen accounts used to spoof accounts payable (AP) department.
- Phishing emails that appear to be from a trusted third party.
- User uncertainty about whether an email is a phish.
- User ability to spot phishing emails on a mobile device.
In this two-part blog series, we’ll discuss each of these pain points and provide recommendations to address them. This first post starts with the top two on the list, and check out Part Two for the rest.
The Most Popular Attack Vector is Here to Stay
A note before we get started: Modern businesses depend on email – it is the primary form of communication for most companies, and an overall incredibly useful tool. Like it or not, email isn’t going away any time soon.
Unfortunately, it happens to be the main entry point for attackers, contributing to more than 90 percent of all breaches. In fact, about one in every hundred and one email messages sent are malicious in nature. On the surface that may not sound like a significant number; however, when billions of emails around the globe are sent every day, it begins to add up. One interaction with a malicious email is all an attacker needs to possibly get through, and that can lead to significant financial loss and the organization becoming a headline in the news.
Impersonation attacks, such as business email compromise (BEC) and CEO fraud, are becoming a go-to for cyber criminals. These attacks often trick users into making a fraudulent wire transfer or giving away company information. The emails appear to originate from a trusted source, usually imply a sense of urgency, and are typically text-based and appear as regular traffic, making it difficult for email security solutions and users to recognize their inauthenticity. For example, a bad actor would impersonate a senior manager or supply chain partner to trick an employee into taking an action such as authorizing a fraudulent payment.
During the recent FireEye CAB meeting, enterprise customers noted impersonation is a problem as it relates to email. The consequences of impersonation attacks had included user and executive frustration, as well as financial loss. Our customers shared many examples of impersonation attacks that had affected their organizations. One set of customers ranked protection against impersonation (CEO fraud, BEC and supply chain) as the most important area to invest in during a simulated “Buy a Feature” game.
FireEye is seeing a significant increase in the use of impersonation techniques, and bad actors are innovating to stay ahead of evolving security defenses. New variants are described in our Q1 2019 Email Threat Report. One of these examples is a CEO fraud email directed to the Payroll Department (Figure 1). In this variant, the bad actor poses as an executive and requests the form necessary to change direct deposit instructions.
Figure 1: CEO fraud email directed to the payroll department
Another new variant is supply chain impersonation. In this case, bad actors compromise or impersonate a trusted partner that routinely interacts with users in the target organization to gain access to information or steal funds.
Malicious emails using these techniques are typically malware-less. The Display Name or mail header is simply manipulated. Email security defenses relying on attachment and URL analysis are unable to detect messages manipulated in this way. Because these techniques are difficult to detect, an organization may lack awareness that these types of messages are getting through, especially if the email security solution lacks the detection capability. Even if an organization isn’t seeing impersonation attacks today, it’s a problem the board will eventually read about in the news and question what’s being done to protect against it.
User Email Account Compromise
Cyber criminals are always innovating to find the best methods to trick users into doing their bidding. Sometimes the manipulated Display Names seen in impersonation attacks is enough, but sometimes a little more is needed. That’s when user email account compromise comes into play, turning an email attack from possibly suspicious into wholly convincing.
Our customers indicated that user email account compromise is a big concern. In particular, it’s the idea of attackers luring staff into sharing their email login credentials. For example, a bad actor sending an email with a URL that leads to what appears to be a legitimate-looking login page, but is actually a phishing site.
Once an attacker compromises a legitimate, trusted email address, the account is taken over and can be used for all sorts of malicious activity. One thing we regularly see attackers do with compromised legitimate accounts is send an email from that corporate end-user account to the organization’s accounts payable (AP) department requesting a fraudulent wire transfer.
Because wire transfer fraud has become so prevalent, many organizations have modified their internal controls so that two individuals are required to sign off on wire transfers above a specified limit. We also recommend organizations put procedures in place to confirm any requests from employees to change their personal details such as direct deposit instructions. Additionally, regular security training can help by bringing awareness about the latest email threats, including those posed by impersonation attacks and user email account compromise.
As seen on the list at the top of this post, our customers had several concerns related to phishing. Stay tuned for our second blog post in this series to learn all about this popular email attack vector. In the meantime, check out more about FireEye Email Security.