Executive Perspectives

Customers’ Biggest Email Security Concerns (Part Two)

To get a sense of what email topics are top of mind for cyber security professionals, we surveyed our customer advisory board (CAB) in the second quarter of 2019. Here is what these customers found most concerning:

  1. Impersonation, BEC (business email compromise).
  2. User email account compromise: stolen accounts used to impersonate the accounts payable (AP) department.
  3. Phishing emails that appear to be from a trusted third-party.
  4. User uncertainty about whether an email is a phish.
  5. User ability to spot phishing emails on a mobile device.

In the first post of this two-part series, we described why impersonation and user email account compromise are concerns for our customers, and also provided recommendations to address these pain points. In this second post, we’re talking about all things phishing.

Targeted Phishing Attacks

As long as email remains in use, phishing and spear-phishing campaigns will continue to be a top concern for IT security professionals and organizations alike. While some phishing campaigns are quite sophisticated, such as this intrusion campaign possibly conducted by APT29, other email-borne attacks are quite simple in comparison and yet still have a high success rate.

Our Q1 2019 Email Threat Report found a 17 percent rise in phishing attempts compared to the fourth quarter of 2018, so it doesn’t surprise us that three of our five top customer concerns relate to phishing. As seen in Figure 1, since 2017, we’ve observed an increase in malware-less emails (such as emails with URLs that lead to phishing sites) and a decrease in emails with attachments containing malware. This trend extended into 2018 and continues today.


Figure 1: Malware-less versus malware-based emails (source: All It Takes is One infographic)

As shown in Figure 2, the phishing attack landscape covers a large spectrum. At the left end, attackers run untargeted, high-volume phishing campaigns, counting on a broad spray-and-pray approach to achieve their ROI (return on investment). Moving to the right, attackers invest in reconnaissance to select and profile specific victims. They exploit readily available online information, such as LinkedIn profiles and Facebook accounts, to build portfolios of their targets (Figure 3).


Figure 2: Phishing attack landscape


Figure 3: A bad actor performs reconnaissance using LinkedIn

The attackers use the information gathered online to identify employees in relevant departments such as accounting. They then personalize the content of the emails, include credential-phishing links, and send the messages to targets who hold specific roles or administrator rights, or who work at specific organizations. Targets in accounting or information technology departments often hold privileges that are useful to attackers. The goal is to manipulate the unsuspecting recipient into, for example, clicking a link to a hosted phishing site and entering their credentials, which the attacker then harvests.

While the targeted approach requires an upfront investment of time to gather the victim's information, it typically achieves a higher success rate: the personalized email seems legitimate and psychologically manipulates the target into sharing confidential information.

Phishing Emails That Appear to Be From a Trusted Third Party

The prevalence of cloud-based applications such as Microsoft Office 365 has made the associated login pages a target for credential phishing. This was another trend highlighted in the Q1 2019 Email Threat Report. Each Microsoft application, including Outlook and OneDrive, has a different login page, which gives attackers several legitimate-looking pages to clone; in our report Microsoft was the most spoofed brand (Figure 4). One reason these spoofed (phishing) pages are so convincing is that the emails carrying the URLs to them appear legitimate and appear to be sent by a trusted brand.


Figure 4: Most common brands detected in phishing attacks, Q1 2019 (generic and spam phishing emails do not feature a brand)

User Uncertainty About Whether an Email Is a Phish

User uncertainty about whether an email is legitimate or a phish was one of the top concerns highlighted in our CAB survey, and with good reason.

While individually customized emails provide a high ROI, many cyber criminals have discovered a more efficient technique. By including a phishing link in an impersonation email campaign, attackers can send vaguer emails to a much larger number of people and still benefit from a similar open rate. Attackers spoof the friendly display name to make the message look like it came from someone familiar (Figure 5). For example, an address at a trusted payment company (companypayments.com) is placed in the friendly display name field, where a name such as Joe Smith would normally appear. Often the user does not notice the real sending address, badactor@adversary.com, or assumes it belongs to a legitimate recipient added to the thread. The user senses something isn't quite right but cannot pinpoint what is amiss, and is left uncertain about whether the email is legitimate or a phish.


Figure 5: Display name spoofing as seen on an Outlook desktop client

User Ability to Spot Phishing Emails on a Mobile Device

While the percentage of email read on mobile devices varies by source, one thing is certain: mobile devices have become the primary way we view email, outpacing both webmail and desktop clients.

As seen in Figure 5 and Figure 6, the actual sending address is badactor@adversary.com, while the friendly display name of joe.smith@companypayments.com gives the illusion at a glance that the email originated from companypayments.com. The friendly display name is free-form text in the From header that the sender controls; it is meant to provide a recognizable description of the sender, and nothing ties it to the real address. The mobile Outlook client defaults to showing only the friendly display name, which here is joe.smith@companypayments.com instead of the typical Joe Smith.


Figure 6: Display name spoofing on a mobile Outlook client


Figure 7: Display name spoofing in the message preview on a mobile Outlook client

As shown in Figure 7, when viewed at a glance on a mobile email client, the message preview makes the display name even more convincing, when in reality the email is from badactor@adversary.com.

The real email address used by the imposter is not easily visible in many mobile email clients, as they default to the friendly display name view for convenience (Figure 8).

Although very convenient, mobile devices have a disadvantage: the much smaller display makes it tougher to distinguish legitimate web pages from phishing pages. For example, a phishing page may feature a trusted brand’s logo, but with a slight design variation that is tough to notice on a small screen.


Figure 8: The real email address is exposed only after the user taps the display name, which is typically required to see it


Figure 9: Phishing for corporate credentials

Similarly, it might be tough to see that a URL has been altered to include an extra letter (typosquatting) or a visually similar character in place of the correct letter (a homoglyph, such as a zero for the letter o). Mobile users cannot hover over a link to preview its destination, making it difficult at a glance for many users to distinguish a legitimate website from a clone built to steal credentials. As shown in Figure 9, a highly successful tactic bad actors use is to clone login pages for cloud services such as Office 365 to steal corporate credentials.
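The lookalike-domain checks a mail gateway or browser extension could apply to the links described above, as an added example that is not part of the original post or of any FireEye product. The brand list (microsoft.com, office.com, onedrive.com, plus the page's companypayments.com), the confusable tables and the sample URLs are constructed for illustration; the parent-domain handling ignores the public suffix list, so treat it as a starting point rather than a production filter.

```python
"""Classify URL hostnames as legitimate, brand_in_subdomain, homoglyph, typosquat or unknown.

Added example, not FireEye code. PROTECTED_DOMAINS, the confusable tables and
SAMPLE_URLS are constructed; no public suffix list is consulted.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption: brands whose login pages we care about (compare Figure 4).
PROTECTED_DOMAINS = {"microsoft.com", "office.com", "onedrive.com", "companypayments.com"}

# Constructed confusable tables. Multi-character entries come first so that
# "rn" collapses to "m" before single characters are mapped.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
CYRILLIC_CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i"}


def hostname_of(url: str) -> str:
    """Extract the hostname and decode Punycode (xn--) labels back to Unicode."""
    host = urlsplit(url).hostname or ""
    if any(label.startswith("xn--") for label in host.split(".")):
        host = host.encode("ascii").decode("idna")
    return host.lower()


def skeleton(host: str) -> str:
    """Reduce a hostname to the string a victim perceives at a glance."""
    host = "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in host.lower())
    for lookalike, real in ASCII_CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


PROTECTED_SKELETONS = {skeleton(d): d for d in PROTECTED_DOMAINS}


def classify_url(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand); brand is None only for the 'unknown' verdict."""
    host = hostname_of(url)
    labels = host.split(".")
    # The host and each parent domain with at least two labels, so that
    # login.micros0ft.com is judged by micros0ft.com as well.
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]

    for cand in candidates:
        if cand in PROTECTED_DOMAINS:
            return "legitimate", cand
    # microsoft.com.login-verify.example: the brand is only a leading label.
    for brand in PROTECTED_DOMAINS:
        if host.startswith(brand + "."):
            return "brand_in_subdomain", brand
    for cand in candidates:
        brand = PROTECTED_SKELETONS.get(skeleton(cand))
        if brand:
            return "homoglyph", brand
    for cand in candidates:
        for brand in PROTECTED_DOMAINS:
            if levenshtein(skeleton(cand), skeleton(brand)) == 1:
                return "typosquat", brand
    return "unknown", None


# Constructed sample links, not captured phishing URLs.
SAMPLE_URLS = [
    "https://login.microsoft.com/",
    "https://login.micros0ft.com/",            # digit zero for the letter o
    "https://rnicrosoft.com/",                 # "rn" reads as "m"
    "https://microsft.com/",                   # dropped letter
    "https://microsoft.com.login-verify.example/",
    "https://intranet.example.com/",
]


def scan_urls(urls=SAMPLE_URLS) -> dict:
    """Map each URL to its (verdict, brand) classification."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, (verdict, brand) in scan_urls().items():
        print(f"{verdict:20} {brand or '-':22} {url}")
```

The skeleton step is what catches the homoglyphs the paragraph describes; the edit-distance step catches the extra or missing letter. A real deployment would replace the two small confusable tables with the Unicode confusables data and add a public suffix list so that, for example, a brand under co.uk is compared at the right label boundary.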

Attackers take advantage of psychological authentication: the recipient uses their imagination to form a picture of whom they are communicating with. In the initial communication, that mental picture is based on what the recipient sees, which is the friendly display name.

Another challenge with mobile devices arises when a phishing attack is wrapped in an impersonation package. A bad actor can easily set the friendly display name (such as Joe Smith in Figure 5 and Figure 6) to impersonate a company executive. Because the friendly display name is usually the only sender information shown by default on mobile devices, a user who is not careful could be tricked. Figure 5 shows the same email viewed in a desktop client, which reveals the phony email address.
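A gateway-side check for the two display-name tricks discussed above (an email address placed in the display name, as in Figures 5 to 8, and a protected person's name on an external sender, as in the executive impersonation case), written as an added example rather than code from the original post or from FireEye. It assumes example.com is the defended organization's domain, a small constructed list of protected names, and constructed From header values; badactor@adversary.com and companypayments.com are taken from the page.

```python
"""Flag display-name spoofing in From header values.

Added example, not FireEye code. INTERNAL_DOMAINS, PROTECTED_NAMES and
SAMPLE_HEADERS are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Assumption: the defended organization owns example.com.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: people attackers are likely to impersonate (executives, AP staff), lower-cased.
PROTECTED_NAMES = {"joe smith", "jane doe"}

# display-name <addr-spec>; the display name need not be quoted, which is
# exactly the form an attacker abuses to show someone else's address.
ANGLE_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$")
# Anything that looks like an email address inside free text.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(header: str):
    """Return (display_name, address) for a From header value."""
    m = ANGLE_RE.match(header)
    if m:
        return m.group("display").strip().strip('"').strip(), m.group("addr")
    # Bare addr-spec such as badactor@adversary.com, or something malformed.
    return parseaddr(header)


def check_from_header(header: str) -> list:
    """Return reason codes explaining why the header looks spoofed (empty if clean)."""
    display, addr = split_from(header)
    if "@" not in addr:
        return ["UNPARSEABLE"]
    sender_domain = addr.rsplit("@", 1)[1].lower()
    reasons = []

    # 1. The display name contains an email address whose domain differs from
    #    the real sender: joe.smith@companypayments.com <badactor@adversary.com>
    for embedded in ADDR_RE.findall(display):
        if embedded.rsplit("@", 1)[1].lower() != sender_domain:
            reasons.append("EMBEDDED_ADDRESS_MISMATCH")
            break

    # 2. The display name names a protected person but the message comes from
    #    outside the organization: Joe Smith (CEO) <joe.smith.ceo@adversary.com>
    normalized = " ".join(re.sub(r"[^a-z]+", " ", display.lower()).split())
    if sender_domain not in INTERNAL_DOMAINS and any(
        name in normalized for name in PROTECTED_NAMES
    ):
        reasons.append("PROTECTED_NAME_EXTERNAL_SENDER")
    return reasons


# Constructed sample From header values, not captured mail.
SAMPLE_HEADERS = [
    '"Joe Smith" <joe.smith@example.com>',                      # legitimate internal mail
    "joe.smith@companypayments.com <badactor@adversary.com>",   # the Figure 5/6 pattern
    "Joe Smith (CEO) <joe.smith.ceo@adversary.com>",            # executive impersonation
    "badactor@adversary.com",                                   # bare address, no display name
]


def scan(headers=SAMPLE_HEADERS) -> dict:
    """Map each header value to its reason codes."""
    return {h: check_from_header(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in scan().items():
        print(f"{'SUSPECT' if reasons else 'ok     '}  {header}  {reasons}")
```

The second rule is the one that protects mobile users, because the display name is the only sender information their client shows by default; pairing it with an "external sender" banner or a quarantine action gives the recipient the cue the small screen withholds.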

When we believe we are communicating with a trusted individual, such as our boss, a company executive, friends or family, we are far more likely to click a URL or attachment in an email, and attackers know it. Those actions can lead to malware being delivered to the endpoint or credentials being harvested, making this an effective tactic that carries little risk for the attacker.

FireEye has seen this tactic used not only by opportunistic attackers but by global threat actors as well. The international cybercrime group FIN7 is a prime example of an actor that uses these tactics to compromise high-value targets in almost every industry. FIN7 has previously impersonated trusted businesses and government entities to ensure a higher click-through rate on its phishing URLs.

Recommendations

A two-pronged approach that combines technology and user education is the best defense against targeted phishing attacks. An email security solution reduces the number of messages that can lead a user to download malware or click a malicious URL in the first place; if a suspicious email does slip through to the inbox, employees trained to err on the side of caution become a second layer of defense.

Organizations can be better prepared to defend against attacks. It is critical to choose an email security solution that:

  • Invests in malware-less threat protection
  • Evolves as quickly as the threat landscape to detect the newest impersonation techniques and phishing attacks
  • Builds detection capabilities based on real-time knowledge gained from the frontlines

Second, organizations need to take the time to educate users on how to spot phishing emails, and train them to verify that they are communicating with the right person and not an attacker.

Take a self-guided tour to learn how FireEye Email Security detects and blocks the latest advanced threats, including impersonation techniques.