FireEye Stories

Changing Tactics for Email-Based Cyber Threats

Malware such as ransomware and cryptocurrency miners commonly enter inboxes as attachments and have the potential to cause serious problems if downloaded; however, another type of email attack is on the rise. This often malware-less threat is known as CEO Fraud, or Business Email Compromise (BEC), and it is becoming increasingly popular among today’s attackers.

As an intelligence-based company, FireEye frequently analyzes email data to identify new trends and better the solutions that protect our customers. Recently, we released a report – Changes in Email Attack Tactics, Based on Data from July to December 2017 – that discusses current email attack trends, including how attackers are favoring malware-less attacks.

Unlike traditional email-borne threats that tend to distribute malware via attachments or links, impersonation attacks such as CEO fraud are typically malware-less. For these attacks, threat actors focus on impersonating a sender who is trusted by the receiver, such as a vendor, manager or executive. When the attacker feels confident that the receiver believes them to be the individual they are impersonating, they will then try to get the user to take a specific action, such as transferring money or providing access to confidential corporate information.

"In 2017, the IC3 received 15,690 [Business Email Compromise] complaints with adjusted losses of over $675 million."

-Internet Crime Complaint Center (IC3) 2017 Internet Crime Report 

Malware-less attacks are particularly dangerous because they are harder for both users and email security solutions to detect: they lack the traditional phishing and attack indicators. They also rely on techniques that many security solutions have failed to keep up with, such as newly existing domains and friendly display names. An email sent from a domain within the first 24 hours of that domain's existence is highly suspicious, because legitimate email typically isn’t sent right after a domain is registered. And since mobile email clients tend to show only the display name (e.g. Mike Smith) instead of the email address, cyber criminals take advantage of this by simply spoofing the display name – a fast and easy task.
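The two indicators described above can be checked at the mail gateway. The following Python sketch is an added example, not code from FireEye or the report; the protected-sender list, the domain first-seen table, the sample messages and all function names are constructed for illustration, and it assumes first-seen times are available from a domain registration data feed.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: people worth impersonating and their real addresses.
PROTECTED_SENDERS = {"mike smith": "mike.smith@example.com"}
# Constructed first-seen times; assumed to come from a registration-data feed.
DOMAIN_FIRST_SEEN = {
    "example.com": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "mail.test": datetime(2005, 6, 1, tzinfo=timezone.utc),
    "examp1e-payments.test": datetime(2017, 8, 14, 20, 0, tzinfo=timezone.utc),
}
NEW_DOMAIN_WINDOW = timedelta(hours=24)

def normalize(name):
    """Collapse case and whitespace so 'Mike  SMITH' matches 'mike smith'."""
    return " ".join(name.lower().split())

def check_message(raw, received_at):
    """Return findings for one message. received_at is the gateway's own
    receipt time, because the Date header is chosen by the sender."""
    display, addr = parseaddr(message_from_string(raw).get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Trusted display name paired with an address that is not that person's.
    known = PROTECTED_SENDERS.get(normalize(display))
    if known is not None and addr != known:
        findings.append("display_name_spoof")
    # Sender domain first seen less than 24 hours before receipt.
    first_seen = DOMAIN_FIRST_SEEN.get(domain)
    if first_seen is None:
        findings.append("domain_age_unknown")
    elif received_at - first_seen < NEW_DOMAIN_WINDOW:
        findings.append("newly_existing_domain")
    return findings

# Constructed messages and receipt time for the demonstration.
RECEIVED = datetime(2017, 8, 15, 9, 0, tzinfo=timezone.utc)
SPOOFED = "From: Mike Smith <mike.smith@examp1e-payments.test>\nSubject: Wire today\n\nAre you at your desk?"
FREEMAIL = 'From: "Mike  SMITH" <ceo.office@mail.test>\nSubject: Quick task\n\nReply when free.'
LEGIT = "From: Mike Smith <mike.smith@example.com>\nSubject: Agenda\n\nSee attached."

if __name__ == "__main__":
    for sample in (SPOOFED, FREEMAIL, LEGIT):
        print(check_message(sample, RECEIVED))
```

The second sample shows why the display-name check matters on its own: the sending domain is years old, so a domain-age rule alone would pass it.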

The Changes in Email Attack Tactics, Based on Data from July to December 2017 report provides a detailed look at these tactics to help organizations understand what this threat evolution means for their email security. Some additional highlights from the paper include:

  • 86 percent of attacks seen from July 2017 to December 2017 were malware-less.
  • 60 percent of malware-less attacks blocked in August 2017 used a URL from a newly existing domain.
  • Phishing attacks increased during the holiday season (October to December).
  • The majority of traffic (66 percent) seen was considered spam or high risk.
  • Most attacks – both malware and malware-less – were distributed on a Tuesday, which is also the day most email is opened.

Read our report Changes in Email Attack Tactics, Based on Data from July to December 2017 for more information on impersonation-based attack trends, and ensure your organization is prepared to defend against today’s most commonly seen email threats.

To learn more about impersonation attacks and changes in advanced email threat tactics, register for our live webinar on Thursday, June 21, at 8:00 a.m. PT/11:00 a.m. ET.