Email-based impersonation attacks aimed at key personnel are a major cyber threat to every organization. Cyber criminals impersonate business owners and executives using email tactics to steal money, data, or other sensitive information. According to Gartner, impersonation attacks are increasing due to the amount of trust users place on the identity of incoming email. Limiting significant financial loss depends on effective impersonation email filtering, improved sender and recipient relationship identity, and end-user training and education.
Impersonation attacks are usually text-based and appear as normal email traffic, making them extremely difficult to detect. Once delivered to the inbox, any email or content is left up to the user to determine if it is authentic.
Since 2016 the global financial loss from impersonation attacks, specifically Business Email Compromise (BEC) is more than $26 billion, according to the FBI’s public service announcement in September 2019. Because this is a growing problem, an email security solution must be able to effectively detect and block these types of threats.
To help organizations effectively combat impersonation threats, in the first quarter of 2019 we released FireEye Email Security Impersonation Detection for Server and Cloud Editions. The feature enables customers to upload their high-value targets (e.g. executive staff), ensuring emails that spoof these targets are thoroughly examined, significantly reducing the chances of an impersonation attack.
Impersonation Attacks Continue to Rise in Q2
As seen in Figure 1, we saw a 25 percent increase in impersonation attacks throughout the second quarter of 2019.
Figure 1: Impersonation attacks, Q2 2019. Source: The 3 Ts of an Email Attack: Tactics, Techniques, Targets.
Adaptive Impersonation Tactics
In the last few months, we have observed a shift in the impersonation trend. Alongside an increase in executive impersonation attacks, many companies have experienced supply chain impersonation attacks that involved their vendors being spoofed. In this highly targeted attack, hackers spoof a legitimate vendor, which does business with the targeted company, to intercept a bank transaction or wire instructions to get a hold of funds or sensitive information. The sophistication in these attacks has improved significantly, and many of the employees involved are easily tricked into “pulling the trigger” and following the fraudulent instructions.
As you can see in the email example from Figure 2, the message appears to be from Clarence DeCEOzar in the accounting and billings team at Steeling Savings Bank with a legitimate business issue and contains information relative to the recipient, Steve Jenkins in the Accounts Payable Department.
Figure 2: Impersonation email example
Figure 3 shows the same email on a mobile device. This is even more convincing as usually only the friendly display name is displayed, leaving out critical details about the sender’s true identity, which are not automatically displayed on most mobile devices.
Figure 3: Impersonation email example on a mobile device
The majority of fraudulent supply chain management emails are formulaic and iterated continuously over time. However, there are some core elements present in the majority of these emails, such as:
To an unsuspecting user, this email appears to be an innocent request and can trick them into making the payment, causing damaging financial loss.
In order to deal with this unique problem, FireEye recently introduced supply chain impersonation detection, which allows organizations to protect from fraudulent activity between an organization and its vendors. This feature applies behavioral analysis patterns alongside intelligence from our cloud detection engines, strengthening our impersonation protection specific to supply chain vendors.
Looking at the scenario in Example 1, we can see a legitimate communication between a company and a vendor on how to wire a payment for shipping services. This first example shows how legitimate communication is initiated between the company and the vendor.
Example 1: Relationship established between legitimate vendor and customer
Example 2 shows a similar communication pattern, but with much different intent. A spoofed vendor (Clarence) attempts to send an email to the customer (Steve) and our supply chain impersonation detection identifies three portions of the email as BAD and denies the email:
- Bad sender domain
- Suspicious content and URL detected
- No existing relationship
Example 2: Email relationship from bad actor denied
Here are some of the enhancements we’ve added to introduce this feature:
- We identify behavioral data upon customer deployment, then
- Observe new domains and review domain reputation (Figure 4) to determine which entities communicate with the customer and in what frequency
- When our solution recognizes a communication pattern that is different from the data we collected, we send the data to our cloud detection engines to add more details on the domain and email.
- Our cloud detection engines combine the data collected on the new domain with the email headers and pass the extended information back to the appliance.
- The appliance combines the data gathered with the email content analysis and decides whether the email is malicious or not based on all the factors.
Figure 4: Newly registered domain (Note: the registered-on date is usually hours or up to a day or so before targeted BEC emails are sent)
Impersonation email attacks are on the rise and three ways of reducing the chances of a breach via impersonation attack include: user education, implementing social graph impersonation filtering, and improved identification of suspicious email activity within the email workflow. The added supply chain impersonation detection feature to FireEye Email Security – Server Edition expands our overall impersonation protection across cloud and on-premise deployments.
Take a self-guided tour to learn how FireEye Email security detects and blocks advanced threats. To enhance visibility into login sources such as on-premise Active Directory or Office 365 to detect unauthorized activity, take a tour of our cloud-hosted security operations platform – FireEye Helix. Finally, enhance overall security with Expertise On Demand – a flexible, pay-per-use access to FireEye’s industry-recognized security expertise and threat intelligence.