Cyber criminals increase email trickery and falsehoods to gain access to precious data
Phishing remains the most prominent and ubiquitous online threat and has increased dramatically throughout the year of the pandemic. Phishing is the use of malicious emails that appear to have been sent from a legitimate source but are designed to steal sensitive information from the target – usually password credentials and/or sensitive data (bank details, medical records etc). The same techniques of email trickery and falsehood used in phishing can also be used to deliver malware. In both cases, sophisticated social engineering arguments are used to fool the victim into thinking the email is genuine and any attachment is benign.
Almost all corporate breaches start with a social engineering attack; it is estimated that between 70% and 90% of breaches start in this manner. Phishing is the most prolific form of the two attacks. If a hacker can obtain a user’s credentials, he or she can bypass any access control defences in place. In this article we are going to discuss how social engineering is used to deliver phishing and email malware attacks, and how we can protect against them.
Recognising social engineering
Any phishing or malware delivery attack needs to do four things: make it to the inbox, grab the user’s attention, incentivise the target to act and get that target to give up sensitive data or detonate the payload. If any of these steps fails, the attack fails – so, recognising them either visually or with technology is essential.
First, the phishing email needs to bypass spam filters, so it isn’t automatically deleted. There are two places we or spam filters might notice a dangerous link – in the email header or within the body of the email. Attackers can forge the email header so that it appears to come from a legitimate sender, or they can register and use a lookalike domain (purely as an example, paypai.com could be used for paypal.com). Lookalike domains can similarly be used within the body of a phishing email – but a link to badhacker.com could also be shown as its hexadecimal IP address (an approach widely used in 2020), or an octal number, or an integer/DWORD. The success of social engineering attacks demonstrates how effective such trickery can be.
Once delivered, social engineering needs to manipulate the target into action, using a mixture of deception and emotional persuasion. The email needs to appear as if it comes from a legitimate or known source to fool the victim, whilst also giving a strong, urgent incentive to act. The latter requires a psychological trigger, usually greed or fear or urgency, to prompt the target into giving up personal information, visiting a malicious website or downloading from a malicious attachment.
For phishing, the usual intent is to persuade the target to visit a disguised but malicious website, where further social engineering techniques are used to persuade the victim to enter his or her username/password credentials, consent to an auth0 application or enter other sensitive data, such as banking details – which are then sent to the attacker.
Malware attacks usually involve a disguised or weaponised attachment. Such malicious attachments increasingly use a form of fileless malware contained in a macro or script. Social engineering is used to persuade the victim to open the attachment and consent to the macro being run. The malicious script triggers upon the endpoint, leveraging existing applications (such as PowerShell) to download and execute malware within the system’s memory. This is done without dropping any file onto the disc system, living and working in memory until persistence can be established.
Microsoft Office documents are a prominent vehicle for fileless malware, but because the document itself is not initially malicious – only when the hidden macro code within the document is executed – it becomes very difficult for traditional anti-malware solutions to detect.
Cyber criminals are always ready to exploit current events to make social engineering more effective, and the COVID-19 crisis is a dramatic example. The pandemic gives new opportunities to prey on users’ emotions – especially fear and urgency – while Government initiatives and business responses to COVID-19 can provide lucrative targets for fraudsters.
A freedom of information request on the BBC revealed in November 2020 that the BBC had received an average of 6.7 million spam and scam attacks each month during the year, with the highest amount received in March during the first peak in the COVID-19 pandemic.
The National Cyber Security Centre (NCSC) has revealed in its 2020 review that its new suspicious email reporting service (SERS) received 2.3 million reports in its first four months, at an average of 133,000 every week. It also noted that over the last year it has blocked 260 SMS Sender IDs believed to be involved in pandemic-related malicious SMS campaigns. In partnership with Netcraft, it took down more than 15,000 COVID-related malicious campaigns.
The review also noted that the Russian state-related Cosy Bear attack group used “a variety of tools and techniques, including spear-phishing and custom malware known as ‘WellMess’ and ‘WellMail’” to steal valuable intellectual property.
In the UK, personal details obtained through phishing emails or bought on the dark web have been used to fraudulently obtain loans from the Bounce Back Loan Scheme, an initiative intended to give businesses funds to help recover from the loss of revenue caused by COVID-19 and lockdown. The scheme has paid out over £40 billion in loans, with no way to measure how many pay-outs were fraudulent.
In 2019, over 8.5 billion records of user credentials were compromised, giving phishers a huge resource for spreading fraudulent emails. Phishing is often the first step in large-scale credential-stuffing attacks, where compromised login details from one service are used to try and compromise account security for other websites. Such attacks have surged during the COVID-19 crisis. Nintendo users have been among the biggest victims of these, with over 300,000 accounts compromised due to credential-stuffing between April and June. Even the food industry has been hit with credential-stuffing attacks; hackers have exploited new online ordering systems, implemented to protect customers and staff from COVID-19 as far as possible, in order to purchase food with other customers’ money.
There is no single solution to the dual threat posed by phishing and malware delivery via social engineering. Prevention is always better than cure, but that largely depends on the user being able to recognise the attack. Consistent user awareness training is the first and fundamental step. But while this training is essential, the empirical evidence provided by the continued success of phishing shows it is not enough. Technological solutions must also be employed.
The first is threat intelligence, to know what is happening in regard to the latest threats and provide the potential to stop attacks before they succeed through the use of additional solutions leveraging that threat intelligence.
The second is the ability to detect malware that is successfully delivered. The original anti-malware products will generally not be able to detect fileless malware execution. It is now necessary to adopt what is known as next-gen anti-malware. Such products use behaviour analysis, AI and machine learning to learn and detect how fileless malware operates. Sometimes this can be used to stop the malicious scripts as they move from the attachment to the computer system’s memory or be able to halt further stages of the attack. At other times they can detect the potentially malicious behaviour of the script as it executes and attempts to download additional malicious payloads into memory.
The final step to stopping the detonation of socially engineered threats is to interpret and act on the alerts generated by defences such as next-gen anti-malware and leveraging threat intelligence feeds. This is best done via a security information and event management system, better known as a SIEM. The difficulty for many companies, however, lies in the cost and skill set required to successfully manage this combination of products and processes. The solution here is to adopt a managed security service capable of maintaining the SIEM solution itself, whilst creating detection rules based on the latest emerging threat and being able to investigate and respond to those threats in a timely manner.
Top tips to spot a social engineering email:
- Is there an urgent call to action? Hackers and scammers need you to react emotionally. Is the email making you panic or tempting you with an incredible limited-time offer? That’s usually a sign that you should take a deep breath and check especially closely for the other signs of a phish.
- Does the email use your full, accurate name? This doesn’t always mean an email is safe, but legitimate services will contact you using the name you gave when signing up. A generic greeting like “dear valued customer” is often a sign of a fake email.
- Does the message request anything sensitive? Most companies will never ask for login credentials, financial information or personal data via email. If you think there is still a chance it could be real, contact the sender’s customer support to make sure they really did request such information from you.
- Is the message definitely from a trusted source? You shouldn’t only be on the lookout for generic or random-looking sender addresses here; remember that phishers may use lookalike addresses or imitate people in your contact list. Be on guard if you know david.atkins(@)business.com; phishers may try to fool you with david.atkins(@)gmail.com.
- Does the message link to an obfuscated URL? You should always take care to check where links are taking you before you click. In most browsers, hovering over a link will show you the destination in the lower left of the screen. If you recognise it – and it definitely isn’t a spoofed or lookalike URL – the email may well be safe. If it shows up as an unfamiliar website or links to a URL shortening service, like bit.ly, you should assume it is unsafe.
- Does the message include an attachment you were not expecting? If so, contact the sender by phone for confirmation of its authenticity.
CyberGuard Technologies – Raising Visibility, Managing Threats
CyberGuard Technologies provides a full range of IT security services from its UK security operations centre. Our cyber defences protect against the potential devastation of an attack from cyber-criminals including defending your finances, identity, reputation, data and your customers’ confidential information.
Working with leading technology providers in the cyber security sector, including Microsoft, Kaspersky Lab, Palo Alto Networks, WatchGuard and Carbon Black, among others, we protect our customers from end-to-end through; Security Testing, Managed Detect & Respond Services, Security Awareness Training and Cyber Certification, and provide reassurance in the event of an attack through fast and effective Cyber Incident Response, built upon sound threat intelligence gathered by our own team of cyber analysts coupled with intel from various global sources.
CyberGuard Technologies is CREST accredited, offers Cyber Essentials Plus certification, is a member of the IASME Consortium and Tigerscheme, which is a commercial certification for technical security specialists backed by University standards and approved by the National Cyber Security Centre (NCSC). It also holds ISO 9001 and 27001 standards.