Time to lock the door AND the windows: Understanding the spectrum of phishing attacks


Treating email attacks as a single category makes us think of them as one type of problem, and so we often look for one solution. The reality is more complex: email is a vast open network, and a range of fundamental controls need to be in place for an organisation to be considered secure. Here, we explore the different types of email attacks, what tools and techniques can reduce the risk of each of them, and where the DMARC protocol has most impact.

Sometimes people deem DMARC ineffective because it doesn’t cover all threat vectors for phishing attacks. But in email security, just as in other areas of security, there’s no silver bullet. As an example, for home security it is not enough to simply put a lock on the door - we know that we have to secure the door AND we have to lock the windows.

For each threat, we will offer a four-point overview to help you quickly understand what each threat means to your organisation.

●        Probability - The likelihood of you, or your company, receiving such an email
●        Plausibility - The likelihood of someone falling for such a scam if they have undergone some basic training
●        Pain - The scale of damage these attacks tend to cause if the recipient falls for them, whether a loss of money or data, or a malware infection
●        Protection - The steps you can take to protect yourself against the pain

Not-so-lovely spam!

Offers that are too good to be true

●        Probability: 5/5

●        Plausibility: 1/5

●        Pain: 2/5

●        Protection: Training, procedures, decent spam filter

At the least sophisticated end of the phishing spectrum we find spam: somebody trying to sell a service using a well-known brand or phrase to catch people’s attention. The sender’s name can contain phrases like “Amazon Rewards”, “Remortgage Quote” or “Fast 5K Loans”. They are mostly sent in bulk to hundreds of thousands of addresses and usually use a more reputable email address (i.e. an existing email account that the sender has compromised). When that address gets blacklisted they move to another one. Some of these emails are harmless (the harm is done to the domain owner); others can include fraudulent content.

An email from the Prince

●        Probability: 4/5

●        Plausibility: 1/5

●        Pain: 3/5

●        Protection: Training, procedures, decent spam filter

At this end of the spectrum we also find the scams where an individual, usually with a fake identity, sends bulk emails. In this group we find emails like the “Nigerian Prince” who will share his fortune if you help him retrieve it by making a “small” deposit to a legal firm. The fake inheritance and the international lottery, amongst many others, fall into the same list. These attacks are more specific in their message, and people who engage with the scammers can be groomed over a period of several weeks or months until they part with their money.

These scams were much more popular several years ago but today such attacks are caught even by the most basic filters that are built into consumer email-receiving servers and as such, are sent to the spam folder. If not, they are relatively easy to spot by most users who have become increasingly aware of how they work.

Gone phishing

Here is where things get more interesting. As attacks get more sophisticated they increase their focus on organisations and specific individuals in those organisations and this is where the concept of spear-phishing starts to arise.

Spear-phishing is a particular type of targeted email attack. Criminals use public information (LinkedIn, Angel List, Crunchbase etc) to understand critical reporting lines in an organisation as well as the names of key people in order to deliver impersonation attacks that target specific individuals. These attacks include things like financial fraud, ransomware, and theft of critical data.

Every organisation should be training its staff to recognise these emails and to be wary of the requests they make; for that reason I will not list training as a solution for the types of attack below. Instead I’ll focus on the technical solutions available to you.

Spear-phishing (Basic) - Fake address from a free email provider

●        Probability: 3/5

●        Plausibility: 3/5

●        Pain: 3/5

●        Protection: Training, procedures, decent spam filter, anti-phishing solution

In this version criminals create an email address with a free email provider (Gmail, Yahoo, AOL, etc.) using the name of the person they want to impersonate, then send an email to someone who would recognise that person. This approach allows for back-and-forth communication and has been made well known through a number of cases, one of the most recent being that of the CEO of Barclays, Jes Staley. Even though the attack was a prank by an unhappy customer, it became an embarrassment to the bank and highlighted the vulnerability of its email communications.

To reduce the risk, Barclays has since implemented alerts in the email client when employees email someone from outside the organisation. A similar solution has been recently implemented in GSuite and other tools. These alerts should be easy to spot for people who are paying attention.

Spear-phishing (Medium) - Cousin domains

●        Probability: 3/5

●        Plausibility: 4/5

●        Pain: 4/5

●        Protection: Training, procedures, decent spam filter, anti-phishing solution, DMARC

In this type of attack criminals register a domain that is similar to your domain but replace some characters with look-alikes - for example, replacing the letter L with the number 1 (apple.com becomes app1e.com). Then they use these domains to create email addresses and communicate with their victims. These attacks can be directed towards the staff of the organisation being impersonated but also outside the organisation, namely its clients, users, investors, and the general public.

To mitigate this risk, the recommendation is to buy the domains that look similar to your own, and also the country domains in the regions where you operate. Once you own all those domains you can park them with a DMARC reject policy and an SPF record that authorises no senders, so nobody can send emails using them.
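The two spear-phishing variants above (a staff member’s name on a free-provider address, and a cousin domain with swapped characters) can both be flagged at the mail gateway before a human has to spot them. The following is an added example written for this article, not a tool from the original post or from any vendor; the organisation domain, staff list, free-provider list and sample From headers are all constructed values, and the confusable-character table is a small illustrative subset rather than a complete one.

```python
"""Inbound sender impersonation checks: display-name spoofing and cousin domains."""
from email.utils import parseaddr
import re

# Constructed example data (hypothetical organisation, not from the article).
OUR_DOMAIN = "example-bank.com"
KNOWN_STAFF = {"Alice Example": "alice.example@example-bank.com"}
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}

# Look-alike -> character it imitates. Multi-character entries (rn ~ m) are folded
# before single characters so they are not broken up first.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "1": "l", "0": "o", "3": "e", "5": "s"}


def normalise_name(name: str) -> str:
    """Lower-case and strip punctuation so 'Alice  Example.' matches 'alice example'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


KNOWN_STAFF_NAMES = {normalise_name(n) for n in KNOWN_STAFF}


def canonical(domain: str) -> str:
    """Fold confusable characters so a cousin domain collapses onto the domain it imitates."""
    d = domain.lower()
    for look, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(look, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typo-squats and country TLD swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'cousin-domain', 'display-name-impersonation' or 'external'."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        return "internal"
    # Cousin domain: not ours, but identical once look-alikes are folded, or one edit away.
    if canonical(domain) == canonical(OUR_DOMAIN) or edit_distance(domain, OUR_DOMAIN) == 1:
        return "cousin-domain"
    # Free-provider address carrying the visible name of a known member of staff.
    if display and normalise_name(display) in KNOWN_STAFF_NAMES and domain in FREE_PROVIDERS:
        return "display-name-impersonation"
    return "external"


if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in ['"Alice Example" <alice.example@example-bank.com>',
                '"Alice Example" <alice.example1987@gmail.com>',
                "Alice Example <a.example@examp1e-bank.com>",
                "Bob Vendor <bob@supplier.example>"]:
        print(f"{classify_sender(hdr):28s} {hdr}")
```

In production the registrable domain should be taken from the Public Suffix List rather than by plain string comparison, and the verdicts would feed a banner or quarantine rule rather than a print statement; the classification logic itself is what the gateway check needs.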

Spear-phishing (Advanced) - Fake emails that use your actual domain

●        Probability: 3/5

●        Plausibility: 5/5

●        Pain: 5/5

●        Protection: DMARC, decent spam filter, anti-phishing solution, training, procedures

On the most sophisticated side of the spectrum we find criminals using a real email address from your organisation. This is possible because the email protocol itself does not verify that the sender is entitled to use the domain in the From address, so anyone can impersonate a domain very easily. As an example, I just sent an email to my account from deathstar.com. I didn’t use a business domain so I don’t single out anyone, but you might be surprised to learn that most FTSE 250 organisations are not DMARC protected and their domains can thus be used to send fake emails using the simple technique illustrated above.

Variants of this type of attack include whaling and clone phishing. The FBI categorises them as BEC (Business Email Compromise).

Here is a screenshot of an email from reception@deathstar.com that I sent to my email address.

This technique is used mainly to send CEO to CFO email scams. The FBI has reported USD 2.3 billion in losses due to CEO email fraud between 2013 and 2016. For these types of attacks criminals also use public information and identify their targets; the difference in this case is that the email looks real since it comes from the real email address of the impersonated individual. They usually ask someone in finance to transfer funds regarding a new deal, citing the proposed transaction as extremely important and urgent. Variations of this attack include installation of ransomware, theft of sensitive information and password harvesting.

The best solution here is to implement DMARC and configure your SPF and DKIM records properly. Once your configuration is complete, move your DMARC record to p=reject.
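Both the parked-domain advice in the cousin-domain section and the p=reject advice here come down to what is published in DNS. The following is an added example, written for this article rather than taken from it or from any vendor tool, that parses DMARC and SPF TXT records and lists what still needs fixing before a domain can be called locked down. The records and the reporting address are constructed values; a real check would fetch them with a DNS lookup.

```python
"""Assess whether a domain's SPF and DMARC records actually enforce anything."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def parse_spf(record: str) -> dict:
    """Return the SPF mechanisms and the qualifier on the final 'all' term; {} if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the implicit default
        body = term[1:] if term[0] in "+-~?" else term
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def assess(spf_record: str, dmarc_record: str, parked: bool = False) -> list:
    """Return a list of findings; an empty list means the domain is fully locked down."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    findings = []
    if not dmarc:
        findings.append("no valid DMARC record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC policy is p={policy or 'missing'}, not p=reject")
        # sp= defaults to p=, so a weaker explicit sp= silently unprotects subdomains.
        if dmarc.get("sp", policy).lower() != "reject":
            findings.append(f"subdomain policy sp={dmarc.get('sp', policy)} is weaker than reject")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"pct={dmarc['pct']} leaves part of the mail stream unenforced")
        if "rua" not in dmarc:
            findings.append("no rua= address, so you receive no aggregate reports")
    if not spf:
        findings.append("no valid SPF record")
    else:
        if spf["all"] != "-":
            findings.append(f"SPF ends in '{spf['all'] or ''}all' rather than '-all'")
        if parked and spf["mechanisms"]:
            findings.append("parked domain still authorises senders in SPF")
    return findings


# Constructed sample records (hypothetical domain and mailbox).
PARKED_SPF = "v=spf1 -all"
PARKED_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-bank.com"
LIVE_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.com"

if __name__ == "__main__":
    print("parked domain:", assess(PARKED_SPF, PARKED_DMARC, parked=True) or "locked down")
    for finding in assess(LIVE_SPF, MONITOR_DMARC):
        print("live domain:", finding)
```

The `~all` and `p=none` findings are the usual state of a domain half-way through a rollout: safe for monitoring, but still spoofable, which is why the article’s advice is to finish the job at p=reject.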

Mass phishing attack using your actual domain

●        Probability: 2/5

●        Plausibility: 4/5

●        Pain: 5/5

●        Protection: DMARC, decent spam filter, anti-phishing solution, Training, procedures

An additional and critical use of this type of attack is to send emails to a vast number of potential customers or users from a real domain. The best-known example in the UK is HMRC (the UK tax authority). HMRC was the number one spoofed brand in the country (2nd in the world). Since HMRC implemented DMARC in 2016 it has blocked 300 million phishing emails.

The solution here, as proven by the HMRC case, is also to have a DMARC policy in reject mode.

What next?

Overall, there is no silver bullet or single solution that solves all cases of email-based attacks. The solution should comprise initiatives in these three areas:

-          Staff training and clear procedures

-          Anti-phishing solution

-          DMARC in “reject” mode

The DMARC protocol is an extremely effective way to take control of the emails that use your domain. With a proper DMARC implementation an organisation can effectively block third parties that try to send email using its domain. This blocks CEO to CFO scams because criminals wouldn’t be able to send an email from the CEO’s address; similarly, it would block any scam that uses any other address from the organisation to target the organisation’s staff - e.g. it@your-organisation.com asking them to click a link to install the new security product, which could of course be ransomware. Not only that, but it also blocks anyone trying to use an organisation’s domain to send emails outside the organisation, to clients, investors and the general public.
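Why a p=reject record stops the “real address” attack while letting the organisation’s own mail through comes down to the receiver’s alignment check. The following is an added example, written for this article and not taken from it, of the decision a receiving mail server makes: it takes the From header domain, the SPF result on the envelope sender, the DKIM signature domains and the published policy, and returns the DMARC verdict and disposition. The scenario domains are constructed, and the organisational-domain shortcut (last two labels) stands in for the Public Suffix List lookup real receivers use.

```python
"""DMARC identifier alignment and disposition, as a receiving server evaluates it."""


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Real receivers consult the Public Suffix List; this shortcut is wrong for e.g. .co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489): 's' needs an exact match, 'r' (default) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, mail_from_domain: str, spf_result: str,
                   dkim_results: list, policy: dict) -> tuple:
    """Return (verdict, disposition).

    from_domain      -- domain of the RFC5322.From header the user sees
    mail_from_domain -- envelope sender domain that SPF was evaluated against
    spf_result       -- 'pass' or anything else
    dkim_results     -- list of (d= domain, result) for each signature
    policy           -- parsed DMARC tags of from_domain's organisation, e.g. {'p': 'reject'}
    """
    aspf = policy.get("aspf", "r")
    adkim = policy.get("adkim", "r")
    # SPF only counts when the envelope domain that passed also aligns with the From header.
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    # Any one passing DKIM signature whose d= aligns is enough.
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim) for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    p = policy.get("p", "none").lower()
    dispositions = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}
    return "fail", dispositions.get(p, "deliver (report only)")


# Constructed scenarios against a hypothetical protected domain.
REJECT_POLICY = {"p": "reject", "adkim": "r", "aspf": "r"}
SCENARIOS = {
    # Attacker puts reception@example-bank.com in From but sends from their own infrastructure:
    # their SPF passes for their own envelope domain, yet nothing aligns with the From header.
    "spoofed from header": ("example-bank.com", "bulk-sender.example", "pass", [], REJECT_POLICY),
    # Organisation's own mail: envelope and From match, SPF passes.
    "legitimate, spf aligned": ("example-bank.com", "example-bank.com", "pass", [], REJECT_POLICY),
    # Authorised third-party mailer signing with a subdomain: passes under relaxed alignment.
    "third party, dkim relaxed": ("example-bank.com", "bounce.mailer.example", "fail",
                                  [("mailer.example-bank.com", "pass")], REJECT_POLICY),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:28s} -> {evaluate_dmarc(*args)}")
```

The first scenario is exactly the deathstar.com demonstration from the receiver’s point of view: the forged From header has no aligned SPF or DKIM identifier, so the published p=reject turns it into a bounce instead of an inbox hit.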

If you don’t already know if your organisation has DMARC deployed you can check your DMARC status using a free online tool and if the answer is “no” then it’s time to start building your business case before the phishers strike.

Gino Coquis, Product Strategy Director, Red Sift
Image source: Shutterstock/wk1003mike