Blitzkrieg - changing tactics in the email security wars

By John Leonard
23 May 2014

"As a result of last week's hacking incident it is feared that a number of customer records may have been compromised or stolen. We strongly urge you to check your details and change your password now. Click here to login."

Actually don't unless you want to lose your data for real. Or worse.

Effective phishing attacks go to great lengths to be convincing. They vary their message according to news stories and real events and draw on a variety of media, methods and psychology to achieve their goals: social engineering, infected web pages, watering hole attacks, disgruntled or greedy insiders, compromised servers and botnets, and weaknesses in the supply chain - such as the recent attack on retail giant Target, which began with a targeted phishing attack on a heating and air conditioning contractor that serviced the firm's stores.

Networked organisations offer the would-be attacker a huge variety of vulnerabilities to exploit, but every attack needs a way in. Despite the rise of the social and mobile web, the vector favoured for the initial intrusion, the first of what may be 20 or more stages in a campaign, remains email.

"Something like 95 per cent of all data theft starts with a targeted email attack," Patrick Peterson, CEO of email security firm Agari, told Computing. "Verizon estimates that about 18 per cent of us will respond to a targeted phishing email."

Some thought the rise of social media and instant messaging would topple email from its position of communications tool of choice, but the medium has proved them wrong.

"Consumer email may have reached its apex but business email is just rising and rising," Peterson said.

"Interestingly, the biggest sender of email in the world is Facebook. When one of my friends I care about on Facebook does something, I get an email. When someone shares a file with me on Google Drive, I get an email."

Email has, of course, long been the tool of choice for spammers too. A quick glance in the spam folder reveals it remains very popular with bogus African royalty and dubious purveyors of pharmaceuticals, but, says Peterson, these are small fry, not the ones to be worried about. For one thing the vast majority are caught by spam filters, and for another, familiarity with their methods has meant a steady decline in their effectiveness.

"Those are the crap criminals," he said, contrasting the mass spammers with the really effective underworld hackers, for whom he professes a sneaking admiration.

"They are fantastic business people, not particularly nice or ethical business people but they're really good at putting together a business model with a coalition and iterating very rapidly to be successful."

Compared with mass spam campaigns, the volume sent does not have to be huge. Successful cybercriminals eschew the blunt instrument of the botnet, except to compromise other mail and web servers. Using thorough reconnaissance, rigorous attention to detail and selective deployment of malware, they typically run small test attacks before launching, keeping numbers low to avoid detection.

However, a change has been observed recently. Rather than being a persistent background threat, criminals have started launching targeted emails in surges lasting two or three days.

"We use the term Blitzkrieg," Peterson explained. "Typically for months you will see low levels of activity because they are busy compromising other email and web infrastructure and testing their approach. Then one day instead of 5,000 emails a day you'll see 10 million."

Rather than sending them using a botnet, which will most likely see them end up in the spam folder, these emails come from a trusted source – "a hairdresser, a restaurant, an observatory that has been compromised" – and are therefore far more likely to reach the target, because the sending servers have a clean history and pass beneath the thresholds of reputation-based filtering.

"Then you click the link and bang! It's GameOver Zeus, or CryptoLocker," Peterson said, referring to a banking Trojan and a strain of ransomware, both of which are spread by email.

"We're seeing the weaponisation of malware in the email channel. In the last three months they've really hit their stride," he went on.

Agari's recent TrustIndex Europe report identifies airlines, banks and healthcare as particularly badly affected by brand-abuse in spoofed emails.

"Two-thirds of the calls to the Delta Airlines helpdesk in one 24-hour period were from people saying, ‘Hey, I just got this receipt from you for a flight I didn't book'," Peterson said.

"And the thing is, there's nothing their security guys can do about it. It's not their servers being used. It's not their payment system or their website or their anti-fraud system. It's just their brand that is being used to get people to click on the link."

This means the brand's own security controls are powerless: none of its infrastructure is involved, so there is nothing for its perimeter to block. The only party in a position to stop the message is the receiving mail system, and it needs a way to verify that a message claiming to come from a domain was actually authorised by that domain's owner. It is a problem of authentication.

A veteran of the email security business, Peterson was instrumental in the creation of DMARC (Domain-based Message Authentication, Reporting and Conformance). This open specification builds on the existing SPF and DKIM standards and is used by email services such as Yahoo and Gmail, covering over two billion mailboxes.

Through DMARC, an organisation publishes a DNS record stating how receivers should treat mail claiming to be from its domain that fails authentication (monitor only, quarantine or reject). A message passes only if the domain in its From: header matches the domain that SPF or DKIM actually vouched for. Participating receivers also send the domain owner aggregate reports listing every IP address and domain that has sent mail using its name, which reveals legitimate third-party senders and spoofers alike.

Agari provides a big data platform and analytics tools on top of DMARC that allow its customers to analyse this information and implement rules in real time. The underlying result is binary: a message either comes from infrastructure the brand has authorised or it does not. With a reject or quarantine policy published, emails purporting to be from Delta Airlines but which actually emanate from a hairdresser are discarded or quarantined by the receiving provider before they ever reach their target. The check covers only use of the protected domain itself in the From: header; lookalike domains and a forged display name over an unrelated address remain outside its scope.
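The pass/fail decision described above, written out as an added example (not Agari's code and not from the article): a receiver parses the brand's published `_dmarc` TXT record, checks whether the SPF and DKIM identifiers align with the From: domain, and returns the disposition the policy asks for. The domains `example-airline.test` and `hairdresser.test`, the DNS record and the organizational-domain shortcut are all constructed for illustration; a real verifier also performs the DNS lookup and consults the Public Suffix List.

```python
"""DMARC disposition check (added example, not Agari's code).

Parses a _dmarc TXT record, applies identifier alignment to the SPF and DKIM
results a receiver already has for a message, and returns the action the
published policy asks for. Domains and the DNS record are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed answer for: TXT _dmarc.example-airline.test (not a real domain).
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "pct=100; rua=mailto:dmarc@example-airline.test")


@dataclass
class AuthResult:
    """What the receiver's SPF and DKIM checks concluded for one message."""
    spf_pass: bool
    spf_domain: Optional[str]   # RFC5321.MailFrom domain the SPF check ran against
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a DKIM-Signature that verified


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in the spec defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Reduce to the registrable domain. Assumption: last two labels. A real
    verifier uses the Public Suffix List so that e.g. 'bbc.co.uk' is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_disposition(record: str, header_from: str, auth: AuthResult) -> str:
    """Return 'pass', or the policy ('none', 'quarantine' or 'reject') that
    applies to a message whose From: domain is header_from.

    Assumption: `record` is the one published at the organizational domain of
    header_from, so sp= governs subdomains when it is present."""
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_pass and aligned(header_from, auth.spf_domain, tags["aspf"])
    dkim_aligned = auth.dkim_pass and aligned(header_from, auth.dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"   # one authenticated, aligned identifier is enough
    is_subdomain = header_from.lower() != organizational_domain(header_from)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    # pct<100 would apply `policy` to only that share of failing mail and the
    # next-weaker action to the rest; this example assumes pct=100.
    return policy


if __name__ == "__main__":
    # The spoof in the article: a compromised hairdresser's server sends mail
    # with From: receipt@example-airline.test. SPF and DKIM both pass, but for
    # the hairdresser's own domain, so neither identifier aligns.
    spoof = AuthResult(True, "hairdresser.test", True, "hairdresser.test")
    print(dmarc_disposition(DMARC_RECORD, "example-airline.test", spoof))
    legit = AuthResult(True, "bounce.example-airline.test", False, None)
    print(dmarc_disposition(DMARC_RECORD, "example-airline.test", legit))
```

Note the asymmetry in the constructed record: `aspf=r` lets a bounce subdomain satisfy SPF alignment, while `adkim=s` means a signature with `d=mail.example-airline.test` does not count for a From: of `example-airline.test`. Misconfigured alignment modes are a common reason legitimate mail fails DMARC after a brand moves to `p=reject`.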

Analysing 2.5 billion emails per day also creates a source of real-time intelligence, allowing companies to discover exactly how their brand is being used in email by subsidiaries and supply-chain partners as well as by attackers.
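The raw material for that discovery is the aggregate report receivers mail back to the domain's `rua=` address. The following is an added example, not Agari's platform or code from the article, that summarises one such report per sending source: the report XML, IP addresses and domains are constructed to mirror the scenario above, with one legitimate source and one compromised third party using the brand while the policy is still `p=none`.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example, not Agari's code. SAMPLE_REPORT is a constructed report in
the DMARC aggregate-report XML layout; every address and domain is made up.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.test</org_name>
    <report_id>2014-05-20-constructed</report_id>
    <date_range><begin>1400544000</begin><end>1400630400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example-airline.test</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip>
      <count>41200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-airline.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>example-airline.test</domain><result>pass</result></dkim>
      <spf><domain>bounce.example-airline.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>9650000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example-airline.test</header_from></identifiers>
    <auth_results>
      <spf><domain>hairdresser.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Aggregate message counts per source IP. The <policy_evaluated> dkim/spf
    values are the receiver's *aligned* results, so 'pass' in either means the
    message passed DMARC; <auth_results> shows which domains really authenticated."""
    # Reports arrive by email from anyone; use defusedxml.ElementTree in
    # production to resist entity-expansion attacks on the parser.
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = defaultdict(lambda: {"count": 0, "aligned": 0, "auth_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources[ip]
        entry["count"] += count
        if passed:
            entry["aligned"] += count
        for auth in rec.find("auth_results"):
            if auth.findtext("result") == "pass":
                entry["auth_domains"].add(auth.findtext("domain"))
    rows = [{
        "source_ip": ip,
        "count": e["count"],
        "dmarc_fail": e["count"] - e["aligned"],
        "auth_domains": sorted(e["auth_domains"]),
    } for ip, e in sources.items()]
    rows.sort(key=lambda e: e["count"], reverse=True)
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"),
            "sources": rows}


def failing_sources(xml_text: str) -> list:
    """IPs whose mail failed DMARC entirely: the list to review (is it a
    forgotten subsidiary, a supplier, or an attacker?) before moving from
    p=none to quarantine or reject."""
    return [e["source_ip"] for e in summarize_report(xml_text)["sources"]
            if e["dmarc_fail"] == e["count"]]


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    for src in report["sources"]:
        print(src)
    print("failing:", failing_sources(SAMPLE_REPORT))
```

The `auth_domains` column is what turns the report into intelligence: `198.51.100.7` passed SPF, but for `hairdresser.test`, so it is a compromised third party sending under the brand, whereas `192.0.2.25` authenticated as the brand itself and can be kept when the policy is tightened.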

"We have a massive volume of malicious emails to analyse, and some organisations have dedicated threat intelligence teams that are using this information to change the way they do business," Peterson said.
