One of the most used ways for hackers to attack an organization is through email phishing. From an attacker’s point of view, email attacks can be automated at scale with thousands of emails sent virtually for free.
Email attacks are also effective. Some 80% of hacking attacks start with a social engineering attempt to get a human to make a mistake.
Hackers know that emails typically bypass firewalls and other technical controls. For that reason, many organizations are now investing in email security systems that scan emails and attachments for malware and links to bad websites.
However, these systems are not perfect. Some well-crafted emails may find their way through to a recipient. It’s no longer enough to simply tell people not to click on links in suspicious emails. We can do more to educate users by explaining how these attacks work.
The Taxonomy of Email Attacks
In the world of email attacks, a vocabulary has evolved to describe the different types of attacks that are used.
Here are some commonly used definitions:
Business Email Compromise (BEC)
BEC is a broad term defining the misuse of business emails to scam a victim. These emails may not contain any malware or links to bad websites. Instead, they appear to be legitimate emails attempting to get the recipient to take some action (usually urgently).
In many cases, they are sent from a compromised email account so that they appear to come from an inside user. Such emails might instruct an accounts payable clerk to pay an overdue invoice or send a refund to a frustrated customer. In other instances, they may simply be instructions to make a routine payment to a new bank routing number and account, or to re-route a shipment of products. In most instances, the email is customized to the situation, with appropriate names, terminology, and references. Typically, the email includes some sense of urgency from a frustrated executive or possibly the threat of a lawsuit.
Phishing
This term is normally reserved for broad-based email attacks where attackers send thousands of emails at a time. The attackers use stolen, or sometimes purchased, lists of email addresses, and automate the launch of phishing emails with scripts.
Attackers know that perhaps only one in one thousand recipients will open the email, and even fewer will click a link. However, this is a game of numbers.
If they send out 100,000 emails, they may get 100 responses. Recent research has shown that attackers may intentionally include misspellings, poor grammar, and other defects in the phishing email because they don’t want more sophisticated victims to reply and take up their time, only to drop out later. Instead, attackers are looking for naïve or careless victims.
Spear Phishing
This is a specially crafted phishing email intended for a specific recipient (rather than sent out in bulk).
Attackers will use information known about the victim to establish credibility. To get this information, attackers may go through the victim’s social media pages looking for references to schools, groups, and associations. They may also find the names of executives in an organization and “name-drop” as needed.
Spear phishing emails typically prey on emotions: fear, fun, greed or even pity.
To prey on fear, the email may tell the victim they are in legal trouble or are responsible for some debt. To prey on fun, some spear phishing attacks make use of known hobbies and may offer special discounts. They may flatter the victim and ask them to review a document on a subject they are interested in.
Spear phishing attacks use greed to promise a victim a large (or small) payoff. Some people are suspicious of the famous “Nigerian Prince” scam promising millions of dollars and won’t respond. However, would they respond to a $5 Starbucks gift card offer?
Finally, pity is used to solicit donations for fake charities that may resonate with the victim.
Whaling
This is a special version of spear phishing focusing on the executives of an organization. Attackers know that executives are under time pressure, often fail to verify credibility, and often forward emails to others with little thought.
Therefore, a scammer can send an email to an executive requesting immediate payment for an overdue invoice. The busy executive will immediately forward it to someone in accounts payable. That person, in turn, trusts an email from the executive and won’t vet the account before paying.
Email Attachments — what’s the worst that can happen?
Phishing emails often include attachments for the recipient to open. Most people realize that they may include malware but don’t know how the attack works.
Hackers are constrained by several factors when they try to deliver malware to a victim. First, the victim usually needs to take some action to open the attachment and cause code to be executed.
In other words, malware in an attachment usually cannot launch itself — it needs human intervention. This means the victim needs to open the attachment. Further, some basic malware runs as embedded programs (macros) in Microsoft Excel or Word. Macros can be helpful when used to access data or run special calculations. However, when written by a hacker, they can be used to launch malware or copy files on a hard drive.
For security, when Microsoft Word or Excel opens a file with macros, it stops and asks the user to allow macros to run. You should usually say no unless you trust the sender and expect the attachment to need to run macros. To get past this hurdle, phishing emails often remind the victim to allow macros to run when prompted with “accessing your coupon” or “updating your information.”
Other malware can be sent as directly executable programs, so scammers must take care to try to hide the file type. Windows users may know that a file ending in “.exe” is an executable file so that must be hidden. Therefore, the scammer may name a file “YourInfoIsInsideThisFile.PDF.exe.” This is still a “.exe” file, but the victim may only notice the PDF suffix and think it is safe.
Scammers also use long file names hoping the actual suffix is hidden in short filename fields on a list of files. Even so, modern virus protection software on computers may detect and block this type of program, so scammers even add a note to the email telling the victim to allow the program to run if virus checkers block it.
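As an added example (not code from the original article), here is a small Python check that a mail gateway or help desk could run over attachment names to catch the tricks described above: an executable suffix hidden behind a document-looking one (the “.PDF.exe” case), macro-enabled Office files, and very long names whose real suffix is likely to be truncated in a file list. The extension lists and the 60-character threshold are assumptions chosen for illustration.

```python
# Constructed lists for this example; tune them to the organization's own policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LONG_NAME = 60  # characters; longer names tend to be cut off in file listings


def split_extensions(filename):
    """All dotted suffixes, lower-cased: 'Info.PDF.exe' -> ['.pdf', '.exe'].

    Trailing dots and spaces are stripped first, as Windows does when saving.
    """
    parts = filename.rstrip(". ").split(".")
    return ["." + p.lower() for p in parts[1:]]


def check_attachment_name(filename):
    """Return the reasons an attachment name looks deceptive (empty = no flag)."""
    reasons = []
    exts = split_extensions(filename)
    if not exts:
        return ["no extension, file type unknown"]
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final)
        # 'report.PDF.exe': a document-looking suffix placed before the real one
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension %s hides executable" % exts[-2])
    elif final in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if len(filename) > LONG_NAME:
        reasons.append("unusually long name (%d chars)" % len(filename))
    return reasons
```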
Another problem hackers need to solve is the size of the malware attachment. Powerful malware can be very complex, resulting in an executable file of many megabytes of information.
This might look suspicious to a user expecting to open a recipe or directions to an event. Therefore, the attached file may simply be a “dropper”: a very small, efficient piece of code that immediately begins downloading and installing another, larger malware package in the background.
Droppers can be very compact, often just a few kilobytes, to avoid suspicion. In addition, when a dropper begins downloading and installing malware, it may noticeably slow the computer down. Therefore, the dropper may include a delay and wait for a period of inactivity before beginning its work.
Hackers must also remain undetected through the installation phases of the malware process. Therefore, many executables actually do include the promised attachment for the victim. It may be a complex document, game, or links to special websites. This allows the hacker to open large windows on the computer, while hiding any necessary installation windows and scripts behind them.
A program that does what the victim wants, but also delivers a dropper in the background is called a “Trojan” after the Trojan Horse story in ancient Greece.
Finally, the hacker needs to take steps to make the malware undetectable to malware detection software on the computer. Older virus protection software operated using a catalog of known malware “signatures,” which was updated frequently.
If incoming malware matched a known signature, it was detected and blocked. Newer virus-checking software also examines the code itself for suspicious behavior, such as reading and writing many files on disk, modifying registry entries, and reaching out to command-and-control servers on the internet.
Modern hackers therefore go to great lengths to wrap the malware in several layers of obfuscation and redirection to hide its signature and behavior from virus checkers.
Pro tips for IT staff:
The attacks above seem difficult to prevent, but there are some steps you can take to add a little extra protection for users.
Here are some ideas:
- Deploy anti-virus software on all user machines and make sure it’s kept up to date.
- Send any unknown executables to VirusTotal for analysis. (Note that uploaded samples are shared with other VirusTotal users, so look up the file’s hash first if the file could contain sensitive data.)
- Maintain a known baseline (profile) for each computer image in the organization and compare it to running machines periodically. Pay extra attention to the Registry and running processes on Windows computers.
- Do not allow users admin permissions on their assigned computers, and do not allow users to install software.
- Disable the ability to boot from a USB drive on all computers and password-protect the BIOS/UEFI settings. You may also want to ban USB drives from your organization.
Links in Emails May Not Be What They Seem
Often, it is far easier for a hacker to get a victim to click on a link in an email than to open an attachment.
Hackers can use links in two ways:
First, the hacker may set up a fake website loaded with malware that is then downloaded and executed by the victim’s browser. Often, this only infects the browser and not the whole computer, but it’s a good start. In other cases, very sophisticated attackers host website malware that can infect the victim’s computer itself.
More often, however, links are used to steal a victim’s credentials, and the methods attackers use are very clever.
The hacker will go to the login page of a common website known to be used by the victim. It might be a bank, credit card company or email provider. The hacker then captures a complete copy of the legitimate login page and hosts the fake on a site under their own control.
The fake page records whatever user ID and password is entered on it, and a link to that page is placed in the phishing email to the victim. The phishing email will include copies of legitimate logos and say something like “Suspicious activity has been detected in your account. Click here to log in to verify account activity.”
When the victim clicks on the link, the fake login page is presented and the victim enters their credentials. The page then flashes a brief error message saying the password was entered incorrectly and redirects the victim to the REAL website’s login page.
The victim assumes they mistyped the password. Therefore, they enter the user ID and password again, this time with success, and access the real account.
All looks good, but the victim doesn’t realize the hacker was able to capture the user ID and password on the fake page. The hacker now has the login credentials of the victim. They can wait a few minutes, hours, or days, and access the account or sell that access to other criminals.
The hacker may also try other known accounts using the same password, because many people use the same password across multiple accounts.
All of this sounds like a sophisticated attack requiring advanced skills. However, that is not the case. Hackers often use a free tool called the Social-Engineer Toolkit (SET), which automates the entire process, from cloning the website to capturing IDs and passwords in a convenient database. No coding required.
Like hundreds of other hacking tools, SET is completely legal and easy to use. Penetration testers typically install it on a Linux-based virtual machine, but other operating systems are supported. Kali Linux even comes with SET and other tools pre-installed. In addition, there are plenty of YouTube videos showing how to use it.
Tips to Combat Email Scams and Attacks
One of the major benefits of a connected internet is email service. It is cheap, reliable, and fast. However, like any good technology, it can be abused and exploited for gain. Everyone should learn more about how to avoid becoming a victim of a phishing attack.
Here are some suggestions:
- Double-check the origin — If you get an email suggesting unusual activity, it’s very easy to verify out-of-band. Just pick up the phone, send a reply, or do a little research to get confirmation.
- Stay skeptical of attachments — Don’t open attachments from unknown sources or unusual attachments from known sources. Just delete them or forward suspicious emails to your IT team for investigation.
- Don’t click that link! — Verify links in emails by hovering your mouse over them to check the URL. Pay close attention to “almost correct” spellings of familiar domain names. If you get an email from your bank or another account, it’s better to type in the URL yourself than to trust one in an email.
- Contact IT right away — If you suspect you are the victim of malware, report it to your IT team. They will probably instruct you to disconnect and shut down your computer until it can be checked. However, in some cases, they may ask you to leave it running so they can gather forensic evidence.
- Anti-virus software — Keep anti-virus and email scanning software up to date, and don’t disable it.
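As an added example that is not part of the original article, the following Python check automates the “hover over the link” advice above against the cloned-login-page scheme described earlier: it extracts every link from an HTML email body, flags links whose visible text names a different host than the real destination, and flags destination hosts that are near-misses of the organization’s known login pages. The known-host list, the sample email body and the 0.8 similarity cutoff are assumptions made for this example.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: known login hosts and a sample phishing body.
KNOWN_LOGIN_HOSTS = ["www.examplebank.com", "mail.example.com"]
SAMPLE_EMAIL = """<p>Suspicious activity has been detected in your account.
<a href="http://www.examplebank-secure.com/login">Click here to log in</a>
or visit <a href="http://www.exarnplebank.com/">www.examplebank.com</a>.
Read our <a href="https://www.examplebank.com/help">help page</a>.</p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    """Lower-cased host of a URL, or of bare text such as 'www.examplebank.com'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def check_links(html):
    """Return (href, reason) for each link whose destination should not be trusted."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = _host(href)
        # Visible text that looks like a domain must match where the link really goes.
        text_host = _host(text) if "." in text and " " not in text else ""
        if text_host and text_host != host:
            findings.append((href, "text shows %s but link goes to %s" % (text_host, host)))
        elif host not in KNOWN_LOGIN_HOSTS:
            # "Almost correct" spellings: close to, but not equal to, a known login host.
            close = difflib.get_close_matches(host, KNOWN_LOGIN_HOSTS, n=1, cutoff=0.8)
            if close:
                findings.append((href, "look-alike of %s" % close[0]))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine help-page link alone; the cutoff trades false positives for missed look-alikes and should be tuned against real mail.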
In every case, security engineers can take steps to reduce the risk of attack and intrusion. However, it takes good training to do that.
Here are some courses to get you started: