Tracking the Evolution of Organizations’ Email Threat Defenses
In 2017, Lastline identified the top email threats facing organizations. Little has changed since then in terms of the list itself. These threats are still using malicious email attachments, malicious links or enticements to perform malicious actions. More than that, the threat categories themselves have largely remained the same, as evidenced by a host of recent campaigns. But that’s not to say that attackers have been standing still.
In this post, I’ll identify a slew of recent attacks that show how ransomware, keyloggers and other email attacks are not only still relevant, but how they’re harder to detect than ever. I’ll then point out how these threats’ ongoing prevalence have motivated email security to change. I’ll then conclude by discussing what organizations can do to protect their systems against these digital threats in today’s world.
The security community witnessed a dramatic surge of ransomware attacks in the first half of 2019. In its Cybercrime Tactics and Techniques Q1 2019 report, for instance, Malwarebytes Labs observed a 195 percent increase in crypto-ransomware attacks on business targets over the fourth quarter of 2018. They also found that business detection of these attacks rose by 500 percent during the same frame in 2018 with 336,634 detections. Bad actors directed these attacks against a variety of targets. Even so, many high-profile ransomware attacks in H1 2019 targeted educational institutions, particularly in the United States.
Ransomware attacks weren’t the only digital threats that grew in volume over the past few years. PhishLabs observed that phishing attacks grew by over 40 percent in 2018, for instance. In the first quarter of 2019, Kaspersky Lab detected an increase of redirects to phishing sites from 35,220,650 to 111,832,308. Proofpoint witnessed something similar in that quarter when it witnessed credential phishing attacks quadruple over Q4 2018 and web-based social engineering attacks jump up by 233 percent during that same frame. Like ransomware, many of those campaigns targeted schools, per KnowBe4.
Like phishing, spam also had a good first quarter in 2019. Out of all email messages analyzed during that three-month period, Kaspersky Lab recorded the highest percentage of spam in March at 56.33 percent. Meanwhile, the average percentage of spam in global mail traffic was 55.97 percent—nearly identical to the fourth quarter of 2018. These attacks took on various forms including sextortion campaigns featuring image spam.
Business Email Compromise
Business email compromisers have ramped up their attacks substantially in recent years. This fact wasn’t lost on the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) when it found that the amount of money which digital criminals attempted to steal using BEC scams had risen from $110 million per month in 2016 to $301 million each month two years later. There’s no sign of these increases slowing down going forward, either. Illustrating this point, the FBI found that losses stemming from BEC scams had doubled year-over-year and by 2018 reached $1.2 billion. Since then, fraudsters have targeted various organizations including Scott County Schools and the St. Ambrose Catholic Parish with BEC scams.
Spoofing attacks also increased in the beginning of 2019. As reported by TechRepublic in March 2019, Valimail found that the majority (90 percent) of organizations were susceptible to spoofing attacks. Bad actors have been incorporating a variety of lures into their campaigns to trick recipients. One sextortion attempt discovered by Bleeping Computer in the summer of 2018 made headlines, for instance, as digital attackers spoofed recipients’ own email addresses to trick them into sending over money.
Man-in-the-Middle (MitM) Attacks
Man-in-the-middle (MitM) attacks also remain a persistent force in the digital threat landscape. As an example, ESET revealed in May 2019 how it had determined that the ASUS WebStorage software was vulnerable to a man-in-the-middle (MitM) attack. The issue boiled down to update software using HTTP and the software not verifying the authenticity of an update before executing it. In this particular case, digital attackers abused the fact to conduct MitM attacks at the router level, compromise these devices and use them as command-and-control (C&C) servers for Plead malware.
Plenty of keylogger campaigns emerged in the first half of 2019. Back in May, for instance, IBM X-Force detected a campaign in which bad actors targeted businesses around the world with HawkEye, a keylogger which is capable of installing additional malware on infected machines. About a month later, Cofense targeted a phishing attack that infected victims with a sample of the Houdini worm containing a keylogger module. News of that campaign came just a few weeks before FireEye detected a phishing operation in which the Iranian threat actor APT34 targeted recipients with LONGWATCH keylogger and other threats.
The first half of 2019 revealed that organizations still need to take zero-day exploits into consideration. In June 2019, for instance, ESET researchers spotted a zero-day exploit which bad actors leveraged to conduct a targeted attack in Eastern Europe. Just a few weeks later, a security researcher spotted a zero-day flaw in the Mac client for Zoom video chat software that enabled digital attackers to add unknowing users to video calls.
Lastly, social engineering remains a persistent technique within email attack campaigns. Back in late-July, for instance, CNN Wire reported on a scam that used social engineering tactics to target Uber drivers. Around that same time, researchers at ESET picked up on a campaign that used the false promise of free internet to prey upon WhatsApp users.
The Ongoing Prevalence of Email Threats
Digital attackers continue to incorporate the email threats discussed above into their attack campaigns for one reason: they continue to work. They worked years ago when defenses were less sophisticated, and as security has improved, they continue to operate successfully because criminals have advanced their own techniques, as well. Ransomware attacks are now increasingly using sophisticated evasion tactics, for instance, while phishers are now hosting their landing pages in the cloud in order to evade detection. It worked years ago to look at email security as a separate entity, but now, it’s not possible to properly secure email without the greater context of the network.
In recognition of how email security has changed, Lastline has broadened its capabilities. It applies its industry-leading Deep Content Inspection™ technology to deconstruct the malicious behavior of every object that enters an organization’s environment via email, and it has the ability to identify malicious links. With its AI-based network detection & response technology, organizations can use Lastline to gain better visibility into and automatically block the complete spectrum of potential email-based threats before they take root, spread across the network, and disrupt operations.
Defend against threats targeting customer-managed and cloud-based email using Lastline Defender for Email.
Latest posts by Brian Laing (see all)
- Tracking the Evolution of Organizations’ Email Threat Defenses - September 4, 2019
- How to Take Account Takeover Fraudsters Out to the Curb - August 15, 2019
- Can You Hack My Network? Why Ethical Hacking is Essential for Improving Your Security - July 18, 2019