Phishing. What? Where? When?
What is phishing exactly, how the technique works and how to prevent it.
We are all too aware of the various common attack techniques that cyber criminals use. They usually come in the form of malicious files or phishing links that trick us into clicking on them.
These attacks are simply not detectable by regular anti-virus solutions or sandboxes, as there is no malicious content to be detected.
Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks are sophisticated scams in which attackers employ social engineering techniques to make you believe you are interacting with a trusted sender. There is no malware, ransomware or any phishing link involved.
BEC attacks are frequently carried out by compromising legitimate email accounts or by imitating legitimate email accounts. They usually involve a request to transfer funds or a request for sensitive personal information, such as employees' Tax Statement (W-2) forms.
We are all too familiar with the Nigerian Scam. BEC uses similar methods but is usually much more targeted and personalized to the user being attacked.
A recent FBI report highlights a 136% increase in financial losses from BEC attacks over the past 2 years, contributing to a total of $12.5 billion in losses over the past 5 years.
In one such scenario, Xoom Corporation (an international money transfer organization from California) lost $30.8M in 2015 when a finance department employee transferred money to an overseas account after receiving a BEC email. The attack resulted not just in a significant financial loss: the CFO also resigned, and the stock lost more than 14% of its value, equal to an additional $31M.
A BEC attack usually follows known patterns. It starts with building a targeted list of companies and users to attack. Usually, the attacker starts with a business contact database and continues to LinkedIn profiles and company websites. The attacker can very easily identify the company structure, the high-profile individuals worth attacking and the relationships between them.
The attacker then launches a BEC campaign against selected individuals, with a sophisticated application of social engineering. The attacker may employ various techniques, such as borrowing the display name of someone in authority (e.g., the CEO or CFO) or using a domain or email address that is very similar to the organization's domain. The attacker will usually use language that implies urgency, to prevent the targeted person from taking enough time to recognise that the message is actually an attack and not from the person it claims to be from.
In sophisticated attacks, there may be multiple stages, getting important data from one employee and using it to steal money from another employee.
We have even seen attacks where the attacker manages to hijack a user's account and subsequently joins existing, legitimate email threads. In these cases the attack can barely be noticed without looking deeply into the origin and structure of the email (e.g., a different sending IP address).
Recently, a malicious attachment was caught in an email to one of our customers.
By leveraging the email history collected when protecting the entire organization, Perception Point was able to spot that the display address and name belonged to a business partner of the company with whom regular communication was conducted over the past two and a half months.
The attackers used a combination of display name deception and address spoofing. The spoofed emails were sent to 7 different addresses within the organization from 8 different IPs, including some with no malicious payload. The attackers had done their homework and clearly knew about the relationship between our client and the business partner. They were targeting the specific person who was in contact with the business partner. By doing so, they were able to leverage the trust that existed between the two parties in order to carry out their malicious intent.
Most solutions protect against BEC by checking IP reputation, SPF, DKIM and DMARC records as well as allowing the administrator to define a long list of rules on sender and domain addresses.
Perception Point does all of the above, but also takes a unique approach in order to better protect our customers. We believe that while rule-based detection can be used for extreme cases, a solution should protect the user from the moment it is deployed without any need for configuration.
Perception Point's solution checks IP reputation, SPF, DMARC and DKIM even when it is not deployed directly on the MX record (most solutions can't). In addition, Perception Point has unique algorithms that inspect the structure of the message as well as the actual message content: for example, look-alike domains and email addresses, as well as requests to transfer funds.
We essentially combine out-of-the-box protection with machine learning that maps the organization's communication patterns in order to improve over time.
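As an added illustration (not Perception Point's code), the Python below applies the BEC indicators discussed in this post (display-name deception against known contacts, look-alike domains, Reply-To mismatch, SPF/DKIM/DMARC results and urgent funds-transfer wording) to a constructed sample message; the contact list, keyword patterns and the edit-distance threshold are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Trusted contacts learned from past communication (constructed sample data)
KNOWN_CONTACTS = {"jane doe": "partner-corp.com"}

URGENCY_RE = re.compile(r"\b(urgent|immediately|right away|asap|before end of day)\b", re.I)
FUNDS_RE = re.compile(r"\b(wire|transfer|payment|bank details|invoice|W-2)\b", re.I)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b")


def edit_distance(a, b):
    """Levenshtein distance; small non-zero values suggest a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return the list of BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Known display name arriving from a domain other than the one we have history with
    expected = known_contacts.get(name.strip().lower())
    if expected and domain != expected:
        findings.append("display-name-deception")
    # Sender domain that is a near miss of a trusted partner domain (threshold assumed)
    if any(d != domain and edit_distance(domain, d) <= 2 for d in known_contacts.values()):
        findings.append("lookalike-domain")
    # Replies silently redirected elsewhere
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")
    # SPF/DKIM/DMARC verdicts recorded by the receiving MX
    if AUTH_FAIL_RE.search(msg.get("Authentication-Results", "").lower()):
        findings.append("auth-failure")
    # Urgent wording combined with a money-movement request
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY_RE.search(body) and FUNDS_RE.search(body):
        findings.append("urgent-funds-request")
    return findings


# Constructed sample: a spoofed partner email asking finance for an urgent wire
SAMPLE = """\
From: Jane Doe <jane.doe@partner-c0rp.com>
Reply-To: jane.doe@mail-partner-corp.example
To: finance@client.example
Subject: Urgent wire
Authentication-Results: mx.client.example; spf=softfail smtp.mailfrom=partner-c0rp.com; dmarc=none

Hi, please process the wire transfer immediately, before end of day.
"""
```

Running `bec_indicators(SAMPLE)` reports all five indicators; the same message from the real partner domain with passing authentication and ordinary wording reports none.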