Email phishing and business email compromise (also known as BEC or CEO fraud) are among the biggest challenges that organizations are facing in 2018. A phishing email carries one or more malicious URLs or attachments and is sent to many recipients at once. A BEC attack usually targets one highly placed individual and relies on sophisticated, well-researched social engineering rather than on volume.
BEC / CEO Impersonation Attacks
In BEC or CEO fraud, attackers craft emails that impersonate specific senior executives, vendors, or suppliers to trick the recipients into transferring money or handing over sensitive information. The attackers first research their targets on LinkedIn and other social media. The tailored emails may also carry attachments that install malware such as keyloggers and mouse event trackers on a victim’s PC or mobile device.
The skillful personalization of the email content serves two purposes. First, it helps the email pass spam filters and other checks for unwanted mail. Second, it persuades the victim that the sender is somebody the victim knows and trusts. For example, a CFO might be convinced that a fake email requesting an urgent funds transfer was sent personally by the CEO. Attackers also time their emails to coincide with the purported sender’s absence or business travel, which makes it harder for the recipient to confirm the request with that person directly.
Paladion’s Approach to Email Security
No single control stops BEC. The best practices listed below are most effective when used together, and together they go a long way toward containing the problem.
Tighten Email Security Configuration
Implement SPF, DKIM, DMARC: Sender Policy Framework (SPF) is a DNS TXT record that lists the servers allowed to send email for a given domain; a receiving server checks the connecting server against it. DomainKeys Identified Mail (DKIM) adds a cryptographic signature over selected headers and the body, with the public key published in DNS, so receivers can verify that the message has not been changed after leaving the originating server. With Domain-based Message Authentication, Reporting and Conformance (DMARC), the domain owner publishes a policy (none, quarantine or reject) telling receivers what to do with mail that fails SPF or DKIM alignment with the visible From: address, and requests aggregate reports on how the domain’s mail is being authenticated. Note that SPF alone checks the envelope sender (MAIL FROM), not the From: header the user sees; it is DMARC alignment that ties authentication to the displayed sender domain, which is exactly what a CEO-impersonation email forges. Start with p=none, review the reports, and only then move to quarantine and reject, so that legitimate third-party senders are not blocked.
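The following is an added example, not code from the original article or from Paladion. It shows how a receiving server turns SPF and DKIM results into a DMARC decision: the From: header domain’s published policy is parsed, each authenticated identifier is checked for alignment with that domain (relaxed or strict), and the disposition is returned. The DNS answers for the hypothetical domain example.com are constructed and embedded so the code runs offline; a real receiver looks them up, and uses the Public Suffix List rather than the two-label stand-in used here for the organizational domain.

```python
"""DMARC evaluation of an inbound message from its SPF and DKIM results.

Added example, not the article's or Paladion's code. The receiver is assumed
to have already run SPF (on the MAIL FROM domain) and DKIM (on the signing
d= domain); this applies the DMARC policy published by the From: domain.
"""

# Constructed TXT records for the hypothetical domain example.com.
# aspf=r: the SPF domain only needs to share the organizational domain with From:.
# adkim=s: the DKIM d= domain must equal the From: domain exactly.
CONSTRUCTED_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}


def parse_dmarc(txt):
    """Parse a DMARC record ('tag=value; ...') into a dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain stand-in: the last two labels.

    Assumption for this example only. Real code uses the Public Suffix List;
    without it, suffixes such as co.uk are handled wrongly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' is an exact match, 'r' is same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=CONSTRUCTED_DNS):
    """Return 'pass', or the published policy ('none', 'quarantine', 'reject')
    when neither authenticated identifier aligns with the From: domain.
    'no-policy' means the From: domain publishes no DMARC record at all."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:
        return "no-policy"
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Genuine mail: bounces use bounce.example.com (relaxed SPF alignment suffices)
    # and the message is DKIM-signed with d=example.com.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Spoof: the attacker's server passes SPF and DKIM for its own domain,
    # but nothing aligns with the forged From: domain, so the policy applies.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", "pass", "attacker.example"))
    # Lookalike domain with no DMARC record: DMARC does not help here at all.
    print(evaluate_dmarc("examp1e.com", "pass", "examp1e.com", "none", None))
```

The third call is the important caveat: DMARC protects your own domain from being forged, but an attacker who registers a lookalike domain and sets up SPF and DKIM for it passes every check, which is why the lookalike-domain controls later on this page are still needed.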
Open relay prevention: An open (or insecure) relay is a mail server that accepts mail from any client and forwards it to any destination, without requiring the client to be on an internal network or to authenticate. Spammers scan for such servers, and once found they use them to send large volumes of junk mail, or phishing that borrows your server’s reputation. Configure the server to relay only for authenticated users and internal networks, and to accept unauthenticated mail only when it is addressed to your own domains.
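As an added example (not code from the article or from Paladion), the relay rule above written out as a function, plus a client-side probe of the kind a pentester uses to test for an open relay. The function mirrors the Postfix setting `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`, with "reject" standing in for Postfix’s deferral; the networks and domains are constructed for the example, and the probe assumes you are authorized to test the host.

```python
"""Relay policy of an SMTP server, and a probe for an open relay.

Added example, not the article's code. relay_decision() is the rule behind
the Postfix restriction list named in the lead-in; MY_NETWORKS and
LOCAL_DOMAINS are constructed values.
"""
import ipaddress
import smtplib

MY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # domains we receive mail for


def relay_decision(client_ip, authenticated, rcpt_to):
    """Decide at RCPT TO time whether this client may send to this recipient.

    Relaying to a third-party domain is allowed only for internal clients or
    authenticated users; anyone may deliver mail addressed to our own domains.
    """
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if any(ip in net for net in MY_NETWORKS):
        return "permit"                      # permit_mynetworks
    if authenticated:
        return "permit"                      # permit_sasl_authenticated
    if rcpt_domain in LOCAL_DOMAINS:
        return "permit"                      # inbound mail for us must be accepted
    return "reject"                          # unknown client, foreign destination: the open-relay case


def is_open_relay(decide):
    """Would an anonymous Internet client be allowed to relay to an external domain?"""
    return decide("198.51.100.7", False, "victim@third-party.example") == "permit"


def probe_open_relay(host, port=25, timeout=10):
    """Ask a live server, from outside, whether it relays for strangers.

    Sends MAIL FROM and RCPT TO with two external addresses and stops before
    DATA, so nothing is delivered. A 250 reply to RCPT TO means open relay.
    Needs network access and permission to test the host.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as srv:
        srv.ehlo()
        srv.mail("probe@sender.example")
        code, _ = srv.rcpt("probe@recipient.example")
        srv.rset()
        return code == 250
```

The probe deliberately never sends DATA: the relay decision is made at RCPT TO, so the reply code there is all the test needs, and no message ever leaves the server.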
Multi-factor authentication (MFA, or 2FA) for all users: When a BEC attack involves the attacker logging into an executive’s real mailbox, requiring MFA makes that access considerably harder. For example, two-factor authentication may consist of account credentials (which only the account owner should know) plus a one-time code on the account owner’s mobile phone (which only the account owner has). Prefer an authenticator app or hardware token over SMS codes where you can, since SMS can be intercepted or redirected through SIM swapping, and make sure legacy protocols such as IMAP and SMTP AUTH cannot be used to bypass the MFA requirement.
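As an added example (not code from the article or from Paladion), the authenticator-app variant of the second factor described above: a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the clock, with server-side verification that tolerates one step of clock skew and refuses to accept the same code twice. The secret is the RFC 6238 test-vector secret, not a real one, and the phone-side and server-side code are the same function run on the same secret.

```python
"""TOTP (RFC 6238) generation and verification with replay protection.

Added example, not the article's code. RFC6238_SECRET is the published test
secret from RFC 6238 Appendix B; a real deployment generates a random secret
per user and shares it once, usually via a QR code.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # RFC test vector, not a real secret


def hotp(secret, counter, digits=6, algo="sha1"):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step or its neighbours, once."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_used_counter = -1    # a step whose code was accepted cannot be reused

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_used_counter:
                continue               # replay of an already-consumed code
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_counter = c
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59, digits=8))   # RFC 6238 SHA-1 vector for T=59
    v = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, time.time())
    print(v.verify(code), v.verify(code))       # True, then False: second use is a replay
```

The replay guard matters for phishing specifically: a proxy that captures a victim’s code and replays it seconds later still lands inside the skew window, so a verifier that only checks the code against the clock, and not against what it has already accepted, lets the attacker in.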
Subscribe to TI feeds to filter out emails at entry point: Threat intelligence feeds list domains, URLs and IP addresses known to be compromised or malicious. Filtering rules built on them reduce the number of attacks that reach users, but a domain registered or compromised only hours ago will not yet be in any feed, so these rules catch the known, not the new.
Subscribe to advanced malware protection modules: Advanced malware protection goes beyond signature matching to inspect and analyze content, for instance by detonating attachments and URLs in a sandbox to catch malicious code that is dormant or only unpacked at run time and would otherwise be missed.
Anti-spam filters for bad file types: The classic risky file type is “.exe”, an executable program, and the same goes for other directly executable types such as .scr, .js, .vbs and .hta. Microsoft Office file types may also be blocked or flagged on receipt, as Word, Excel and other Office documents can contain malicious macros or scripts; at a minimum, block the macro-enabled formats (.docm, .xlsm, .pptm) and treat the legacy binary formats (.doc, .xls), which carry macros without any telltale extension, with suspicion. Check the file’s actual content as well as its name, since an extension can simply be renamed and a dangerous file can be nested inside an archive.
Monitor Your Emails Wisely
Filtering based on location, subject, sender: There are two basic choices: keep known offenders out (blacklisting) or only let approved senders in (whitelisting). Blacklists are low-friction but only stop what is already known; whitelists stop everything unexpected, including the new supplier who genuinely needs to reach you, and need constant upkeep. Most organizations combine a broad blacklist with a narrow whitelist for high-risk mailboxes and workflows such as payment approvals.
Bad attachment found based on hashes: Attachment file names can be changed at will, and a tell-tale file type can be hidden behind another extension. A hash of the file content, on the other hand, can be checked immediately against a list of hashes of known hacker tools and malware. Be aware that the hash changes with a single altered byte, so attackers re-pack their tools to dodge hash lists; use hash matching as a fast first check, not the only one.
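The two points above (blocking by file type, and checking content rather than trusting the name) are illustrated in the following added example, which is not code from the article or from Paladion. It parses a constructed MIME message built inline, and for each attachment checks the extension against a blocklist, identifies the real container from its leading bytes (PE executable, legacy OLE2 Office file, OOXML with or without a VBA project), and compares the SHA-256 hash against a blocklist. The sample message contains an “invoice.docx” that is really macro-enabled and a “report.pdf” that starts with a PE header; the hash blocklist is constructed from that file to stand in for a feed of known-bad hashes.

```python
"""Attachment triage: extension, true type, macro presence, hash match.

Added example, not the article's code. build_sample_message() constructs the
test input inline so the code runs offline.
"""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "docm", "xlsm", "pptm"}
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def true_type(data):
    """Identify the container from its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:8] == OLE2_MAGIC:
        return "ole2-compound"          # legacy .doc/.xls; may carry VBA silently
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-damaged"
        if any(part in names for part in OOXML_MACRO_PARTS):
            return "ooxml-with-macros"  # a VBA project is present whatever the extension says
        if "[Content_Types].xml" in names:
            return "ooxml"
        return "zip"
    return "unknown"


def triage(raw_message, bad_hashes):
    """Return one finding per attachment with the reasons, if any, to block it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = true_type(data)
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension ." + ext)
        if kind in ("pe-executable", "ooxml-with-macros"):
            reasons.append("content is " + kind)
        if digest in bad_hashes:
            reasons.append("sha256 on blocklist")
        findings.append({"name": name, "type": kind, "sha256": digest,
                         "block": bool(reasons), "reasons": reasons})
    return findings


def build_sample_message():
    """Constructed sample: a 'docx' with a VBA project and a 'pdf' that is a PE file.
    Returns the raw message and the hash of the fake PDF for the blocklist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # stand-in for a VBA stream
    macro_doc = buf.getvalue()
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60                 # PE header, not a PDF
    msg = EmailMessage()
    msg["From"] = "ceo@examp1e.com"
    msg["To"] = "cfo@example.com"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please process the attached invoice today.")
    msg.add_attachment(macro_doc, maintype="application", subtype="octet-stream",
                       filename="invoice.docx")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment("agenda\n", filename="notes.txt")
    return msg.as_bytes(), hashlib.sha256(fake_pdf).hexdigest()


if __name__ == "__main__":
    raw, bad_hash = build_sample_message()
    for finding in triage(raw, {bad_hash}):
        print(finding["name"], finding["type"], finding["reasons"])
```

Note that the “.docx” is blocked on content, not on extension: the macro-enabled check looks for the VBA project inside the zip container, which is what distinguishes a real .docx from a .docm that has been renamed. Nested archives, password-protected zips and OLE2 files with embedded VBA need further unpacking, which a sandboxing product does for you.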
Special focus on spam emails received by VIP or high-risk members: So-called whaling attacks, phishing aimed squarely at senior executives, can be harder to detect, as they rely more on social engineering and less on malware. Give mail addressed to executives, finance and HR stricter filtering and closer review, and make awareness training mandatory for VIPs.
Correlate email threats with other events such as brute force attempts and failed logins: Attackers combine methods. If you detect a phishing campaign, check whether the same recipients show failed or unusual logins, new mail-forwarding rules or password resets in the same period, and check the other attack surfaces and vulnerabilities that may be under pressure at the same time.
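The correlation above, as an added example that is not code from the article or from Paladion: constructed email-gateway and sign-in log lines are embedded inline, and each phishing delivery is linked to the authentication events for the same user in the following 24 hours. Repeated failures followed by a success without MFA from the same address is the pattern of credential phishing turning into account takeover; the log format, field names and thresholds are assumptions for the example.

```python
"""Correlate flagged phishing deliveries with later sign-in events.

Added example, not the article's code. GATEWAY_LOG and AUTH_LOG are
constructed samples in an assumed key=value format.
"""
import shlex
from datetime import datetime, timedelta

GATEWAY_LOG = """\
2018-06-04T08:12:03Z phish_detected recipient=cfo@example.com sender=ceo@examp1e.com subject="Urgent wire transfer"
2018-06-04T08:12:05Z phish_detected recipient=ap-clerk@example.com sender=ceo@examp1e.com subject="Urgent wire transfer"
2018-06-04T09:00:00Z clean recipient=hr@example.com sender=news@vendor.example subject="Newsletter"
"""

AUTH_LOG = """\
2018-06-04T08:40:11Z login_failed user=cfo@example.com ip=198.51.100.23
2018-06-04T08:40:32Z login_failed user=cfo@example.com ip=198.51.100.23
2018-06-04T08:41:05Z login_success user=cfo@example.com ip=198.51.100.23 mfa=no
2018-06-04T12:15:44Z login_success user=hr@example.com ip=10.0.5.17 mfa=yes
2018-06-06T10:00:00Z login_failed user=ap-clerk@example.com ip=203.0.113.9
"""


def parse_line(line):
    """'<timestamp> <event> key=value ...' -> (datetime, event, fields); quoted values allowed."""
    ts, event, *rest = shlex.split(line)
    fields = dict(tok.split("=", 1) for tok in rest)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def correlate(gateway_log, auth_log, window=timedelta(hours=24)):
    """For each phishing delivery, summarize the recipient's sign-ins within the window."""
    auth = [parse_line(l) for l in auth_log.splitlines() if l.strip()]
    results = {}
    for ts, event, f in (parse_line(l) for l in gateway_log.splitlines() if l.strip()):
        if event != "phish_detected":
            continue
        user = f["recipient"]
        related = [(t, e, a) for t, e, a in auth
                   if a.get("user") == user and ts < t <= ts + window]
        failures = sum(1 for _, e, _ in related if e == "login_failed")
        # A success without MFA after a phish is the account-takeover signal.
        risky_ips = [a["ip"] for _, e, a in related
                     if e == "login_success" and a.get("mfa") != "yes"]
        if risky_ips:
            verdict = "escalate"
        elif failures >= 2:
            verdict = "investigate"
        else:
            verdict = "monitor"
        results[user] = {"phish_at": ts, "failed_logins": failures,
                         "risky_success_ips": risky_ips, "verdict": verdict}
    return results


if __name__ == "__main__":
    for user, summary in correlate(GATEWAY_LOG, AUTH_LOG).items():
        print(user, summary["verdict"], summary["failed_logins"], summary["risky_success_ips"])
```

The ap-clerk failure falls outside the 24-hour window and is correctly left at "monitor"; in practice the window, and the signals worth adding (new inbox rules, sign-ins from a new country), depend on what your identity provider logs.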
Consider Additional Security Controls
User awareness trainings: Employees are often the weakest link in information security and enterprise security policies alone are not enough. Employee behavior must change and proper awareness training helps them develop good security habits.
Similar domains registered like yours: Machines are excellent at picking out the smallest differences; human beings are not. Use awareness training to show how a difference of a letter or two in a domain name (examp1e.com for example.com, or “rn” in place of “m”) can indicate an attack in progress. In domain typosquatting an attacker registers a domain that looks or sounds like yours and uses it to trap victims. Register the obvious variants of your own domains before an attacker does, monitor new registrations that resemble your brand, and use takedown services for typosquatted domains that are shown to be attacking you or your users.
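An added example of doing the machine’s part of this (not code from the article or from Paladion): a sender domain is compared against the organization’s own domains after folding common confusables (digits for letters, “rn” for “m”, a few Cyrillic look-alikes), and near-misses are flagged by edit distance. This is also the local complement to the threat-intelligence feeds discussed earlier, since a domain registered this morning appears in no feed yet. The domain list, the confusable table and the distance threshold are assumptions for the example, and the threshold will produce false positives on short domains, so treat hits as review items rather than automatic blocks.

```python
"""Lookalike (typosquat) sender-domain detection.

Added example, not the article's code. OUR_DOMAINS and CONFUSABLES are
constructed; the registrable-domain stand-in (last two labels) should be
replaced by a Public Suffix List lookup in real use.
"""
import unicodedata

OUR_DOMAINS = {"example.com", "example-corp.com"}

# Single characters folded to a canonical form. Illustrative, not complete.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
})


def normalize(domain):
    """Fold confusables, strip diacritics, collapse 'rn'->'m' and 'vv'->'w'."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, our_domains=OUR_DOMAINS, max_distance=2):
    """Return (verdict, matched_own_domain) for a sender domain."""
    sender = sender_domain.lower().rstrip(".")
    for ours in sorted(our_domains):
        if sender == ours or sender.endswith("." + ours):
            return ("own", ours)
    norm = normalize(sender)
    registrable = ".".join(norm.split(".")[-2:])      # last two labels (PSL caveat above)
    for ours in sorted(our_domains):
        ours_norm = normalize(ours)
        if registrable == ours_norm:
            return ("homoglyph", ours)                 # reads like ours, is not ours
        if norm.startswith(ours_norm + "."):
            return ("brand-subdomain", ours)           # example.com.attacker.example
        if edit_distance(registrable, ours_norm) <= max_distance:
            return ("lookalike", ours)                 # a typo or two away
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ["example.com", "examp1e.com", "exarnple.com", "exampel.com",
              "mail.examp1e.com", "example.com.attacker.example", "vendor.example"]:
        print(d, classify(d))
```

Running this on the From: and Reply-To domains of inbound mail, and on new certificate-transparency and domain-registration data, is how the “monitor new registrations” advice above becomes a daily job rather than a wish.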
Social engineering exercise: Everybody needs to take part. Test that VIPs and other employees do not fall for fake URLs or malicious attachments, and that every department follows a strict policy of confirming email requests for fund transfers or sensitive information through another channel (face to face, or a phone call to a number already on file, never a number supplied in the email itself).
Consider advanced email solutions with email inspection capabilities: Good inspection capabilities can help stop or contain email attacks and campaigns, identify known and unknown malware in email attachments, and detect data exfiltration via email.
Email attacks can be very lucrative for hackers when they scam top executives or people working directly for them. With so much information available today on social media and elsewhere, hackers can often piece together the data they need to make a business email compromise attack look like an authentic everyday operation to its targets. By applying the practices described above, you will at least be able to significantly reduce the risk of such an attack succeeding on your enterprise or organization.
By Prashant Verma, AVP, MDR – IR & Forensics at Paladion