There’s no doubt email is the number one vector used to initiate attacks on organisations, and of those email attacks, phishing is king. According to a recent survey Mimecast conducted with Vanson Bourne, 94% of enterprise organisations had seen untargeted phishing attacks in the last 12 months, and 92% had seen targeted spear phishing attacks incorporating malicious links.
So, what’s contributing to this rise? We’re seeing hackers increasingly seeking to hijack popular events. In recent weeks, phishing scams have targeted events like the FIFA World Cup, and the end of financial year in Australia as people prepare to do their tax returns.
One notable campaign preying on unsuspecting football fans during the FIFA World Cup promised users the ability to download a match schedule, or to obtain a free pair of Adidas shoes - via a malicious link. Scams like this illustrate the difficulty of protecting organisations and individuals from bad actors who want to gain access to corporate networks or personal information.
These scams are also becoming harder to spot. The Adidas threat, for example, takes the form of a homographic attack.
Targeting Adidas customers, a longstanding partner of the FIFA World Cup, in this phishing attack, the letter “I” in the brand name displayed in the URL was replaced with a vertical character. When a user, mistaking the link for a genuine one, clicked through, they were taken to another web page, where they were prompted for credentials, and faced with the threat of malicious software being automatically downloaded. These attacks have been in the wild since 2001, but they have risen in popularity over the last twelve months.
The key to a homographic attack is what’s known as ‘punycode’. Using punycode, popular browsers will automatically substitute elements of the ASCII (American Standard Code for Information Interchange - a character encoding standard for electronic communication) character set in place of the Unicode characters used to display non-English languages online.
The result is that characters are replaced with similar characters from a non-English language, such as Cyrillic, and to the casual observer the domain being presented looks legitimate.
These homograph attacks remain a particular problem because aside from being able to display the domain name in its punycode output to help warn users, the majority of major browsers, including Chrome, Safari, Firefox and Microsoft Edge are not able to comprehensively protect against them.
Another vector for phishing attacks is social engineering. Most recently, emails have been sent from multiple domains resembling invoices or tax statements from well-known companies such as accounting software firm Xero, office supply chain OfficeWorks, and the Australian Taxation Office.
These emails include a link prompting recipients to download a malicious file, downloading a banking trojan via compromised Sharepoint sites. For attackers, these emails represent easy pickings, because the recipient sees the logo of a trusted firm prominently displayed and won’t necessarily check the URL to ensure that it is legitimate.
When it comes to orchestrating email attacks, cybercriminals know that a person is sitting on the end of an email address, and the majority of these people are not security trained. Attackers will send these emails because they’re easy – using social engineering to get a user to click on a malicious link is simpler than complex network or application attack vectors.
Once the user clicks on one of these phishing emails, they are generally asked to enter log-ins, personal information or credit card data, or they are subject to an unwanted, malicious download (malware) that automatically harvests these credentials through key-logging or the monitoring of network connections without detection.
During peak periods such as the FIFA World Cup or tax deadlines, recipients are usually more willing to click on links that resemble something of interest to them and as a result, become less vigilant.
When it comes to human error, defending against these attacks remains complex. Humans are frequently cited as the weakest link in any security chain and so it can be hugely beneficial to employ automatic email security. This automated security is able to detect attacks such as the Xero, OfficeWorks and ATO attacks because the software checks the sender URLS and blocks those ones that are generated by non-legitimate sources.
While automated email protection remains the key defence against phishing attacks, user awareness can’t be forgotten. With the threat landscape constantly evolving, users can’t be expected to just figure out the good from the bad.
Training users can be as simple as getting people to check the email address and seeing if it makes sense given the type of email they have received. Or asking questions like – is it asking for something unusual – and if they hover over links, do those links go where they say they will? A couple of minutes spent asking the security team if a link or email is legitimate will save hours or days of effort and embarrassment if the email is fraudulent.
Email remains the number one attack vector, but with vigilance and software protection, it doesn’t have to be the downfall of your organisation.
Article by Mimecast A/NZ principal consultant Garrett O'Hara.