According to security vendor FireEye, 33% of organisations in the Asia Pacific region have been exposed to APTs, compared with 20% worldwide. This is growing rapidly – it was 27% in March 2015.
Phishing – emails purporting to be from ‘real companies’ – has become the latest attack vector. The ‘human factor’ makes it almost impossible to protect against the harm it can cause.
“Many companies – large and small – just don’t address the problem and it comes back to bite them,” said Theo Noel, Regional Director, APAC for Return Path, a company that analyses email and identifies threats.
I interviewed Theo, based in Sydney, and Robert Holmes, General Manager, Email Fraud Protection based in London. This follows iTWire’s recent article on ‘Email attacks that evade authentication’.
“Let me be clear – it is not about having the best antivirus and spam detection, it is not about the best hardware firewalls, and it is not even about being security conscious. Phishing is about social engineering, it is highly targeted, and human errors are a given. It will get through,” said Theo.
“Spoofing and phishing are old problems that have not been solved,” said Robert. “It is hard not to read emails purporting to be from your bank, the tax office, police, even from people who you deal with, your favourite brands, or those who are close to you. Brand spoofing [emails purporting to come from an organisation or person] can ruin a real brand’s credibility. We are analysing the characteristics of phishing and spoofing emails here and learning about this region.”
We spoke further about this. If a spoofed email gets wide circulation and contains a payload such as links to websites hosting malware, people tend to ignore or block future emails from that organisation. Imagine the lost business opportunity as real emails may not be opened.
“Not to be alarmist but you have to assume that all personally identifiable information has, or will be, compromised. Part of the solution is to stop spoofing and therefore reduce phishing that can open up corporate servers to cyber-criminals. If only companies would adopt DMARC as a standard,” said Robert.
DMARC is a way to make it easier for email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it is not. This makes it easier to identify spam and phishing messages, and keep them out of people’s inboxes.
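To make the DMARC mechanism concrete, here is an added worked example (it is not code from the article, from Return Path, or from any vendor mentioned). It parses a DMARC TXT record, checks whether the domains that passed SPF and DKIM align with the visible From: domain, and returns the disposition a receiving mail server would apply (none, quarantine or reject). The record, the domain names and the authentication results are constructed samples, and the organisational-domain helper is a deliberate simplification of what a real receiver does with the Public Suffix List.

```python
"""
Added example: a minimal DMARC policy evaluator in the spirit of RFC 7489.
Nothing here is the article's or Return Path's code; all domains and the
sample record are constructed for illustration.
"""
from typing import Dict, Optional

# Constructed sample: a brand publishing a reject policy with strict DKIM
# alignment and relaxed SPF alignment.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict, filling RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no policy (p=) tag")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # apply policy to all messages by default
    return tags


def organizational_domain(domain: str) -> str:
    """Toy approximation: the last two labels. Real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record: str, from_domain: str,
             spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> Dict[str, object]:
    """
    Decide the DMARC result for one message.
    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a DKIM signature that verified, else None.
    DMARC passes if at least one authenticated identifier aligns with the From: domain.
    """
    tags = parse_dmarc_record(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    passed = spf_ok or dkim_ok

    # A subdomain policy (sp=) overrides p= when the From: domain is a subdomain.
    policy = tags["p"]
    if organizational_domain(from_domain) != from_domain.lower() and "sp" in tags:
        policy = tags["sp"]

    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    # Legitimate mail: From: example.com, signed with DKIM d=example.com.
    print(evaluate(SAMPLE_RECORD, "example.com", None, "example.com"))
    # Spoof: From: example.com, but the only passing identifiers belong to other domains.
    print(evaluate(SAMPLE_RECORD, "example.com", "bulk-sender.example.net", "spoofer.example"))
```

The second call shows the point the interviewees make: a message can pass SPF and DKIM for some domain and still fail DMARC, because neither authenticated domain aligns with the brand in the From: header, so the published policy (here reject) applies.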
“Our heritage has been working with consumer email – Gmail, Hotmail/Outlook and others to protect consumers from themselves. We freely share data with other organisations like Cloudmark and vice versa to identify fraudulent URLs, IP addresses used to send such emails, and more. It’s ‘data as a service’ and the whole prevention industry benefits. Call it contributing to the prevention ecosystem with data sharing as the currency,” said Robert.
Employees are using business email accounts for personal messages, or using their own accounts to send business email. The tools needed are a convergence – the best of both breeds to protect both parties. But the issue extends to a business’s suppliers and partners as well.
“The recent Target hack in the US was caused by a supplier unknowingly loading its updated (and compromised) software to Target’s network connected point of sale machines. From there it was easy to explore the network and find vulnerabilities,” said Robert.
We spoke about some solutions for preventing spoofing and phishing.
“We have already mentioned adopting software complying with DMARC standards. That would allow you to deliver to an inbox or deny it via several criteria:
- Has it come from a known bad address? (IP blocking, but that is an issue – more on that later)
- Are you who you say you are? (authentication)
- Do I trust your email today?
- Do I trust your email tomorrow?
There is a lot of spam originating from the US and lately China. It is because cloud services are cheap and plentiful. But let’s say that cyber-criminals send from Amazon Web Services (just used as an example): do you block the IP address that may be hosting hundreds or thousands of legitimate sub-domains? IPv4 blocking (4.3 billion addresses) is not effective and the newer IPv6 blocking is too massive (340 undecillion) to consider. Criminals simply move from one to another. “It is like whack-a-mole – they keep moving,” said Robert.
Then there is router hacking – the cyber-criminal hacks a legitimate company or person’s router to forward phishing emails. This can also extend to the Internet of Things. Feasibly any internet-connected device – fridges, coffee makers, security cameras and more – can be hacked to forward fraudulent email.
PS – if your IP address is hacked and used as a bot-net (email forwarder) and blacklisted it is not easy or quick to get off and your email will not be delivered.
Instead, DNS (domain name system) blocking is more effective but cyber-criminals can set new ones up in seconds so that is not the cure either.
“There is a huge dark web market to help cyber-criminals – malware as a service. You can buy a phishing creation kit for $100. Then a ‘wizard’ will guide you to which country, which organisation, automatically create the email, set up the phishing web site with a malicious payload, and you are ready. Then you can rent for a few dollars an hour a botnet to send millions or tens of millions of phishing emails – even if only 1% are opened, that is at least 10,000 per million sent that will result in potentially compromised devices,” said Robert.
“It can be really hard to spot the difference between a phishing email [and a genuine one].” He referred to the recent Telstra phishing email that was so good many were lured into revealing credit card details. “That’s where you need software like FireEye to identify anomalous behaviour in your system,” he added.
We spoke of the main targets – what made cyber-criminals salivate?
Any organisation that collects and stores PII is a target. For example, Government – at all levels – is a massive target. It is trying to make digital transactions the default. The issues there are compounded by use of legacy (old) systems, lack of whole-of-government computer policies and systems, many staff changes, lack of funding, and the policy needs to change.
Part of the problem is awareness. “Our mission is to raise awareness of the threats. We constantly work with big data gathered from security providers and others to analyse patterns, threats and help to ensure that the right mail gets to your inbox,” Theo said.
Return Path’s business model is to help brands strengthen consumer engagement and build trust in email, ensuring that wanted messages reach the inbox while spam and abuse do not. It also provides professional services to help analyse an organisation’s email and delivery systems so that it can take steps to reduce spoofing and phishing.