Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/4/2019
03:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Today's Cybercriminals Sneak into Your Inbox

The tactics and techniques most commonly used to slip past security defenses and catch employees off guard.

Cybercriminals are constantly altering their techniques to bypass increasingly advanced technical controls in order to deliver credential phishing attacks, business email compromise (BEC), and different forms of malware to unsuspecting users who rarely think twice about clicking.

Between Oct. 2018 and March 2019, researchers with the Cofense Phishing Defense Center analyzed 31,429 malicious emails. At 23,195, credential phishing attacks fueled the bulk of emailed cyberattacks, followed by malware delivery (4,835), BEC (2,681), and scams (718). Subtle tactics like changing file types, or using shortened URLs, are giving hackers a hand.

"We do continue to see them evolve with simple adjustments," says Cofense co-founder and CTO Aaron Higbee. Credential-phishing emails using fake log-in pages are tough to stop at the gateway because often associated infrastructure doesn't seem malicious. Some campaigns, to disguise malintent, send emails from genuine Office 365 tenants using already compromised credentials or legitimate accounts – and a fake login page hosted on Microsoft infrastructure is "nearly impossible" to distinguish.

Researchers report many secure email gateways don't scan every URL; instead, they only focus on the type of URLs people actually click. But with more phishing attacks leveraging single-use URLs, enterprise risk grows. Attackers only need one set of legitimate credentials to break into a network, which is why credential phishing is such a popular attack technique, they explain.

Cloud adoption is changing the game for attackers hunting employee login data. Businesses are shifting the location of their login pages and, consequently, access to network credentials.

"As organizations continue to move to cloud services, we see attackers going after cloud credentials," Higbee says. "We are also seeing attackers use popular cloud services like SharePoint, OneDrive, Windows.net to host phishing kits. When the threat actor can obtain credentials, they are able to log into the hosted service as a legitimate user."

It's tough for organizations to defend against cloud-based threats because they don't always have the same visibility to logs and infrastructure as they do in the data center. It's a complex issue, Higbee continues, because businesses may engage with cloud providers and fail to include security teams, which need to be kept in the loop on monitoring and visibility needs.

Special Delivery: Malware

More attackers are using atypical, different file types to bypass attachment controls of email gateways and deliver payloads. As an example, researchers point to when Windows 10 changed file-handling for .ISO files, which gave hackers an opportunity to shift away from the .ZIP or .RAR files usually inspected by security tools. In April 2019, Cofense saw attackers rename .ISO files to .IMG, successfully transmitting malware through secure gateways.

"The gateway sees this as a random attachment, but when you download the file to the device, Windows 10 treats it as an archive and opens it in explorer allowing the victim to click the contents within," says Higbee. "Nothing changed in the malware, just the file extension name."

There is a challenge in defending against these types of threats because, as Higbee points out, there are legitimate attachment types you can't block without disrupting the business. "We see this with PDF files that include links to the malicious site that might be a spoofed login page where they could capture credentials," he adds. Businesses can't blindly block these file types.

Some attackers rely on "installation-as-a-service," through which they can pay to have malware installed on a machine, or group of machines, anywhere in the world. As Cofense points out, Emotet started as a banking Trojan but gained popularity as a loader for other malware; now, its operators have transformed Emotet into a complex bot responsible for several functions.

Cyberattackers who sent malware via malicious attachments in the past year exhibited a strong preference (45%) for exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882). In previous years, they had heavily used malicious macros, which only accounted for 22% of malware delivery tactics this past year.

CVE-2017-11882 lets attackers abuse a flaw in Microsoft Equation Editor that enables arbitrary code execution. They can chain together multiple OLE objects to create a buffer overflow, which can be used to execute arbitrary commands often involving malicious executables. Equation Editor is an old application and lacks security of recent Microsoft programs; researchers expect the flaw will be exploited less as companies patch and use newer apps.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSindone
50%
50%
MarkSindone,
User Rank: Moderator
6/13/2019 | 2:47:19 AM
Always be vigilant
This problem needs one simple solution -- better awareness. The more we become educated, the more we will be on our guard. Employees need to be told of the various ways cyber criminals work so as to detect potential harm before they can strike. When people become educated, they are more prepared and will always remain vigilant.
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
6/4/2019 | 3:52:30 PM
"If you don't need it, don't read it, delete it."
My golden rule. 
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.