Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/19/2019
11:00 AM
Robert Lemos
Robert Lemos
News
50%
50%

Stealing Corporate Funds Still Top Goal of Messaging Attacks

Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

Attackers continue to use many of the same phishing techniques as in the past, but, increasingly, the scams are much more targeted and, in some cases, have moved to mobile devices, according to two reports published today.

In its report, messaging-security firm Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in. The scams use a variety of reasons, from claiming the account has been frozen to asking the user to review a document.

Overall, attackers are moving to spear-phishing attacks because they are relatively low volume and can be sent from popular e-mail services, making it less likely they will be blocked, says Asaf Cidon, vice president of content security at Barracuda.

"Because they are not sending a high volume of attacks — it's quality and not quantity — and it is usually a human manually sending the e-mail and tailoring it, they can afford to send it from a Gmail account," he says. "And basically the popular e-mail security services and cloud providers won't block the e-mail because those services have a high reputation."

Despite advances in anti-spam systems, fraudulent messages continue to reach end users, aiming to take advantage of nontech-savvy workers to steal their credentials, convince them to pay fake invoices, or convince them that lurid secrets are in criminals' hands.

While e-mail scams that attempt to fool users into giving up their credentials for popular services are the most numerous, the most costly threat continues to be business e-mail compromise (BEC), where the fraudster attempts to fool an employee into paying a fake invoice. While BEC attacks only make up 6% of all spear-phishing attacks, according to Barracuda, they account for the most losses.

In 2017, for example, more than 15,000 BEC complaints  were filed with the Internet Criminal Complaint Center (IC3), amounting to an adjusted loss of $675 million, according to the center's annual report. By comparison, ransomware only accounted for $2.3 million in losses in 2017, the latest data available, according to the annual IC3 report.

Reprising the theme of using high-reputation services, more than 60% of BEC attacks come from one of 10 different e-mail service providers, Barracuda's Cidon says.

"What happened over time is that all these services actually started getting very high sender reputation," he says. "So, effectively, Gmail and Office 365 treat free e-mail services as very high-reputation sender domains.”

In some cases, attackers have also started moving victims over to text messaging as the primary conduit for the scam, according to the second report from messaging-security firm Agari. In its analysis, the firm described how the attack starts with a purported message from the company CEO asking for the employee's personal cell to "complete a task for me." The attacker then moves the discussion to SMS text messaging. 

Rather than aim for high-value accounts, the scam typically focuses on getting the employee to buy gift cards with the corporate credit card, the Agari report states. Gift cards have become a common way for scammers to cash out, with a quarter of fraud ending in payment by gift card, up from 7% in 2015, according to the U.S. Federal Trade Commission.

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam. Employees need to be trained to recognize such fraud, says Crane Hassold, director of threat research at Agari.

In addition, companies need to have a procedure in place to catch the fraudulent transactions before they occur, he says.

"There needs to be a secondhand verification for that request," Hassold says. "If someone is asking for a wire transfer, confirm through a second channel."

Perhaps the easiest way to monetize leaked credentials — no matter what service the username and password originates — is through the increasingly popular sextortion scam. Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages, Barracuda stated in its report. The attackers typically pretend to have access to an online cache of pornography accessed by the target, to have recorded the target watching pornography, or to be a law enforcement agency investing child pornography.

"The fact that, at this point, it is 10% of targeted attacks is surprising," Barracuda's Cidon says. "It didn't exist a few months back, and now it is one of the most popular attacks on e-mail."

The attacks are likely underreported because of the sensitive nature of the threats, he says. 

The vast majority (88%) of all sextortion e-mail messages used subject lines having to do with a security alert or requesting a password change, Barracuda said. The majority of e-mail messages (60%) used only 30 subject lines.

Messaging attacks will continue to be a major threat for companies because they offer an easy way to gain employee credentials, compared with other cyberattacks based on malware, says Agari's Hassold. 

"We have seen cyberattacks decrease significantly over the past couple of years compared to social engineering attacks," he says. "The ROI for social-engineering attacks is much lower. I do not have to stand up that much infrastructure, and I do not need a lot of technical knowledge."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.