
Threat Intelligence

3/19/2019
11:00 AM
Robert Lemos
News

Stealing Corporate Funds Still Top Goal of Messaging Attacks

Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

Attackers continue to use many of the same phishing techniques as in the past, but, increasingly, the scams are much more targeted and, in some cases, have moved to mobile devices, according to two reports published today.

In its report, messaging-security firm Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in. The scams use a variety of reasons, from claiming the account has been frozen to asking the user to review a document.

Overall, attackers are moving to spear-phishing attacks because they are relatively low volume and can be sent from popular e-mail services, making it less likely they will be blocked, says Asaf Cidon, vice president of content security at Barracuda.

"Because they are not sending a high volume of attacks — it's quality and not quantity — and it is usually a human manually sending the e-mail and tailoring it, they can afford to send it from a Gmail account," he says. "And basically the popular e-mail security services and cloud providers won't block the e-mail because those services have a high reputation."

Despite advances in anti-spam systems, fraudulent messages continue to reach end users, aiming to take advantage of nontech-savvy workers to steal their credentials, convince them to pay fake invoices, or convince them that lurid secrets are in criminals' hands.

While e-mail scams that attempt to fool users into giving up their credentials for popular services are the most numerous, the most costly threat continues to be business e-mail compromise (BEC), where the fraudster attempts to fool an employee into paying a fake invoice. While BEC attacks only make up 6% of all spear-phishing attacks, according to Barracuda, they account for the most losses.

In 2017, for example, more than 15,000 BEC complaints were filed with the Internet Criminal Complaint Center (IC3), amounting to an adjusted loss of $675 million, according to the center's annual report. By comparison, ransomware only accounted for $2.3 million in losses in 2017, the latest data available, according to the annual IC3 report.

Reprising the theme of using high-reputation services, more than 60% of BEC attacks come from one of 10 different e-mail service providers, Barracuda's Cidon says.

"What happened over time is that all these services actually started getting very high sender reputation," he says. "So, effectively, Gmail and Office 365 treat free e-mail services as very high-reputation sender domains."

In some cases, attackers have also started moving victims over to text messaging as the primary conduit for the scam, according to the second report from messaging-security firm Agari. In its analysis, the firm described how the attack starts with a purported message from the company CEO asking for the employee's personal cell to "complete a task for me." The attacker then moves the discussion to SMS text messaging. 

Rather than aim for high-value accounts, the scam typically focuses on getting the employee to buy gift cards with the corporate credit card, the Agari report states. Gift cards have become a common way for scammers to cash out, with a quarter of fraud ending in payment by gift card, up from 7% in 2015, according to the U.S. Federal Trade Commission.
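As an added example (not from the article or from either vendor's report), the following Python mail-triage heuristic encodes the two patterns described above: a service-administrator or executive display name sent from a free webmail account, and a purported CEO steering the target toward a personal cell number or gift cards. The provider list, keyword patterns, two-signal threshold and sample messages are all assumptions constructed for illustration.

```python
"""Heuristic triage for the two spear-phishing patterns the article describes.
All lists, patterns, thresholds and sample messages below are constructed."""
import re
from email.utils import parseaddr

# Free webmail providers that carry high sender reputation (assumed list).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
# Display names claiming a popular service or an executive role (assumed set).
IMPERSONATION_RE = re.compile(
    r"\b(microsoft|office\s?365|google|dropbox|docusign|paypal|admin(istrator)?|"
    r"support|it\s+help\s*desk|ceo|chief executive)\b", re.I)
# Credential lures named in the article: frozen account, review a document, log in.
CREDENTIAL_LURE_RE = re.compile(
    r"\b(account.{0,20}(frozen|suspended|locked)|review (the|this) document|"
    r"sign in|log ?in|verify your (account|password))\b", re.I)
# BEC-to-SMS cues: personal cell number, "complete a task", gift cards, wires.
BEC_SMS_RE = re.compile(
    r"\b(personal (cell|mobile)|cell ?phone number|complete a task|"
    r"gift ?cards?|wire transfer)\b", re.I)

def triage(msg: dict) -> dict:
    """Score one message (keys: from, subject, body) and return a verdict."""
    display, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg['subject']}\n{msg['body']}"
    reasons = []
    if IMPERSONATION_RE.search(display) and domain in FREE_MAIL_DOMAINS:
        reasons.append("brand-or-role display name from free webmail")
    if CREDENTIAL_LURE_RE.search(text):
        reasons.append("credential lure")
    if BEC_SMS_RE.search(text):
        reasons.append("BEC/SMS or gift-card request")
    # Two independent signals quarantine; a single signal only warns.
    verdict = "quarantine" if len(reasons) >= 2 else ("warn" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages, keyed by a short label.
SAMPLES = {
    "o365_freeze": {"from": '"Office 365 Administrator" <o365.alerts.team@gmail.com>',
                    "subject": "Your account has been frozen",
                    "body": "Please log in to review this document and restore access."},
    "ceo_sms": {"from": '"CEO Jane Doe" <jane.doe.exec@outlook.com>',
                "subject": "Quick request",
                "body": "Send me your personal cell number so you can complete a task for me."},
    "team_party": {"from": '"Bob" <bob@gmail.com>', "subject": "Gift cards for the party",
                   "body": "Can someone pick these up?"},
    "lunch": {"from": '"Alice Smith" <alice@example.com>', "subject": "Lunch",
              "body": "See you at noon?"},
}

def triage_all() -> dict:
    """Run triage over every constructed sample and return label -> result."""
    return {label: triage(m) for label, m in SAMPLES.items()}
```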

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam. Employees need to be trained to recognize such fraud, says Crane Hassold, director of threat research at Agari.

In addition, companies need to have a procedure in place to catch the fraudulent transactions before they occur, he says.

"There needs to be a secondhand verification for that request," Hassold says. "If someone is asking for a wire transfer, confirm through a second channel."

Perhaps the easiest way to monetize leaked credentials — no matter which service the username and password came from — is through the increasingly popular sextortion scam. Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages, Barracuda stated in its report. The attackers typically pretend to have access to an online cache of pornography accessed by the target, to have recorded the target watching pornography, or to be a law enforcement agency investigating child pornography.

"The fact that, at this point, it is 10% of targeted attacks is surprising," Barracuda's Cidon says. "It didn't exist a few months back, and now it is one of the most popular attacks on e-mail."

The attacks are likely underreported because of the sensitive nature of the threats, he says. 

The vast majority (88%) of all sextortion e-mail messages used subject lines having to do with a security alert or requesting a password change, Barracuda said. The majority of e-mail messages (60%) used only 30 subject lines.

Messaging attacks will continue to be a major threat for companies because they offer an easy way to gain employee credentials, compared with other cyberattacks based on malware, says Agari's Hassold. 

"We have seen cyberattacks decrease significantly over the past couple of years compared to social engineering attacks," he says. "The ROI for social-engineering attacks is much lower. I do not have to stand up that much infrastructure, and I do not need a lot of technical knowledge."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
