Why protecting and validating email identity is a top priority for a secure 2015
The scope and frequency of cyber attacks, data breaches, information disclosures, and the sophistication of the tools used to attack companies and individuals has been increasing at a tremendous rate.
It doesn’t strain our memories to come up with numerous prime examples including the deliberate corporate penetration of Sony (which was “easy”) and of Sands Casino (presumably very hard); or the exposure of super-powerful nation state sponsored attack software Regin that helps enable penetration of specific, complex targets. Don’t forget as well, the numerous phishing attacks that were propagated in 2014. And, perhaps just as infamous, the social engineering attacks in which malicious individuals tricked Apple and GoDaddy into revealing sensitive information.
All of these are different attack vectors, with different ultimate purposes, targeting individuals or corporations. All were successful. And the actual, complete list would be too large to publish (and would be impossible to know as more than half of data breaches go unnoticed).
What do the majority of these attacks have in common?
In order for most of these attacks to be successful, the attacker must penetrate your systems or defenses in some way and establish a “beach head” — just as in war. Once the attacker gets his foot in the door, it becomes much easier for him or her to escalate the scale and scope of the attack with much more potential for very serious impact.
What are the most common vectors for attackers? Besides your public-facing web and internet presence, email is one of the primary means that attackers use to begin. In order for email to work as a vector, the attacker must trick you into trusting him/her somehow. It’s the old “Jedi mind trick” over the Internet …
“…You will trust me … I am your friend … clicking on this link is Ok … You feel comfortable doing what I ask of you…”
As attacks are escalating, so is the pressure on your email … more and more attackers are using well crafted email messages as a vector. And by “well crafted,” I mean messages that really look legitimate and not like a Nigerian Spam.
How Attackers Get Your Trust In Email: Identity Theft
Some attackers use low-quality brute force methods to infiltrate random people. They send loads of spam with “interesting” content. Those messages contain links which, if clicked on, can infect your computer with malware or which try to collect sensitive information from you. These generic “phishing” attacks are incredibly common, fairly easy to spot, and pretty easy for anti-Spam filters to block. This is not really what we are concerned with here.
The “next level” beyond generic phishing attacks are “spear phishing.” In these attacks, the malicious sender has some information about you and uses that to trick you into believing that the message should be trusted. Simple spear phishing attacks are very common and are often easily recognized, however artfully crafted attacks can be sophisticated in their design and not nearly as easy to identify at first glance.
What are some of the things that attackers use against you in a spear phishing attack?
- Email addresses of your co-workers, friends, vendors, and associates. Messages can be forged to look like they are from these people. This may allow the message to slip through your spam filters and your mental filter. You see the message from someone you know and you open it. Your guard may be down and you may not look critically at the message for “tells” that it is not really from this person.
- The names of these people. If the attacker knows the names (and email signatures) of these people as well, then the message can be better crafted.
- Subjects and message content, images, and formatting. If the attacker knows what messages to you from this sender look like, then s/he can craft similar messages to better entice you to do what s/he wants. The familiarity will lower your guard further. This includes things such as using the same subject lines, the same formatting, the same wording and phraseology, the same images and email signatures, etc.
A large part of what this comes down to is “email identity theft.” The attacker needs to pose successfully as someone else in order to gain your trust. Your ability to detect this type of fraudulent behavior is crucial to your ability to defend yourself (and your organization) from such attacks. And you may never know the attack was successful or that it even was an attack.
Common reasons for phishing attacks
To put this in perspective, here are a number of reasons we have seen for phishing attacks (and there are clearly many more possibilities). Think about which could apply to email messages sent to you and what the impact would be if you accidentally fell for one…
- Divulging your personal information. Trick you into filling out a form that gathers your username, password, social security number, account number, address, or other information. Sometimes this is used to then gain access to other accounts that you have (e.g. a bank or email system); other times it is used to further build a profile of you so that the next attack on you can be more targeted.
- Installing malware. Trick you into clicking on a link in the email message that opens a web page that then infects your computer with some type of virus or malware. This could be a key logger that captures everything you type; it could be a botnet that uses your computer to attack other computers; it could be a back door that gives the attacker full access to your computer and everything on it and a privileged foothold into your local network to attack other computers and servers, etc.
- Divulging privileged / sensitive information. Trick you giving out information about someone or some thing to which the attacker is not authorized. This is “social engineering” at its core. A good example is someone posing as a customer and calling a call center for help and requesting information about the company, the account, users in the account, etc. Usually there is a high degree of urgency — “my boss is out of town and our systems are down and we need this ASAP or else we’ll lose some important business!” If you believe them, you give out the information requested and they are happy. They then use that information for ill-intentioned purposes, such as further targeted attacks.
- Getting you to perform some action. Trick you into doing something that you should not. E.g. leaving a door open, resetting someone’s password, leaving where you are to go on a “wild goose chase.” If you are in technical support, this could involve convincing you to make some change to some account, such as closing it, changing security settings, creating a user, etc. All of these actions then enable the attacker to continue to escalate the attack.
What can you do to better detect forged identities and to protect your own from theft?
We will discuss how attackers go about forging email identities and the details of how defenses against that work in future articles. For now, the simple answer is to follow these steps to protect yourself:
You would be well served to also add SPF and DKIM to your own domain’s email settings (if you have your own domain name), as these technologies can help others detect if email purporting to be from you really is from you.
If you have questions on what you can do to lock down your email account to block forged email (as best as possible) and to help ensure that you email cannot easily be forged, please contact LuxSci or your email provider.