Malicious email remains one of the most significant and ongoing computer security threats that we face. Cybercriminals use a variety of email-based attacks to deliver malware, lure victims to malicious websites, and steal logon credentials, and organizations everywhere need to understand these threats and how to implement effective safeguards.
Malicious email authors are clever and relentless, and they are constantly developing new, or at least different, ways to deceive and attack us. Although the malicious payloads found in email-based attacks frequently change, the vast majority of cybercriminals use three basic strategies:
Malicious attachments: Emails often include dangerous attachments that install keyloggers, ransomware, and other malware when opened by the victim. According to Verizon’s 2017 Data Breach Investigations Report, two-thirds of all malware that successfully penetrated a victim’s network during 2016 was delivered via malicious email attachments.
Links to malicious web pages: Contained in either an attachment or in the body of the email, links to dangerous web pages also account for a significant number of data breaches. ZDNet reported that almost a quarter of users will click a malicious link if they believe the email is from a friend.
Enticements to perform transactions: Cybercriminals are increasingly researching and using social engineering to entice their victims to transmit sensitive data or perform a financial transaction. This technique does not require an attachment or any links in the message.
These three basic strategies account for virtually all forms of malicious emails in use today. Although there are permutations within each of these methodologies, risky emails will, in general, incorporate one or more of these tactics.
Top 10 Malicious Email Threats
Cybercriminals combine poisonous links, attachments, and enticements in various ways to develop malicious email campaigns that are, unfortunately, very effective. While it’s impossible to enumerate all email-based threats, here’s a list of some of the most significant and dangerous types.
Ransomware: Most commonly delivered via email, ransomware encrypts the victim’s data and demands a fee to restore it. According to CNBC, ransomware spiked 6,000% in 2016, and most ransomware victims, in an attempt to recover their data, paid the ransom. Learn more about ransomware by reading Ransomware Delivery Mechanisms.
Phishing: Phishing uses psychological manipulation to bait victims into divulging logon data or other sensitive information that criminals sell or use for malicious purposes. A phishing attack usually consists of an authentic-looking sender and a socially engineered message. Many email recipients believe the message is from a trusted individual and will open infected attachments or click on malicious links. See For Cybercriminals, A Bad Day of Phishing is Still a Good Day to learn more.
Spear phishing: A more targeted form of phishing, spear phishing consists of a highly customized attack focused on a specific individual or organization. Cybercriminals will often perform extensive research to make their emails appear legitimate. For example, criminals will pose as, or mention, legitimate colleagues, departments, business partners, or even superiors.
Spoofing: Because email protocols lack effective mechanisms for authenticating email addresses, hackers are able to use addresses and domains that are very similar to legitimate ones, deceiving victims into believing that fraudulent emails are from a trusted individual. Criminals may spoof an individual mailbox (“firstname.lastname@example.org” vs. “email@example.com”), or the company’s domain (“johndoe@123abccompany” vs “johndoe@123abcompany”).
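The look-alike domains described above can be caught on the receiving side with a simple string comparison against the organization’s own trusted domains. The following is an added, defender-side example and not code from the original post; the trusted-domain list, the homoglyph table and all addresses in it are constructed for illustration (the page’s “123abcompany” pair is reused without a top-level domain, as written there).

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain.

Added example (not from the original post): a small check that a mail
gateway or SIEM rule could apply to the From: domain of inbound mail.
Domain names and the substitution table below are constructed.
"""
from email.utils import parseaddr
from typing import Iterable

# Characters commonly substituted for visually similar ones (constructed,
# non-exhaustive list): '0' for 'o', '1' for 'l', 'rn' for 'm', and so on.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Collapse look-alike substitutions so that 'examp1e.com' -> 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(address: str, trusted: Iterable[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the sender's domain.

    'trusted' only means the string matches a trusted domain; the From: header
    itself is not authenticated by this check.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return "unrelated"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return "trusted"          # exact match or a genuine subdomain
        if t in domain:
            return "lookalike"        # trusted name buried in a longer domain
        if skeleton(domain) == skeleton(t):
            return "lookalike"        # differs only by homoglyph substitution
        if levenshtein(domain, t) <= max_distance:
            return "lookalike"        # one or two characters off (typosquat)
    return "unrelated"


if __name__ == "__main__":
    trusted_domains = ["123abccompany", "example.com"]
    for sample in ["johndoe@123abccompany", "johndoe@123abcompany",
                   "it-support@examp1e.com", "billing@example.com.attacker.test",
                   "alerts@mail.example.com", "news@unrelated-vendor.test"]:
        print(f"{sample:40} {classify_sender(sample, trusted_domains)}")
```

The edit-distance threshold is a tuning knob: with very short trusted domains a distance of 2 will produce false positives, so organizations with such domains should lower it or rely on the homoglyph and substring checks alone. Because the check is purely string-based, it complements rather than replaces sender authentication (SPF, DKIM and DMARC), which verifies who actually sent the message.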
Man-in-the-Middle Attacks: In these attacks, cybercriminals insert themselves between the user and the application, website, or service the victim is using. This enables the attacker to impersonate the victim, read and manipulate their emails, steal valuable personal information, and even modify or conduct transactions, all without the victim’s knowledge. Like most malicious emails, man-in-the-middle attacks are not new. However, in recent years, hackers have found numerous ways to revive this classic attack. To make matters worse, a variety of inexpensive hacking tools are readily available that help criminals perform man-in-the-middle attacks.
Whaling / Business Email Compromise: Business Email Compromise (BEC), also known as “whaling,” targets an organization’s biggest fish. This is a type of social engineering scam where an attacker sends an email to someone in the organization who has the ability to execute a financial transaction. The email looks like it’s from the CEO (or another empowered individual) and requests an immediate financial transaction such as a vendor payment, direct deposit, or wire transfer. See Preventing Business Email Compromise (BEC) for more information.
Spam: Despite a number of ways to filter out unwanted email, spam remains a significant challenge for organizations. While ordinary spam is simply considered a nuisance, spam is also frequently used to deliver malware. Ransomware, for example, is most commonly delivered via spam, and it behooves all organizations to carefully evaluate spam for dangerous intent.
Key Loggers: In the most damaging data breaches, the criminals behind the attacks nearly always utilize stolen user credentials. One effective method criminals use to obtain IDs and passwords is a keylogger, often delivered by email when victims inadvertently click on a malicious attachment or link. Read Password Stealing Malware Remains Key Tool for Cybercriminals to learn more about key loggers.
Zero-Day Exploits: A zero-day vulnerability refers to a security weakness that is unknown to the software developer. The security hole is exploited by hackers before the vendor has created a fix. Zero-day attacks are frequently delivered via malicious emails, and hackers use them to gain unauthorized access and steal sensitive information.
Social Engineering: Cybercriminals use social engineering to build trust before stealing user logon credentials or confidential data. In a social engineering attack, a computer criminal poses as a trusted individual (IT support, human resources, an outside contractor, etc.) and engages in a conversation to gain access to a company’s network. The attacker deceives the victim into divulging IDs, passwords, and sensitive information, or dupes them into performing a fraudulent transaction.
Detecting and Preventing Malicious Emails
Conventional Secure Email Gateways (SEGs) address legacy email-based threats such as known viruses, Trojans, and spam. However, as discussed in a previous blog post, Protecting Email from Evasive Malware, the majority of security systems are unable to detect and stop today’s advanced email threats that are specifically designed to fool SEGs, legacy sandboxes, and other common security systems.
To detect and prevent advanced forms of malicious emails, organizations should augment their SEGs’ security by deploying sandboxes that can perform deep content inspection and provide full visibility into the workings of emails and their attachments. These advanced tools provide significantly more information and full context of the situation, enabling security analysts to make informed and accurate decisions.
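Deep content inspection starts with pulling a message apart: enumerating every attachment (name, declared type, size, hash) and every link, and flagging the traits that deserve a closer look before anything is detonated. The following is an added example of that first extraction step, written here for illustration and not taken from the original post or any vendor’s product. The raw message, the sender and link domains, the placeholder attachment bytes and the list of risky extensions are all constructed.

```python
"""Enumerate attachments and links in a raw RFC 5322 message for inspection.

Added example, not code from the original post. The message below is
constructed: the attachment is the harmless text 'not a real executable'
and the domains are reserved test names.
"""
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of extensions that execute when opened.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "lnk", "jar"}

# Constructed sample: a look-alike sender, a link whose visible text names one
# host while its href points at another, and a double-extension attachment.
RAW_MESSAGE = b"""\
From: "Accounts Payable" <ap@123abcompany.example>
To: johndoe@123abccompany.example
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please review <a href="http://login.attacker.test/verify">https://portal.123abccompany.example</a> today.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or of bare text such as 'portal.example.com'."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def inspect_message(raw: bytes) -> dict:
    """Return a report of attachments and links with inspection flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"from": str(msg["From"]), "attachments": [], "links": []}

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        flags = []
        if pieces[-1] in RISKY_EXTENSIONS:
            flags.append("executable_extension")
        if len(pieces) > 2:
            flags.append("double_extension")      # e.g. invoice.pdf.exe
        report["attachments"].append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "flags": flags,
        })

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            flags = []
            # Visible text that looks like a URL or hostname but points elsewhere.
            shown = host_of(text) if re.match(r"^(https?://)?[\w.-]+\.\w+", text) else ""
            if shown and shown != host_of(href):
                flags.append("display_mismatch")
            if href.lower().startswith("http://"):
                flags.append("cleartext_http")
            report["links"].append({"href": href, "text": text, "flags": flags})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_message(RAW_MESSAGE), indent=2))
```

The hashes and flags produced here are the inputs a sandbox or analyst would act on next: an attachment flagged with both an executable and a double extension is a candidate for detonation rather than delivery, and a link whose displayed host differs from its actual destination is the classic phishing pattern that gateways relying on sender reputation alone will miss.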