Snatching Credentials and Targeting Inboxes-How Hackers are Getting In

Category: Blog, Security  |  Wednesday, January 31st, 2018

In a new report, Trend Micro revealed that Business Email Compromise is projected to grow at an astounding rate as attackers continue to use more sophisticated social engineering tactics to trick their targets.

The Internet Crime Complaint Center characterizes the business email attacks in five groups:

  • Bogus Invoice Schemes
  • CEO Fraud
  • Attorney Impersonation
  • Data Theft
  • Account Compromise

But in this study, researchers split them in two: Credential-grabbing and Email-only. Attackers must be proficient in at least one of these methods for the scheme to work.

Business email attacks are expected to cost over $9 billion in 2018. That’s way up from just a year ago, when the FBI reported that email attacks had become a $5.3 billion industry. Attacks have become more sophisticated as hackers continue to refine their methods.

Email attacks have grown due to “their relative simplicity,” according to a new Trend Micro report “Tracking Trends in Business Email Compromise Schemes.”

“This particular type of attack is not going away — it’s only increasing,” says Ed Cabrera, chief cybersecurity officer at Trend Micro.

Method 1: Snatching Credentials
This tactic leverages keyloggers and phishing kits to steal credentials and access an organization’s email. Researchers noticed an uptick in phishing HTML pages sent as spam attachments, which, while not new, is still effective against unsuspecting users.

Spear phishing is one of the primary methods used to steal email login data for attacks. Once an attacker compromises a Gmail account, for example, they can impersonate its owner or use personal information or credentials they find in the account.

The other credential-grabbing technique uses malware, which continues to be a problem for targets using antivirus tools because some attackers use crypter services to evade AV detection. Researchers note email attack actors are more frequently using phishing attacks over keyloggers because they’re simpler and cheaper; actors don’t need to shell out for builders and crypters.

Keyloggers and remote access tools are the most common types of malware used for attacks because they’re effective and inexpensive. Unlike attacks that rely on phishing to steal a single set of credentials, malware can collect all stored credentials on an infected machine.

Method 2: Targeting Inboxes
Email-only attacks, which rely on social engineering, are getting more sophisticated as attackers get smarter. This tactic involves sending an email to someone in the target company’s finance department in which a purported executive requests a money transfer, framed as a payment or as a personal favor. Usually, a spoofed email from the CEO is sent to the head of finance.

“The CFO has the authority and ability to request last-minute money transfers within the organizations,” says Cabrera. “[Attackers] are trying to capitalize on the relationship between the CEO and CFO.”

Cybercriminals launching email attacks carefully research their victims. “It’s usually the advanced groups, but it’s also almost akin to cyberespionage,” he continues. “They have a healthy knowledge of who they’re targeting, and who in the organization they’re going to target.”

This research is what makes them successful. And your social media presence is helping them. Attackers want to know about the organization and its executives: who’s on vacation, typical work hours, business travel. They want to know news surrounding the business and operations such as M&A activity and corporate events. Oftentimes actors target ADP credentials and payment/benefits information so they can better understand the employees they’re targeting. All of this data, both public and private, leads to success.

“We’re seeing a shift: ‘How do we compromise email infrastructure and dig even deeper?’” Cabrera notes.

Social engineering scams can be tough to spot. Sometimes the subject line will give an attacker away; based on analysis of email samples, more than two-thirds had subjects containing terms “request,” “payment,” or “urgent.” Many said “wire transfer request” and “wire request.”

In the “Reply-To” header, many attackers insert their own email address so that replies from target recipients come back to them. Most email clients don’t display the Reply-To address by default, so the redirection goes unnoticed. Attackers who don’t use this trick instead register a legitimate-looking address to impersonate a corporate executive, usually on free webmail services such as “accountant.com” and “workmail.com.”
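The subject-line and Reply-To indicators above translate directly into a mail-gateway or SIEM check. The following Python script is an added example written for this post, not code from Trend Micro or the report; it parses a constructed sample message (the sender, recipient and domains are made up) and flags three of the signals described here: a Reply-To domain that differs from the From domain, use of the free webmail domains named above, and the “request/payment/urgent/wire transfer” subject terms.

```python
import email
from email import policy
from email.utils import parseaddr

# Subject terms the report found in more than two-thirds of sampled BEC mails
SUSPICIOUS_SUBJECT_TERMS = ("request", "payment", "urgent", "wire transfer")
# Free webmail domains the post names as used for look-alike executive addresses
FREE_WEBMAIL_DOMAINS = {"accountant.com", "workmail.com"}

# Constructed sample (not a real message): a spoofed "CEO" mail with a hidden Reply-To
SAMPLE_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Reply-To: jane.doe.ceo@accountant.com
Subject: Urgent wire transfer request
Date: Wed, 31 Jan 2018 09:15:00 -0800
Message-ID: <constructed-0001@example-corp.com>

Hi, I need you to process a wire today before I board my flight. Details to follow.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header, or ''."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def score_message(raw):
    """Parse an RFC 5322 message and return the list of indicator names it triggers.

    The checks mirror the observations in the post: replies silently redirected
    to another domain, free-webmail sender/reply domains, and urgency or payment
    wording in the subject. An empty list means none of these signals fired.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-domain-mismatch")

    if from_domain in FREE_WEBMAIL_DOMAINS or reply_domain in FREE_WEBMAIL_DOMAINS:
        indicators.append("free-webmail-domain")

    subject = str(msg["Subject"] or "").lower()
    hits = [term for term in SUSPICIOUS_SUBJECT_TERMS if term in subject]
    if hits:
        indicators.append("subject-terms:" + ",".join(hits))

    return indicators


if __name__ == "__main__":
    for indicator in score_message(SAMPLE_MESSAGE):
        print(indicator)
```

On the constructed sample all three indicators fire; on an ordinary internal message with no Reply-To and a neutral subject the list is empty. In practice the Reply-To check is the strongest of the three: urgency words appear in plenty of legitimate finance traffic, so treat the subject-term hit as a score contribution rather than a verdict on its own.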

“From a user side, awareness and training is critical,” says Cabrera. “From the boardroom down to the server room, make sure [employees] know this is actually happening.”

Source Image: https://unsplash.com/photos/3Mhgvrk4tjM
