Slow Down… to Go Faster!
I like a good strong cup of coffee. And when I’m in Mumbai, you will usually find me lining up at the coffee shop in the office building to get my workday afternoon fix. Today, when it was time to pay up, I handed over my credit card as usual. Somehow, I couldn’t help but think that I was handing over personal financial details to a stranger. Of course, the outlet belongs to a reputable global chain, and I have used my credit card thousands of times in similar situations. I looked around and assured myself that this was a relatively safe transaction. But is that always the case?
As humans, we tend to be creatures of habit. Our brains are wired to trust the familiar. We feel comfortable in situations that we have experienced earlier, and environs that we have seen before. Take the case of email – how many times have you thought twice before opening that email attachment? Or clicking that URL in an email? Given the amount of information available on protecting yourself against email-based attacks, a surprisingly large number of users still click on suspicious links and open attachments from unknown senders. It is no wonder that email is the #1 vector for both malware distribution and phishing attacks.
Last year marked the 40th anniversary of the first spam email, which was sent out over the ARPANET in 1978. To this day, spam continues to be the bane of the modern internet. In fact, it has reached staggering proportions – according to Talos Intelligence, about 85% of all email is spam! But spam is a relatively harmless by-product of email today compared to its more dangerous cousins – phishing and malware. And even the tightest Zero Trust Security implementation is ineffective at stopping them – proving that users continue to be the weakest link, just as in the Target attack.
Attackers are getting increasingly sophisticated and can make phishing emails look very close to the real thing. The Office365 phishing attack disguises itself as a genuine email from Microsoft, but on clicking, directs you to a fake website with an official-looking login page, and attempts to gather your credentials. Once compromised, your email account can then be used to launch a broader attack within your organization – using your legitimate account! Similar attacks are being seen against Google’s G-Suite users as well.
The objective of the attacker in this case is to get you to open the attachment or click on a URL that typically contains an exploit. And they will go to great lengths to convince you to do so. You may find yourself receiving an invoice for a subscription that you never signed up for. In this case, the email is vague and arouses your curiosity – hence tempting you to open the attachment or click the URL to find out more. The interesting part here is that, more and more, the file types commonly used at work are being used to deliver malware. According to Talos Intelligence, “.doc”, “.zip” and “.pdf” make up ~80% of malicious extensions being used.
Increasingly, automation is being leveraged to launch large-scale and highly distributed attacks with disastrous consequences. One such example in the recent past was the WannaCry ransomware, which reached over 250,000 hosts across the world in just 4 days!
In our progressively mobile world, a majority of our email is accessed on the go, through our smartphones. In this situation, it becomes even more challenging to identify suspicious content on the small screen.
Financial fraud is perhaps as old as money itself. It has evolved with technology, but still targets an inherent human trait: Trust. Some email frauds were so effective, they became popular and therefore well-known – like the one where the assistant to an African prince (or some similarly rich personality) wants to send you a large sum of money, but first needs you to transfer a smaller, yet significant, sum to him to cover “transaction costs”.
Another surprisingly simple technique in the corporate world is where the attacker masquerades as the CFO/CEO of the organization, and sends an email authorizing an illegitimate transaction – like wiring a sum of money to an external organization – under the pretext of urgency. The recipient, in this case, is typically a few levels lower in the hierarchy, and therefore overwhelmed by the authoritative nature and source of the instructions.
My transaction at the coffee shop was relatively low risk, compared to what’s at stake today in the world of email attacks. In my next blog, I will cover strategies for organizations to protect themselves from this threat.