The easiest way for a cyber-attacker to get into your network is through your email. This can be accomplished a number of different ways, but a successful exploit may use several of these methods together to gain access to your network and control your computer systems. The great thing, from the attacker’s perspective, is that by using your email, they can get around whatever perimeter defenses you have, such as firewalls and intrusion detection systems, and can even beat the Internet security software programs installed on your computers. These systems are not designed to prevent what an authorized network user allows, and the attackers are counting on their ability to convince a user on your network to click on a link or open an attachment in a convincing email to get the ball rolling.
Email Account Hijacking
Account hijacking happens when an attacker gains access to your email account by acquiring your email user credentials. Losing your email user name and password may happen a number of ways, from a simple phone call from a “tech support agent” who simply asks you for them, to an email appearing to be a reset email (“there are problems with your account, please click the link to reset your password”), to losing your credentials in a large database breach and having your user name and password sold in a Rainbow Table on the Dark Net. Account hijacking can be used as part of a reconnaissance phase, where the attacker just simply sits back and reads your emails, determining things such as who you contact the most, the names and email addresses of other people in your company or organization, your vendors, bankers, and other major partners or online accounts. This access comes in handy when they are ready to craft the perfect email to fool you into clicking on that link! (See Spearphishing below)
Or they may use the access to your account to send an exploit to everyone in your Address Book, even something as simples as the “I’ve been mugged in Spain, send me money.” email. Or they may be able to harvest enough information to get into your bank or investment accounts. With access to your email account, the attacker can use the “lost password” reset tool on every site you use online and eventually gain access to PayPal, eBay, Facebook, LinkedIn, Amazon, well you get it – everywhere! Access to your email account gives the attacker unprecedented insight into your life online, and can have devastating consequences.
Email tracking allows email senders to know whether and when you received and opened an email. Mail programs such as Outlook have the ability to set a “received request” and an “read request” on emails you are sending, and if you have ever received this sort of email, you generally we get a pop-up alert asking if you want to permit the sender receiving this verification. Commercial email marketing services such as iContact, Constant Contact, and MailChimp also provide email tracking services to their subscribers, the marketing company that is sending the mail. This is done with the use of a cookie or a web beacon.
Cyber-attackers can also add these sorts of feature to SPAM, phishing or spearphishing messages in order to gain useful insight into how well a certain email approach is working, by seeing when the email was received, opened, read, and forwarded. This can also be used find out other information about the recipient such as geolocation of the recipient (yes!), what computer operating system and what email reading program or web browser you are using.
When used by cyber-attackers, email tracking is part of the reconnaissance or research phase of the attack.
Phishing is a form of SPAM or bulk email send to many individuals in an attempt to get the recipients to respond if some fashion. The typical endgames for Phishers are tricking the recipients into responding with personal information, such as user IDs and passwords for targeted accounts, credit card information, or other personally identifying information. Often there is a link to click on, and the link will take the unwary recipient to a look-alike web page where information can be entered in a form, and sometime the web page will be used to download and install a malicious program such as a remote access Trojan (RAT), encryption ransomware such as CryptoWall, or a banking Trojan such as Neverquest. Or the email may contain an email attachment, that when opened installs malware like that described above.
Once an attacker has successfully installed a remote access program, they can use the computer as if it was their own. They can install mailing software to send SPAM, or other type of exploit tools. They can browse through your files for passwords, financial information, personal information, and proprietary trade secrets. They can then use the compromised system to launch attacks on other systems on the network, elevate their privileges to become a network administrator. Then the entire organization is at risk since at this point the attacker has unlimited access to and power over all the devices connected to the network.
Spearphishing is different in that the email is sent to one very specific targeted individual in an organization. This can be anyone, but is often the CEO, CFO, network administrator, bookkeeper, or other business manager. The spearphishing email will be designed after some significant reconnaissance on the target, and may look like it is coming from a colleague, client, coworker, trusted vendor, or other plausible source and will may include convincing details that you would not expect an attacker to know. This can make spearphishing emails extremely difficult to detect and avoid.
The endgame is the same: gain access, elevate privilege if necessary, and take control of the network. Spearphishing is often used to deploy banking Trojan such as Zeus or Neverquest, which can be used to take over online banking session so the attacker can transfer funds out of company bank accounts. Sometimes the recipient is selected because they have access to the networks of other companies that are the real objective. This is exactly what happened in the Target Christmas breach of 2013: Target’s networks were compromised through at network access provide to an HVAC vendor.
Defending Against Email Attacks
What can you do to defend against these sorts of exploits? The best defense is a healthy level of suspicion and paranoia when reading your email. Do not assume that every email is a legitimate email from someone you know and trust, even if it looks like it. Taking a minute to send a reply asking the sender what is in the attachment or where the link is going to take you can save you a lot of trouble. Email attachments and web links can be scanned for malware and verified at VirusTotal.com. Get familiar with this site and use it. Switching from HTML to text only email will neutralize and attempts at email tracking, and disables hyperlinks. Any embedded images in your email will also be gone, but we lived without them in the past, and this may be a good practice given the prevalence of email exploits.
As a business owner or manager, you need to up your game relative to cybersecurity in your business. This starts with a continuing program of employee training, teaching them how to recognized and avoid email and other computer threats, and what to do in cases where they think they are being attacked. You will want to make sure your perimeter defenses are working as expected, and that all computers are running some sort of anti-malware software, of course. But you should be looking for the newer security solutions that also monitors and examines computer traffic internal to the network, or suspicious traffic originating on the network and traveling out to the Internet. You should be looking at data encryption and regular backups.
The cybercrime industry has become a billion dollar a year enterprise, because for the criminal the risks are much lower and the rewards are unbelievably large. At the time of this writing, we are uncovering the details of a sophisticated attack on over one hundred banks around the world that have together lost $300 million dollars. Some estimates place total potential losses in the $750 million to $1 billion dollar range. And this is just one cybercrime gang. 2015 is the year to finally get serious about protecting your company from cybercrime.
More information at:
- Security Affairs – Defending Against Spear Phishing, RAT Deployment and Email Tracking