Email presents many hazards to the unwary user. All it takes is one small action in response to the wrong email for a social engineering scam to succeed. As a result, you could have your credentials stolen, find yourself the victim of a cryptomining attack, or even suddenly be out a large sum of money.
Social engineering is the manipulation and deception on which a phishing attack depends. A successful phishing attack relies heavily on the attacker's ability to deceive the target into trusting both the sender and the content of the message.
A phishing campaign begins with gathering as much information about the target as possible. To make the social engineering more convincing, attackers aim to demonstrate detailed knowledge of the target person or organization, knowledge that is often gathered through open source intelligence (OSINT).
This assumed credibility rests on two critical sets of information:
- Knowledge of an organization’s internal structure, processes, and software.
- Knowledge of an organization’s staff.
This information is often obtainable from materials the organization has published online. Attackers are also able to gather extensive knowledge about an organization and its staff from public channels such as LinkedIn. For example, a typical job listing covers:
- Processes: Detailed descriptions of the task and responsibilities for a specific role.
- Structure: Information about whom the employee reports to or manages.
- Software: The tools and platforms listed as desired skills and knowledge.
The likelihood of a successful attack increases with the amount of information the attacker holds on the potential target.
Phishing represents the intersection between cybercrime and social engineering and is one of the oldest threats on the internet. A phishing attack essentially hacks a person rather than a computer system.
Attackers rely on phishing because of its ease, reliability, and potency. Potential goals of a phishing attack include:
- Obtaining login credentials to be used to gain access to assets – an account, a server, a network or the like.
- Obtaining sensitive information such as financial or personal data.
- Delivering malicious payloads such as ransomware, a keylogger, or a Remote Access Trojan (RAT).
- Convincing victims to carry out activities that are against their self-interest, such as wiring money or sharing personal data.
The rate of phishing attempts has been increasing as leaked email addresses proliferate, and the number of unique phishing sites detected is at an all-time high. Phishing attacks fall broadly into two types: untargeted phishing attacks and targeted spear phishing attacks.
- Untargeted phishing attacks: Untargeted phishing attacks are designed to reach the broadest possible audience. The goal is to trick recipients into clicking a link, opening a malicious attachment, disclosing sensitive information, or transferring funds. These attacks rely on high volume to succeed and are more easily identified and mitigated by email security filters, which look for known patterns and indicators of malicious intent in the message language, the type of content, or the sender's domain registration information.
- Targeted phishing attacks: Targeted phishing attacks, on the other hand, aim at a small set of users within a specific organization and rely heavily on social engineering. They are much harder to detect and stop: attackers craft the message using in-depth knowledge of the targets and their environment that often only an insider should possess. Unlike untargeted phishing, even a small number of successful targeted attacks can cause far greater damage, because a single successful attempt is enough to compromise an entire organization.
Email is still the primary initial access vector used by attackers – with 94% of malware being delivered via email.
Directly attaching malicious binaries, such as .exe, Java, and Flash files, to emails to trick users into running an executable used to be far more common.
As preventive controls have become more advanced, attackers have changed their tactics, techniques, and procedures to get past a target's defenses. Nowadays, malware is much more likely to be delivered through less suspicious business document attachments, or through URLs of the kind commonly found in legitimate email communications or other applications.
Almost 50% of malicious attachments are Office documents with hidden macros, scripts, and other exploits which, once activated, download additional payloads such as ransomware or a RAT. The rest are most commonly Windows applications (26%) and other files such as archives and .js files (22%).
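As an added illustration of the attachment-based delivery described above, and of the kind of indicator check a mail filter performs, here is a small triage script. It is example code added here, not code from the original article or from any product: it parses a message, flags a Reply-To domain that differs from the From domain and a display name that impersonates another domain, and inspects attachments for direct executables, double extensions, PE headers behind harmless-looking names, and OOXML documents that carry a vbaProject.bin (the member in which a VBA macro project is stored). The sample message, its domains, and its file names are constructed for the example; the extension lists are triage heuristics, not a complete taxonomy, and a legacy binary .doc/.xls is only flagged for deeper inspection because detecting macros in it requires OLE stream parsing that this example does not do.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Heuristic extension lists (assumptions for this example, not a full taxonomy).
DIRECT_EXECUTABLE_EXTS = {".exe", ".scr", ".jar", ".swf", ".js", ".vbs", ".bat", ".ps1"}
MACRO_CAPABLE_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm", ".doc", ".xls", ".ppt"}
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (OLE2) container
PE_MAGIC = b"MZ"                                  # Windows executable header


def _exts(filename: str) -> list[str]:
    """All dotted suffixes, lowercased: 'Statement.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project is stored as a vbaProject.bin member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_indicators(filename: str, data: bytes) -> list[str]:
    """Return human-readable indicators for one attachment (empty list if nothing is found)."""
    hits = []
    exts = _exts(filename)
    last = exts[-1] if exts else ""
    if last in DIRECT_EXECUTABLE_EXTS:
        hits.append(f"{filename}: direct executable/script attachment ({last})")
        if len(exts) >= 2 and exts[-2] not in DIRECT_EXECUTABLE_EXTS:
            hits.append(f"{filename}: double extension disguises an executable as {exts[-2]}")
    elif data.startswith(PE_MAGIC):
        hits.append(f"{filename}: PE header behind a non-executable extension")
    if last in OOXML_EXTS and ooxml_has_vba(data):
        hits.append(f"{filename}: Office document carries a VBA project (vbaProject.bin)")
    if data.startswith(OLE_MAGIC) and last in MACRO_CAPABLE_EXTS:
        hits.append(f"{filename}: legacy binary Office container, inspect OLE streams for VBA")
    if last in ARCHIVE_EXTS:
        hits.append(f"{filename}: archive attachment, inspect its contents")
    return hits


def header_indicators(msg: EmailMessage) -> list[str]:
    """Sender-side indicators: Reply-To redirection and display-name impersonation."""
    hits = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        hits.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # A display name that embeds an address at another domain, e.g. "ceo@corp.example" <x@other>
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", from_name)
    if m and m.group(1).lower() != from_dom:
        hits.append(f"display name impersonates {m.group(1)} but address is at {from_dom}")
    return hits


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect all indicators."""
    msg = message_from_bytes(raw, policy=default)
    hits = header_indicators(msg)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        hits.extend(attachment_indicators(name, payload))
    return {"indicators": hits, "suspicious": bool(hits)}


def build_sample() -> bytes:
    """Constructed sample (not a real capture): spoofed display name, redirected Reply-To,
    a macro-enabled .docm and a double-extension executable."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a real VBA project
    msg = EmailMessage()
    msg["From"] = '"ceo@corp.example" <ceo@corp-example.net>'
    msg["To"] = "finance@corp.example"
    msg["Reply-To"] = "ceo@mail-relay.example"
    msg["Subject"] = "Urgent: wire confirmation"
    msg.set_content("Please review the attached invoice and confirm payment today.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_Q3.docm")
    msg.add_attachment(PE_MAGIC + b"\x90" * 64, maintype="application",
                       subtype="octet-stream", filename="Statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator in triage(build_sample())["indicators"]:
        print("-", indicator)
```

Running the script against the constructed sample yields five indicators: two on the headers and three on the attachments. In practice this kind of check sits alongside, not in place of, sandbox detonation and sender authentication (SPF, DKIM, DMARC), since a macro project can be obfuscated and an executable can be nested inside an archive the filter does not open.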
Ransomware attackers now target companies to receive larger payouts instead of mass-attacking consumers as they once did, and they have changed how they operate to maximize their chances of being paid.
Instead of deploying ransomware or exfiltrating data immediately after the initial breach, the attackers spend time in the company network to gain as large a foothold as possible before acting. This lets them exfiltrate as much data and encrypt as much of the network as possible, maximizing the pressure to pay. Financial gain is not always the goal, however: ransomware is sometimes used to cover up a compromise.
The consequences of successful malicious email attacks are numerous. A multilayered approach is crucial to strengthening an organization's security posture and protecting it from such attacks. Read more about email security in our latest whitepaper.