When is a phishing email not a phishing email? The taxonomy of malicious emails
Malicious email attacks have dominated the security headlines in recent months, with 2017 already seeing large campaigns targeting Netflix and Amazon customers.Despite the number of incidents however, many individuals and businesses alike don’t actually know what kind of attacks they are being hit by, let alone understand how many different types of attacks exist.
The effect of an email attack can be devastating, leading to financial losses, reputational damage or worse. For a business to defend itself against attacks, it is essential they are able to identify the type of attacks they are most vulnerable to or concerned with so they can put the appropriate security measures in place, says Markus Jakobsson, chief scientist at Agari.
Identifying and protecting
The differences between the content and the methods used to deliver these email attacks can often be very subtle. For example, a consumer phishing attack is typically sent by an imposter who spoofs an email or uses a deceptive display name to create a false identity.
In these types of attacks, the cyber criminals typically use an unfocused ‘scattershot’ approach, sending out the malicious email to a wide audience. The success rate of this type of approach is low, as the content is unlikely to be persuasive enough to trick many into clicking on a link.
With most phishing attacks, the criminal impersonates a trusted organisation’s brand and sends malicious emails to their customers. Because the email appears to be from a known and trusted sender, a number of customers will open it and then be asked to either open a malicious document or click on a link.
Business email compromise (BEC) attacks, on the other hand, can come from either an imposter or from a legitimate but compromised account. These types of attacks typically use social engineering methods to create ‘believable’ content for a fraudulent email, which makes them much more likely to be successful. They are also extremely targeted, being sent to a few, very specific people such as financial controllers or HR managers of a company.
Ransomware is a third type of attack. While ransomware emails are typically sent from an imposter, they can also come from a compromised account. Like BEC attacks, they are often targeted and use advanced social engineering techniques to create ‘believable’ content that convinces their victims to open a malware-infected document or click on a malicious link.
As soon as the victim opens the malicious file, his or her computer (and potentially other computers on the same network) gets infected, and the hard drives are encrypted. The attacker will then offer to sell the decryption key to the victim.
Thanks to the huge volume of emails arriving every day, it can be difficult to differentiate between truly malicious emails, legitimate email and “grey mail”. The latter are the annoying emails which fill up our inboxes or spam folders but are usually harmless, such as newsletters and advertisements.
Prevention is better than cure
There is no one solution which can prevent all malicious email attacks. To defend against all email attacks, organisations need to implement a multi-layered security solution. Using email authentication technology which can identify and confirm the identity of the sender is much more effective than using a programme which focuses purely on blocking emails with known malicious attachments, as criminals can use crypters to “recompile” malware and make it evade detection.
Email authentication software will, over time, begin to recognise increasing numbers of email addresses and domains and remember previous actions taken for each one. This type of solution will go a long way to protecting an organisation and its employees against malicious email attacks.
Each attack requires its own solution – there is no ‘one size fits all’ approach to preventing cyberattacks. By understanding the techniques, targets and motivations behind each kind of malicious email, businesses can be better prepared to understanding the solutions that will prevent them.
The author of this blog is Markus Jakobsson, chief scientist at Agari