You've Got Mail was on the big screen nearly 20 years ago. Thinking back to the excitement of the “ding!” and “you've got mail” each time a message appeared in Tom Hanks' or Meg Ryan's email box seems funny now. If any of us were to hear that every time an email appeared in our inbox today, we wouldn't get a moment of peace.
Research by The Radicati Group shows that in 2017 the total number of business and consumer emails sent and received per day will reach 269 billion, and is expected to reach 319.6 billion by the end of 2021. Email remains the preferred channel for business communication and, as such, remains a choice attack vector for adversaries.
Spam is on the rise
We have seen a significant increase in spam volume over the past year. As exploit kit activity declines with the disappearance of Angler and other leading players, many adversaries are returning to email to distribute malware. Not only does spam email have the potential to infect the endpoint, adversaries also can count on “help” from unsuspecting users to gain a foothold within the network. Through crafty social engineering (phishing or more targeted spear phishing), messages appear to be sent from trusted sources and can easily dupe users into clicking a link to a website or opening a file attachment infected with malware, eventually compromising entire organizations.
Some of these malicious attachments require interaction by the recipient, such as clicking “OK” on a dialog box, to infect systems and deliver a malware payload. This technique can defeat sandboxes that do not allow user interaction and could increase the likelihood of the attachment reaching an end user's mailbox. Spam-sending botnets like Necurs are also thriving, generating revenue for attackers faster through large-scale campaigns.
A surge in BEC
Business email compromise (BEC) is a growing problem as well. A BEC campaign typically involves an email (sometimes using spoofing to appear as though it's from a co-worker) delivered to financial employees who can send funds by wire transfer. The adversaries have usually done some research on the company hierarchy and its employees—for example, using social network profiles to piece together the likely chain of command. The email may appear to be from the CEO or another top executive, asking the recipient to send a wire payment to a supposed business associate or to pay a vendor. The message may express some urgency to compel the recipient to send the money, which typically ends up in foreign and domestic bank accounts owned by cybercriminals.
In fact, while ransomware is dominating the headlines these days, BEC is currently the most lucrative and profitable method to extract large amounts of money from a business and will likely grow. The Internet Crime Complaint Center (IC3) reports that $5.3 billion was stolen due to BEC fraud between October 2013 and December 2016, an average of $1.7 billion per year. In comparison, experts currently estimate profits from ransomware at $1 billion for 2016.
So what can organizations do to better protect themselves from email-based threats? Here are four recommendations to consider.
1. Educate users. Continuous education is vital to raise awareness and ensure users know how to recognize and stop clicking on malicious links or PDFs delivered via email. Offer simple suggestions such as hovering over a link without clicking to view the intended URL, or not opening attachments they didn't request. Combating BEC fraud usually requires improvements in business processes. For example, train employees to identify out-of-the-ordinary requests for financial transfers, such as an out-of-country transfer at a business that operates domestically. You can also require employees to verify wire transfers with another employee—perhaps by phone—to bypass a spoofed email.
2. The old ways don't work as well now. Retool. The traditional approach to email protection, using anti-virus to chase threats, isn't enough. Adversaries are innovating at a faster pace than ever: for example, embedding malicious documents in PDFs to evade detection, rotating subdomains to hide the IP address of the server, and relying on Tor2web proxies to remain anonymous. Email protection must continuously evolve to stay ahead of these advanced threats and detect and block the vast majority of them. And when threats evade detection, retrospective security should continue to track files as they move across the network, while dynamic sandboxing technology analyzes their behavior against real-time, global threat intelligence to stop emerging threats. To protect against the surge in BEC, you need capabilities that allow legitimate messages (such as marketing messages or newsletters) through while flagging emails that could be forgeries, so users are warned of potential risks. And to address the uptick in malicious spam, look for solutions that include advanced capabilities such as tightly integrated spam and anti-virus engines that automatically and seamlessly work together, web categorization, URL rewrite, and reputation filtering.
3. Mitigate risk with an integrated security architecture. Adversaries aim to move beyond the inbox to steal information and, increasingly, to destroy services rather than merely disrupt them. As I discussed before, with solutions working together as part of an integrated security architecture, if a threat is seen anywhere in your security architecture, that information is shared with your email gateway so you can see a threat once and block it everywhere. And if a threat does begin to move laterally across the network, with an architecture that can integrate multiple best-in-class platforms you can determine the scope of the attack, quickly and dynamically contain the threat, remediate, and update protections everywhere to prevent further compromise and future attacks.
4. Leverage intelligence to stay ahead of emerging threats. The ability to look at email and network security telemetry from a community of users together with threat feeds can give you the intelligence and lead time you need to proactively protect against emerging outbreaks. Look for vendors that include outbreak filters within their email security architecture and apply intelligence continuously to develop and push protections in real-time against new outbreaks.
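Recommendations 1 and 2 describe flagging messages that could be forgeries (an executive's name on an outside address, a spoofed co-worker, an urgent wire request) so that users are warned rather than left to spot the fraud themselves. The following is an added example of what such a check looks like at a gateway or in a mail-filtering script; it is not code from the original post or from any vendor product. It assumes the protected organization's domain is example.com, assumes a short list of executive display names worth impersonating, and uses constructed sample messages; it uses only the Python standard library.

```python
"""Flag likely forged (BEC-style) messages so users can be warned.

Added example, not from the original post. Assumes the organization's
domain is example.com and that a list of executive display names is
available. The sample messages at the bottom are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example.com"               # assumption: the protected organization's domain
EXECUTIVES = {"jane doe", "john roe"}    # assumption: display names attackers like to borrow


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def is_lookalike(domain: str, org_domain: str = ORG_DOMAIN) -> bool:
    """Crude lookalike test: not the org domain itself, but very similar to it
    (e.g. examp1e.com or example.co). Real gateways use better distance metrics."""
    if not domain or domain == org_domain:
        return False
    return SequenceMatcher(None, domain, org_domain).ratio() >= 0.85


def forgery_indicators(raw_message: str) -> List[str]:
    """Return human-readable reasons the message looks forged.

    An empty list means no indicator fired. A gateway would turn a non-empty
    list into a banner or warning tag on the delivered message.
    """
    msg = message_from_string(raw_message)
    reasons: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. An executive's display name used with an address outside the organization
    #    (the free-webmail impersonation case).
    if from_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        reasons.append(f"display name '{from_name}' with external domain {from_domain}")

    # 2. Reply-To silently redirects replies to a different domain than From,
    #    which is how a spoofed internal From address still gets answered.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Sender domain is a lookalike of the organization's domain.
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} looks like {ORG_DOMAIN}")

    # 4. Urgent payment language is only reported when combined with another
    #    anomaly, because on its own it is common in legitimate mail.
    subject = msg.get("Subject", "").lower()
    if reasons and any(word in subject for word in ("urgent", "wire", "payment")):
        reasons.append("urgent payment language combined with sender anomalies")

    return reasons


# Constructed sample messages (not real traffic).
SPOOF_EXEC_WEBMAIL = (
    "From: Jane Doe <ceo.janedoe@gmail.com>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Urgent wire transfer\r\n\r\n"
    "Please send the payment today, I am in meetings all day.\r\n"
)
SPOOF_INTERNAL_REPLYTO = (
    "From: John Roe <john.roe@example.com>\r\n"
    "Reply-To: john.roe@mail-example.net\r\n"
    "To: accounts@example.com\r\n"
    "Subject: URGENT: vendor payment\r\n\r\n"
    "Reply with the account details.\r\n"
)
LOOKALIKE_DOMAIN = (
    "From: Accounts Payable <ap@examp1e.com>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Invoice\r\n\r\n"
    "Attached.\r\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Lunch\r\n\r\n"
    "Noon?\r\n"
)

if __name__ == "__main__":
    for label, sample in [("webmail", SPOOF_EXEC_WEBMAIL), ("reply-to", SPOOF_INTERNAL_REPLYTO),
                          ("lookalike", LOOKALIKE_DOMAIN), ("legit", LEGITIMATE)]:
        print(label, forgery_indicators(sample) or "no indicators")
```

The point of the fourth check is the one the post makes about newsletters and marketing mail: urgency wording alone produces false positives, so it only strengthens a verdict that header anomalies have already raised. Any message with a non-empty list should be tagged for the user rather than silently dropped, since a legitimate executive really may write from a phone on an outside account, and the process control from recommendation 1 (verifying wire transfers out of band) still applies.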
As cybercriminals turn—or return—to email as a primary vector for malicious activity, organizations of all sizes are potential targets. Understanding some of the latest trends and how attackers innovate and operate can help to identify and close gaps in your approach to email security and combat increasingly sophisticated threats.