Research: Threat Basics – Email delivered threats

Below is an overview of all the different email threats and how you can protect against them.



Spam

What is it?
Spam, also known as Unsolicited Commercial Email (UCE), is often questionable, mass-emailed advertisements. At its peak, spam accounted for 92% of all email traffic, and most of the spam was non-malicious.

Spammers might buy a mailing list and that list may be legitimate. More likely, however, they’ll use web-scraping to collect publicly posted email addresses across the web. And if they’re not doing that, they’ll be generating aliases through permutations of names and domains, like kevina@gmail.com or kevinb@gmail.com, in the expectation of getting lucky.

Spammers can then easily system-generate and email the same message to the entire list they have created. Sometimes they’ll add randomly generated phrases or words to the end of the message, aiming to make each look different and fool automated email filters.

The email content itself usually extols the virtue of a product or service and provides contact details for readers to place an order.

Why is it a threat?
While spam volumes are not at peak levels, the spammers have become more sophisticated. They now use Traffic Distribution Systems (TDS) to run their campaigns, essentially giving them the ability to make a single campaign more effective by serving different types of spam, and even malware, to different types of machines in different locations. These more sophisticated distribution techniques for sending volumes of email increase the risk and costs faced by enterprises. At the same time, for certain users it is critical to distinguish between spam, unwanted bulk mail, and wanted bulk mail, which creates an interesting challenge for most IT organizations trying to grapple with different user needs and risk.

The receipt, processing, classification, and disposal of spam and unwanted mail consumes system and employee bandwidth, creating a service quality issue. Since typical spam email is very easily identified by most enterprise users when it ultimately reaches their inbox, dealing with spam is perceived to be more frustrating, as it is a more visible nuisance.

How can I protect against it?
The focus of basic spam protection should be on avoiding Denial of Service or service quality issues, and on minimizing delivery to reduce user frustration. Look for an email gateway product with the ability to protect an organization from Distributed Denial of Service (DDoS), and with technology that delivers a high catch rate and low false positives when identifying spam, based on unique content analysis techniques.

For more sophisticated spam that uses TDS and other techniques to deliver campaign email and malicious threats, ideally use a hybrid cloud or full-cloud email gateway solution that offers unique Big Data analysis features. This typically includes the use of large datasets, such as historical data and velocity tracking, to build behavioral models that can catch emerging sophisticated campaigns regardless of the volume and velocity of the email received.


Information Seeking Scams

How does it work?
Scammers want information, and they try to extract it by tricking the recipients of emails. The information they collect could be as innocuous as an organization chart, or as significant as usernames and passwords to corporate resources.

First, attackers collect email addresses – from public postings, social sites and guesses at a company’s email address format, such as a.lastname@company.com. Next, they email a compelling offer, pretend to be a service provider, or try to impersonate the IT team among other tricks.

In most cases this is a short, very convincing, text-only message. It can be as simple as “Your mailbox has reached the enterprise limit, click here or reply to this email to request an increased mailbox size from IT if required”, or much more sophisticated: “I’m an administrator for your company’s benefits program and am contacting you to take a look at the changes we will be soon making to the program, click here to see the details before we schedule a quick call to discuss.”

Some recipients who fall for these tricks will reply to the offer. Sometimes this also results in an actual conversation between the user and the attacker; if the user entertains a two-way dialogue, it will lead to an innocent-looking but significant request.

How can I protect against it?
User education is a good step. Additionally, look for an email gateway with a machine-learning function and real-time IP reputation scanning. The ability to detect suspicious language and sender aspects is key. Solutions must also be capable of keeping such scams out of the user-releasable quarantine, to avoid any risk of users getting access to these kinds of phish.


Hostile Email Attachments

How does it work?
Attackers attach files to email that indirectly launch an executable program that can destroy data, steal and upload information to outsiders, or can silently use the infiltrated computer for other tasks – all without the user’s knowledge.

Most email systems automatically block obvious executable programs. Attackers usually conceal an exploit inside other types of files – Microsoft Word documents, ZIP or RAR archives, Adobe PDF documents, or even image and video files. The exploit takes advantage of known software vulnerabilities and then downloads an additional payload to the computer for persistence. The attackers typically send these email attachments with email content that is sufficiently convincing to make the user believe it is plausibly legitimate communication.

A user only needs to open the email attachment in an attempt to access its content to trigger the malicious scripts or exploit embedded within the document. Users won’t even notice that their machine is being infected.

How can I protect against it?
Start with user education, but back it up with email attachment security solutions.

Install endpoint and server-based antivirus scanners. Be aware, though, of the time lag between attackers creating new malware and those malware signatures appearing in anti-virus (AV) databases. Recent tests show only 10% of endpoint AV engines recognize a threat a full 24 hours after it was delivered; part of this is due to the polymorphic malware approach adopted by many attackers.

Implement an email gateway with a machine-learning function and real-time IP reputation scanning that can detect suspicious language and sender aspects. Ensure the gateway can unpack nested archive files (like .zip and .rar) and inspect their contents for executables and other potentially malicious programs, blocking them when found. It is also typically best practice to use a different gateway AV than the one used on the endpoint, to provide diversity and increase the likelihood of detection.

For optimal results, look for a security solution with email attachment scanning, performed in the cloud via static and dynamic (sandbox) malware analysis, so email attachments are checked for bad behavior before they’re delivered, and not just known bad reputation or known signatures which tend to miss zero-day and polymorphic malware attacks.
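One way to implement the nested-archive check described above, as an added example that is not code from the original page: this Python script recursively opens ZIP archives nested inside ZIP archives (a constructed sample is built in memory so it runs offline), flags members that look like executables by extension or by their PE/ELF magic bytes, and refuses to recurse beyond a fixed nesting depth or to inflate oversized members. The extension list, depth and size limits are illustrative assumptions; RAR needs a separate unpacker and is left out.

```python
import io
import zipfile

# Assumptions for this example: illustrative defaults, not values from the page.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".jar", ".msi", ".dll"}
MAX_DEPTH = 3                    # stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 50_000_000    # refuse to inflate members larger than this

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP inside a ZIP, hiding an executable behind a
    document-looking double extension. Built in memory so the script runs offline."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 harmless placeholder")
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00 constructed fake PE header")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"please see the attached documents")
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()

def looks_executable(name: str, head: bytes) -> bool:
    """Flag by extension (catches double extensions like .pdf.exe) or by the
    PE ('MZ') and ELF magic bytes, so a renamed binary is still caught."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or head.startswith((b"MZ", b"\x7fELF"))

def scan_archive(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a ZIP recursively and return (member_path, reason) findings."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append((path, "nesting depth exceeded"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "oversized member (possible zip bomb)"))
                continue
            with z.open(info) as f:
                head = f.read(4)
            if head.startswith(b"PK\x03\x04"):          # nested ZIP: recurse
                try:
                    findings.extend(scan_archive(z.read(info), depth + 1, member))
                except zipfile.BadZipFile:
                    findings.append((member, "corrupt nested archive"))
            elif looks_executable(info.filename, head):
                findings.append((member, "executable content"))
    return findings

if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```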



Phishing

How does it work?

Phishing is a socially engineered attack that uses embedded URL links to extract information from the user or take control of their computer. Attackers typically send emails designed to encourage recipients to click on an embedded URL – “check on the status of your package” or “notification for usage of your miles” for example.

Clicking on a link opens a browser, and the user is taken to a site that’s been setup as a trap by the attackers to either:

  • Harvest credentials: The site typically appears familiar and persuades the user to hand over data, asking them, for example, to “Enter your username and password to proceed outside the corporate network” or “Enter your username and password to validate your account”.
  • Deliver malware: The site typically exploits a vulnerability in the web browser to silently download and install a virus, trojan, spyware, or rootkit on the user’s machine.

How can I protect against it?

User education around signs to look for when an email looks or feels suspicious definitely helps to reduce successful user machine compromises. However, since user behavior is not predictable, typically security solution-driven phishing detection is critical.

Some email gateway reputation-based solutions do have the ability to catch and classify phish based on the known bad reputation of the embedded URLs. What gets missed by these solutions are often well-crafted phishing messages with URLs from compromised legitimate websites that don’t have a bad reputation at the time of delivery of email.

Opt instead for a system that identifies suspicious email based on anomalytics, which looks for unusual patterns in traffic to identify suspicious emails, then rewrites the embedded URL and maintains a constant watch on the URL for in-page exploits and downloads.
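The URL rewriting and click-time watch described above (and referred to again in the Longlining and APT sections), as an added example that is not code from the original page: at delivery time every URL in the body is wrapped in a link to a click-time gateway, with an HMAC binding the original URL to the message so the gateway cannot be abused as an open redirect; at click time the signature is verified and the latest analysis verdicts are applied, so a link can still be blocked after delivery. The gateway address, the signing key and the sample body are constructed for this example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Hypothetical click-time gateway endpoint and signing key, constructed for this example
GATEWAY = "https://clickguard.example.com/v1/go"
SECRET = b"constructed-demo-key-not-for-production"

# Constructed sample body of the kind of lure the text describes
SAMPLE_BODY = ("Track your package: http://track-parcel.example.net/s?id=4471 "
               "Questions? https://support.example.com/help")

def _sign(message_id: str, url: str) -> str:
    """HMAC binding the original URL to the message it arrived in."""
    return hmac.new(SECRET, f"{message_id}\n{url}".encode(), hashlib.sha256).hexdigest()

def rewrite_url(url: str, message_id: str) -> str:
    """Wrap one URL so the click passes through the gateway. Because the gateway
    checks the HMAC, it only redirects to links it issued itself and it learns
    which message each click came from."""
    return (f"{GATEWAY}?u={quote(url, safe='')}"
            f"&m={quote(message_id, safe='')}&s={_sign(message_id, url)}")

def rewrite_body(body: str, message_id: str) -> str:
    """Delivery-time step: rewrite every URL in a plain-text body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), message_id), body)

def resolve_click(rewritten: str, blocked: set) -> tuple:
    """Click-time step: verify the signature, then apply the latest verdicts.
    Returns (action, original_url). The verdict set can grow after delivery,
    which is what lets a link be blocked once sandbox analysis turns it bad."""
    q = dict(parse_qsl(urlsplit(rewritten).query))
    url, mid, sig = q.get("u", ""), q.get("m", ""), q.get("s", "")
    if not hmac.compare_digest(_sign(mid, url).encode(), sig.encode()):
        return ("reject", None)     # forged or tampered link
    if url in blocked:
        return ("block", url)       # flagged by analysis after delivery
    return ("allow", url)

if __name__ == "__main__":
    out = rewrite_body(SAMPLE_BODY, "msg-0001")
    print(out)
    first = URL_RE.findall(out)[0]
    print(resolve_click(first, {"http://track-parcel.example.net/s?id=4471"}))
```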



Longlining

How does it work?

Longlining consists of mass customized phishing messages that are engineered to look like they are only arriving in small quantities, mimicking targeted attacks. Attackers leverage approaches used by mass marketing campaigners to generate millions of dissimilar messages. They do this with mail-generating code and infrastructure that can rotate email content, subject lines, sender IP addresses, sender email accounts and URLs. This means that for any one organization no more than 10-50 emails will look alike, enabling the malicious emails to fly under the radar of spam and content scanning systems. Typically no attachment is included, minimizing the chance of detection by antivirus or other signature-based solutions. Additionally, the multiple IP addresses, sender email accounts, and URLs used in the campaign are typically legitimate but compromised.

This inherently gives the emails ‘good’ reputation characteristics, helping them evade any reputation-based detection approach. To prolong the attack’s time-to-detection, attackers will ensure that the compromised site delivers ‘polymorphic’ malware to user machines. Every user gets a unique version of the malware, essentially defeating the value of new signatures that may be created as the attack starts to be detected.

How can I protect against it?

Given the sophistication of the content and the compromised infrastructure typically seen in Longlining attacks, combating these threats with a Big Data-driven security solution will likely be more effective. Such a solution should not rely on signatures and reputation controls alone. Its goal should be to look for patterns based on historical traffic, analyze new traffic in real time, and make predictions about what needs to be analyzed in a cloud-based advanced malware detection service.

Look for a security solution that can identify mass customized campaigns targeting multiple companies at the same time, pick out the unique characteristics across them to form a pattern, and proactively sandbox these threats to declare the pattern malicious which can help increase detection. Additionally, the security solution should have an approach to manage the messages that do get through. With Longlining attacks typically capable of more than 800,000 messages per minute, many may reach users. The security solution should be capable of rewriting the various URLs in those messages, as well as predictively sandboxing suspicious URLs, so that recipients can be blocked from reaching the malicious destination once advanced malware detection has confirmed destination websites to be bad. This would typically help minimize the amount of effort required in clean-up and remediation.
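The cross-company pattern detection described above, as an added example that is not code from the original page: the bodies of incoming messages are normalized (URLs and numbers, the parts a campaign rotates, become placeholders), grouped by word-shingle similarity, and a group is raised as a campaign when it spans several recipient organizations while rotating sender IPs and URLs. The sample traffic, the thresholds and the field names are constructed for this example; IPs are from documentation ranges.

```python
import re

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")

# Constructed sample traffic: four rotated variants of one lure sent to three
# recipient domains from four sender IPs with four distinct URLs, plus two
# unrelated internal messages.
MESSAGES = [{"rcpt": r, "sender_ip": ip, "body": b} for r, ip, b in [
    ("a.lee@alpha.example", "198.51.100.7", "Hi, your invoice 48213 is now ready. View it at http://acme-billing.example/v/81 within 5 days."),
    ("b.ng@beta.example", "203.0.113.45", "Hello, your invoice 77120 is now ready. View it at http://north-pay.example/d/22 within 7 days."),
    ("c.ortiz@gamma.example", "192.0.2.88", "Hi, your invoice 10994 is now ready. Please view it at http://cdn.shop-example.net/i/9 within 5 days."),
    ("d.ray@alpha.example", "198.51.100.200", "Hello, your invoice 55501 is now ready. View it at http://blog.example.org/p/3 within 3 days."),
    ("e.kim@alpha.example", "192.0.2.10", "Team lunch is moved to Friday at noon, see the calendar invite."),
    ("f.roy@alpha.example", "192.0.2.10", "Reminder: the Q3 all-hands starts at 10 in the main room."),
]]

def normalize(text: str) -> list:
    """Replace the rotated parts (URLs, numbers) with placeholders so variants
    collapse onto their shared template."""
    text = URL_RE.sub(" <URL> ", text.lower())
    text = NUM_RE.sub(" <NUM> ", text)
    return re.findall(r"<\w+>|[a-z']+", text)

def shingles(tokens: list, k: int = 3) -> set:
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0

def cluster(messages: list, threshold: float = 0.5) -> list:
    """Greedy single-pass clustering on word-shingle similarity of the bodies."""
    clusters = []
    for msg in messages:
        sh = shingles(normalize(msg["body"]))
        for c in clusters:
            if jaccard(sh, c["shingles"]) >= threshold:
                c["members"].append(msg)
                c["shingles"] |= sh
                break
        else:
            clusters.append({"shingles": set(sh), "members": [msg]})
    return clusters

def campaign_alerts(messages: list, min_domains: int = 3, min_senders: int = 3) -> list:
    """Flag clusters that span several recipient organizations and rotate
    sending infrastructure: the cross-company pattern the text describes."""
    alerts = []
    for c in cluster(messages):
        m = c["members"]
        domains = {x["rcpt"].split("@")[1] for x in m}
        senders = {x["sender_ip"] for x in m}
        urls = {u for x in m for u in URL_RE.findall(x["body"])}
        if len(domains) >= min_domains and len(senders) >= min_senders:
            alerts.append({"messages": len(m), "rcpt_domains": len(domains),
                           "sender_ips": len(senders), "urls": len(urls)})
    return alerts

if __name__ == "__main__":
    print(campaign_alerts(MESSAGES))
```

The URLs collected per alert are the candidates to send to sandbox analysis so the pattern can be declared malicious for every organization in the cluster at once.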


Watering Hole

How does it work?
A Watering Hole attack is a targeted attack designed to compromise users within a specific industry or function by infecting websites they typically visit and luring them to a malicious site. Watering Hole attacks, also known as strategic website compromise attacks, are limited in scope as they rely on an element of luck. They do, however, become more effective when combined with email prompts to lure users to the websites.

Attackers that are attempting opportunistic attacks for financial gain or to build their botnet can achieve this by compromising popular consumer websites. But the targeted attackers that are after more than financial gains tend to focus on public websites that are popular in a particular industry, such as an industry conference, industry standards body, or a professional discussion board. They will look for a known vulnerability on the website, compromise the site, and infect it with their malware before they lie in wait for baited users.

Attackers will even prompt users to visit the sites by sending them ‘harmless’ and highly contextual emails directing them to specific parts of the compromised website. Often, these emails do not come from the attackers themselves, but through the compromised website’s automatic email notifications and newsletters that go out on a constant basis. This makes detection of the email lures particularly problematic.

As with targeted attacks, typically the user’s machine is transparently compromised via a drive-by download attack that provides no clues to the user that his or her machine has been attacked.

How can I protect against it?
Web gateways that defend the enterprise against opportunistic drive-by downloads matching a known signature or known bad reputation can provide some detection capability against opportunistic Watering Hole attacks. To defend against more sophisticated attackers, enterprises should consider more dynamic malware analysis solutions that check for malicious behavior on the most suspicious destination websites that users browse to.

To protect against targeted email lures to Watering Holes, look for an email solution that can apply similar dynamic malware analysis at the time of email delivery and at click-time by the users. Additionally, to defend the organization effectively, the solution must provide for mechanisms to protect the user whether or not they are on the corporate network and traversing through on-premise security controls.


Spear Phishing

How does spear phishing work?
Socially-engineered and sophisticated threats sent to an organization’s users that are typically designed to steal information. Spear phishing is a phishing attack where attackers typically personalize messages to the user based on publicly available information about them. This can range from topics surrounding the recipient’s area of expertise, public appearances at conferences, neighborhood and tax information that is public record, and any information that attackers can glean from social networks. When an organization’s senior executives are targeted using spear phishing, it is also referred to as Whale Phishing.

An example of a spear-phishing attack can be something simple like “Wade, based on your love of the early reds this year, I’d suggest a visit to Domaine Maleficient, which Bob also loved. Check out their e-store.” This spear phishing example can be highly effective if Wade’s public information indicates he is a wine enthusiast, a friend of Bob who also loves wine, and the email is coming from a Facebook connection through a spoofed email address or compromised account.

How can I protect against spear phishing?

Look for email protection solutions that use anomalytics to detect suspicious emails. Dynamic malware analysis should be able to analyze the destination websites for malicious behavior and simulate a real user system, so that evasive techniques built into the malware can be countered and the malware is driven to reveal itself in a sandboxed environment. Sandboxing both at the time of delivery of a suspicious email and when users click on a URL is likely to result in greater detection of these highly targeted threats.


Advanced Persistent Threat (APT)

How does it work?
These are mostly nation-state-sponsored attacks aimed at compromising an organization to carry out espionage or sabotage goals, while remaining undetected for a long period of time.

The term Advanced Persistent Threat (APT) is often misused. Rather than a specific technical approach to a threat, it is meant to describe the attacker (or group of attackers) and the attacker’s motivations behind the threat they pose, which are not simply one-time espionage, financial gain, and crime.

Advanced Persistent Threats (APTs) are either motivated by corporate espionage designed to steal valuable trade secrets and intellectual property, or to sabotage an organization’s plans and infrastructure.

Advanced Persistent Threat attackers use a variety of email-based techniques to create attacks, supported by other physical and external exploitation techniques. There are some typical characteristics of an Advanced Persistent Threat that are not found in other forms of attack:

  • Recon: Advanced Persistent Threat attackers typically have reconnaissance intelligence and know who the specific user targets are and which systems can help them achieve their goals. This information is often gleaned through social engineering, public forums and, most likely, nation-state security intelligence.
  • Time-to-live: Advanced Persistent Threat attackers employ techniques to avoid detection for extended periods of time, not just looking for a short-lived infection period that is typically seen in financial gain motivated attacks. They attempt to clean up their trail and usually perform their functions during non-business hours. They always leave backdoors so they can re-enter, just in case their original access is detected. This allows them to remain persistent.
  • Advanced Malware: Advanced Persistent Threat attackers use the full spectrum of known and available intrusion techniques, and in any given attack combine a number of methodologies to reach their goal. Advanced Persistent Threat attackers do make use of commercially available crimeware and kits, but many also typically have the technology and expertise to create their own custom tools and polymorphic malware when required for customized environments and systems.
  • Phishing: Most Advanced Persistent Threats employing internet-driven exploitation techniques start with social engineering and spear-phishing. Once a user machine is compromised or network credentials are given up, the attackers actively take steps to deploy their own tools to monitor and spread through the network as required, from machine to machine and network to network, until they find the information they are looking for.
  • Active Attack: In Advanced Persistent Threats there is a significant level of coordinated human involvement from the attacker, rather than fully automated malicious code which just sends back data collected to the attacker in typical crimeware attacks. The adversary in this case is a well-funded, motivated, skilled, and highly directed attacker making their approach and response extremely active.

How can I protect against Advanced Persistent Threats?
There is no one silver bullet for protecting a company against APT actors. These advanced persistent threats and their attackers are looking to remain persistent once they are inside the organization, so utilizing a combination of technologies that can triangulate logs and identify out-of-norm behavior within the enterprise network is key. The focus of the defense strategy should be to pick best-in-class detection solutions that together can provide intelligence on the targets, the methods used by the attackers, the frequency of their activity, the origination of the advanced persistent threat, and the risk associated with the attacker’s motives.

Based on the Verizon Data Breach Investigations Report, 95% of targeted threats and APTs use some form of spear phishing as the starting point of the attack. Hence, part of an enterprise’s APT defense strategy should be a detection solution that looks for targeted threats in email based on unusual patterns in traffic, rewrites the embedded URLs in suspicious emails, and then maintains a constant watch on the URL for malicious behavior in a sandbox. Such an approach would potentially protect against and/or detect such attacks, and knowing which users have been compromised, when, and for how long is a major advantage in learning more about the APT adversary and their motivations.