


Hacked email reply chains

Kelvin Murray, Senior Threat Research Analyst at cyber-security product company Webroot, considers hijacked email reply chains and what can be done to stop them.

Phishing has been a prevalent part of cybercriminal activity for over 30 years. To remain such a regular point of attack, it has had to evolve and adapt to the latest defences. Our research shows that phishing continues to evolve and remains a major threat. The phishing tactics of today have changed significantly, becoming so sophisticated that certain scams are now very difficult to spot, especially in the case of hijacked email reply chains.

Hijacking an email reply chain begins with a criminal gaining access to a colleague's or supplier's email account. Impersonating that user inside an existing conversation, the attacker sends the victim a link or an attachment, such as an invoice or a link to a website, that carries a malicious payload. The payloads most commonly seen are the banking Trojan Ursnif (also tracked as Gozi), with Emotet also used. If the victim opens the attachment or follows the link and the malware runs, their credentials and a lot of other data, such as banking information, are likely to be stolen.

Ursnif and Gozi campaigns

The difference between a regular phishing attack and a hijacked email chain is authenticity and believability. Criminals put a lot of time into these campaigns, breaking into email accounts and observing business conversations, negotiations and transactions. After lying in wait, attackers launch their attempt to catch the victim unaware, using the established conversation to deliver a banking Trojan to the victim's computer. The entire conversation can look legitimate, because it is: the message arrives from the genuine account, inside the genuine thread, with the correct logos and signatures and, with enough preparation from the attacker, the correct tone of voice. Because nothing is spoofed, sender-authentication checks pass and a message like this is not very likely to be flagged by email filtering; it usually catches the victim through its believability. These attacks have been widely reported.

Currently these conversation-hijacking attacks are being used to distribute banking Trojans. However, it is possible that future campaigns could evolve to distribute other forms of malware, and at larger scale. Gozi has not yet been attributed to a specific group, but its distribution is indicative of an organised crime ring.

What can you do?

In a world filled with such advanced threats, staying secure may seem impossible. However, there are several techniques you can employ to keep yourself protected. Most security-conscious internet users already employ caution when receiving emails from people they do not know. Sadly, this is no longer enough to fend off advanced attacks. Attackers commonly spoof email addresses to fool the victim into thinking they are receiving an authentic email from someone they know, and in a hijacked reply chain the message really does come from that person's account. The most important thing you can do is to err on the side of caution when an email asks you to download or open an attachment, even when it arrives as a reply in a conversation you recognise.

Secondly, it is imperative that macros stay disabled, and users should not trust any document that asks them to enable macros. This is especially pertinent for Microsoft Office files that prompt you to "enable content" in order to show supposedly hidden content, as this is a frequently used attack vector. Keeping your operating system and all applications up to date is an effective barrier to many of these attacks, since the payload often relies on an already-patched flaw.
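The checks above can be automated on the receiving side. The following is an added example, not code from the article or from Webroot, that triages a message arriving as a reply in an existing thread: it compares the sender with the known thread participants, looks for a Reply-To or envelope sender that points elsewhere, reads any SPF/DKIM/DMARC failures from the Authentication-Results header, and inspects Office attachments for a VBA project (OOXML files are zip containers and macros live in a vbaProject.bin part). The participant list, the addresses, the invoice thread and the macro-enabled document are all constructed for the example. The third scenario is the one the article describes: a genuine account, a genuine thread, clean authentication, and only the macro check fires.

```python
"""Added example (not from the article or Webroot): triage heuristics for replies
arriving in an existing email thread. All data below is constructed in memory."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed: addresses that took part in the legitimate conversation so far.
THREAD_PARTICIPANTS = {"alice@example-supplier.com", "bob@example-customer.com"}

# In OOXML (.docm/.xlsm/.pptm ...) the VBA code is stored in a vbaProject.bin part.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def attachment_macro_risk(data: bytes) -> Optional[str]:
    """Reason string if the attachment can carry VBA macros, else None.

    OOXML is a zip, so the VBA part is looked up by name. Legacy OLE2 files are
    not zips; they are reported as macro-capable rather than parsed (conservative).
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy OLE2 Office file (macro-capable, not inspected)"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return None
    for part in OOXML_VBA_PARTS:
        if part in names:
            return f"OOXML attachment contains {part}"
    return None


def triage(raw: bytes) -> list:
    """Return findings for one RFC 5322 message (empty list = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    is_reply = subject.startswith("re:") or msg["In-Reply-To"] is not None or msg["References"] is not None
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1].lower()
    envelope = parseaddr(str(msg["Return-Path"] or ""))[1].lower()  # as stamped by the receiving MTA
    auth = str(msg["Authentication-Results"] or "").lower()

    if is_reply and sender not in THREAD_PARTICIPANTS:
        findings.append(f"reply from {sender}, which is not a participant in the thread")
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To {reply_to} steers replies away from From {sender}")
    if envelope and domain_of(envelope) != domain_of(sender):
        findings.append(f"envelope sender domain {domain_of(envelope)} differs from From domain {domain_of(sender)}")
    for result in ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            findings.append(f"authentication failure: {result}")
    for part in msg.iter_attachments():
        risk = attachment_macro_risk(part.get_payload(decode=True) or b"")
        if risk:
            findings.append(f"attachment {part.get_filename()!r}: {risk}")
    return findings


def build_docm_with_vba() -> bytes:
    """Constructed macro-enabled document; the VBA part holds dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00dummy VBA project\x00")
    return buf.getvalue()


def build_reply(sender: str, envelope: str, auth: str,
                attachment: Optional[bytes] = None, reply_to: Optional[str] = None) -> bytes:
    """Constructed reply in a constructed invoice thread."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "bob@example-customer.com"
    msg["Subject"] = "Re: Invoice 4471 for March"
    msg["In-Reply-To"] = "<thread-4471@example-customer.com>"
    msg["Return-Path"], msg["Authentication-Results"] = envelope, auth
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Hi Bob, updated invoice attached as discussed.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_4471.docm")
    return msg.as_bytes()


def demo() -> dict:
    docm = build_docm_with_vba()
    clean_auth = "mx.example-customer.com; spf=pass smtp.mailfrom=example-supplier.com; dkim=pass"
    legit = build_reply("alice@example-supplier.com", "<alice@example-supplier.com>", clean_auth)
    lookalike = build_reply("alice@example-suppiler.com", "<bounce@mail-relay.example>",
                            "mx.example-customer.com; spf=softfail smtp.mailfrom=mail-relay.example; dkim=none",
                            attachment=docm, reply_to="alice.accounts@mail-relay.example")
    # The article's case: the real account, the real thread, clean authentication.
    hijacked = build_reply("alice@example-supplier.com", "<alice@example-supplier.com>", clean_auth, attachment=docm)
    return {"legit": triage(legit), "lookalike": triage(lookalike), "hijacked": triage(hijacked)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

The lookalike-domain reply trips every header check; the hijacked-account reply trips none of them and is caught only because the attachment carries a VBA project. That asymmetry is the point of the article: once the attacker owns the account, header and authentication checks are spent, and the decision has to rest on what the message asks the recipient to do.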

Last but certainly not least, protecting your own email account makes it much harder for attackers to carry out these attacks in your name. Once inside an account, attackers use techniques such as inbox rules that silently hide or forward messages so they can impersonate you and send from your account without your knowledge. Reinforcing your account with a strong, unique password, two-factor authentication and a secure password manager are all effective ways to tighten its security. If you work in an office, encourage colleagues to adopt the same practices; it tightens cybersecurity around the office with very minimal effort.

Finally, if you become suspicious of an email from a colleague, the best way to check its legitimacy is to pick up the phone and talk to them. Confirming an email out of band, over a channel the attacker does not control, is a reliable way of avoiding an attack through that vector. Likewise, if you receive an email from a company, look up the company's publicly listed number rather than the one included in the email, and call them to verify.

