Advanced email attacks usually follow a common progression, or “kill chain,” of events
that email security intelligence should acknowledge and make use of in order to stop
attacks before they cause damage. The attack steps include the following:
1. Gathering information on targets.
Spearphishing starts with identifying key,
high-value individuals in the company to target. These are usually people in
HR (who have access to valuable employee data), finance (with access to wire
transfer accounts), customer service or billing (with valuable customer financial
data) and IT (they make mistakes, too, and those mistakes can be a jackpot for the
attacker), as well as key personnel at email service providers, where more email
accounts can be harvested (such as what happened in the infamous Epsilon case,
which affected 75 large email clients in 20116). These people are targets because
their credentials and the applications they have access to are of most value.
In targeted email attacks, the attackers have likely learned about their targets
and their roles through company announcements or social media such as
LinkedIn, Facebook and Twitter, where employees are divulging information
about their projects and possibly even collaborating with peers and partners.
Associations are critical to attackers who want to create convincing emails that
seem to originate from someone the target already knows or does business with.
Attackers may also be sitting on wireless networks at coffee shops, catching
personal email or business email sent from employees’ mobile devices. This may
get them access credentials, departmental information on the employees and
associations between personal and business contacts that the employee would
likely accept a link or attachment from. And even access to a lower-level account
can be a win for the attacker because once inside the company, higher-level
access can be collected.
2. Creating convincing emails.
With information about their targets and
their targets’ associations, attackers then craft the emails so that they seem
legitimate enough to get intended targets to open an attachment or click
a link. Gone are the days when language, linking and other issues made it
easy to detect a phish. Spearphishers can create emails so realistic that they
appear to come from a trusted source and ask for information that the source
would normally request. For example, a recent article on CSO’s website7 told
about an extremely well-written phishing email that would have worked if
the comptroller hadn’t noticed that the CEO signed off as “Richard” when he
always used “Dick.” Everything else was right—details, grammar, even inside
information about the company. Fortunately in this case, the phish failed,
meaning it was a win for the intended victim, who happened to be educated
enough to notice the difference in the signature.
3. Hiding their origin.
Attackers can spoof email sender addresses to make
it look as if the email came from a trusted domain, and they employ other
methods of obfuscating the email’s malicious intent from users and security
systems. Return addresses and links can render almost perfectly when the
user puts the cursor over the address or link. For example, the attackers may
have hacked a legitimate domain and sent the email from there. Or they
might open their own domain with a very similar URL as the trusted source
they’re trying to impersonate. For example, attackers can make it look as if the
email came from www.mycompany.com by creating a domain with a single
character off in the URL, such as www.myconpany.com, that are difficult to
notice, particularly in the case of email on mobile devices where the screens
are small and visibility difficult. Such URLs, if newly registered and minimally
used, will often bypass network- and email-scanning systems because there is
no existing blacklist for them.
4. Delivering the payload.
The link will send the user to a malicious URL or
compromised reputable domain that takes the user’s credentials as he or she
logs in. The target of the attack usually predicts the payload. For example,
attackers seeking to collect financial system credentials will lead users to log into
what the users believe is the company’s commercial bank account to collect their
access credentials and infiltrate the account on their own to transfer funds from
wire accounts. The spearphishers may also just want to use the target to infiltrate
the company, such as in the case of a malicious attachment, where advanced
malware enters the organization and starts searching for credentials across any
department it is able to access.
5. Avoiding detection.
The attack tries to hide itself throughout the process.
Methods that attackers use to avoid detection include polymorphism and
shortened or obfuscated URLs to prevent blacklist detection. Once an attacker
has successfully gotten malware onto an enterprise’s network, the malware
can do any number of things, such as ensuring that it survives a reboot, giving
attackers remote access, turning off detection software or providing the attacker
administrative access to the entire network.