Cyber attackers are increasingly using fraudulent emails to trick organisations’ employees into helping them achieve their criminal aims.
Email spoofing, or creating email messages with a forged sender address that appears to come from a company executive, is increasingly being used to trick staff into sending data or money to the attackers.
This type of attack is known variously as a whaling attack, business email compromise (BEC) or CEO fraud.
Scott Crawford, security research director at 451 Research, says email remains a popular attack vector for cyber criminals because it is one of the most direct paths of entry into the enterprise by using social engineering techniques.
“This means that attackers will continue to prioritise email – and defences must level up accordingly,” he said, adding that whaling is becoming a more frequent variant of spear-phishing, and is a tactic cyber criminals are using with great success.
In January 2016, Austrian aircraft industry supplier FACC was hit by a $54m cyber fraud believed to have been carried out using this method, and in March 2016, an employee at US retailer Sprouts Farmers Market was tricked into sending employee tax deduction records to cyber criminals.
Fortunately, when the UK’s Athona Recruitment was targeted in a similar way, a savvy finance manager reported it to IT manager Michael Paul, who enlisted the help of London-based email and data security firm Mimecast to ensure it did not happen again.
“The email appeared to come from the MD and was even written in the same style as legitimate emails from him, and was requesting an urgent money transfer, but the finance manager noticed that the sender’s address did not match every detail of the MD’s usual email address,” Paul told Computer Weekly.
Beta testing site
As a new customer, Paul was able to sign up Athona as a beta testing site for Mimecast’s Impersonation Protect cloud-based anti-whaling service, which in April 2016 became part of the security firm’s Targeted Threat Protection secure email gateway product.
The service uses scanning techniques to prevent attacks by monitoring all email traffic for elements commonly used by criminals, including employee and domain names, and other keywords such as ‘wire transfer’, ‘tax form’ or ‘urgent’.
“Once it was deployed, the system detected the next attempted whaling attack by recognising the MD’s name and other keywords in the message,” said Paul.
The service enables IT administrators and security organisations to simply block suspicious emails or display additional security warnings for employee awareness.
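The kind of check described above can be sketched as follows. This is an added example, not Mimecast's implementation or code from the article: it flags a protected display name arriving from an external address, a near-miss sender domain and the keywords quoted above, then picks block, warn or deliver. The domain, executive name, distance threshold and policy are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; none of these come from the article.
INTERNAL_DOMAIN = "example-recruit.test"
PROTECTED_NAMES = {"jane doe"}                 # executives worth impersonating
KEYWORDS = ("wire transfer", "tax form", "urgent")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw):
    """Return (action, indicators) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    identity = []
    if domain != INTERNAL_DOMAIN:
        if " ".join(name.lower().split()) in PROTECTED_NAMES:
            identity.append("protected_name_from_external_address")
        if edit_distance(domain, INTERNAL_DOMAIN) <= 2:
            identity.append("lookalike_domain")
    keywords = [k for k in KEYWORDS if k in text]
    # Assumed policy: keywords only matter alongside an identity indicator.
    if "lookalike_domain" in identity and keywords:
        action = "block"
    elif identity and keywords:
        action = "warn"
    else:
        action = "deliver"
    return action, identity + keywords

# Constructed sample messages.
SPOOFED = ("From: Jane Doe <jane.doe@example-recrult.test>\n"
           "Subject: Urgent payment\n\nPlease arrange a wire transfer today.\n")
NAMESAKE = ("From: Jane Doe <jane.doe@other-agency.test>\n"
            "Subject: Candidate availability\n\nCVs attached for next week.\n")
INTERNAL = ("From: Jane Doe <jane.doe@example-recruit.test>\n"
            "Subject: Urgent: tax form deadline\n\nPlease file by Friday.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("namesake", NAMESAKE), ("internal", INTERNAL)):
        print(label, *assess(raw))
```

The sketch trusts the From header as received; a message that forges the exact internal domain has to be caught by sender authentication (SPF, DKIM, DMARC), which is not checked here.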
“The best thing is that you configure just one policy and it’s working,” said Paul. “Problem solved with no staff training required.”
Steven Malone, director of security product management at Mimecast, said whaling attacks have been growing around the world as cyber criminals change their tactics to circumvent traditional email security techniques.
“Even the smartest employees can fall victim to these malware-less attacks designed to steal money or confidential data,” he said. “Employee education and rigorous business processes play an important role, but we believe advanced pattern recognition can play a larger role in identifying social-engineering attacks.”
Whaling attacks accelerating
Mimecast developed Impersonation Protect in response to research that showed whaling attacks were accelerating around the world.
More recent research, in March 2016, revealed that the UK is one of the most highly targeted countries in the world, and a report by the City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that between July 2015 and January 2016 there was a marked increase in CEO fraud, with 994 reports made to Action Fraud.
The Mimecast research, which polled more than 400 IT professionals in the UK, the US, Australia and South Africa, revealed that in the first three months of 2016, 75% of UK respondents and 67% of all respondents saw an increase in whaling attacks aimed at tricking employees into making payments to bank accounts controlled by criminals, while 38% of UK respondents and 43% of all respondents saw an increase in attacks asking for confidential data.
Recognising the risk of whaling attacks, Paul implemented Mimecast’s Impersonation Protect service soon after being alerted by the finance manager.
“It is scary how focused these attacks are and how easy it would be for them to go undetected because the emails are so well crafted and come through only a few times a month,” he said.
Since implementing the service, Paul said he has been impressed by the fact that there have been no false positives despite the high volume of emails and correspondents with similar or the same names from different organisations, and he believes that although there are only a few alerts a month, the service is valuable.
Well worth the investment
“The fact that a business with fewer than 150 employees is being targeted by such sophisticated attacks means it is well worth the investment because the potential financial losses are huge,” he said.
Impersonation Protect proved to be a bonus for Athona, however. The core business requirement of storing, managing and protecting a large number of email messages containing personal data was the main reason for the firm becoming a Mimecast customer in the first place.
Athona, which specialises in providing staff to the medical, healthcare, nursing and education markets, is required to hold a lot of personal information because of legal requirements introduced following the inquiry into medical doctor turned serial killer Harold Shipman.
“We have to retain so much information to ensure we are comfortable that any doctor, teacher or nurse we send out is 100% compliant and working with the law,” said Paul.
In 2014, Athona had only about 80 staff housed in a single building and used an on-premise Microsoft Exchange Server, with email archiving performed using removable media to store snapshots of the Exchange environment taken at regular intervals.
“But this meant that retrieving information when needed became increasingly tricky, and we were forced to extend Exchange’s standard 14-day retention period to 365 days,” said Paul. “But as the business grew, so did the amount of data being stored, which increased even further when we opened a second office.
“In terms of management, we were facing a massive task of managing about 2.5 terabytes worth of Exchange information by July 2015, and searching for specific data in it was getting slower and slower. We were really starting to feel the impact on the live environment.”
Faced with the high costs of upgrading Exchange Server and Microsoft Office software to meet the company’s archiving requirements, Paul began to look at alternatives.
But all the on-premise options were unable to scale to support two separate office sites, which led Athona to look at cloud-based systems that can scale up or down as necessary.
“Mimecast provided a way of bringing it all together in the cloud, and when we took over the IT of our sister company Organic Talent, we were able to add their email to Mimecast literally overnight to provide archiving as well as all the other security benefits,” said Paul.
In addition to Impersonation Protect, Mimecast’s Targeted Threat Protection service offers protection against malicious links and attachments using sandboxing.
“These additional benefits that I could deliver to the business, including spam filtering, are what set Mimecast apart from all the other options for solving the archiving challenge, with about 40,000 illegitimate and malicious emails being blocked each week,” said Paul.