Detecting phishing scams disguised as updates
In this post, we look at how cyber criminals are expanding phishing and other targeted malware campaigns.
The struggle with a larger attack surface
Cyber criminals are expanding phishing and other targeted malware campaigns, and they are executing them successfully for financial gain, notoriety, or theft of IP to gain a competitive advantage. It’s an urgent matter, since the recent changes have increased the attack surface at most of our organisations. The recent changes also create new opportunities for malicious adversaries to leverage the high levels of public interest in covid-19 for their attacks.
According to the 2019 Verizon DBIR, phishing is still the number one attack method behind data breaches. Phishing is essentially a form of social engineering: threat actors are looking for ways to trick victims into clicking on something malicious in an email. This can be either a link or an attachment. The more compelling and realistic the content, such as urgent information during the pandemic, the more likely the recipient is to click on it.
Phishing is just the entry point and can lead to malware infection, lateral movement across the network, account takeover, identity theft and more.
Hidden in a steady stream of communication and updates
We all experienced the deluge of communications from CEOs, HR, products and marketing about remote work, schools, health best practices, and other updates. It creates a perfect storm for people to fall victim to well-crafted phishing emails disguised as official communication from corporate or other related organisations. These emails use an official-sounding mailing alias, or one that resembles popular companies or products the victim may be familiar with.
In a sophisticated phishing email, the urgency and call to action are very clear, but the threat actors can hide in the flood of information and leverage pandemic-themed emails. They use it as an entry point into a corporate network by compromising the recipient.
Additionally, working within a new environment at home (with family members) can be distracting. Many working professionals have found themselves in a situation where their kids may be home from school. It forces them to split attention between work and private life. This may further reduce the attention being paid to the email communications.
Who might be doing this?
Threat actors take advantage of topical subjects for a variety of reasons.
- Nation-state actors seek to sow misinformation and panic by leveraging the urgency for getting the most up-to-date information about the pandemic.
- Threat actors seek direct access to people’s credentials, personal information, or payment card information.
- Cyber criminals want to breach corporate networks through phishing targeted at employees, well hidden in the increased stream of inbound traffic.
A recently discovered phishing campaign that researchers call “Vicious Panda” was deployed by an Advanced Persistent Threat (APT) group. This campaign used the pandemic theme to infect victims with a previously unknown malware. Researchers detected two suspicious Rich Text Format (RTF) files targeting the Mongolian public sector. A custom and unique Remote Access Trojan (RAT) was executed once a phishing email was opened. The malware then took screenshots of the device and catalogued a list of files and directories and downloaded files.
In another case, cyberattackers took advantage of people searching for information about covid-19 and created a weaponised coronavirus map app. This tool infects victims with a variant of the information-stealing AZORult malware. The online map shows an image of the world depicting viral outbreaks with red dots of various sizes, depending on the number of infections. The map cited Johns Hopkins University’s Centre for Systems Science and Engineering as its supposed data source.
An unprecedented challenge for security teams
In the rapid shift to a fully-remote workforce, security leaders must find a balance between productivity and security. Unfortunately, manually configuring rules and defence mechanisms, capable of handling these new conditions, could take weeks.
Luckily, some security approaches that make use of machine learning or behaviour analytics can automatically adapt to the environmental changes of this new working structure. They can alleviate the heavy workload for security teams.
The advantage of behaviour analytics is its ability to baseline the normal activity of users and machines within an organisation. These tools then automatically find deviations from that normal activity that may indicate a compromise. This allows an organisation’s security controls to adapt to changes in the business environment, and to adjust automatically if these conditions become the new normal.
It takes away the effort involved in rewriting or re-configuring rules. By reducing the time to stitch all activities together, security ops teams can focus on dealing with the threat.
Behavioural analytics in action
Behavioural analytics can help identify a number of abnormal circumstances which may be indicative of a phishing attempt, including:
- Abnormal attachments
- Abnormal volume of incoming/outgoing emails for a user/group/organisation
- First time/abnormal domains for a user/group/organisation
- Abnormal volume of domains for a user/group/organisation
- Abnormal email countries of origin for a user/group/organisation
Step 1: Re-educate employees on phishing
Employees get numerous updates on the latest health and travel policies related to covid-19. Since behavioural analytics deals with monitoring user behaviour, a good first step is to re-train employees to mitigate risky behaviour. This is essential in keeping both individuals and companies protected.
The following prevention tips may seem like common sense for your employees, but reframing them in terms of how they relate to the pandemic can make them more effective:
- Ignore unprompted emails that request an urgent response.
- Check sender email addresses and domains.
- Pay close attention to spelling/grammatical errors.
- Hover over links to check their destination before clicking.
- Don’t open attachments unless they are expected.
- Use additional caution for unrecognised senders.
If an email looks even mildly suspicious, employees shouldn’t interact with it. It’s essential to validate the message and content directly with the company/website the email purports to be from.
Recently, the number of phishing emails ostensibly from companies’ trusted business partners and public organisations has increased. Criminals are taking advantage of the numerous communications, so enterprises will need to consider incorporating advice on identifying these scams into their own updates.
Step 2: Improve your email security posture
To leverage behavioural analytics to detect phishing scams, it is important to collect email, authentication, cloud, proxy, VPN and endpoint logs. Our SIEM, Exabeam, partners with a variety of technologies to aggregate logs. Once logs are ingested, Exabeam Advanced Analytics models the data sets for each user, peer groups and the organisation. Modelling data from different perspectives gives your Security Operations Centre a multi-dimensional perspective on identifying abnormalities within the environment.
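The paragraph above describes modelling email data per user, per peer group and for the whole organisation, and the earlier list names the indicators (first-time domains, abnormal countries of origin, abnormal attachments, abnormal volume). The following is an added illustration of that idea in plain Python; it is not Exabeam code and does not reflect how Advanced Analytics actually models data. It learns a baseline from a constructed set of "normal" inbound email records, then assigns risk points to a constructed day of new mail, scoring a first-time sender domain more heavily the wider the scope (user, peer group, organisation) in which it is unknown. It also folds in the near-term rule the post suggests later, elevating risk points when the sender domain contains the word "corona". All field names, point values and the 3x volume threshold are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Email:
    """One inbound email record (constructed schema, not a real log format)."""
    day: str                        # "YYYY-MM-DD"
    user: str                       # recipient mailbox
    group: str                      # recipient's peer group (department)
    sender_domain: str
    country: str                    # country of the sending mail server
    attachment_ext: Optional[str]   # e.g. "pdf"; None when no attachment


def constructed_baseline() -> list:
    """Three days of constructed 'normal' traffic for two users in one peer group."""
    rows = []
    for day in ("2020-03-02", "2020-03-03", "2020-03-04"):
        for _ in range(4):
            rows.append(Email(day, "alice", "finance", "corp.example", "NL", None))
            rows.append(Email(day, "bob", "finance", "corp.example", "NL", None))
        rows.append(Email(day, "alice", "finance", "supplier.example", "DE", "pdf"))
        rows.append(Email(day, "bob", "finance", "payroll.example", "NL", "xlsx"))
    return rows


def constructed_new_day() -> list:
    """A constructed day of new mail, including one pandemic-themed lure."""
    return [
        Email("2020-03-05", "alice", "finance", "corp.example", "NL", None),
        Email("2020-03-05", "alice", "finance", "supplier.example", "DE", "pdf"),
        # Never-seen domain, unusual country, unexpected attachment type, keyword in domain
        Email("2020-03-05", "alice", "finance", "corona-update.example", "RU", "rtf"),
        Email("2020-03-05", "bob", "finance", "corp.example", "NL", None),
        # New to bob, but already known to his peer group: lower risk
        Email("2020-03-05", "bob", "finance", "supplier.example", "DE", "pdf"),
    ]


class EmailBaseline:
    """Per-user, per-peer-group and organisation-wide model of 'normal' email."""

    def __init__(self, history):
        self.user_domains = defaultdict(set)
        self.group_domains = defaultdict(set)
        self.org_domains = set()
        self.user_countries = defaultdict(set)
        self.user_exts = defaultdict(set)
        self.daily = defaultdict(Counter)   # user -> day -> received count
        for e in history:
            self.learn(e)

    def learn(self, e: Email) -> None:
        self.user_domains[e.user].add(e.sender_domain)
        self.group_domains[e.group].add(e.sender_domain)
        self.org_domains.add(e.sender_domain)
        self.user_countries[e.user].add(e.country)
        if e.attachment_ext:
            self.user_exts[e.user].add(e.attachment_ext)
        self.daily[e.user][e.day] += 1

    def mean_daily_volume(self, user: str) -> float:
        days = self.daily[user]
        return sum(days.values()) / len(days) if days else 0.0

    def score(self, e: Email, todays_volume: int, keywords=("corona",)):
        """Return (risk_points, reasons) for one new email (point values are assumed)."""
        points, reasons = 0, []
        # First-time domain: the broader the scope in which it is unknown, the more anomalous
        if e.sender_domain not in self.user_domains[e.user]:
            points += 10; reasons.append("first-time domain for user")
            if e.sender_domain not in self.group_domains[e.group]:
                points += 10; reasons.append("first-time domain for peer group")
                if e.sender_domain not in self.org_domains:
                    points += 20; reasons.append("first-time domain for organisation")
        if e.country not in self.user_countries[e.user]:
            points += 15; reasons.append("abnormal country of origin for user")
        if e.attachment_ext and e.attachment_ext not in self.user_exts[e.user]:
            points += 15; reasons.append("abnormal attachment type for user")
        mean = self.mean_daily_volume(e.user)
        if mean and todays_volume > 3 * mean:       # assumed 3x spike threshold
            points += 10; reasons.append("abnormal inbound volume for user")
        if any(k in e.sender_domain for k in keywords):
            points += 25; reasons.append("keyword in sender domain")
        return points, reasons


def score_day(baseline: EmailBaseline, new_mail, threshold: int = 50):
    """Score one day's inbound mail; return alerts at or above threshold, highest first."""
    volume = Counter(e.user for e in new_mail)   # per-user volume for the day being scored
    alerts = []
    for e in new_mail:
        points, reasons = baseline.score(e, volume[e.user])
        if points >= threshold:
            alerts.append((points, e.user, e.sender_domain, reasons))
    return sorted(alerts, reverse=True)


if __name__ == "__main__":
    base = EmailBaseline(constructed_baseline())
    for points, user, domain, reasons in score_day(base, constructed_new_day()):
        print(f"{points:3d} {user:6s} {domain:24s} {', '.join(reasons)}")
```

Run as a script, it reports only the lure to alice (95 points, six reasons); bob's mail from a domain that is new to him but known to his peer group scores 40 and stays below the threshold, which is the point of modelling at more than one scope. The volume indicator fires for every email a user receives on a day when their count exceeds three times their baseline mean, so a burst of otherwise ordinary mail to one user still adds points.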
Once a phishing email is detected, Exabeam allows security analysts to quickly respond by leveraging the organisation’s security ecosystem. For example, Exabeam Incident Responder can automate several tasks as part of a response to a phishing email:
- Collect the malicious file from the victim system
- Sandbox the file
- If malicious, add to a blocklist
- Check the file against threat intelligence
- If malicious, add to a blocklist
- Hunt for the file
- Isolate the system
- Disable the user account
- Identify other users that received the same email
- Remove the email from the recipient’s mailbox
Through this series of steps, security analysts, who are otherwise dependent on other teams within the organisation, can use the security ecosystem to implement a faster response. They mitigate the risk of additional compromised systems and users.
In addition to offering your employees phishing prevention advice, consider deploying a ‘defence in depth strategy’:
- Security awareness training, including how to spot phishing emails as mentioned above
- Implementing relevant security products such as email security and threat intelligence solutions. They help identify threat campaigns targeting your organisation
- Implementing behavioural analysis to help identify users who are behaving anomalously and may have fallen victim to the phishing campaign.
- In the near term, consider creating rules that look for any email with the word “corona” in the domain to identify potential phishing attacks. Elevate risk points for that specific situation.
Want to know more?
Maybe you want to know more about the advantages of a SIEM and how it works with your other security applications? Leave your information and we’ll get in touch with you.