1 in 101 emails have malicious intent. We analyzed a data sample of over half-a-billion emails received between January and June 2018 to bring you the latest intel on – and trends in – both malware and malware-less attacks.
With only 32% of traffic seen in the dataset considered to be non-spam and free of malicious intent (and therefore suitable for the inbox) the other 68% is blocked or quarantined for a number of reasons. On the connection level, this is based principally on threat intelligence that identifies abnormalities in email traffic, namely a bad IP address or domain reputation, invalid Sender Policy Framework (SPF) record or non-DNS domain creation. On the content level, advanced threats such as malware and malware-less attacks encounter antivirus and anti-spam (AV / AS) engines, algorithms, Advanced URL Defense, Multi-Vector Virtual Execution (MVX) engine and increasingly, machine learning.
Cyber criminals constantly invent, and also evolve their attack techniques to bypass email security. A commonplace example of the latter in the US is W2 fraud. A W2 is an IRS form which must be filed by employers for every worker from whom income, social security or Medicare tax is withheld. Containing the name, address and Social Security number of the employee as well as the financial data, a compromised W2 represents an invaluable tool enabling a cybercriminal to file fraudulent tax returns (and claim the refund for themselves) or sell the information on the dark net. Emails attacks targeting accounting and human resources personnel designed, to socially engineer access to W2s, increase toward 15 April, the deadline for Federal income tax returns. After that date, attackers tend to switch to malware-based threats – normally in the guise of a refund notification but actually containing malicious links or attachments.
On average, 81% of all the malware-less attacks were categorized as phishing rather than impersonation attacks – understandable as the latter tend to be more personalized, requiring more effort on the part of the cyber criminal to make them plausible. Whilst phishing emails may be sent using a more scatter-gun approach, they are likely to be blocked by an email security service. The frequency of impersonation attacks over the six-month period scrutinized remained relatively constant, whereas phishing attacks continued to increase.
Impersonation attacks such as CEO fraud and business email compromise (BEC) have become increasingly popular for cyber criminals. Being text-based and appearing as innocent traffic, they represent quite a challenge for email security solutions. This places the onus on the employee to determine authenticity, which is why cyber criminals are frequently successful in persuading the recipient to comply with requests by using one or more social engineering techniques. One of these is the shift from domain name spoofing towards friendly name impersonation – simply changing the display/username rather than having to go through the process of buying and registering a domain name that can be confused with that of the target.
The data from the sample set highlights the importance of organizations investing in the protection of their weakest Achilles heel - email. Attacks continue to increase in volume and sophistication, using outside influences such as the tax season mentioned above, as well as appealing to basic human emotions to gain access to corporate assets. Effective protection requires multiple layers to succeed, not least an intelligence-led technical solution and employee education about the ever-present threat.