Cyber criminals can use clever psychological tricks to entice users to click on their malicious emails, and can be so adept at hiding their intentions that traditional email and gateway filtering fails to stop them.
Mark Sparshott, executive director at enterprise email security firm Proofpoint, has drawn these conclusions following an analysis of a large number of email-based attacks over several years.
Speaking at Computing’s IT Leaders’ Forum event in London this morning, Sparshott described the types of attack he sees most commonly, and how they work.
“Filtering so much email gives us great visibility of the types of attack out there. We see spear phishing [emails targeting specific individuals, with information about them enticing users to open messages], long lining [a handful of emails targeting a specific organisation, with advanced obfuscation techniques], watering hole [where a website commonly used by the target group is infected with malware] and malvertising [where malware-laden adverts are injected into reputable websites],” said Sparshott.
“All these attacks leverage clever techniques to bypass traditional reputation and content-based checking at the time of delivery. Once in the inbox, they leverage an understanding of how humans work to make them click the link, where the payloads that attack the system flaws on the device the user is browsing from occur,” he added.
He explained that traditional security systems scan emails for malicious content.
The more advanced solutions go further, scanning the links, and the sites those links direct users to for anything suspicious.
At the time the email is delivered, the email, and the sites it links to can all be clean. Once it has been safely delivered to users’ inboxes, however, the cyber criminals add the malware payload to their sites.
But users still need to open messages and click those links in order for the strategy to work.
“Cyber criminals manage the content of their emails to entice clicks,” said Sparshott. “It’s the same technique you might find a leading marketing agency using.”
He explained that they send out small bursts of traffic to samples of their desired audience using different templates with different content.
They then analyse the success rate, seeing how many people clicked their links – then use the most successful version for the main email burst, which could go out to a large number of organisations.
Proofpoint finds that 10 per cent of users click these links on average – and that’s after the messages have already got through anti-virus and spam filters. But the success rate varies per company, with only one per cent of users clicking at some firms, but up to fifty per cent at the worst offenders.
And not all organisations are equally targeted, continued Sparshott.
“Pharmaceutical and financial firms are targeted the most, then hospitality/ leisure. Large organisations are targeted slightly more than smaller, but generally sector matters more than size. Often a smaller supplier is a stepping stone to the main target, where the data the bad guys want really is.”
Sparshott also discussed the types of email that prove most successful for cyber criminals.
“The top three which achieve most success are social network communication, financial account warnings and order confirmation. That preys on human curiosity and desire to broaden one’s network, or to not lose money, or to check something you feel you didn’t order.”
The most successful type of attack of all, Sparshott said, is LinkedIn connection invitations.
“The LinkedIn lure is particularly effective, because it can look exactly as if it has come from LinkedIn itself. LinkedIn lures are twice as successful as others, and the most successful is the LinkedIn invitation.”
Sparshott also had a few words of advice for users when they receive these invitations in their email.
“When you get the invitation, don’t click accept or view, don’t click on anything. Manage it from the LinkedIn page from a new browser. Manage it from the inbox in LinkedIn itself, never from the email client.”