Email is dead ... Long live malicious email

Email is one of the main routes for delivering malware into the enterprise, but despite frequent reports of its demise, it appears here to stay, so companies had better tailor their security posture accordingly, says Carl Leonard.

Carl Leonard, principal security analyst, Forcepoint

As end-users increasingly use social media, online collaboration systems and phone messaging for informal processes, email has repeatedly been declared ‘dead’ by numerous commentators, the sinking ship of the communication world. Email, though, is the proverbial survivor of the internet, fighting off these new challengers and not only staying afloat but remaining the number one way of communicating in the corporate world, arguably becoming more important and more formal in terms of content than ever before. A recent Radicati Group research report estimates that there are currently 2.586 billion email users worldwide (including both business and consumer users) with 4.35 billion email accounts, a figure predicted to increase by 26 percent to 5.59 billion by 2019. However, whilst email is undoubtedly ingrained in the language of business and has very positive growth forecasts, no one would claim that email is without its faults.

Attack vectors

Email is the primary attack vector for cyber-criminals, leaving holes for hackers and cyber-criminals to exploit with phishing scams and other malicious attacks. Email-based cyber-attacks have recently re-emerged as a key weapon in cyber-criminals' arsenal, according to Forcepoint's 2016 Threat Report. Last year saw a 360 percent increase in malicious content being spread via email compared to the previous year – despite a dramatic drop in the proportion of email that is spam. Spam email surged to 88.5 percent of all email in 2014 but dropped to just 68.4 percent in 2015, which, combined with the increase in malicious content, shows cyber-criminals are wising up to the power of email as a tactic for personal and corporate data theft. Malware or malicious web links inside an email can leverage vulnerabilities to compromise machines and eventually whole networks via the internet.

Email and web attack vectors converge significantly: in 2015, nine out of 10 unwanted emails contained a URL. It is this convergence that makes email a vector for data loss, whether accidental or malicious. Accidental data loss often begins with an employee clicking on a suspicious link in an email, unknowingly enabling malicious code to download onto their machine. Accidental loss can also happen through bad processes or mistakes by employees, highlighting the continuous need for email encryption to safely deliver the right data to the right audiences. Malicious outsiders often trick employees through social engineering tactics into opening malicious emails or browsing to a compromised website – either way, data breach investigations reveal that most attacks began with a malicious email or other social engineering tactic.

The blame game

Dridex banking malware and various ransomware campaigns are largely responsible for the rise in email threats. The Dridex Trojan, set up by cyber-criminals in Eastern Europe to steal millions from bank accounts across the world, used malicious email lures with an invoicing theme. The emails contained Microsoft Word MHTML attachments with malicious macros that can be used to execute code. It also targeted many with the Dridex botnet 220 campaign, which enabled the criminals to take ‘clickshots’ when potential victims were accessing certain banking websites. Forcepoint data found that malicious macros embedded into Microsoft Office file types were a prominent attack-delivery mechanism in 2015.

Last year's Threat Report revealed three million malicious macros observed over a thirty-day period at the end of 2014. In a similar sampling period at the end of 2015, Forcepoint found more than four million macros, up 44.7 percent from 2014. Businesses should be extra cautious about email messages that include any source information they are not already familiar with, including the email sender, company sender domains and email bodies with little to no contextual information. Employees used to handling invoices should be careful of suspicious messages sent from familiar names or aliases and, to be on the safe side, follow up with a separate email thread or phone call to validate submitted invoices or balance transfer instructions.

Malicious email campaigns

Malicious actors distributing malware over e-mail are constantly changing their techniques, both within an attack vector and across the wider landscape, to bypass security solutions. There is a natural ebb and flow to malicious email volumes: there was a big spike last year and further spikes at certain periods this year. External influences such as law enforcement activity and competition in the underground market can influence the output of botnets. The challenge for businesses is that they must be ready at all times. Waiting for a spike and then considering how to handle the issue is going to be too late. Instead, having email security solutions in place, ready and waiting for landscape changes, will ensure that you can regain control from the malware authors and allow your systems to “go with the flow” of tactic changes.

Only recently, researchers at Forcepoint discovered an email campaign distributing double-zipped files with Windows Script Files (WSFs) inside which, when executed, download the Cerber crypto-ransomware. Cerber is a highly customisable crypto-ransomware that encrypts local files and requests a payment to get files decrypted, and it is believed to be sold under a ransomware-as-a-service model on Russian underground forums. This means there is no one malware author, but rather several actors distributing their own Cerber builds in different ways – some via exploit kits and others via email.

In this instance the attacker used two techniques to try and trick the user into downloading the malware. Firstly, there is a malicious attachment. Secondly, there is a convincing-looking unsubscribe link at the bottom which ends up redirecting the user to a similar ZIP file. Users must be educated not to open unexpected or unfamiliar attachments in email messages or click on unknown hyperlinks.
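The two attachment patterns described in this article, macro-carrying Office documents and double-zipped archives with a Windows Script File inside, can both be picked out at the mail gateway before a user ever sees them. The following is an added example of such an attachment triage check, written for this page and not Forcepoint's or the article's own code. It assumes a list of script extensions that Windows Script Host or the shell will run directly (the list is an assumption, not from the article), a nesting limit of three ZIP levels, and a constructed sample message with two attachments: a ZIP-inside-a-ZIP carrying a `.wsf`, and a `.docm` whose package contains `word/vbaProject.bin`, the member that marks an Office Open XML file as macro-enabled.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions Windows will execute directly when double-clicked.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe",
                     ".scr", ".bat", ".cmd", ".ps1"}
MAX_ZIP_DEPTH = 3  # refuse to descend forever into zip-in-zip-in-zip lures


def _extension(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""


def inspect_zip(data, depth=1):
    """Walk a ZIP held in memory and return (member_path, reason) findings.

    Nested ZIPs are opened recursively up to MAX_ZIP_DEPTH. Office Open XML
    documents are ZIPs too, so a macro project inside a .docm shows up here.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP after all; nothing to report from here
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = _extension(name)
            if ext in SCRIPT_EXTENSIONS:
                findings.append((name, f"{ext} script at zip depth {depth}"))
            elif name.lower().endswith("vbaproject.bin"):
                findings.append((name, "VBA macro project inside Office package"))
            elif ext == ".zip":
                if depth >= MAX_ZIP_DEPTH:
                    findings.append((name, "nested zip deeper than limit"))
                else:
                    for path, reason in inspect_zip(zf.read(info), depth + 1):
                        findings.append((name + "/" + path, reason))
    return findings


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return findings for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = _extension(filename)
        if ext in SCRIPT_EXTENSIONS:
            findings.append((filename, f"bare {ext} attachment"))
        # Check the bytes, not the declared name: a ZIP renamed to .pdf still starts with PK.
        if payload.startswith(b"PK\x03\x04"):
            for path, reason in inspect_zip(payload):
                findings.append((filename + "/" + path, reason))
    return findings


def build_sample_email():
    """Constructed sample message (not a real lure): double-zipped .wsf plus a .docm with macros."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_4412.wsf", "placeholder text, not a real script")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_4412.zip", inner.getvalue())
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real macro project")

    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice 4412"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_4412.zip")
    msg.add_attachment(docm.getvalue(), maintype="application", subtype="octet-stream",
                       filename="statement.docm")
    return bytes(msg)


if __name__ == "__main__":
    for path, reason in triage_message(build_sample_email()):
        print(f"BLOCK {path}: {reason}")
```

The check looks at content rather than the filename the sender chose, which is what defeats the simplest evasion of renaming an archive; the depth limit keeps a gateway from spending unbounded time on a decoy. In production the same findings would feed a quarantine decision and a log line for the SOC rather than a print.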

Irreplaceable reputational damage

Employees in even the most restricted and secure workplaces typically cannot be productive without the Web and email, making these mediums ideal for serving up malicious payloads in the form of links to malware-laden Web sites and malicious email attachments. There are steps that businesses can take to better protect themselves from email threats, and this has to be a key focus for businesses in the next 12 months. Any business that ignores the threat that email poses leaves itself vulnerable to data theft and, in turn, to tougher penalties from the authorities, attacks that cost millions of pounds to fix, and potentially irreplaceable reputational damage.

Malware authors will always evolve, so changes in the tools, techniques and procedures they use are guaranteed. Organisations must therefore re-evaluate their security posture to consider technical and human elements, while also educating their employees to act as a first line of defence against scams and to flag any anomalous behaviour.

Whilst we have focused on the external threat from malicious emails, it is worth remembering that email is also a common vector for data loss. Bad business processes or a lack of user awareness can lead to users sending critical or sensitive data out through email by mistake. This can be either to the wrong recipient or to personal email accounts as a means to be more productive. However, sometimes sensitive information does need to be transmitted to outside parties. In that case organisations can look to integrate Data Loss Prevention (DLP) and email encryption tools to manage data loss and the flow of sensitive or critical data.

Whether it is malicious or accidental data loss, email is here to stay and businesses must take the necessary steps to ensure that they have complete visibility of threats across the threat lifecycle, and that their security solution is adaptive to shifts in malicious tactics.

Contributed by Carl Leonard, principal security analyst, Forcepoint