Google and Microsoft should be doing more to screen out malicious emails, according to Mario Vuksan, CEO of ReversingLabs, speaking at RSA 2016.
Vuksan's company specialises in deep file and payload analysis, and he said that too many companies were being victimised by ransomware and BEC – business email compromise. BEC, sometimes also called whaling, involves a fraudster impersonating a senior executive of a company to convince a member of staff to transfer money or reveal sensitive information.
In almost all cases, the fraudster relies on malformed headers to spoof the origin and reply-to address in the email to make the mail look legitimate.
The FBI has received complaints about BEC attacks totalling $2.5 billion (£1.9 billion) in the past three years, but Vuksan believes that figure is a gross underestimate and doesn't begin to reflect the scale of the problem globally.
While it would be easy to dismiss successful BECs as a product of user error, email technology isn't helping users find the clues that would indicate the email has been spoofed.
Popular email services like Gmail and Office365 don't allow the user to analyse these clues. “If you look at these emails on your phone, it looks like it's coming from your CEO,” Vuksan said.
“For the benefit of smaller organisations [especially], I would hope to see more help from Google and Microsoft,” he said. “A lot of these emails just go straight through – Google has phenomenal anti-spam engines, but BEC emails go through just like that.”
He added: “They could do more – I know they are doing a lot, they have a great security team, but this particular threat has really exploded in the last year or two. And I hope it's on their radar to address different ways to deal with it.” Screening out malformed headers by default shouldn't be difficult, he said.
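A header screen of the kind described above, as an added example that is not code from the speaker or from the email providers discussed: it flags a message whose display name matches a protected executive but whose address is external, whose display name embeds a different address, or whose Reply-To domain differs from the From domain. The organisation domain, executive list, flag names and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed configuration: the organisation's domain and the names to protect.
ORG_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}

def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def bec_flags(raw, org_domain=ORG_DOMAIN, exec_names=EXEC_NAMES):
    """Return a list of BEC-style header anomalies found in a raw message."""
    msg = message_from_string(raw)
    flags = []
    from_values = msg.get_all("From", [])
    if len(from_values) != 1:
        # Zero or several From headers: clients may disagree on what to show.
        flags.append("from-header-count")
        if not from_values:
            return flags
    name, addr = parseaddr(from_values[0])
    name = name.strip().lower()
    from_dom = domain(addr)
    # Mobile clients often show only the display name, so an executive's
    # name on an address outside the organisation is the classic lure.
    if name in exec_names and from_dom != org_domain:
        flags.append("exec-name-external-address")
    # A display name that is itself an address, different from the real one.
    if "@" in name and name != addr.lower():
        flags.append("display-name-embeds-address")
    # Replies would be routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain(reply_addr) != from_dom:
        flags.append("reply-to-domain-mismatch")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "Jane Doe" <jane.doe@examp1e-mail.test>\n'
           'Reply-To: payments@other.test\n'
           'To: finance@example.com\n'
           'Subject: Urgent wire transfer\n\nPlease process today.\n')
LEGIT = ('From: "Jane Doe" <jane.doe@example.com>\n'
         'To: finance@example.com\n'
         'Subject: Quarterly figures\n\nAttached.\n')
EMBEDDED = ('From: "jane.doe@example.com" <x@evil.test>\n'
            'To: finance@example.com\nSubject: Invoice\n\nSee below.\n')

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("embedded", EMBEDDED)):
        print(label, bec_flags(raw))
```

A Reply-To mismatch also occurs in legitimate mail such as mailing lists, so these flags are signals to score or surface to the user rather than grounds for rejection on their own.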
The battle against advanced threats also requires users to increase their operational intelligence, he said.
“I'm hoping they will not treat their work phones as playgrounds for everything but be careful about what's being installed because there's all sorts of weird situations that they could bring their employer into.”
Too many organisations are failing to define and implement a proper backup and restore policy.
And when it comes to BECs, users need to adopt a system which is distinctly non-cyber. “With BEC, we have to drive home the need for dual signatures and so on – not cyber but absolutely obvious,” he said.
Vuksan also addressed the problem of the repackaging of trusted applications from app vendors like Google Play and Apple. He called for better authentication procedures from these vendors to help users identify rogue software.
The internet of things (IoT) is another area where malware creators are managing to infiltrate their software into devices, through open source and third-party software libraries. A major flaw with many IoT devices is how difficult it is to update the device's firmware, and consumers should be pushing legislators for sensible laws to require that IoT devices are patchable.