Nowadays, you don't have to work as hard; as Frank himself said in an interview with the Wall Street Journal, "Today, one simply sits down, opens a laptop and says, 'Who's my victim today?'” Scamming tactics may be more advanced now, but the psychology of scamming hasn't changed – and for hackers, Christmas time has proven to be the most wonderful time of the year. According to the FBI, cyber-criminals could make £1 billion - or even more - this year from online scams, much of it during the holiday season.
With eager shoppers combing the Internet for early bargains, the crooks have already prepared to pounce, luring shoppers into social engineering scams via spam mail, phishing, click fraud, and other malicious offers – and employees of large companies are anything but immune. A 2016 study by the SANS Institute shows that an unbelievable 95 percent of data breaches begin with an email campaign, with employees tempted to click on an item – a web link, a malware-laden document – that will provide entree to hackers who will eventually find their way to the valuable information that will give them access to company secrets, or allow them to run a simple ransomware campaign to reap rich rewards.
In a sense, then, employees are the “weak link” in an enterprise security system. They are just as vulnerable as anyone else to the offers of a too-good-to-be-true deal on this season's hot toy, or a discount voucher for air travel for their Christmas vacations (a scam that is now making the rounds for potential British Airways passengers). Besides the temptations of sales and offers, employees are perfect targets for advanced social engineering tactics. An invitation to a Christmas party at the boss's house; a message from an alleged colleague regarding the holiday grab bag; a company-wide contest for the best fruitcake, with rewards. All these are email messages hackers can (and have) used to tempt employees of large corporations to spread malware that gets them into a corporate system. All it takes is one convincing-looking message targeted to one corporate email address, with one employee tricked into thinking that they are looking at a legitimate message or document, for hackers to pull off their scam.
One would expect that enterprise-level security systems would be able to catch attacks with malware-laced documents – but if that were the case, hacking wouldn't be growing at the rapid pace that it is. This year has seen more – and more devastating – high-profile enterprise attacks than ever, with companies like Verizon on down hit by major, widespread attacks like WannaCry and NotPetya, In the first quarter of 2017, for example, ransomware attacks (which, for maximum lucrativeness, target mostly businesses) were up an amazing 250 percent over the fourth quarter of 2016. They're still compiling the numbers for the rest of this year, but there is no reason in the world not to believe that malware and hacking will continue to grow at double, or even triple digit rates.
The reason for hacker success is, at least partially, due to the lack of effectiveness of traditional solutions. Signature-based anti-virus programs have long been easy targets for hackers, as they are largely ineffective against zero-day attacks. But even more sophisticated solutions like sandboxes have been increasingly ineffective. Hackers have figured out a way to use VBA macros, which can hide their activities when they detect they are inside a sandbox, and activate their code when they get past the sandbox. The tactic takes advantage of VBA's support of referencing methods from other remote VBA projects, with the VBA code that we'll call “tainted” code remaining dormant while it is in the sandbox. As VBA code is perfectly legitimate, it will not get flagged by the sandbox, and by the time it gets onto a server or even an employee's computer, it's too late.
If you can't rely on sophisticated sandboxes to protect the enterprise environment anymore, what's left? One tactic that provides a lot of promise is Web isolation, a scheme that renders content in an isolated environment, checking it for nefarious code before it is passed onto the endpoint. According to Gartner, the system is a preferred method of deflecting hacker threats. “Information security architects can't stop attacks,” according to Gartner, “but they can contain damage by isolating end-user Internet browsing sessions from enterprise endpoints and networks.”
Since so many attacks are delivered through email, it stands to reason that isolating users from email should be done in the same manner – keeping messages away from endpoints until they can be inspected and verified as clean. One strategy for that is CDR - Content Disarm and Reconstruction – a new idea that applies the concept of isolation to email. Messages that contain attachments – including those with macros that sandboxes and anti-virus systems cannot detect – are dissected and analysed for malicious code. The files are then reconstructed and passed onto the system, keeping all functionality intact. Tactics like these work, not just at holiday time, but year round, protecting enterprise systems from hackers, and ensuring that they don't have a happy holiday system at our expense.
Contributed by Itay Glick, CEO of Votiro
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.