Endpoint
3/28/2017
10:30 AM

How Identity Deception Increases the Success of Ransomware

As scammers hone their skills, their handiwork looks more credible to intended victims, making a successful ransomware scam more likely.

We've become used to seeing criminals attempting to defraud people using social engineering methods. One cornerstone of these attacks is identity deception, the criminals' way of establishing trust with their intended victims. Today, almost everybody with an email address has received phishing emails, many of which fraudulently claim to come from a trusted financial institution (or Nigerian prince!). The same techniques are used by criminals every day, whether to steal credentials, extort victims, or dupe people into sending data or funds — and identity deception is one of the most important tools in their war chest.

The danger begins when we no longer see the deception, but only the identity. As criminals hone their skills to make their emails credible, this increasingly is what's happening. It's all about context. When the context is right, it supports the deceptive identity and the intended victims become less likely to notice minor discrepancies. 

Email Identity and Deception
Before looking at context, let's examine the different ways in which email-based identity deception is perpetrated. One of the most common ways is spoofing. A spoofed email is like a letter with a fake return address. You look at the envelope and think you know who it is from, but you're mistaken. If you were to respond to a spoofed email, your response would go to the impersonated party.

A second, less common method is a look-alike domain. For example, a person receiving an email from [email protected] may believe this email comes from Wells Fargo Bank, as opposed to simply somebody having registered security1337.com and created a suitable subdomain and user.

A third way simply insinuates an identity by setting the display name accordingly. Say that the criminal determines that the name of his victim's boss is Alex Adams, and that his or her email address is "Alex Adams <[email protected]>", and then sends an email to the target from "Alex Adams <[email protected]>". Many users wouldn't notice the discrepancy between the display name (Alex Adams) and the user name (jamiedough014). And if the attacker were to choose a credible user name (such as [email protected]), matching the display name and the target of the impersonation, an even greater portion of users would fall for the deception.

For years, people have tried to push the boundaries of security awareness to ensure people don't fall for attacks like this. Unfortunately, things are headed in the wrong direction. Increasingly, we're reading our emails on mobile devices, where the only indication of identity is the display name — which means cybercriminals are having a field day! Today, more than 55% of emails are opened on mobile devices.
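The three deception patterns above (spoofing, look-alike domains, display-name abuse) can each be turned into a receiving-side check. The following is an added example written for this page, not code from the article or from Agari; the trusted-contact directory, the protected-domain list, the similarity threshold and the sample headers are all constructed assumptions.

```python
"""Triage a From: header for the three email identity-deception patterns.

Added example, not from the article. TRUSTED_CONTACTS, PROTECTED_DOMAINS,
LOOKALIKE_RATIO and every sample header are constructed for the demonstration.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Optional

# Constructed directory: display names the recipient knows, mapped to the
# address each name is expected to carry.
TRUSTED_CONTACTS = {
    "alex adams": "alex.adams@example-corp.com",
}

# Constructed list of registrable domains whose brand we want to protect.
PROTECTED_DOMAINS = {"example-corp.com", "examplebank.com"}

# Constructed threshold for calling a registrable domain a near-miss look-alike.
LOOKALIKE_RATIO = 0.85


def registrable_domain(domain: str) -> str:
    """Naive registrable domain (last two labels). Production code would
    consult the Public Suffix List so that suffixes like 'co.uk' are handled."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def name_tokens(name: str) -> list:
    """Words of a display name worth matching against the mailbox name."""
    return [t for t in re.split(r"[^a-z0-9]+", name.lower()) if len(t) >= 3]


def analyze_from_header(from_header: str, dmarc_pass: Optional[bool] = None) -> list:
    """Return human-readable findings; an empty list means nothing suspicious.
    dmarc_pass is the verdict the receiving MTA recorded (for example in its
    Authentication-Results header); None means the verdict is unknown."""
    findings = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header could not be parsed into an address"]
    local, _, domain = addr.partition("@")
    domain = domain.lower()
    reg = registrable_domain(domain)

    # 1. Spoofing: the address genuinely is a protected domain, so the header
    #    looks perfect; only the authentication result reveals whether the
    #    sending server was allowed to use that domain.
    if reg in PROTECTED_DOMAINS and dmarc_pass is False:
        findings.append(f"possible spoof: '{addr}' uses protected domain '{reg}' but DMARC did not pass")

    # 2. Look-alike domains: a brand label reused as a subdomain of someone
    #    else's registrable domain, or a near-miss registration of the brand.
    for brand in sorted(PROTECTED_DOMAINS):
        if reg == brand:
            continue
        brand_label = brand.split(".")[0]
        if brand_label in domain.split("."):
            findings.append(f"look-alike domain: '{domain}' carries brand label '{brand_label}' but is registered under '{reg}'")
        elif SequenceMatcher(None, reg, brand).ratio() >= LOOKALIKE_RATIO:
            findings.append(f"look-alike domain: '{reg}' closely resembles protected domain '{brand}'")

    # 3. Display-name deception: a trusted name on an address that name does
    #    not normally use, or a name with no relation to the mailbox at all.
    if display:
        expected = TRUSTED_CONTACTS.get(display.strip().lower())
        if expected and expected != addr.lower():
            findings.append(f"display name '{display}' belongs to '{expected}' but the address is '{addr}'")
        elif not expected and not any(t in local.lower() for t in name_tokens(display)):
            findings.append(f"weak signal: display name '{display}' does not resemble mailbox '{local}'")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one per pattern from the text.
    for hdr, dmarc in [
        ("Alex Adams <alex.adams@example-corp.com>", True),
        ("Alex Adams <alex.adams@example-corp.com>", False),
        ("Alex Adams <jamiedough014@webmail.example>", None),
        ("Examplebank Alerts <alerts@examplebank.security1337.com>", None),
    ]:
        print(hdr, "->", analyze_from_header(hdr, dmarc) or "clean")
```

The ordering of the checks matters for the point the text makes: a true spoof carries exactly the right address, so nothing in the header itself can flag it and the check has to lean on the DMARC verdict; the look-alike and display-name cases are visible in the header and can be caught even when authentication is absent.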

Email Context and Trust
Now, let's return to context and how it's used to make email messages deceptive. A recent example is from the day after the U.S. presidential election. A large number of credible-looking emails were sent to left-leaning nongovernmental organizations (NGOs) touting insights into election fraud and containing malware attachments. The attackers knew that a large number of recipients would be unable to resist clicking. It's also interesting to note how these emails circumvented antivirus technologies; by placing the malware file in an encrypted ZIP file and enclosing the password in the email, the attackers effectively blocked automated filters from inspecting the email attachments.
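The evasion described above leaves a recognisable trace: an archive whose entries are flagged as encrypted, arriving with a message that hands over the password. The following added example (not from the article, and not Agari's code) shows how a gateway can detect that combination and hold the message instead of passing it through unscanned. The sample message, its attachment and the password-hint pattern are constructed for the demonstration; no real encryption is performed, only the ZIP encryption flag is set.

```python
"""Flag an encrypted ZIP attachment whose password is given in the email body.

Added example, not from the article. The sample lure, the attachment and
PASSWORD_HINT_RE are constructed for this demonstration.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed pattern: "password is X", "password: X", "passcode = X", capturing
# the token without any trailing punctuation.
PASSWORD_HINT_RE = re.compile(
    r"\b(?:password|passcode|passphrase)\b\s*(?:is|:|=)?\s*[\"']?([^\s\"']{4,}?)[\"']?[.,;:!?]?(?=\s|$)",
    re.IGNORECASE,
)

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"


def zip_encrypted_entries(data: bytes) -> list:
    """Names of entries whose general-purpose flag has bit 0 (encryption) set.
    Raises zipfile.BadZipFile when the data is not a readable archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x0001]


def password_hint(text: str):
    """The password-looking token the body offers, or None."""
    m = PASSWORD_HINT_RE.search(text)
    return m.group(1) if m else None


def assess_message(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message: 'quarantine' when an encrypted ZIP
    arrives together with its password, 'review' for an encrypted ZIP alone,
    'ok' otherwise."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    hint = password_hint(body)
    encrypted_zips, findings = [], []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ZIP_LOCAL_HEADER):
            continue  # only ZIP containers are examined in this example
        name = part.get_filename() or "<unnamed>"
        try:
            entries = zip_encrypted_entries(payload)
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP container")
            continue
        if entries:
            encrypted_zips.append(name)
            findings.append(f"{name}: encrypted entries {entries}")
    if encrypted_zips and hint:
        verdict = "quarantine"
        findings.append(f"password for the archive appears in the body: '{hint}'")
    elif encrypted_zips:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "encrypted_zips": encrypted_zips,
            "password_hint": hint, "findings": findings}


def build_sample_message(encrypted: bool = True, mention_password: bool = True) -> bytes:
    """Constructed sample lure. The ZIP is written with the standard library and
    the encryption bit is then set by hand in the central directory (offset 8
    of the 'PK\\x01\\x02' record), which is all the flag check above needs."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Election_Fraud_Report.docx", b"placeholder content constructed for the example")
    data = bytearray(zbuf.getvalue())
    if encrypted:
        cd = data.find(ZIP_CENTRAL_HEADER)
        data[cd + 8] |= 0x01
    msg = EmailMessage()
    msg["From"] = "Research Desk <desk@ngo-insights.example>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Insights into election fraud"
    text = "Please see the attached analysis."
    if mention_password:
        text += " The password is Report2016."
    msg.set_content(text)
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample_message()))
```

The password the body offers is useful to the defender as well: a quarantine pipeline can use it to open the archive in a sandbox and scan the contents that the filter was meant to be denied.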

Now, imagine an email that appears to come from someone you trust and mentions things that are contextually relevant. You wouldn't think twice about responding. This is why identity deception is enabling attackers to get rich. For example, consider an attacker who knows you're taking a trip and finds information about your itinerary. He can send you an email that appears to come from your travel agent and contains a supposed itinerary modification. You need to know what has changed, so you open the file, and … oh, too bad, your hard drive has just been encrypted, but for $2,500, you can have the decryption key. And it's easy for cybercriminals to find your itinerary and your contact email address using brute-force methods.

Ransomware
One of the ways in which criminals monetize identity deception is with ransomware. A recent report shows that attacks on businesses increased threefold between January and September of 2016, going from one attack every two minutes to one every 40 seconds. 

The objective of a ransomware campaign is to get the malware activated, that is, to get a recipient to open an infected file, which typically encrypts the victim's hard drive. The attacker then offers to provide the victim with the key to unlock the hard drive, for a price. As payments are made using Bitcoin, they can't be traced or reversed, and the criminals securely collect the bounty.

One of the most recent examples to make the news was the attack on the St. Louis Public Library in January. The cybercriminals used malware to infect approximately 700 computers at 16 different locations and demanded $35,000 in Bitcoins for the decryption of the infected files. Luckily, the library didn't have any personal or financial information stored on these computers, and they had a backup system, so they chose not to pay the attackers. However, many other organizations aren't so lucky. According to the FBI, cybercriminals collected $209 million in reported ransomware payments in the first quarter of 2016 alone.

As long as ransomware attacks are successful, we're all at risk. In a recent article, Jeff Schilling suggests several good approaches toward mitigating the risk of ransomware. However, the level of complexity going into these attacks means that it's increasingly unlikely they will be spotted, so it's increasingly likely that the frequency of these attacks will continue to grow. As attackers get better at automating these attacks, and at creating better context that drives clicks, organizations will need to have a stronger understanding of identity deception, and develop more sophisticated ways of preventing these attacks from ever reaching their intended targets.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ...
Comments
markus jakobsson, User Rank: Author, 3/29/2017 | 7:37:11 PM
Re: Favorite attack vector for hackers will always be us

I agree with your first statement, "humans will always be the easiest attack vector for hackers". But I have increasingly come to realize that your second statement, "we need to continue training users", is not the logical conclusion. 

This may seem paradoxical at first: if humans are the weak link, why not train them? But as attacks become more and more sophisticated, the sheer effort of training will become unbearable -- and start paying off less and less. Similarly, as the number of versions of the attacks we see mushroom, it will be harder for regular mortals to keep things straight. And this is what is happening.

So what can we do to deal with the fact that humans are, and will remain, the easiest attack vector? We need software that reflects the perspective of the human victims. What makes people fall for attacks? If we can create filters that identify what is deceptive -- to people -- then we are addressing the problem.

Am I talking about artificial intelligence? Not necessarily. This can be solved using expert systems, machine learning, and combinations thereof. What I am really talking about is software that interprets things like people do, and then filters out what is risky. Can we call this "artificial empathy"?

JulietteRizkallah, User Rank: Ninja, 3/29/2017 | 10:02:27 AM
Favorite attack vector for hackers will always be us
Technology will advance and attacks will evolve, but one thing will remain: humans will always be the easiest attack vector for hackers. So we need to continue training users and testing them as described earlier in an article on Dark Reading.