3/28/2017 10:30 AM

How Identity Deception Increases the Success of Ransomware

As scammers hone their skills, their handiwork looks more credible to intended victims, making a successful ransomware scam more likely.

We've become used to seeing criminals attempting to defraud people using social engineering methods. One cornerstone of these attacks is identity deception, the criminals' way of establishing trust with their intended victims. Today, almost everybody with an email address has received phishing emails, many of which fraudulently claim to come from a trusted financial institution (or Nigerian prince!). The same techniques are used by criminals every day, whether to steal credentials, extort victims, or dupe people into sending data or funds — and identity deception is one of the most important tools in their war chest.

The danger begins when we no longer see the deception, but only the identity. As criminals hone their skills to make their emails credible, this increasingly is what's happening. It's all about context. When the context is right, it supports the deceptive identity and the intended victims become less likely to notice minor discrepancies. 

Email Identity and Deception
Before looking at context, let's examine the different ways in which email-based identity deception is perpetrated. One of the most common ways is spoofing. A spoofed email is like a letter with a fake return address. You look at the envelope and think you know who it is from, but you're mistaken. If you were to respond to a spoofed email, your response would go to the impersonated party.

A second, less common method is a look-alike domain. For example, a person receiving an email from [email protected] may believe this email comes from Wells Fargo Bank, when in fact somebody has simply registered security1337.com and created a suitable subdomain and user name under it.

A third way simply insinuates an identity by setting the display name accordingly. Say that the criminal determines that the name of his victim's boss is Alex Adams, and that his or her email address is "Alex Adams <[email protected]>" — and sends an email to the target from "Alex Adams [email protected]". Many users wouldn't notice the discrepancy between the display name (Alex Adams) and the user name (jamiedough014). And if the attacker were to choose a credible user name (such as [email protected]), matching the display name and the target of the impersonation, an even greater portion of users would fall for the deception.
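
Each of the three patterns above (spoofing, look-alike domains, and a display name that doesn't match the address) leaves a trace that the receiving side can screen for. The following Python is an added example and is not code from the article or from Agari. It assumes a constructed directory of known contacts and trusted domains, uses a simplified registrable-domain rule (last two labels; a real deployment would consult the Public Suffix List), and relies on the receiving mail server's Authentication-Results header (SPF/DMARC) to catch spoofing, since the From header itself is under the sender's control.

```python
"""Heuristic checks for three email identity-deception patterns:
display-name mismatch, look-alike domains, and spoofing of a trusted domain."""
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of trusted contacts and brand domains (hypothetical values).
KNOWN_CONTACTS = {"alex adams": "alex.adams@example-corp.com"}
TRUSTED_DOMAINS = {"example-corp.com", "examplebank.com"}


def registrable_domain(host):
    # Simplification: treat the last two labels as the registrable domain.
    # Production code should use the Public Suffix List (think "co.uk").
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    # Levenshtein distance, used to spot typo-squatted domains (examp1ebank vs examplebank).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from(raw_message):
    """Return a list of human-readable findings for the message's From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _local, _, host = addr.rpartition("@")
    reg = registrable_domain(host)
    findings = []

    # 1. Display-name deception: the name belongs to a known contact, the address does not.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{display}' is a known contact but address is {addr}")

    # 2. Look-alike domain: a trusted brand used as a subdomain label of an untrusted
    #    registrable domain, or a registrable domain one edit away from a trusted one.
    if reg not in TRUSTED_DOMAINS:
        labels = host.lower().split(".")
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in labels[:-2]:
                findings.append(f"trusted brand '{brand}' used as a subdomain of {reg}")
            elif edit_distance(reg, trusted) <= 1:
                findings.append(f"domain {reg} is a near-miss of {trusted}")

    # 3. Spoofing: the From domain is trusted, but the receiving MTA's SPF/DMARC
    #    evaluation failed. The header is attacker-controlled; the verdict is not.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if reg in TRUSTED_DOMAINS and ("dmarc=fail" in auth or "spf=fail" in auth):
        findings.append(f"{reg} is trusted but authentication failed: {auth.strip()}")
    return findings


# Constructed sample messages, one per pattern plus a clean one (not from the article).
MSG_DISPLAY_NAME = (
    "From: Alex Adams <jamiedough014@example-mail.test>\n"
    "To: pat@example-corp.com\nSubject: Quick favor\n\nAre you at your desk?\n"
)
MSG_LOOKALIKE = (
    'From: "Example Bank" <alerts@examplebank.security1337.test>\n'
    "To: pat@example-corp.com\nSubject: Account notice\n\nPlease review.\n"
)
MSG_SPOOFED = (
    "From: Alex Adams <alex.adams@example-corp.com>\n"
    "Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com;"
    " dmarc=fail header.from=example-corp.com\n"
    "To: pat@example-corp.com\nSubject: Invoice\n\nSee attached.\n"
)
MSG_CLEAN = (
    "From: Alex Adams <alex.adams@example-corp.com>\n"
    "Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;"
    " dmarc=pass header.from=example-corp.com\n"
    "To: pat@example-corp.com\nSubject: Lunch\n\nNoon?\n"
)

if __name__ == "__main__":
    for name, sample in [("display-name", MSG_DISPLAY_NAME), ("look-alike", MSG_LOOKALIKE),
                         ("spoofed", MSG_SPOOFED), ("clean", MSG_CLEAN)]:
        print(name, "->", analyze_from(sample) or "no findings")
```

The display-name check also fires for the "credible user name" variant from the paragraph above (a plausible address at an unrelated domain), because it compares against the contact's known address rather than inspecting the local part.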

For years, people have tried to push the boundaries of security awareness to ensure people don't fall for attacks like this. Unfortunately, things are headed in the wrong direction. Increasingly, we're reading our emails on mobile devices, where the only indication of identity is the display name — which means cybercriminals are having a field day! Today, more than 55% of emails are opened on mobile devices.

Email Context and Trust
Now, let's return to context and how it's used to make email messages deceptive. A recent example is from the day after the U.S. presidential election. A large number of credible-looking emails were sent to left-leaning nongovernmental organizations (NGOs) touting insights into election fraud and containing malware attachments. The attackers knew that a large number of recipients would be unable to resist clicking. It's also interesting to note how these emails circumvented antivirus technologies; by placing the malware file in an encrypted ZIP file and enclosing the password in the email, the attackers effectively blocked automated filters from inspecting the email attachments.
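
The encrypted-ZIP trick described above is itself a detectable pattern: the archive cannot be scanned, but an encrypted archive arriving together with its password in the message body is rare in legitimate mail. The following Python is an added example, not code from the article or from Agari. It reads the ZIP general-purpose flag bit that marks encrypted entries and pairs that with a simple password-phrase check on the body. The message and archive are constructed inline; because Python's zipfile cannot write password-protected archives, the sample sets the encryption flag on an ordinary archive to mimic what a protected one looks like on the wire.

```python
"""Flag messages that pair an encrypted ZIP attachment with a password in the body."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Phrases that typically introduce an archive password in the body (constructed list).
PASSWORD_HINT = re.compile(r"\b(password|passcode|pass)\b\s*(is|:)", re.IGNORECASE)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets general-purpose bit 0, which marks an encrypted entry
    (both traditional PKZIP and AES-encrypted entries set this bit)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> list:
    """Return findings for ZIP attachments that automated scanners cannot inspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") and zip_has_encrypted_entries(payload):
            if PASSWORD_HINT.search(text):
                findings.append(f"{name}: encrypted archive with password in body")
            else:
                findings.append(f"{name}: encrypted archive (cannot be inspected)")
    return findings


def make_zip_sample(encrypted: bool) -> bytes:
    # Constructed sample archive. When encrypted=True, set bit 0 of the flags field
    # in both the local file header (offset 6) and the central-directory header
    # (offset 8); the content itself is a placeholder, not real ciphertext.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("itinerary.pdf", b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x1
    return bytes(data)


def build_sample(body_text: str, archive: bytes) -> bytes:
    # Constructed message mirroring the itinerary lure; addresses are hypothetical.
    msg = EmailMessage()
    msg["From"] = "Travel Desk <desk@example-travel.test>"
    msg["To"] = "traveler@example-corp.test"
    msg["Subject"] = "Updated itinerary"
    msg.set_content(body_text)
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="itinerary.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Your itinerary changed. The password is 1234.", make_zip_sample(True))
    print(scan_message(lure))
```

The second finding (encrypted archive with no password in the body) is deliberately kept as a lower-severity signal rather than discarded; legitimate senders do use protected archives, but a gateway that cannot inspect the content should at least record that fact.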

Now, imagine an email that appears to come from someone you trust and mentions things that are contextually relevant. You wouldn't think twice about responding. This is why identity deception is enabling attackers to get rich. For example, consider an attacker who knows you're taking a trip and finds information about your itinerary. He can send you an email that appears to come from your travel agent and contains a supposed itinerary modification. You need to know what has changed, so you open the file, and … oh, too bad, your hard drive has just been encrypted, but for $2,500, you can have the decryption key. And it's easy for cybercriminals to find your itinerary and your contact email address using brute-force methods.

Ransomware
One of the ways in which criminals monetize identity deception is with ransomware. A recent report shows that attacks on businesses increased threefold between January and September of 2016, going from one attack every two minutes to one every 40 seconds. 

The objective of ransomware is to get activated — that is, getting a recipient to open an infected file, which typically encrypts the victim's hard drive. The attacker then offers to provide the victim with the key to unlock the hard drive — for a price. As payments are made using Bitcoin, they can't be traced or reversed, and the criminals securely collect the bounty.  

One of the most recent examples to make the news was the attack on the St. Louis Public Library in January. The cybercriminals used malware to infect approximately 700 computers at 16 different locations and demanded $35,000 in Bitcoins for the decryption of the infected files. Luckily, the library didn't have any personal or financial information stored on these computers, and they had a backup system, so they chose not to pay the attackers. However, many other organizations aren't so lucky. According to the FBI, cybercriminals collected $209 million in reported ransomware payments in the first quarter of 2016 alone.

As long as ransomware attacks are successful, we're all at risk. In a recent article, Jeff Schilling suggests several good approaches toward mitigating the risk of ransomware. However, the level of complexity going into these attacks means that it's increasingly unlikely they will be spotted, so it's increasingly likely that the frequency of these attacks will continue to grow. As attackers get better at automating these attacks, and at creating better context that drives clicks, organizations will need to have a stronger understanding of identity deception, and develop more sophisticated ways of preventing these attacks from ever reaching their intended targets.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. In his role at Agari, he leads the company's security research with a ...

Comments
markus jakobsson, User Rank: Author, 3/29/2017 | 7:37:11 PM
Re: Favorite attack vector for hackers will always be us

I agree with your first statement, "humans will always be the easiest attack vector for hackers". But I have increasingly come to realize that your second statement, "we need to continue training users", is not the logical conclusion. 

This may seem paradoxical at first: if humans are the weak link, why not train them? But as attacks become more and more sophisticated, the sheer effort of training will become unbearable -- and start paying off less and less. Similarly, as the number of versions of the attacks we see mushroom, it will be harder for regular mortals to keep things straight. And this is what is happening.

So what can we do to deal with the fact that humans are, and will remain, the easiest attack vector? We need software that reflects the perspective of the human victims. What makes people fall for attacks? If we can create filters that identify what is deceptive -- to people -- then we are addressing the problem.

Am I talking about artificial intelligence? Not necessarily. This can be solved using expert systems, machine learning, and combinations thereof. What I am really talking about is software that interprets things like people do, and then filters out what is risky. Can we call this "artificial empathy"?

JulietteRizkallah, User Rank: Moderator, 3/29/2017 | 10:02:27 AM
Favorite attack vector for hackers will always be us
Technology will advance and attacks will evolve, but one thing will remain: humans will always be the easiest attack vector for hackers. So we need to continue training users and testing them, as described earlier in an article on Dark Reading.