We've become used to seeing criminals attempting to defraud people using social engineering methods. One cornerstone of these attacks is identity deception, the criminals' way of establishing trust with their intended victims. Today, almost everybody with an email address has received phishing emails, many of which fraudulently claim to come from a trusted financial institution (or Nigerian prince!). The same techniques are used by criminals every day, whether to steal credentials, extort victims, or dupe people into sending data or funds — and identity deception is one of the most important tools in their war chest.
The danger begins when we no longer see the deception, but only the identity. As criminals hone their skills to make their emails credible, this is increasingly what's happening. It's all about context. When the context is right, it supports the deceptive identity, and the intended victims become less likely to notice minor discrepancies.
Email Identity and Deception
Before looking at context, let's examine the different ways in which email-based identity deception is perpetrated. One of the most common ways is spoofing. A spoofed email is like a letter with a fake return address. You look at the envelope and think you know who it is from, but you're mistaken. If you were to respond to a spoofed email, your response would go to the impersonated party.
A second, less common method is a look-alike domain. For example, a person receiving an email from [email protected] may believe this email comes from Wells Fargo Bank, rather than from somebody who simply registered security1337.com and created a suitable subdomain and user name.
A third way simply insinuates an identity by setting the display name accordingly. Say that the criminal determines that the name of his victim's boss is Alex Adams, and that his or her email address is "Alex Adams <[email protected]>" — and sends an email to the target from "Alex Adams [email protected]". Many users wouldn't notice the discrepancy between the display name (Alex Adams) and the user name (jamiedough014). And if the attacker were to choose a credible user name (such as [email protected]), matching the display name and the target of the impersonation, an even greater portion of users would fall for the deception.
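As an added example (not code from the article), here is a small Python checker that flags the second and third deception methods described above from a From: header value: a known contact's display name on a foreign address, and a trusted brand name appearing as a subdomain or label of some other registered domain. The contact list, trusted-brand table and sample addresses are constructed for illustration, and the registrable-domain extraction is a deliberately naive assumption.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions for this example, not from the article):
# the organisation's known contacts and the brand domains it trusts.
KNOWN_CONTACTS = {"alex adams": "example.com"}      # display name -> expected domain
TRUSTED_BRANDS = {"wellsfargo": "wellsfargo.com"}   # brand token -> genuine domain


def registered_domain(addr_domain: str) -> str:
    """Naive registrable-domain extraction (last two labels).
    Assumption: no multi-label public suffixes such as co.uk in the sample data;
    a real deployment would use a public-suffix list."""
    labels = addr_domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else addr_domain.lower()


def classify_from(header_value: str) -> list:
    """Return the list of deception indicators found in a From: header value.
    Note: a spoofed From: (the first method in the article) looks identical to a
    genuine one here; detecting it needs sender-authentication results, which
    this header-only check does not cover."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return ["unparseable-address"]
    local, _, domain = addr.rpartition("@")
    reg = registered_domain(domain)
    findings = []

    # Display-name impersonation: a known contact's name on an address whose
    # registrable domain is not the one we have on file for that contact.
    name_key = " ".join(display.lower().split())
    if name_key in KNOWN_CONTACTS and reg != KNOWN_CONTACTS[name_key]:
        findings.append("display-name-mismatch")

    # Look-alike domain: a trusted brand token appears somewhere in the address
    # (subdomain, label or local part) but the registrable domain is not the brand's.
    haystack = f"{local}.{domain}".lower().replace("-", "")
    for token, genuine in TRUSTED_BRANDS.items():
        if token in haystack and reg != genuine:
            findings.append(f"lookalike:{genuine}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the mail.example and security1337.com addresses are illustrative.
    for hdr in ('"Alex Adams" <jamiedough014@mail.example>',
                "Alex Adams <alex.adams@example.com>",
                "Wells Fargo Alerts <alerts@wellsfargo.security1337.com>",
                "Wells Fargo <alerts@wellsfargo.com>"):
        print(f"{hdr!r}: {classify_from(hdr) or 'no indicators'}")
```

A mobile client that shows only the display name hides exactly the fields this check compares, which is why the comparison belongs in the mail gateway rather than with the reader.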
For years, people have tried to push the boundaries of security awareness to ensure people don't fall for attacks like this. Unfortunately, things are headed in the wrong direction. Increasingly, we're reading our emails on mobile devices, where the only indication of identity is the display name — which means cybercriminals are having a field day! Today, more than 55% of emails are opened on mobile devices.
Email Context and Trust
Now, let's return to context and how it's used to make email messages deceptive. A recent example is from the day after the U.S. presidential election. A large number of credible-looking emails were sent to left-leaning nongovernmental organizations (NGOs) touting insights into election fraud and containing malware attachments. The attackers knew that a large number of recipients would be unable to resist clicking. It's also interesting to note how these emails circumvented antivirus technologies; by placing the malware file in an encrypted ZIP file and enclosing the password in the email, the attackers effectively blocked automated filters from inspecting the email attachments.
Now, imagine an email that appears to come from someone you trust and mentions things that are contextually relevant. You wouldn't think twice about responding. This is why identity deception is enabling attackers to get rich. For example, consider an attacker who knows you're taking a trip and finds information about your itinerary. He can send you an email that appears to come from your travel agent and contains a supposed itinerary modification. You need to know what has changed, so you open the file, and … oh, too bad, your hard drive has just been encrypted, but for $2,500, you can have the decryption key. And it's easy for cybercriminals to find your itinerary and your contact email address using brute-force methods.
One of the ways in which criminals monetize identity deception is with ransomware. A recent report shows that attacks on businesses increased threefold between January and September of 2016, going from one attack every two minutes to one every 40 seconds.
The objective of ransomware is to get activated — that is, getting a recipient to open an infected file, which typically encrypts the victim's hard drive. The attacker then offers to provide the victim with the key to unlock the hard drive — for a price. As payments are made using Bitcoin, they can't be traced or reversed, and the criminals securely collect the bounty.
One of the most recent examples to make the news was the attack on the St. Louis Public Library in January. The cybercriminals used malware to infect approximately 700 computers at 16 different locations and demanded $35,000 in Bitcoins for the decryption of the infected files. Luckily, the library didn't have any personal or financial information stored on these computers, and they had a backup system, so they chose not to pay the attackers. However, many other organizations aren't so lucky. According to the FBI, cybercriminals collected $209 million in reported ransomware payments in the first quarter of 2016 alone.
As long as ransomware attacks are successful, we're all at risk. In a recent article, Jeff Schilling suggests several good approaches toward mitigating the risk of ransomware. However, the level of complexity going into these attacks means that it's increasingly unlikely they will be spotted, so it's increasingly likely that the frequency of these attacks will continue to grow. As attackers get better at automating these attacks, and at creating better context that drives clicks, organizations will need to have a stronger understanding of identity deception, and develop more sophisticated ways of preventing these attacks from ever reaching their intended targets.