Cybercriminals are constantly altering their techniques to bypass increasingly advanced technical controls in order to deliver credential phishing attacks, business email compromise (BEC), and different forms of malware to unsuspecting users who rarely think twice about clicking.
Between Oct. 2018 and March 2019, researchers with the Cofense Phishing Defense Center analyzed 31,429 malicious emails. At 23,195, credential phishing attacks fueled the bulk of emailed cyberattacks, followed by malware delivery (4,835), BEC (2,681), and scams (718). Subtle tactics like changing file types, or using shortened URLs, are giving hackers a hand.
"We do continue to see them evolve with simple adjustments," says Cofense co-founder and CTO Aaron Higbee. Credential-phishing emails using fake log-in pages are tough to stop at the gateway because often associated infrastructure doesn't seem malicious. Some campaigns, to disguise malintent, send emails from genuine Office 365 tenants using already compromised credentials or legitimate accounts – and a fake login page hosted on Microsoft infrastructure is "nearly impossible" to distinguish.
Researchers report many secure email gateways don't scan every URL; instead, they only focus on the type of URLs people actually click. But with more phishing attacks leveraging single-use URLs, enterprise risk grows. Attackers only need one set of legitimate credentials to break into a network, which is why credential phishing is such a popular attack technique, they explain.
Cloud adoption is changing the game for attackers hunting employee login data. Businesses are shifting the location of their login pages and, consequently, access to network credentials.
"As organizations continue to move to cloud services, we see attackers going after cloud credentials," Higbee says. "We are also seeing attackers use popular cloud services like SharePoint, OneDrive, Windows.net to host phishing kits. When the threat actor can obtain credentials, they are able to log into the hosted service as a legitimate user."
It's tough for organizations to defend against cloud-based threats because they don't always have the same visibility to logs and infrastructure as they do in the data center. It's a complex issue, Higbee continues, because businesses may engage with cloud providers and fail to include security teams, which need to be kept in the loop on monitoring and visibility needs.
Special Delivery: Malware
More attackers are using atypical, different file types to bypass attachment controls of email gateways and deliver payloads. As an example, researchers point to when Windows 10 changed file-handling for .ISO files, which gave hackers an opportunity to shift away from the .ZIP or .RAR files usually inspected by security tools. In April 2019, Cofense saw attackers rename .ISO files to .IMG, successfully transmitting malware through secure gateways.
"The gateway sees this as a random attachment, but when you download the file to the device, Windows 10 treats it as an archive and opens it in explorer allowing the victim to click the contents within," says Higbee. "Nothing changed in the malware, just the file extension name."
There is a challenge in defending against these types of threats because, as Higbee points out, there are legitimate attachment types you can't block without disrupting the business. "We see this with PDF files that include links to the malicious site that might be a spoofed login page where they could capture credentials," he adds. Businesses can't blindly block these file types.
Some attackers rely on "installation-as-a-service," through which they can pay to have malware installed on a machine, or group of machines, anywhere in the world. As Cofense points out, Emotet started as a banking Trojan but gained popularity as a loader for other malware; now, its operators have transformed Emotet into a complex bot responsible for several functions.
Cyberattackers who sent malware via malicious attachments in the past year exhibited a strong preference (45%) for exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882). In previous years, they had heavily used malicious macros, which only accounted for 22% of malware delivery tactics this past year.
CVE-2017-11882 lets attackers abuse a flaw in Microsoft Equation Editor that enables arbitrary code execution. They can chain together multiple OLE objects to create a buffer overflow, which can be used to execute arbitrary commands often involving malicious executables. Equation Editor is an old application and lacks security of recent Microsoft programs; researchers expect the flaw will be exploited less as companies patch and use newer apps.