Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:45 PM
Connect Directly

How Today's Cybercriminals Sneak into Your Inbox

The tactics and techniques most commonly used to slip past security defenses and catch employees off guard.

Cybercriminals are constantly altering their techniques to bypass increasingly advanced technical controls in order to deliver credential phishing attacks, business email compromise (BEC), and different forms of malware to unsuspecting users who rarely think twice about clicking.

Between Oct. 2018 and March 2019, researchers with the Cofense Phishing Defense Center analyzed 31,429 malicious emails. At 23,195, credential phishing attacks fueled the bulk of emailed cyberattacks, followed by malware delivery (4,835), BEC (2,681), and scams (718). Subtle tactics like changing file types, or using shortened URLs, are giving hackers a hand.

"We do continue to see them evolve with simple adjustments," says Cofense co-founder and CTO Aaron Higbee. Credential-phishing emails using fake log-in pages are tough to stop at the gateway because often associated infrastructure doesn't seem malicious. Some campaigns, to disguise malintent, send emails from genuine Office 365 tenants using already compromised credentials or legitimate accounts – and a fake login page hosted on Microsoft infrastructure is "nearly impossible" to distinguish.

Researchers report many secure email gateways don't scan every URL; instead, they only focus on the type of URLs people actually click. But with more phishing attacks leveraging single-use URLs, enterprise risk grows. Attackers only need one set of legitimate credentials to break into a network, which is why credential phishing is such a popular attack technique, they explain.

Cloud adoption is changing the game for attackers hunting employee login data. Businesses are shifting the location of their login pages and, consequently, access to network credentials.

"As organizations continue to move to cloud services, we see attackers going after cloud credentials," Higbee says. "We are also seeing attackers use popular cloud services like SharePoint, OneDrive, Windows.net to host phishing kits. When the threat actor can obtain credentials, they are able to log into the hosted service as a legitimate user."

It's tough for organizations to defend against cloud-based threats because they don't always have the same visibility to logs and infrastructure as they do in the data center. It's a complex issue, Higbee continues, because businesses may engage with cloud providers and fail to include security teams, which need to be kept in the loop on monitoring and visibility needs.

Special Delivery: Malware

More attackers are using atypical, different file types to bypass attachment controls of email gateways and deliver payloads. As an example, researchers point to when Windows 10 changed file-handling for .ISO files, which gave hackers an opportunity to shift away from the .ZIP or .RAR files usually inspected by security tools. In April 2019, Cofense saw attackers rename .ISO files to .IMG, successfully transmitting malware through secure gateways.

"The gateway sees this as a random attachment, but when you download the file to the device, Windows 10 treats it as an archive and opens it in explorer allowing the victim to click the contents within," says Higbee. "Nothing changed in the malware, just the file extension name."

There is a challenge in defending against these types of threats because, as Higbee points out, there are legitimate attachment types you can't block without disrupting the business. "We see this with PDF files that include links to the malicious site that might be a spoofed login page where they could capture credentials," he adds. Businesses can't blindly block these file types.

Some attackers rely on "installation-as-a-service," through which they can pay to have malware installed on a machine, or group of machines, anywhere in the world. As Cofense points out, Emotet started as a banking Trojan but gained popularity as a loader for other malware; now, its operators have transformed Emotet into a complex bot responsible for several functions.

Cyberattackers who sent malware via malicious attachments in the past year exhibited a strong preference (45%) for exploiting a Microsoft Office memory corruption vulnerability (CVE-2017-11882). In previous years, they had heavily used malicious macros, which only accounted for 22% of malware delivery tactics this past year.

CVE-2017-11882 lets attackers abuse a flaw in Microsoft Equation Editor that enables arbitrary code execution. They can chain together multiple OLE objects to create a buffer overflow, which can be used to execute arbitrary commands often involving malicious executables. Equation Editor is an old application and lacks security of recent Microsoft programs; researchers expect the flaw will be exploited less as companies patch and use newer apps.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
6/13/2019 | 2:47:19 AM
Always be vigilant
This problem needs one simple solution -- better awareness. The more we become educated, the more we will be on our guard. Employees need to be told of the various ways cyber criminals work so as to detect potential harm before they can strike. When people become educated, they are more prepared and will always remain vigilant.
User Rank: Ninja
6/4/2019 | 3:52:30 PM
"If you don't need it, don't read it, delete it."
My golden rule. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...