Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11:00 AM
Robert Lemos
Robert Lemos

Stealing Corporate Funds Still Top Goal of Messaging Attacks

Cybercriminals focus on collecting credentials, blackmailing users with fake sextortion scams, and convincing privileged employees to transfer cash. The latter still causes the most damage, and some signs suggest it is moving to mobile.

Attackers continue to use many of the same phishing techniques as in the past, but, increasingly, the scams are much more targeted and, in some cases, have moved to mobile devices, according to two reports published today.

In its report, messaging-security firm Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in. The scams use a variety of reasons, from claiming the account has been frozen to asking the user to review a document.

Overall, attackers are moving to spear-phishing attacks because they are relatively low volume and can be sent from popular e-mail services, making it less likely they will be blocked, says Asaf Cidon, vice president of content security at Barracuda.

"Because they are not sending a high volume of attacks — it's quality and not quantity — and it is usually a human manually sending the e-mail and tailoring it, they can afford to send it from a Gmail account," he says. "And basically the popular e-mail security services and cloud providers won't block the e-mail because those services have a high reputation."

Despite advances in anti-spam systems, fraudulent messages continue to reach end users, aiming to take advantage of nontech-savvy workers to steal their credentials, convince them to pay fake invoices, or convince them that lurid secrets are in criminals' hands.

While e-mail scams that attempt to fool users into giving up their credentials for popular services are the most numerous, the most costly threat continues to be business e-mail compromise (BEC), where the fraudster attempts to fool an employee into paying a fake invoice. While BEC attacks only make up 6% of all spear-phishing attacks, according to Barracuda, they account for the most losses.

In 2017, for example, more than 15,000 BEC complaints  were filed with the Internet Criminal Complaint Center (IC3), amounting to an adjusted loss of $675 million, according to the center's annual report. By comparison, ransomware only accounted for $2.3 million in losses in 2017, the latest data available, according to the annual IC3 report.

Reprising the theme of using high-reputation services, more than 60% of BEC attacks come from one of 10 different e-mail service providers, Barracuda's Cidon says.

"What happened over time is that all these services actually started getting very high sender reputation," he says. "So, effectively, Gmail and Office 365 treat free e-mail services as very high-reputation sender domains.”

In some cases, attackers have also started moving victims over to text messaging as the primary conduit for the scam, according to the second report from messaging-security firm Agari. In its analysis, the firm described how the attack starts with a purported message from the company CEO asking for the employee's personal cell to "complete a task for me." The attacker then moves the discussion to SMS text messaging. 

Rather than aim for high-value accounts, the scam typically focuses on getting the employee to buy gift cards with the corporate credit card, the Agari report states. Gift cards have become a common way for scammers to cash out, with a quarter of fraud ending in payment by gift card, up from 7% in 2015, according to the U.S. Federal Trade Commission.

For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam. Employees need to be trained to recognize such fraud, says Crane Hassold, director of threat research at Agari.

In addition, companies need to have a procedure in place to catch the fraudulent transactions before they occur, he says.

"There needs to be a secondhand verification for that request," Hassold says. "If someone is asking for a wire transfer, confirm through a second channel."

Perhaps the easiest way to monetize leaked credentials — no matter what service the username and password originates — is through the increasingly popular sextortion scam. Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages, Barracuda stated in its report. The attackers typically pretend to have access to an online cache of pornography accessed by the target, to have recorded the target watching pornography, or to be a law enforcement agency investing child pornography.

"The fact that, at this point, it is 10% of targeted attacks is surprising," Barracuda's Cidon says. "It didn't exist a few months back, and now it is one of the most popular attacks on e-mail."

The attacks are likely underreported because of the sensitive nature of the threats, he says. 

The vast majority (88%) of all sextortion e-mail messages used subject lines having to do with a security alert or requesting a password change, Barracuda said. The majority of e-mail messages (60%) used only 30 subject lines.

Messaging attacks will continue to be a major threat for companies because they offer an easy way to gain employee credentials, compared with other cyberattacks based on malware, says Agari's Hassold. 

"We have seen cyberattacks decrease significantly over the past couple of years compared to social engineering attacks," he says. "The ROI for social-engineering attacks is much lower. I do not have to stand up that much infrastructure, and I do not need a lot of technical knowledge."

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...