How to protect against the latest payload-less social engineering attacks [Q&A]
Social engineering is one of the most common approaches taken by cybercriminals in order to steal data or get users to install malware.
But a new generation of payload-less attacks is now starting to emerge. How can businesses protect themselves from these threats? We spoke to Evan Reiser, CEO and co-founder of email security specialist Abnormal Security to find out.
BN: What are the newer types of modern social engineering attacks that you are seeing in the wild and why do they evade most security teams?
ER: Email has been the leading attack vector for cyberattacks for years. In response, organizations have invested heavily in email security solutions. Yet in spite of increasing awareness, business email compromise (BEC) losses continue to grow. The FBI's Internet Crime Complaint Center (IC3) says BEC scams have led to $26 billion in losses.
Today's threat actors are creating increasingly sophisticated BEC attacks that rely on social engineering and lack the common threat signals to trigger detection. These attacks do not have attachments carrying malware. Nor do they contain URLs leading to malicious websites. The content of the email is generally simple, and the attacks are customized for each individual target. The payload-less nature of these BEC attacks evades detection from traditional email security solutions.
The Abnormal Security Research Team is seeing a rise in these types of payload-less attacks. Through investigations within our Threat Center, the team has found that 69 percent of payload-less attacks impersonate someone the recipient knows, while unsafe engagements with payload-less attacks are 17 times more likely than unsafe engagements with other types of attacks. And in recent weeks, the team has seen a rapid rise in the number of COVID-19 related attacks.
BN: Why are payload-less attacks considered a greater threat than traditional phishing attacks?
ER: BEC attacks in general represent a small portion of the total email attack vector. We find that of all the attacks our customers are facing, only five percent are payload-less. However, while this is a small percentage compared to payload-based spam and malware campaigns, BEC attacks are nearly always hand-crafted and incorporate heavy elements of social engineering. As such, they disproportionately represent the greatest financial risk.
BN: What are the typical characteristics of payload-less attacks?
ER: The most sophisticated BEC attacks fall into a few categories. For example, executive impersonation is one of the easiest attacks for threat actors to execute. These types of emails may be coming from reliable and known email services such as Gmail. Due to the widespread use and general business need to communicate with individuals using these services, emails from those sending domains cannot simply be blocked.
Conversation hacking techniques are used with both vendor and employee compromise attacks, both of which are extremely difficult to identify. With vendor compromise, the emails are coming from trusted relationships and attackers may reply to an existing email thread to seem even more credible. And with employee compromise, not only are the emails coming from trusted employees, but internal-to-internal mail flow (i.e. intra-domain) is not commonly scanned by traditional email security solutions.
Credential phishing attempts are impersonation attempts of a known brand such as Microsoft, Amazon, FedEx, Google, etc. While some email security solutions may detect these attacks (high-entropy URLs, previously seen URLs from a threat intelligence source, etc.), these attacks are difficult to reliably catch. The credential phishing sites do not typically contain malware, making typical sandboxing approaches ineffective.
Unsurprisingly, over the past few weeks the research team has observed that the majority of email attacks have a COVID-19 related element. In February 2020, the team looked at the most common characteristics of payload-less attacks and statistics related to how often they are used by threat actors. At the time, they found:
- 65 percent Engagement (the threat actor asks something like 'Are you there?')
- 18 percent Bitcoin Extortion
- 10 percent Gift Card Fraud
- 7 percent Fraudulent Payroll Update
In April 2020, the team saw a 90 percent increase in COVID-19 related attacks. It found that the majority of attacks were driven by COVID-19 spam, which increased by 150 percent. Attacks have included COVID-19 vaccine donation scams, WHO donation scams, COVID-19 medication scams, stimulus payment attacks and Zoom malware attacks preying on job layoff fears.
BN: What steps can security teams take to ensure they aren't failing to detect payload-less attacks?
ER: In order to protect against modern social engineering attacks, today’s security teams need to analyze a broader set of data in order to better understand the context of communications. For example:
- Perform identity modeling of both internal and external (partners, vendors, customers) entities, and analyze more data sources as a part of that modeling.
- Create relationship graphs to understand not only the strength of each connection and the frequency of communication, but also the content and tone of the communication.
- Perform email content analysis using techniques like computer vision, natural language processing, deep URL analysis and threat intelligence.
These techniques will provide automated insights that a human analyst can review. The increasing sophistication of attacks means that security teams need to employ more sophisticated protections. Leveraging techniques that offer a better understanding of the context of communications is the best place to start.
BN: In addition to the steps security teams can take, how should companies be thinking about security awareness training together with effective email security?
ER: While the bulk of the responsibility to stop BEC attacks should fall on the security team, it’s still important to examine the type of security awareness training you're offering. Traditionally, security awareness training has focused on the mechanics -- giving employees a mental checklist to see whether they recognize the domains, the sender or the email addresses, and whether they see misspellings in the email or weird links.
This type of analysis will help employees avoid falling victim to the average phishing email, but it doesn't really help employees if they’re targeted with a sophisticated payload-less email. Today’s BEC emails reach new heights in terms of personalization and are often very thoughtfully put together with information that sounds like only the purported sender could send.
It’s time to shift the focus of security awareness training away from traditional phishing tactics and encourage employees to use their judgement: pause and think about the content. If someone is asking you to bypass a business process, think about what they’re asking and if this is normal. Threat actors have become more sophisticated and security awareness training must educate employees about how tactics have evolved.
The entire organization should receive security awareness training -- from the C-suite to the finance team to the marketing department. But while this is important, you also don’t want all your employees to be spending 10 minutes of every day analyzing emails. A more educated workforce is simply supplemental to the efforts of your security team and the technology you have in place.