With October being Cyber Security Awareness Month, we asked Yves, our Technical Support Director and all-around email security superstar, to share what keeps him up at night and where he thinks you should be focusing your efforts in improving cyber security awareness – and being more protected as a result.
Almost all of the threats we are seeing these days exploit the weakest link they can in the chain of information security – humans (at least the successful threats do).
Originally, email-borne threats were, by today’s standards, pretty obvious – attackers would transmit self-extracting executables to users and people would fall for it and run them, getting infected in the process. Most service providers have implemented filtering systems that block the most obvious stuff (blocking by attachment type, putting in basic virus filtering, etc.). These attacks were meant to infect specific platforms, most of the time to “enslave” the machine to form botnets.
However, in the past few years, Business Email Compromise (BEC), CEO Fraud, Whaling or Spearing have come to the fore. These attacks work by sending out highly tailored emails to very specific targets in companies to get people to make money transfers to fraudulent parties, instead of directly attacking and infecting the machine the person uses.
Some of these very specific attacks also encourage users to click on malicious links to get drive-by download content in the hopes of infecting a user’s machine. They then mine the C-level folk, assuming that more information can be gleaned from the data contained. They also might go the ransomware route, proceeding to infect the machine with encryption worms (e.g. Cryptolocker and its descendants) in order to extract money via blackmail.
So, the crimes over the years have gone from direct security threats targeting machines to actually extracting money from specific individuals in organisations. Because people are using a greater diversity of (heterogeneous) machines, attacking the machines themselves is becoming less of a priority – attackers don’t necessarily know how or on what device and operating system the targeted party will retrieve that email. Seven or eight years ago, most people were still using PCs to check their email as their primary communication platform. Today that’s not true anymore. Most people regularly move between desktop, laptop, mobile and tablet devices.
Because communications platforms are growing more heterogeneous instead of homogeneous, the only thing you can say for sure is that we’ll see more of these money-extracting/blackmail type emails targeting human victims as opposed to more conventional machine (or platform specific) threats.
One thing the American election has shown is the massive ability of interested parties to manipulate political opinion, or foment division in groups (regardless of political orientation). I wouldn’t be surprised if we start seeing politically interested attacks using the same attack vectors as BEC threats.
Example: Using phishing techniques, pretending to be the CEO of company X, you could try to induce the CEO of company Y to make foolish moves that in turn make stock prices dive or climb. Think of a very sophisticated fraud scheme to get stock prices to fluctuate in your favor. I’m thinking of very advanced pump and dumps.
Imagine a pump and dump where spammers would send “Buy Alerts” to people with a stock name. These spammers would pre-emptively buy these penny-stocks at low value, send out these spam blasts hoping that people would buy, driving up the price and then dump these stocks, making a quick profit.
Truly sophisticated criminals will probably leverage email to manipulate markets, individual companies and shareholders for financial and political aims – and the only defence will be educational/psychological. Technology won’t help much.
Overall, you still need the technology as much as ever. Attacks are easy to launch, and there are very few barriers to launching them, along with the ability to collect ransoms relatively anonymously. Those security elements can be covered quite comprehensively with technology. Beyond that, it’s the future of highly targeted and automated malicious campaigns that remains the most frightening on our list.