By David Jemmett, founder and CEO, Cerberus Sentinel
We’re all likely to have experienced some form of phishing in our lifetimes and are likely to experience it again in the future. Time and time again, cybercriminals are resorting to the tried and true methods of phishing and business email compromise (BEC) for financial gain. An overwhelming 80% of security incidents begin with a phishing attack, and an average of almost $18,000 is lost every minute. Recently, a BEC scamming ring was caught which had managed to successfully hit nearly two million targets, obtaining almost $500 million. With such a high success rate, it is no surprise that criminals are continuing to favour phishing scams.
It’s a universal truth in security that phishing emails are in a constant state of development on the attacker’s side, becoming more and more sophisticated, with criminals incorporating official-looking headshots, phone numbers and signatures lifted from a genuine law firm. Anyone unfortunate enough to click on the attached PDF would no doubt have found malware rattling through their computer and beyond, causing extensive damage. While we’re lucky to be in the industry we are, and understand these threats, not everyone has the same awareness or experience on their side.
Upon further investigation into some phishing emails I had recently received, I found that some details didn’t add up. For starters, the location of the sender didn’t match the location of the real attorney’s office; in fact, they were in completely different states. We then called the phone number given in the email. It was answered as though it were a legitimate law firm, but the call revealed that the attorney’s real phone number was different from the one given in the email.
These phishing emails have data security implications both for recipients without security awareness and for the firms the cybercriminals are impersonating, since the impersonation can erode trust in the firm. One of the best, and only, ways to confirm legitimacy is rigorous research, and that is what we did.
One of the engineers at Cerberus Sentinel and I did some forensics on one of the emails and its attached PDF to see what it intended to do. We detonated the email in a safeguarded standalone sandbox, where the PDF redirected us to seven known malicious sites that would have been loaded into my browser. Along with that, it also contained a Ryuk-type program that would have run as soon as I clicked the file, opening Adobe on my system.
The results were astonishing. Not only was it redirecting to the malicious sites, but it also started sending data to bad IPs. After only a few minutes of this test, the sandbox was compromised through several file directories and connections with these bad IPs. Within a commercial network, this scam would have compromised both the device the email was received on and the network itself.
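Before detonating an attachment like this, a static pass over the PDF tells you what to expect: the names that let a document act on open (/OpenAction, /JavaScript, /Launch, /URI) and the URLs it would redirect to. The script below is an added example, not code from the article or from Cerberus Sentinel; it scans both the raw bytes and the contents of FlateDecode streams, because the redirect actions are frequently hidden inside compressed objects. The PDF it analyses is a constructed sample with placeholder domains, not the file described above.

```python
import re
import zlib

# PDF names that let a document act on open: run JavaScript, follow URIs,
# launch programs or carry embedded files. Their presence is a triage signal,
# not proof of malice.
RISKY_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/SubmitForm")

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# An object dictionary followed by its stream body; the tempered dot stops one
# match from spanning several objects.
STREAM_RE = re.compile(
    rb"<<((?:(?!endobj|stream).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the joined bodies of every FlateDecode stream that inflates cleanly."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" in m.group(1):
            try:
                bodies.append(zlib.decompress(m.group(2)))
            except zlib.error:
                pass  # truncated or deliberately corrupt stream; skip it
    return b"\n".join(bodies)


def triage_pdf(data: bytes) -> dict:
    """Static triage: count risky names and collect /URI targets, looking in the
    raw bytes and inside inflated streams, where indicators are often hidden."""
    decoded = inflate_streams(data)
    combined = data + b"\n" + decoded
    indicators = {k.decode(): combined.count(k) for k in RISKY_KEYS if k in combined}
    uris = sorted({u.decode(errors="replace") for u in URI_RE.findall(combined)})
    return {"indicators": indicators, "uris": uris, "inflated_bytes": len(decoded)}


# Constructed sample, not a real malicious file: an OpenAction that runs JavaScript,
# a plain /URI action, and a compressed stream hiding a second /URI. All domains
# are placeholders.
HIDDEN_ACTION = b"<< /S /URI /URI (http://malicious.example/drop) >>"


def build_sample_pdf() -> bytes:
    packed = zlib.compress(HIDDEN_ACTION)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj\n"
        b"4 0 obj << /S /URI /URI (http://redirect.example/two) >> endobj\n"
        b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf())
    for name, count in report["indicators"].items():
        print(f"{name:<14} x{count}")
    for uri in report["uris"]:
        print("URI:", uri)
```

The URIs it recovers are what you block or sinkhole before the sandbox run, and the count of action names tells you whether the document does anything at all without user interaction; it deliberately does not render or execute the file, so it is safe to run on the analysis host before the isolated detonation.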
Worryingly, we are seeing such scams become more expertly targeted at individuals, meaning recipients are more likely to open the emails, and without the necessary security awareness training they are none the wiser. The increasing sophistication of phishing and BEC scams highlights the need for stronger email security systems and for training that addresses human vulnerability.