An insidious form of email phishing is hitting companies. But there’s no malware, no attachments -- none of the things that might tip off IT departments; nor are victims asked to wire transfer money.
Instead, users are lured to a fake log-in page by emails that appear to come from a trusted service like Microsoft Outlook, DocuSign or Google Docs. The goal is not to download malware, but to “harvest employee credentials,” warns Asaf Cidon, VP of email security at Barracuda.
Barracuda sees these attacks as the biggest email security threat of 2018.
“In order of magnitude, they’re more common than employee impersonation attacks,” Cidon says. “In our customer base, we’re seeing them five to ten times more frequently than emails impersonating employees.”
Cidon adds that several characteristics allow these cyber criminals to bypass traditional email security systems. For example, “the links themselves are not the links that were used before in a phishing attack, so they will not appear on blacklists,” he says.
Some links will be to a “legitimate small business website,” Cidon continues. “The attacker will put in a fake sign-in page within that website.” In addition, he says, the emails often have “some kind of personalized aspect” such as a name.
These attacks are having a severe effect on beleaguered IT staff. “The attackers are stealing employee credentials, and sending out hundreds of additional emails from that employee’s account,” Cidon says. “There are hundreds of compromised accounts. IT people have to delete all these emails and reset all the passwords.”
Link protection technologies like “safe links” will not fend off these attacks.
“A lot of the security industry hasn’t been talking about it, because to be blunt, they don’t have solutions,” Cidon claims. “Microsoft itself doesn’t stop emails that are impersonating Microsoft.” The same goes for Google.
Barracuda has heard about the problem from several clients, from universities to airlines, and says it can combat it with its Barracuda Sentinel solution.
How does this differ from other security products? It can be taught to detect “social engineering that typically evades traditional email security systems,” Cidon says. “We trained our system to understand what a normal email from Microsoft or Dropbox would look like.”
He explains, “We’ve seen tens of thousands of emails from Microsoft, so we expect them to come from specific email addresses or an affiliated domain. We analyze the body and expect the links to go to specific Microsoft-affiliated websites…if there’s a bogus address, and a link going to an obscure website, it might not be on a blacklist, but they’re not going to Microsoft, so that raises a system alarm.”
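The check Cidon describes, as an added example that is not Barracuda’s code: work out which brand an email claims to come from, then alarm when the sender address or any link points outside that brand’s affiliated domains. The allow-lists and the two sample emails are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-lists: domains a real mail from each brand is expected
# to use for its sender address and its links (illustrative, not real data).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com", "live.com"},
    "google": {"google.com"},
}
# Words in a subject or body that show which brand the mail claims to be from.
BRAND_KEYWORDS = {
    "microsoft": ("microsoft", "outlook", "office"),
    "google": ("google",),
}

def affiliated(host, brand):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def analyse(raw_email):
    """Return the claimed brand and the alarms raised for a single-part email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    brand = next((b for b, kws in BRAND_KEYWORDS.items()
                  if any(k in text for k in kws)), None)
    if brand is None:
        return {"brand": None, "alarms": []}   # no brand claim, nothing to check
    alarms = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not affiliated(sender.rpartition("@")[2], brand):
        alarms.append(f"sender {sender} is not a {brand} address")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not affiliated(host, brand):   # link leaves the brand's sites
            alarms.append(f"link to {host} is not a {brand} site")
    return {"brand": brand, "alarms": alarms}

# Constructed samples: a lure in the style quoted in the article, and a genuine-looking mail.
PHISH = ("From: Office 365 Team <alerts@mail-office-notice.example>\n"
         "Subject: Important Notice: You Have 92 Undeliverable Message\n\n"
         "Office server detected clustered messages undelivered. Review here:\n"
         "http://smallbiz-bakery.example/wp-content/office/login.php\n")
LEGIT = ("From: Microsoft account team <account-security@accountprotection.microsoft.com>\n"
         "Subject: Unusual sign-in activity\n\n"
         "Review recent activity at https://account.microsoft.com/activity\n")
```

Running `analyse(PHISH)` yields two alarms (unaffiliated sender and link) while `analyse(LEGIT)` yields none; a mail that names no brand is left alone.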
All well and good -- but wouldn’t it help if employees didn’t open these links to begin with? See if you can tell if they’re phony. Here’s one example:
“Important Notice: You Have 92 Undeliverable Message
Office server detected that you have (19) clustered messages undelivered since 22nd of January 2018 UTC”
Another subject line says, “You Have Just Receivied (1) New Security Document Via Google Docs!”
Here’s yet another: “Error sending failure.”
“We are informing tou to add free storage to avoid losing your incoming/Outgoing emails, create the best experience possible with Microsoft.
“By adding free storage, you’ll help us understand what’s going well, and what we can do better.
“It will take only 5-10 minutes.”
Here’s one clue: As with other spam emails, watch out for grammar and weird capitalization.