Last month, the United States Department of Justice (DOJ) announced the indictment of a Lithuanian man for allegedly stealing $100 million from two U.S. tech companies. While the names of the two compromised organizations remain concealed, the DOJ did reference an elaborate spear-phishing campaign as the trigger for the heist. Tom Brown, a former Manhattan federal prosecutor and managing director of Berkeley Research Group's cyber security practice, told Reuters that the attacks, “appear to be the largest email scam that I've seen.”
According to an article in Fortune, “to make the scheme more convincing, Rimasauskas (the criminal) also used forged invoices that appeared to be from the tech company executives, and created fake corporate stamps with the companies' names.” This elaborate business email compromise (BEC) is indicative of a larger trend in phishing: attackers go to extraordinary lengths to avoid the suspicion of employees and security personnel who are increasingly conscious of malicious email. In fact, the FBI reported a 270 percent year-over-year increase in BEC attacks in 2016 (other studies peg the increase closer to 1,000 percent), including the highly publicized attack against Snapchat, in which an employee was tricked by a spoofed executive email into leaking company payroll data.
Unfortunately, the news confirming the massive BEC attack on two U.S. tech firms is yet another example of the cybersecurity industry being outmaneuvered by attackers using some of the oldest trickery in the book. With more than 95 percent of cyberattacks, including the impersonation revealed in this case, originating from spear phishing, it’s time for security pros to shut out the industry’s noise and shiny objects and develop defensive strategies that truly interrupt attackers at what they do best: executing highly sophisticated, personally tailored phishing emails.
The Dangerous Effectiveness of Email Spoofing
From what we know about these attacks so far, the attacker used a fake email account to impersonate a third-party vendor, a technique that is equally suited to gaining network access for reconnaissance. According to court documents obtained by The Verge, the attacker succeeded "by masquerading as a prominent Asian hardware manufacturer.” Attacks that target specific personnel in this way can be highly evasive: there is no malware to detonate and no malicious link to block, only a plausible sender making a plausible request.
Sophisticated hackers, cyber criminals and nation states are increasingly utilizing email spoofing because many cybersecurity solutions are not designed to identify attacks that rely on context (a familiar name, a familiar business process) rather than a malicious payload, nor to filter such emails at the gateway. This deficiency marginalizes many security teams, confining them to a reactive posture that prioritizes minimizing damages over proactive attack identification and remediation. For the two U.S. tech companies, the spear-phishing attack that “tricked employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries” was met with zero initial resistance.
Mitigating Email Spoofing Risk with Machine Learning
One way to tackle such attacks is to profile individual email correspondents and look for impersonation attempts using Machine Learning (ML). With ML, algorithms continuously improve at detecting anomalies and irregular communication patterns based on learned experience, reducing false positives and bolstering proactive defenses. Using a “bottom-up approach,” the system observes every employee mailbox individually, collecting statistics about each sender: not just the volume of email passing through, but who the actual correspondent is, which addresses and domains that correspondent has used before, and how the recipient interacts with that correspondent's attachments and links. This approach is more thorough than gateway/ISP solutions that rely on volume alone, because a first-time sender who shares a display name with a known executive, or writes from a lookalike domain, stands out against the mailbox's own history even when nothing about the message would trip a global reputation filter. With local reputation analysis, users can better spot spear-phishing and email spoofing attempts, and their feedback in turn lets the ML algorithm get smarter in real time.
In addition, ML can ensure that each and every email landing in an employee mailbox is evaluated, with the results visualized for non-technical employees. That consistency is important to counter the proliferation of BEC spoofing and impersonation, since those attacks typically appear to come from high levels within an organization. Most importantly, whenever ML identifies a malicious email, communication between the machine and people or other technology solutions can occur in real time, triggering automatic responses and/or SOC team notification.
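To make the per-mailbox profiling concrete, here is an added example (not IRONSCALES code, and not the method described in the court documents) of the “local reputation” idea in plain Python. It builds a correspondent profile from a constructed mailbox history, then scores new messages for three impersonation signals: a known display name paired with a never-before-seen address, a sender domain within a small edit distance of a domain the mailbox already trusts, and a first-time sender asking for a financial action. The history, the addresses, the domains and the message bodies are all invented for the example; a production system would learn the profile from the real mailbox and feed the analyst's verdicts back into it.

```python
"""Per-mailbox correspondent profiling to spot BEC-style impersonation (illustrative example)."""
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed mailbox history for one employee: (From header, message carried attachment/link).
# Invented sample data for this example, not from the page or any real case.
HISTORY = [
    ("Jane Doe <jane.doe@example-corp.com>", True),
    ("Jane Doe <jane.doe@example-corp.com>", False),
    ("Jane Doe <jane.doe@example-corp.com>", True),
    ("Accounts Payable <ap@acme-hardware.example>", True),
    ("Accounts Payable <ap@acme-hardware.example>", True),
]

# Words that mark a request for money; a first-time sender using them is worth a second look.
MONEY_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|bank account|urgent)\b", re.I)


def build_profile(history):
    """Learn, for one mailbox, which addresses each display name has used and which domains are known.

    Returns (names, domains): names maps lower-cased display name -> {address: count},
    domains maps sender domain -> count of messages seen from it.
    """
    names = defaultdict(lambda: defaultdict(int))
    domains = defaultdict(int)
    for header, _had_link in history:
        name, addr = parseaddr(header)
        addr = addr.lower()
        names[name.strip().lower()][addr] += 1
        domains[addr.rsplit("@", 1)[-1]] += 1
    return names, dict(domains)


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (a swapped, dropped or doubled character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header, body, names, domains):
    """Return the list of impersonation signals for a new message; an empty list means it matches history."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    known_addrs = {a for per_name in names.values() for a in per_name}
    reasons = []

    # 1. Display-name spoofing: the name is familiar, the address behind it is not.
    if name in names and addr not in names[name]:
        reasons.append("display name matches a known correspondent but the address is new")

    # 2. Lookalike domain: close to one the mailbox already trusts, but not identical.
    if domain not in domains:
        for known in domains:
            if 0 < edit_distance(domain, known) <= 2:
                reasons.append(f"sender domain {domain} is a lookalike of {known}")
                break

    # 3. A sender this mailbox has never heard from asking for money.
    if addr not in known_addrs and MONEY_WORDS.search(body):
        reasons.append("first-time sender requests a financial action")
    return reasons


if __name__ == "__main__":
    names, domains = build_profile(HISTORY)
    samples = [  # constructed test messages
        ("Jane Doe <jane.doe@example-corp.com>", "Please wire the payment today."),
        ("Jane Doe <jane.doe@gmail.example>", "Urgent: wire $50,000 to the account below."),
        ("Accounts Payable <ap@acme-hardvvare.example>", "Updated invoice attached; use our new bank account."),
    ]
    for hdr, body in samples:
        print(hdr, "->", assess(hdr, body, names, domains) or ["matches mailbox history"])
```

The three checks are deliberately independent so an analyst can see which one fired; in the second sample only the display-name and first-time-sender rules trip, while the third sample trips all three because `acme-hardvvare` is two edits away from `acme-hardware`. The edit-distance threshold and the money-word list are the tunable parts: a real deployment would learn both per organization rather than hard-code them.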
Email spoofing is not going to disappear any time soon. If anything, successful attacks such as the one against the two U.S. tech companies will only increase the frequency of impersonation attempts. Overall, a combination of a vigilant workforce and ML is needed to reduce the risk of increasingly sophisticated and frequent attacks before it’s too late.
About Eyal Benishti
Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the information security domain.