The Rising Threat of Email Based Attacks, and How To ... · Fraud Legitimate Email URL Attachment Social Engineering Unsolicited Email Grey Mail Con Scattershot Targeted SPAM Destination

© 2017 Agari. All rights reserved. Confidential and Proprietary.

The Rising Threat of Email Based Attacks, and How To Counter It

October 9, 2017

Markus Jakobsson

© 2017 Agari. All rights reserved. Confidential and Proprietary.2

The last fifteen years in one minute


Email Identity Deception, circa 2004

3



4



5

L\

Look for misspellingsLook for poor grammar

Is it not addressed to you?Does it look unprofessional?


Email Identity Deception, 2016

6



7

Hi John

CHANGE PASSWORD

Slick logos



8

Hi John

CHANGE PASSWORD

Slick logos

L\

Look for misspellingsLook for poor grammar

Is it not addressed to you?Does it look unprofessional?

L\



9

Cyrillic o



10

Spoofed partially

protected subdomain


The amount of emailin one minute


Wanted email: ~60 million



Wanted email: ~60 millionScattershot attacks: ~3000



Wanted email: ~60 millionScattershot attacks: ~3000

Targeted enterprise attacks: ~55



Targeted enterprise attacks: ~55


2370% increase 2015-2016 (FBI/IC3)


Trend: increasing sophistication

greedimproved psychologybetter design competenceand a confluence of attack tools

16

$5Bn



greedmore targetingimproved psychologybetter design competenceand a confluence of attack tools

17




18

16%

“Social Phishing”, Jagatic et al.

Yield of generic attack

16%




19

16%

“Social Phishing”, Jagatic et al.

16%

Yield of targeted attack

73%




20




21



greedmore targetingimproved psychology

22

Incoming eFax: Elections Outcome Could Be revised [Facts of Elections Fraud]




23

Taylor Fax <[email protected]>




24

PIN CODE: 3209




25

PhishMe 2016 Enterprise Phishing Susceptibility and Resiliency Report

20.2%




26




27



greedmore targetingimproved psychologybetter design competenceand a confluence of capabilities

28




29




30




31


Things can (and will)

get worse


Why do people look in their spam folders?

33

1 3 1 4

11



34

1 3 1 4

11



35



36



37

your spam filter is not tuned correctly



38


look for a message sent by Google



39



If the message is in your spam folder



40



If the message is in your spam folder

Make sure to review the alert first



41

From: [email protected]



Inbox

42

Spam folder (quarantine)

~0%

~10%

~20%



43

trust transfer trick(For more details, look for my upcoming paper with

Hossein Siadati, Toan Nguyen, Nasir Memon)


How attackers can turn services into opportunity

44



45



46



47

There’s no account associated with this email.



48



49



50

You may need to check your Junk or Spam folder.



51



52



53



54



55

[email protected]



56

[email protected]



57

[email protected]

Att_Update <[email protected]>



58

[email protected]

Click here



59

just anothertrust transfer trick


use yourknowledgeagainst you

Another way attackers can


Did you know this?

61

bank checks can bounce


Did you know this?

62


Did you know this?

63

wirescan not

bounce


Attacker does: Victim thinks:

64

Ask victim for wire information

Drop fake checkin night deposit

I will receive money

Money was wired


Attacker does: Victim thinks:

65

Ask victim for wire information

Drop fake checkin night deposit

I will receive money

Money was wired

To sum it up:You may think you were paid. Maybe you were not.


Account Take Over on the rise

66



67



corrupt


monetize

corrupt



corrupt

collect + launch


monetize


Understandthensolve


Impostor Authentic

Spoof Look-alike Domain Display Name Deception Account OwnerCompromiseSender

Source Internal External

Classification

Fraud Legitimate Email

URL Attachment

Social Engineering

Unsolicited Email

Grey Mail

Con

TargetedScattershot

SPAM

Destination Internal External

StrangerTrusted partyEmployee webmail

Objective Monetary Data/Credential Theft Denial of Service

First understand the problem – then solve it


Impostor

Spoof Look-alike Domain Display Name Deception CompromiseSender

First understand the problem – then solve it

6%

10% 84%puny

but

exploding


Addressing deceptive display names

1.List of trusted parties.“Bo Bigboss <[email protected]>”

2.Incoming email “Bo BigBoss <[email protected]>”

3.High risk? Warn-and-deliver!“Stranger Danger! <[email protected]>”74




2.Incoming email. “Bo BigBoss <[email protected]>”





2.Incoming email. “Bo BigBoss <[email protected]>”



Impostor Authentic

Spoof Look-alike Domain Display Name Deception Account OwnerCompromiseSender

Addressing compromised accounts

OriginCompromised device Compromised credentials Compromised API access

Local scriptOAuth

Easiest for the attackersEasiest for the defenders



78



79

SMS to associated phone number

Proprietary


but filteringis not everything


Our view Attacker’s view

Filtering?keeps us safe

81

Filtering? press pedal harder!

Malicious emails sentrisk: loss/threat

Malicious emails sentopportunity: money


Our view Attacker’s view

Filtering?keeps us safe

82

Filtering? press pedal harder!

Malicious emails sentrisk: loss/threat

Malicious emails sentopportunity: moneyrisk: loss/threat opportunity: intelligence

(Look out for upcoming papers, one of which is with Hossein Siadati and Yifan Tian)


Want to talk?

[email protected]

Documents

The Rising Threat of Email Based Attacks, and How To ... · Fraud Legitimate Email URL Attachment Social Engineering Unsolicited Email Grey Mail Con Scattershot Targeted SPAM Destination