The threat landscape is constantly evolving with new ways to attack being developed by criminals every day. The threat is especially dangerous for businesses whose email contains important financial and proprietary information. Take a look at these rising threats and a few ways to protect yourself.
Drive-by Email
In the good old days, an email infection usually meant that someone fell for an email link to “click here,” “buy now,” or “learn more.” Not so anymore. A new breed of malicious email with embedded HTML and JavaScript can infect a system just by being opened. The process is similar to a drive-by download on a website, where the script runs and you’re infected as soon as you hit the site. This email threat does the same as soon as you click to open the message, showing you a loading message while it infects your system.
Recent attacks of this sort have used updates from the FDIC to lure clicks. While not a new technique, January 2012 showed a notable increase of 1,225% in these types of attacks compared to December 2011.
Defend yourself: Disable HTML emails. For messages you trust, you can always manually enable HTML on the individual message.
Typo-squatting and doppelganger domains are also common techniques for malicious websites. You type in “shoesstore.com” or “shoe.store.com” instead of shoestore.com and find yourself on a similar-looking page giving your credit card number to criminals. This technique has moved into the inbox in the same form. By exploiting our natural tendency for typos, criminals are buying up misspellings of popular websites hoping you’ll mis-key your email to firstname.lastname@example.org as email@example.com. That puts the criminal in a position to play the middle man, forwarding your messages to the real shoestore.com to get sensitive company information out of them and sending emails back to you to get personal information out of you.
In a six month period, one study collected over 120,000 individual emails containing trade secrets, business invoices, employee data, network diagrams, usernames, and passwords gained from doppelganger domains.
Use your contacts list for commonly used email addresses to avoid mistakes. Register common misspellings and sub-domain typos before criminals can, and file domain name disputes when you find typo-squatting and doppelganger domains.
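One way to apply the doppelganger-domain advice above on the sending side, as an added example that is not part of the original article: a check that holds outgoing mail whose recipient domain is one keystroke or one dot away from a domain you trust. The TRUSTED list, the function names and the sample addresses are assumptions made for the illustration.

```python
# Added example: flag recipient domains that are near misses of trusted ones.
# TRUSTED and the sample addresses below are constructed for illustration.
TRUSTED = {"shoestore.com", "mail.shoestore.com"}


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(address, trusted=TRUSTED):
    """Return (verdict, lookalike_of) for one recipient address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Doppelganger: same characters with a dot added or dropped.
        if domain.replace(".", "") == good.replace(".", ""):
            return ("doppelganger", good)
    for good in sorted(trusted):
        # Typo: one keystroke away (extra, missing, wrong or swapped letter).
        if osa_distance(domain, good) == 1:
            return ("typo", good)
    return ("unknown", None)


def audit(recipients, trusted=TRUSTED):
    """Keep only the addresses that should be held for confirmation."""
    flagged = []
    for addr in recipients:
        verdict, lookalike = classify(addr, trusted)
        if verdict in ("doppelganger", "typo"):
            flagged.append((addr, verdict, lookalike))
    return flagged


if __name__ == "__main__":
    sample = ["pat@shoestore.com", "pat@shoesstore.com",
              "pat@shoe.store.com", "pat@partner.example"]
    for row in audit(sample):
        print(row)
```

The same classify function can be run over the sender domains of inbound mail to spot replies arriving from a lookalike of your own domain.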
According to Symantec data, targeted phishing attacks quadrupled last year with the very large and the very small businesses most vulnerable. Part of that growth was due to a more personalized type of targeted or spear phishing called whaling. Just like a spear phisher, whalers use publicly available information to identify targets. However, unlike spear phishing, whaling specifically targets those at the top levels of business and government. These targets are more valuable because they often have access to private data and system passwords, and tend to have large banking and securities accounts to exploit. Using information easily scraped from the internet, like location check-ins, Facebook, LinkedIn, and Twitter updates, and browser history, criminals target these high-value marks with cleverly crafted messages that look legitimate.
For example, after researching a sys admin, an attacker sent an email about discounted health insurance for families of more than four; the attacker already knew he had five kids. The sys admin clicked the link and became infected.
Defend yourself: Call before opening an unsolicited, suspicious email. The number one method of this attack is sending seemingly inter-company emails. Be careful about what information you post about yourself online and who has access to it – even if you’re not a CEO or VIP.
Awareness training also helps employees be more vigilant about these and traditional threat techniques. However, protection means more than just software and training; it must also include the expertise to recognize and respond to attack signatures before they manifest and the ability to quickly understand and adjust to new threats. If that’s not feasible or not aligned with your business goals, business email hosting delivers the software and a team of email experts to watch out for and protect your email.