The past few years have seen a tremendous rise in the use of email as an attack vector for enterprises and larger entities.
These attacks have also evolved in sophistication, from the first examples of malicious links or attachments being included in emails, to the use of phishing, in which cyber criminals try to trick the recipient into clicking a link that leads to a Web site so similar in appearance to the genuine article that it would defy all but the closest examination.
“The next step was the evolution from phishing, which had a ‘mud against the wall’ approach of mass emails to many recipients, to spear phishing, a highly targeted approach that sends a mail to specific recipients with the hope of breaching their organisation,” explains Simon Campbell-Young, CEO of Phoenix Distribution.
He explains that in the past, security tools designed to protect email systems were sufficient, as cyber crooks had to look at a trade-off between cost and volume. “Designing an email attack that was both highly specific and totally randomised took quite a lot of effort, therefore limiting both its scope and efficacy. By the same token, less customised attacks were easily caught in the net of security solutions, again rendering them largely inefficient.”
Unfortunately, today we are seeing some highly advanced phishing techniques that have overcome these problems, he says. “Cyber crooks have developed a technique called longline phishing, named after the industrial fishing technique called longlining. And they are succeeding with this new technique, as it has noticeably higher penetration rates.”
He says longline phishing attacks combine proven and successful spear-phishing tactics with mass customisation, making them specific yet far-reaching at the same time. “By using these methods, threat actors have the ability to rapidly deploy thousands of unique, malware-laden messages that are, for the most part, wholly undetectable by traditional signature and reputation-based security tools.”
This results in the individual target messages being unique enough that they slip through the security net. “No business being targeted by a longline attack will receive more than a message or two with the same characteristics, making them extremely difficult to identify as phishing mails.”
Campbell-Young says most security gateway filters are on the lookout for identical or similar messages from a single source, which is a telltale sign of a phishing campaign. “In this way, a longline attack is incredibly hard to identify, as all the messages have totally different subject lines, body content, and most importantly originating IP addresses.”
Longline phishing mails will employ body content that contains many different variations of the malware target URL, which, as with normal phishing, will lead to a genuine site that has been compromised or infected in some way. “In this way, reputational filtering is rendered useless.”
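The two preceding paragraphs describe why a gateway that counts identical messages from a single source misses a longline campaign: every message differs in subject, body and originating IP. The script below is an added illustration of the defender's side of that point; it is not code from the article or from Phoenix Distribution, and the six messages, IP addresses and the `compromised-site.example` host name are constructed placeholders. It runs the classic per-source duplicate count, shows that the campaign messages also share no body wording, and then pivots on the one thing the varied messages still have in common, the host they link to.

```python
"""Toy mail-gateway correlation: per-source duplicate counting versus
cross-source clustering on the landing host. Added example with constructed
data; not the article's or any vendor's code."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample traffic: four messages of one campaign plus two unrelated
# mails. Each campaign message has a different subject, wording, source IP and
# URL path, but every path sits on the same placeholder host.
SAMPLE_MESSAGES = [
    {"ip": "198.51.100.10", "subject": "Invoice 4471 overdue",
     "body": "Please review the attached invoice at http://compromised-site.example/inv/4471?u=ab12 before Friday."},
    {"ip": "203.0.113.7", "subject": "Your parcel could not be delivered",
     "body": "Reschedule your delivery here: http://compromised-site.example/track/88213?u=zz90 within 24 hours."},
    {"ip": "192.0.2.55", "subject": "Payroll update required",
     "body": "Confirm your payroll details at http://compromised-site.example/hr/confirm?u=q7k1 to avoid delays."},
    {"ip": "198.51.100.200", "subject": "Document shared with you",
     "body": "A colleague shared a document: http://compromised-site.example/docs/view?u=p0o9 - open to review."},
    {"ip": "192.0.2.99", "subject": "Team lunch on Thursday",
     "body": "Vote for a restaurant at http://intranet.example/poll/lunch by Wednesday."},
    {"ip": "203.0.113.40", "subject": "Newsletter: March edition",
     "body": "Read this month's stories at http://news.example/march and share your feedback."},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_duplicate_filter(messages, threshold=2):
    """Classic gateway heuristic: flag a (source IP, subject) pair seen at least
    `threshold` times. Longline messages differ on both, so nothing trips it."""
    seen = defaultdict(int)
    for m in messages:
        seen[(m["ip"], m["subject"])] += 1
    return {key for key, count in seen.items() if count >= threshold}


def word_shingles(text, k=3):
    """Word k-grams of the body with URLs removed (the URL is handled separately)."""
    words = re.findall(r"[a-z]+", URL_RE.sub(" ", text).lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def max_body_similarity(messages):
    """Highest pairwise Jaccard similarity between any two bodies. A low value
    means content-similarity clustering alone would not group the campaign."""
    shingles = [word_shingles(m["body"]) for m in messages]
    best = 0.0
    for i in range(len(shingles)):
        for j in range(i + 1, len(shingles)):
            best = max(best, jaccard(shingles[i], shingles[j]))
    return best


def landing_hosts(message):
    """Host names of every URL in the body. Paths and query strings are ignored
    because those are the parts that vary from message to message."""
    return {urlparse(u.rstrip(".,;:")).hostname for u in URL_RE.findall(message["body"])}


def cluster_by_landing_host(messages, threshold=3, min_sources=2):
    """Cross-source correlation: group messages by linked host and flag hosts
    referenced by at least `threshold` messages from at least `min_sources`
    distinct IPs. Returns {host: [message indexes]}."""
    by_host = defaultdict(list)
    for i, m in enumerate(messages):
        for host in landing_hosts(m):
            by_host[host].append(i)
    flagged = {}
    for host, idxs in by_host.items():
        sources = {messages[i]["ip"] for i in idxs}
        if len(idxs) >= threshold and len(sources) >= min_sources:
            flagged[host] = idxs
    return flagged


if __name__ == "__main__":
    print("per-source duplicates:", naive_duplicate_filter(SAMPLE_MESSAGES))
    print("max body similarity:", round(max_body_similarity(SAMPLE_MESSAGES), 2))
    print("hosts flagged across sources:", cluster_by_landing_host(SAMPLE_MESSAGES))
```

Pivoting on the landing host is only one of several cross-source keys a gateway can use (attachment hashes, URL path templates and shared redirect chains are others); the design point is that correlation has to be keyed on what the attacker cannot vary cheaply, rather than on the per-message fields the campaign randomises.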
What is particularly frightening, says Campbell-Young, is that any organised cyber crime group has the ability to issue hundreds of thousands of these longline phishing mails in a mere couple of hours. Many of these will completely slip through any security measures, giving the attackers the ability to exploit any zero-day vulnerabilities long before the technical staff have issued a patch, and possibly before they are aware a problem even exists.
In terms of preventing these attacks, he says, as always, the key is education and training. “Regular training can ensure your staff are vigilant and prevent these attacks. Security measures too, play a role, but ultimately, encourage people to think before merely clicking.”