IBM X-Force Incident Response and Intelligence Services (IRIS) recently shared details about a phishing campaign that cost a series of Fortune 500 companies millions of dollars.
Described as being “incredibly sophisticated,” the campaign is actually quite ordinary. What made it so devious and hard to detect is that the phishing emails contained no malware, no brute-force password attempts, and no network incursions. Instead, the attackers relied on old-fashioned social engineering and simple email spoofing.
It’s a perfect illustration of why cybercriminals love email spoofing: It’s easy to pull off and it’s very hard for most companies to detect.
According to IBM, the attacks began with phishing emails sent from people known to the targets. The emails were either sent directly from a compromised account or were spoofed.
Attackers also did their research: They inserted themselves into existing conversations or mimicked earlier conversations.
Posing as a trusted partner of the targeted company, the attackers would then request wire transfers to pay for previously sent invoices.
Most security systems were powerless to stop these attacks. As IBM wrote:
“Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.”
Sadly, this kind of attack is all too common. Known as a business email compromise (BEC) attack, it has cost companies worldwide billions of dollars in just the past few years.
Worse, spoofed emails are a primary vector for cyberattacks of all kinds, not just BEC. Some research has estimated that 91 percent of all cyberattacks begin with spear phishing. And two-thirds of the time, spear-phishing attacks rely on spoofing the sender to make a message appear as if it comes from someone you trust. Put those two data points together, and that means two-thirds of 91 percent of attacks, or about 60 percent of all cyberattacks, rely on spoofed spear-phishing emails.
Yet spoofing is preventable. With email authentication in place and set to an enforcement policy, attackers cannot spoof protected domains. If they try, receiving mail gateways will simply reject the faked messages (or quarantine them in spam folders, depending on the policy specified by the domain owner).
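As an added illustration (not part of IBM's report or of this post), here is how a receiving gateway turns a domain owner's published enforcement policy into the reject/quarantine verdict described above. It assumes that policy is a DMARC record evaluated against SPF and DKIM results, and it simplifies the organizational-domain lookup to the last two labels of a name; the domain names used are constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """Constructed summary of what the receiver verified for one message."""
    header_from: str   # domain in the visible From: header (what the victim sees)
    spf_result: str    # "pass"/"fail" for the envelope (MAIL FROM) domain
    spf_domain: str    # envelope domain that SPF was checked against
    dkim_result: str   # "pass"/"fail" for the DKIM signature, if any
    dkim_domain: str   # d= tag of the DKIM signature ("" if unsigned)

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; sp=quarantine; adkim=s' into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return 'none' (deliver), 'quarantine' or 'reject' for one message."""
    p = parse_dmarc(record)
    if p.get("v") != "dmarc1":
        return "none"  # no valid policy published: spoofing goes unchecked
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, p.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, p.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # at least one aligned authenticator passed
    # Simplification: the record is assumed to be the org domain's, so sp= covers subdomains.
    if r.header_from.lower() != org_domain(r.header_from) and "sp" in p:
        return p["sp"]
    return p.get("p", "none")  # pct= and other tags are ignored in this illustration

# Constructed example: attacker's own server sends mail with a spoofed From: domain.
SPOOFED = AuthResult("trustedpartner.example", "pass", "attacker.example", "fail", "")
VERDICT = dmarc_disposition("v=DMARC1; p=reject; adkim=s; aspf=r", SPOOFED)  # "reject"
```

The same message under a `p=none` record is delivered untouched, which is why monitoring-only records do not stop BEC; only an enforcement policy does.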
To stop these attacks, Fortune 500 companies and the companies they do business with must implement email authentication. To find out how your company can stop email spoofing and prevent millions of dollars in BEC losses, check out our 4-page white paper, “What Is Email Authentication?”
Top photo: An "incredibly sophisticated" disguise? Photo credit: Mark Bonica/Flickr CC.