Phishing email has always been one of the security professional's biggest challenges. "Phishing" and "spear phishing" emails take different forms; sometimes they are merely a nuisance, and at other times they can be dangerous.
Most of the time, payloads such as malware and other attack tools are delivered through phishing emails, exploiting the most popular communication medium of the era.
Although technological advances and awareness programs have been adopted to mitigate the associated risks, phishing email remains a hard reality to which many internet users are still vulnerable.
Various security solutions and services are available to filter and prevent phishing emails and the malware they carry. However, criminals find ways to bypass them by customizing their approach and content. Such targeted attacks help them disguise the communication and trap even the smartest end users.
Sometimes these phishing emails are dynamic enough to bypass even cutting-edge security solutions.
What is the danger of Internal Phishing?
One of the most dangerous modes of phishing is when the email originates from, or carries, an internal employee address, which could be that of your boss or executive management. Although there are many instances where the original address is merely spoofed, the situation becomes truly dangerous when the address is indeed the actual mailbox of a user belonging to the firm.
The attack could be carried out by compromising user credentials, or by using an already infected user machine on which malware can send and receive emails on the user's behalf. The intention may be to collect and compile other email addresses in the organization in order to target more users, or to steal money.
Business Email Compromise (BEC) is primarily aimed at stealing money by forcing the recipient to believe that an instruction for a fund transfer or other financial transaction is genuine. Historically, security awareness messages have focused on enabling the user to find the sender's actual address rather than relying on the display name.
Criminals further enhance this attack mode either by compromising an internal user's credentials or by infecting a device on the network with malware that can send an email from an internal employee to others for malicious purposes. Such a sophisticated attack is more than enough to fool any internal user and push them into action, even if that is just clicking an attachment!
The dangers associated with this kind of phishing are beyond imagination, as it can spread widely to more areas of the network without being detected by perimeter controls.
Some Examples of Internal Phishing
In the case of the "Eye Pyramid" targeted attack campaign, the attackers' objective was to steal as much information as possible, including lists of email addresses. It was initially thought to be the act of a nation-state, but it was later found that an Iranian nuclear engineer and his sister were behind it, seeking to profit from the information.
Their mode of operation was to leapfrog from one user to the next using phishing emails with malicious attachments. The malware embedded in the attachment harvested and exfiltrated information, including email addresses, which were then used for subsequent targeted attacks. The Iranian siblings were able to compromise 100 email domains and 18,000 email accounts.
The Syrian Electronic Army also attacked the Financial Times, using a compromised email account to send internal phishing emails to steal additional user credentials. The scary part of this attack was the further damage done to the organization: when IT communicated to users about the phishing attacks and credential compromises, the hackers got hold of that communication and forged it to redirect employees to their phishing website. This breach was due to an absolute failure of the organization's overall security process and demonstrates a lack of planning and due diligence in the response actions.
How to protect the organization from Internal Phishing Attacks?
Internal phishing attacks emphasize the importance of a comprehensive and holistic approach to security. Read about it here: How to Achieve Effective Information Security?
On a technical level, the following are the key recommendations for protecting your organization from, or detecting, an internal phishing attack.
1. Dual-factor authentication, so that a user credential compromise alone does not have a severe impact on organizational security. These controls are complicated to implement and inconvenient for many users. At the same time, if the user's mobile device is also infected with related malware, SMS interception is a realistic possibility.
2. Mail filtering and anti-malware solutions for the email servers. These may be built into the particular email system implemented in your environment, scanning for spam, phishing emails and malware, or a service-integrated solution that works directly with the mail system through its API. These can work with both on-premise email systems and cloud-based services.
3. The journaling function of the email system, through which a copy of every email is sent to a dedicated security service or solution for offline analysis. Sandbox technology can be integrated well with this if it can work with the email server. In this case, however, the security approach operates after the fact: the malware may already have executed by the time the security solution detects malicious content or intent. With a specific malware such as TeslaCrypt, which encrypts 10,000 files in 40 seconds, a 5-minute delay in offline analysis may be costly for the organization.
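As an added example, not code from the original post, here is a small offline check of the kind a journaling-fed analysis service (item 3) could run on the headers of each copied message, applying the display-name versus actual-address point made above: it flags a From address that claims the internal domain but carries no passing SPF or DKIM result (a spoofed internal address), and an external address that borrows an internal user's display name. The internal domain example.com, the directory of internal users and the three sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (constructed, not from the post): the organisation's
# mail domain and a small directory of internal display names.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"alice ceo": "alice@example.com", "bob finance": "bob@example.com"}

def auth_results(msg):
    """Parse Authentication-Results headers into {'spf': 'pass', 'dkim': 'fail', ...}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            method, _, verdict = clause.strip().partition("=")
            if method:
                results[method.strip().lower()] = verdict.split()[0].lower() if verdict else ""
    return results

def classify(raw_message):
    """Return the reasons a message looks like internal phishing (empty list = no finding)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    reasons = []
    if domain == INTERNAL_DOMAIN:
        # Mail really sent through our own system passes SPF or DKIM; a spoofed internal address fails both.
        if "pass" not in (auth.get("spf"), auth.get("dkim")):
            reasons.append("internal From address without passing SPF/DKIM (spoofed)")
    elif name.strip().lower() in DIRECTORY:
        # External address borrowing the display name of a real internal user.
        reasons.append("display name of an internal user, but the actual address is external")
    return reasons

# Constructed sample headers (no real mail), as a journaling feed would deliver them.
SPOOFED = ("From: Alice CEO <alice@example.com>\n"
           "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none\n"
           "Subject: Urgent wire transfer\n\nPlease process the attached invoice today.\n")
LOOKALIKE = ("From: Alice CEO <alice.ceo@example-mail.net>\n"
             "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mail.net\n"
             "Subject: Urgent wire transfer\n\nPlease process the attached invoice today.\n")
COMPROMISED = ("From: Alice CEO <alice@example.com>\n"
               "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com\n"
               "Subject: Urgent wire transfer\n\nPlease process the attached invoice today.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("compromised", COMPROMISED)]:
        print(label, classify(raw) or ["no header finding: needs content sandboxing / process control"])
```

A genuinely compromised internal account passes both header checks, which is exactly the case the post warns about; such messages need the sandbox and process controls described here rather than header checks alone.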
On a process level, the organization should establish comprehensive processes for business transactions, incident response, crisis management, communication, etc. Even when technology controls cannot detect the attack, the right methods can handle the situation better and reduce the damage to the organization.
Staff awareness is another important factor. Generic awareness messages focus on phishing emails from the outside world, but we also need to communicate internal threat scenarios and train employees in the secure execution of business and related security process controls. Employees must not act on sensitive transactions or data sharing through a single channel; instead, the request should be validated through another, offline channel wherever possible.