Phishing attacks: Why is email still such an easy target for hackers?
The majority of cyber attacks begin with one simple phishing email. So will it ever be possible to close this door to hackers, once and for all?
Email is incredibly useful, which is why we all still use it. But chief among its downsides (along with getting caught in a group-cc’d message hell) is that email remains one of the most common routes for hackers to attack businesses.
Around one in every hundred messages sent is a malicious hacking attempt. That might not seem like a large figure, but when millions of messages are sent every day, it adds up — especially when it just takes one employee to fall victim to a phishing message and potentially lead to a whole organisation being compromised.
For example, the cyber attack against the Democratic National Committee that led to thousands of private emails being exposed in the run-up to the US Presidential election started with just one successful phishing email, while countless espionage and malware campaigns have also gained entry to organisations via an email-based attack.
But if email leaves us so vulnerable to attempts at hacking, why do we stick with it?
“Email is still the main way that two entities who may not have a relationship get together and communicate. Whether it’s a law firm communicating with a business or a candidate applying for a job, email is still the bridge to getting these entities communicating. It’s not going away,” says Aaron Higbee, co-founder and CTO at anti-phishing company Cofense.
As long as email is here, phishing will also remain a problem — and while some phishing campaigns are really sophisticated and based around cyber criminals performing deep reconnaissance on targets, other email-based attacks aren’t so sophisticated — and yet are still worryingly successful.
Locky ransomware was often delivered to targets in blank phishing messages containing nothing but an attachment. In the vast majority of cases people didn't open it, but given how successful Locky was, it's evident that a number of people did. Why would anyone click the attachment in a blank message?
“At the end of the day, we’re people and sometimes we make mistakes. Even careful and aware people could and would click on malicious attachments. Why is that? Because education isn’t enough; people will continue to click on things that look suspicious,” said Liron Barak, CEO and co-founder at security company Bitdam.
“We can definitely see there’s been a rise in email attacks in the last year. And something that I believe is that attackers are becoming more and more sophisticated — attacks are bypassing Microsoft, Gmail and other channels,” she adds.
Many phishing and spam messages do get blocked by mail providers but there are those that continue to sneak through — especially into consumer mailboxes, despite the efforts of email providers.
While enterprises might not think too seriously about the actions their employees take using their personal inboxes, it could have serious consequences; not only is it likely that employees will examine their own emails at the office, many people use their personal email addresses to conduct business activity — and that’s a security risk.
“One of the lessons that comes up very regularly is that one thing people often do wrong is when they conduct official business out of a consumer mailbox as they often don’t understand there’s no defence there,” says Matthew Gardiner, director of product at email security company Mimecast.
“The lesson is to have good security defences on your business email and then use your business email for business, not your consumer email. Because once they’re into your personal account, they could be loading malware onto the machine you use for both,” he says.
So, when this provides a potential risk to businesses, why is the security of some consumer mailboxes still so relatively poor compared with their enterprise cousins?
“One of the sadder situations is here we are protecting the enterprise and they’re getting the full focus and top knowledge to protect them — but then when you go down to consumers and even small businesses, they’re not really looked after by the security industry,” says Ken Bagnall, VP of email security at FireEye.
There’s also the fundamental problem around email that it’s relatively simple to spoof names and addresses, allowing attackers to claim to be anyone — perhaps celebrities offering prizes or your boss asking you to look at a document or to make a transfer.
“There’s really no embedded security in the basic internet for email. So you can claim to be anyone and send an email and the average person will probably trust that,” says Gardiner.
Add to that how the make-up of phishing messages is changing all the time and you have an evolving problem.
“While we continually evaluate and improve our automated screening protocols to help protect users, spam is an industry-wide ongoing challenge. Bad actors and opportunistic promoters quickly alter their approaches, which makes it difficult for any vendor to address 100 percent of spam,” says Jeff Jones, senior director at Microsoft.
There are even whole underground marketplaces dedicated to phishing, with professional hackers offering their services to break into specific inboxes.
“Trying to guess what the next step of the attackers will be will always leave us behind, because there’s someone else controlling the landscape and trying to evade us and thinking strategically about bypassing security,” says Bitdam’s Barak.
Much of the issue lies with the fundamental way in which email works and how this method of communication has become so pervasive in our everyday lives.
“For email based phishing to really go away, we’re going to have to come together as a world and say this email protocol that was designed decades ago, it just isn’t working anymore,” says Higbee.
There is one system that could help, and it’s called DMARC, short for “Domain-based Message Authentication, Reporting & Conformance”. It’s an email authentication protocol that lets a domain owner publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to come from that domain but fail the underlying SPF and DKIM checks (monitor only, quarantine, or reject outright), and to receive aggregate reports on who is sending mail in the domain’s name, so the policy can be tightened over time.
Many have argued that widespread adoption would massively reduce spoofing and spam, but DMARC still isn’t widely used in industry because it can be tricky to implement: a strict policy published without first studying the reports can cause legitimate mail, such as messages sent on a company’s behalf by third-party services, to be rejected along with the forgeries.
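To make concrete what a DMARC policy actually decides, and why the misconfiguration above bites, here is a small DMARC evaluator. It is an added example written for this page, not code from the article or from any company quoted in it. The domains (example.com, attacker.net, vendor.net), the DNS records, the authentication results and the hypothetical `Message`, `parse_dmarc`, `aligned` and `evaluate` names are all constructed for illustration, and the public-suffix list is a toy stand-in for the real one a receiver would use.

```python
# Added example: a minimal DMARC policy evaluator run over constructed messages.
# Not code from the article or any vendor quoted in it. All domains, records and
# authentication results below are made up for illustration.
from dataclasses import dataclass, field

# Assumption: toy stand-in for the Public Suffix List that receivers use to find
# the "organizational domain" needed for relaxed alignment.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Return the organizational domain (e.g. mail.example.com -> example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags, applying RFC 7489 defaults."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags = dict(p.split("=", 1) for p in parts if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or unknown p= policy in %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class Message:
    header_from: str                           # domain of the RFC5322.From the user sees
    spf: tuple = ("", False)                   # (RFC5321.MailFrom domain, SPF passed?)
    dkim: list = field(default_factory=list)   # [(d= domain, signature verified?), ...]


def evaluate(msg: Message, record: str, sample: int = 0) -> str:
    """Return 'pass', or the disposition for a failing message: 'none', 'quarantine', 'reject'.

    `sample` stands in for the receiver's random draw in [0, 100) used for pct=.
    """
    policy = parse_dmarc(record)
    spf_domain, spf_ok = msg.spf
    if spf_ok and aligned(msg.header_from, spf_domain, policy["aspf"]):
        return "pass"
    if any(ok and aligned(msg.header_from, d, policy["adkim"]) for d, ok in msg.dkim):
        return "pass"
    # Neither SPF nor DKIM both passed *and* aligned with the visible From domain.
    if sample >= policy["pct"]:
        # Outside the pct sample: RFC 7489 says apply the next less strict policy.
        return {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy["p"]]
    return policy["p"]


# Constructed records for the hypothetical domain example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Constructed messages. The attacker needs no access to example.com: they simply
# write "From: ceo@example.com" and sign with their own domain's DKIM key.
LEGIT = Message("example.com", spf=("example.com", True), dkim=[("example.com", True)])
SPOOF = Message("example.com", spf=("attacker.net", True), dkim=[("attacker.net", True)])
# A third-party service sending on example.com's behalf, signing with a subdomain key.
VENDOR = Message("example.com", spf=("bounce.vendor.net", True), dkim=[("mail.example.com", True)])


def demo() -> dict:
    return {
        "legit/monitor": evaluate(LEGIT, MONITOR_ONLY),
        "spoof/monitor": evaluate(SPOOF, MONITOR_ONLY),
        "spoof/enforce": evaluate(SPOOF, ENFORCING),
        "vendor/monitor": evaluate(VENDOR, MONITOR_ONLY),
        "vendor/enforce": evaluate(VENDOR, ENFORCING),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

Two things are worth noticing in the output. Under `p=none` the spoofed message is still delivered (disposition `none`); the domain owner only learns about it from the reports, which is exactly why that is the right starting point. Jumping straight to `p=reject` with strict alignment, on the other hand, rejects the genuine vendor mail signed with `mail.example.com` just as hard as the forgery, which is the misconfiguration the text warns about.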
Another solution could be a reputation score system, something that Dr Ian Levy, technical director at the UK’s National Cyber Security Centre (NCSC), wants to encourage the industry to pick up. He argues that it could make differentiating between trusted sources and malicious sources much easier for users, thereby reducing the risk of phishing attacks.
“We’re trying to get the industry to do a reputation score,” he says. For example, if an email address has been in use for years and has never sent a bad message, that’s one thing; an email address registered today via a Tor node and sending its first email may be something that should be treated with a little more caution, he argues.
“We want to give people that reputation information about email accounts so they can make decisions.”
But for now, this is just an idea and phishing attacks against email users are as successful as they ever were — and some are resigned to this continuing to be a problem for a long time to come.
“I saw my first phishing email professionally in 1998 — and if I thought I’d still be working on this phishing problem in 2018, it would’ve seemed unimaginable,” says Cofense’s Higbee. “It’s such a huge challenge that in five or ten years from now, the email phishing problem will be the same as it is today.”