Hijacked Email Reply Chains
Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve, and it remains a major threat. Phishing tactics have become sophisticated enough that a scam can be hard to spot, particularly in the case of hijacked email reply chains. Let’s look at a concrete example.
Imagine you’re a purchaser for a concrete supplier, and you get an email from a regular client about an order. In that email, you can see this client, Michael, has been exchanging messages with your colleague, Jill. The email addresses, corporate logos, and everything about the email chain look 100% legitimate. You’ve even met Michael in person, so you know he’s trustworthy.
In this case, the conversation details are convincing to you—because they’re real. Someone gained access to your colleague’s email and took over a legitimate conversation about purchases, then forwarded it to you with a malicious payload attached.
A message like this is likely to get through email filtering, since the sender, the headers, and the quoted conversation are all genuine, and you’d probably open the attachment, since it appears to come from a trusted sender.
Had you opened the file in this hypothetical scenario, you might have gotten infected with Emotet or another banking Trojan, such as Ursnif / Gozi.
Ursnif / Gozi Campaigns
The difference between an ordinary phishing attack and a hijacked email chain really comes down to believability. The criminals behind these campaigns take their time breaking into email accounts, watching business conversations, negotiations, and transactions, then launching their attempts at plausible moments when the recipient’s guard is most likely to be down. Most commonly, these attacks have been attributed to Ursnif/Gozi campaigns. Webroot has seen quite a few cases of these hijacked emails with the same style of phishing text and nearly identical payloads. There are numerous reports online as well.
In a malware campaign like this one, it really doesn’t matter whose account the malicious actors have broken into. If you receive an email from your project manager, a sales colleague, the finance department, a particular client, or anyone else that bears the markers of a legitimate, ongoing email conversation, the attack is highly likely to succeed.
Seen since last November: all email bodies had a long list of replies, but all had the following message.
This would suggest they are all samples that can be attributed to the same gang. Each had .zip files attached with convincing names related to the business at hand, which contained Microsoft® Word documents with filenames that started with “request”.
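The indicators described above (a genuine quoted thread with almost no new text on top, a .zip wrapping an Office document named “request…”, and mail that claims to come from a colleague but routes replies elsewhere) can be checked mechanically before a user ever sees the message. The script below is an added example written for this article; it is not Webroot’s code or detection logic. The message it scores is constructed inline, and the *.test domains, the Reply-To value, the indicator list, and the count-based score are assumptions chosen for illustration, not thresholds from the campaign.

```python
"""Triage an inbound message for hijacked-reply-chain indicators.

Added example for this article, not Webroot's code. The message scored below
is constructed inline; domains, header values and the indicator list are
assumptions for illustration.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that can carry VBA macros or other active content.
ACTIVE_CONTENT = {".doc", ".docm", ".dot", ".xls", ".xlsm", ".ppt", ".pptm",
                  ".js", ".vbs", ".lnk"}


def _domain(addr: str) -> str:
    """Lower-cased domain of an address such as 'Jill <jill@host>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def triage(raw: bytes) -> dict:
    """Return the indicators a message hits and a simple count-based score."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []

    # 1. The quoted conversation is genuine, so inspect the envelope instead:
    #    a Reply-To or Return-Path on another domain means the victim's
    #    questions about the attachment go to the attacker, not the colleague.
    from_dom = _domain(msg.get("From", ""))
    for hdr in ("Reply-To", "Return-Path"):
        val = msg.get(hdr)
        if val and _domain(val) != from_dom:
            hits.append(f"{hdr} domain {_domain(val)!r} differs from From domain {from_dom!r}")

    # 2. A long quoted thread topped by only a line or two of new text.
    body = msg.get_body(preferencelist=("plain",))
    lines = body.get_content().splitlines() if body else []
    quoted = sum(1 for ln in lines if ln.lstrip().startswith(">"))
    fresh = sum(1 for ln in lines if ln.strip() and not ln.lstrip().startswith(">"))
    if quoted >= 10 and fresh <= 3:
        hits.append(f"{quoted} quoted lines but only {fresh} new lines")

    # 3. A .zip attachment wrapping an Office file, especially one named 'request*'.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            names = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            hits.append(f"{name}: attachment is not a valid zip archive")
            continue
        for inner in names:
            base = inner.lower().rsplit("/", 1)[-1]
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in ACTIVE_CONTENT:
                hits.append(f"{name} contains active-content file {inner}")
            if base.startswith("request"):
                hits.append(f"{name} contains 'request*' file {inner}")

    return {"indicators": hits, "score": len(hits)}


def build_sample(malicious: bool = True) -> bytes:
    """Construct a test message (constructed data, not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = "Jill <jill@example-concrete.test>"
    msg["To"] = "purchasing@example-concrete.test"
    msg["Subject"] = "FW: RE: RE: Order 4471"
    if malicious:
        msg["Reply-To"] = "jill@mail-relay.test"  # assumed attacker-controlled
        thread = "\n".join(f"> message {i} of the genuine thread" for i in range(15))
        msg.set_content("Please see the attached request.\n\n" + thread)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("request_4471.doc", b"placeholder, not a real document")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Order_4471.zip")
    else:
        msg.set_content("Hi, confirming the delivery window for Friday.\n\n"
                        "> Thanks, Jill\n> Any update on order 4471?")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="delivery_schedule.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, triage(build_sample(flag)))
```

Running it prints four indicators for the constructed lure and none for the benign reply. In a mail gateway you would route anything with a non-zero score to quarantine or to a sandbox rather than deleting it outright, since the underlying thread really is legitimate business correspondence.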
What You Can Do
Faced with such plausible attacks, it might seem impossible to stay safe. But a few habits will keep you protected. First, never turn macros on, and never trust a document that tells you to enable macros (or to click “Enable Editing” or “Enable Content”) in order to view hidden content. Office macros are a very common malware delivery vector, and a document that needs them just to display its contents is almost always a lure.
Second, keep your operating system and your applications up to date, especially Microsoft® Office.
Third, you likely already mistrust emails from people you don’t know. Now, it’s time to turn that suspicion onto trusted senders too. Attackers commonly try to spoof email addresses to look like those you’re familiar with, and may even gain control of an email account belonging to a person you know. Always err on the side of caution when it comes to emails asking you to download attachments.
Fourth, it’s important to protect your own email account from being hijacked. Attackers can use techniques like alternate inboxing, for instance by adding mailbox rules that quietly forward or hide messages, to send mail from your account without your knowledge, so periodically review your mailbox rules and forwarding settings for entries you did not create. Secure your account with a strong, unique password and 2-factor authentication, and use a secure password manager. Encourage friends and colleagues to do the same.
Finally, if you’re suspicious of an email, the best way to check its legitimacy is to pick up the phone. If you know the sender personally, ask them about the message in person or via phone. Or, if you receive a message from a company, look up its publicly listed phone number (do not use the number provided in the email) and call.
How Webroot Protection Can Keep You Safe
- Webroot security for computers, smartphones, and tablets blocks malicious scripts, downloads, and executables. (However, you should still exercise caution and common sense, regardless which internet security solutions you use.)
- For businesses and managed service providers, our portfolio of integrated, next-generation security includes Endpoint Protection, DNS Protection, and Security Awareness Training for end users.
Automated Malware Analysis and Reverse Engineering with SOAR
Security operations (SecOps) teams are overwhelmed by the sheer number of alerts they receive every day. Organizations are being attacked from all fronts, whether they know it or not: social engineering, malicious emails, vulnerable services and applications, misconfiguration (often a product of overworked staff), and more.
Traditionally in a security operations center (SOC), malware analysis, and reverse engineering in particular, is conducted by a highly trained member of the security team (depending on your size, this may be multiple individuals). A SOC may receive hundreds, even thousands, of alerts about potentially malicious files, from sources ranging from users reporting suspicious messages, to EDR (endpoint detection and response) tools, to workstation and server event logs.
With the overwhelming amount of incoming alerts, malware analysts (or reverse engineers) only receive a small percentage of an organization’s total potentially malicious binaries to review. As malware authors evolve and the use of more sophisticated techniques increases, security teams need to act upon every alert, not just the aforementioned small percentage, by automating and orchestrating their malware analysis.
By taking alerts you already receive, SOAR can automate the malware analysis process to determine if further action is required. A basic automated malware analysis workflow looks like:
Using SOAR for Automated Malware Analysis
This process seems simple at first, but once you take into account the large number of distinct services alerting you to potentially malicious behavior, you can quickly see why you need a security automation and orchestration platform.
Swimlane has taken this basic workflow and expanded it to provide a robust application that is truly drag and drop. Once integrated into your current services, you can use both internal (e.g. Cuckoo Sandbox, etc.) or external (e.g. Hybrid-Analysis, SNDBOX, Joe Sandbox, McAfee Advanced Threat Defense, etc.) sandbox/analysis processes to automate the triaging of alerts related to potentially malicious files and URLs.
Automating malware analysis of malicious files
Whether you want to analyze potentially malicious files manually or unleash the full power of SOAR, we now offer an application on Apphub to automate your malware analysis process. When you upload a suspicious file, this application returns basic file information (hashes, name, type, etc.) and begins analysis in the background. You can automate the submission of potentially malicious files to both internal and external sandbox services (e.g. Cuckoo Sandbox, Hybrid-Analysis, etc.). Additionally, you can scan the file using our VirusTotal bundle.
Once the analysis is complete, both the sandbox and VirusTotal integrations will return their respective results. Based on the returned values we will calculate both individual integration scores, but also an overall total threat score based on the analysis done.
Overall score calculated based on results from VirusTotal and Cuckoo Sandbox results
Behavioral analysis results from Cuckoo Sandbox
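The scoring step is where the orchestration logic actually lives: each integration returns results in its own shape, and the playbook has to normalize them, blend them, and decide what happens next. The script below is an added example for this article; it is not Swimlane’s application and it calls no vendor API. The two reports are constructed by hand to resemble (not reproduce) a VirusTotal v3 file report (`last_analysis_stats`) and a Cuckoo `report.json` (`info.score` plus per-signature `severity`); the weights, thresholds, and playbook actions are assumptions for illustration.

```python
"""Combine VirusTotal-style and Cuckoo-style results into one threat score.

Added example for this article; not Swimlane's application and no vendor API
is called. Sample reports are constructed; weights and thresholds are assumed.
"""
import hashlib


def file_identity(data: bytes) -> dict:
    """The basic file information an analyst wants first: hashes and size."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def virustotal_score(report: dict) -> float:
    """Percentage of engines that flagged the file as malicious or suspicious.
    Engines that timed out or could not scan the type are left out of the denominator."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return 0.0 if scanned == 0 else 100.0 * flagged / scanned


def cuckoo_score(report: dict) -> float:
    """Cuckoo's 0..10 score scaled to 0..100, bumped by the worst signature severity (1..3)."""
    base = float(report.get("info", {}).get("score", 0.0)) * 10.0
    worst = max((int(s.get("severity", 1)) for s in report.get("signatures", [])), default=0)
    return min(100.0, base + 5.0 * worst)


def overall_verdict(vt: float, sandbox: float, w_vt: float = 0.4, w_sb: float = 0.6) -> dict:
    """Weighted blend; behavioural evidence is weighted above static detections (assumed weights)."""
    score = w_vt * vt + w_sb * sandbox
    if score >= 70:
        verdict, action = "malicious", "isolate endpoint and open an incident"
    elif score >= 30:
        verdict, action = "suspicious", "escalate to a malware analyst"
    else:
        verdict, action = "likely benign", "close the alert with results attached"
    return {"score": round(score, 1), "verdict": verdict, "action": action}


def triage_file(data: bytes, vt_report: dict, cuckoo_report: dict) -> dict:
    """The whole playbook for one alert: identify the file, score each source, decide."""
    vt = virustotal_score(vt_report)
    sb = cuckoo_score(cuckoo_report)
    return {"file": file_identity(data), "virustotal": vt, "sandbox": sb,
            **overall_verdict(vt, sb)}


# Constructed sample inputs (not real reports or real malware).
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60  # a stub that merely starts like a PE header
VT_MALICIOUS = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 60, "suspicious": 0, "undetected": 15, "harmless": 5, "timeout": 2}}}}
VT_CLEAN = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0}}}}
CUCKOO_MALICIOUS = {"info": {"score": 6.0}, "signatures": [
    {"name": "injection_rwx", "severity": 3},
    {"name": "persistence_autorun", "severity": 2}]}
CUCKOO_CLEAN = {"info": {"score": 0.5}, "signatures": []}

if __name__ == "__main__":
    print(triage_file(SAMPLE_BYTES, VT_MALICIOUS, CUCKOO_MALICIOUS))
    print(triage_file(SAMPLE_BYTES, VT_CLEAN, CUCKOO_CLEAN))
```

Two design points worth keeping when you wire this to real integrations: exclude engines that timed out from the VirusTotal denominator, so a partially scanned file is not scored as clean, and weight the sandbox above static detections, since a freshly packed sample from a campaign like the one above will often have few detections on its first day while its behaviour (process injection, persistence) is already visible.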
Automating the initial malware analysis of incoming alerts ensures that your SecOps team is not busy with VirusTotal lookups and manual analysis—they can focus on more proactive efforts instead of being reactive.
Lock Down Your Digital Identity
The last decade has been one of digital revolution, leading to the rapid adoption of new technology standards, often without the consideration of privacy ramifications. This has left many of us with a less-than-secure trail of digital breadcrumbs—something cybercriminals are more than aware of. Identity theft is by no means a new problem, but the technology revolution has created what some are calling a “global epidemic.”
Securing your digital identity is more important now than ever, and Webroot can help you start.
What is a Digital Identity?
The first step in locking down your digital identity is understanding what it is. A digital identity is the combination of any and all identifying information that can connect a digital persona to an actual person. Digital identities are largely comprised of information freely shared by the user, with social media accounts generally providing the largest amount of data. Other online services like Etsy and eBay, as well as your email and online banking accounts, also contribute to your digital identity. Realistically, any information that can be linked back to you, no matter how seemingly inconsequential, is part of your digital identity.
Digital Identity Theft
Digital identity theft occurs in several ways. A common tactic is social media fraud, where a hacker will impersonate a user by compromising an existing social media account, often messaging friends and family of the user requesting money or additional account information. If unable to gain full control of a genuine social media account, identity thieves will often set up a dummy social media account and impersonate the user using it.
A less widely known form of digital identity fraud is internet-of-things (IoT) identity theft, where an attacker compromises a poorly secured IoT device and uses it as a foothold to reach higher-value devices on the same network. Another growing threat is “SIM swapping”, an attack in which the attacker tricks a mobile provider into moving a legitimate phone number to a SIM card the attacker controls, giving them the SMS-based two-factor authentication (2FA) codes sent to that number.
Even those who don’t consider themselves targets should be aware of these tactics and take steps to lock down their digital identities.
Locking it Down
Reviewing your social media accounts’ privacy settings is one of the easiest things you can do to cut opportunistic identity thieves off from the start. Set your sharing settings to friends only, and scrub any identifying information that could be used to answer security questions, such as your high school, hometown, or pets’ names. Only add people you personally know, and if someone sends you a suspicious link, don’t click it. Phishing, through email or social media messages, remains one of the most prevalent causes of digital identity theft in the world. Your digital identity can be compromised in the physical world as well: old computers that haven’t been properly wiped provide an easy opportunity hackers won’t pass up. Always have outdated devices wiped, for example at a local computer hardware store, before recycling or donating them.
The Right Tools for the Job
This is just the start of a proper digital identity lock-down. Given the sensitive nature of these hacks, we asked Webroot Security Analyst Tyler Moffitt his thoughts on how consumers can protect their digital identities.
“Two-factor authentication in combination with a trusted virtual private network, or VPN, is the crown jewel of privacy lock-down,” Tyler said. “Especially if you use an authenticator app for codes instead of SMS authentication. A VPN is definitely a must… but you can still fall for phishing attempts using a VPN. Using two-factor authentication on all your accounts while using VPN is about as secure as you can get.”
2FA adds a second check on top of your password: proof that you are the one logging in, such as a one-time code from an authenticator app, a hardware security key, or a push notification to a device you already hold. Some services also use signals such as the location of the login attempt to decide when to challenge you.
Because 2FA acts as a trusted gatekeeper, do your research before you commit to a solution. You’ll find some offerings that bundle 2FA with a secure password manager, making the commitment to cybersecurity a little easier. When making your choice, remember that SMS-based 2FA leaves you exposed to SIM swapping; it is better than no 2FA at all, but it is among the least secure 2FA options.
VPNs wrap your data in a cocoon of encryption, keeping it out of sight of prying eyes. This is particularly important when using public WiFi networks, since that’s when your data is at its most vulnerable. Many VPNs are available online, including some free options, but this is yet another instance of getting what you pay for. Many free VPNs are not truly private, with some selling your data to the highest bidder. Keeping your family secure behind a VPN means finding a solution that provides you with the type of comfort that only comes with trust.
The two things that only you can do to keep your identity secure? Constant vigilance and continuous education. Visit the Home+Mobile page on the Webroot blog for a host of resources to help keep you and your family safe online—at home and on the go.
Learn How You Can Get a Running Start with DevSecOps
DevOps is an evolving philosophy, and now is the time–just as you start embracing DevOps in your organization–to start building security into both your DevOps philosophy and processes. DevOps philosophy started with the core principles of W. Edwards Deming’s points on Quality Management, binding the development of services and their delivery to IT Operations. As we apply Deming’s principles to software development and IT organizations, we’re working to improve the overall quality of software systems. Read on to learn how to get a running start with DevSecOps.
Automation is Essential for DevSecOps
We think that automating the process, particularly using Continuous Integration (CI) and Continuous Delivery (CD) tools, is essential for successful adoption of DevSecOps.
- Continuous integration. Allows a developer to integrate changes into the source code mainline as they finish writing a piece of code.
- Continuous delivery. Allows system components to be updated as needed, rather than waiting to deliver component updates in the next full release.
- Continuous deployment (also known as CD). Allows applications to be continuously deployed, often to just part of the user base at first, then later to the entire user base if the deployment is successful.
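What “building security into” those three loops means in practice is a gate that the pipeline runs on every integration, reading the scanner’s output and failing the job on findings a human has not already accepted. The script below is an added example written for this article; it is not Checkmarx’s tooling. Because it reads only standard SARIF 2.1.0 fields, any SAST or dependency scanner that emits SARIF can feed it. The SARIF document is constructed by hand, and the rule ids, file paths, baseline format, and thresholds are assumptions for illustration.

```python
"""Security gate for a CI pipeline: fail the build on new SAST findings.

Added example for this article, not Checkmarx's tooling. The SARIF document,
rule ids, paths, baseline and thresholds below are constructed/assumed.
"""
import json
import sys

# Constructed scanner output in SARIF 2.1.0 shape (three findings).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "LOG-INJ-002", "defaultConfiguration": {"level": "warning"}},
            {"id": "STYLE-003", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001",  # no 'level': inherits the rule's default
             "message": {"text": "SQL query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-INJ-002", "level": "warning",
             "message": {"text": "unsanitised value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/legacy.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "STYLE-003", "level": "note",
             "message": {"text": "unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})

# Findings already reviewed and accepted, keyed rule:file so the same rule
# firing in a different file still blocks. (Assumed baseline format.)
BASELINE = {"LOG-INJ-002:src/legacy.py"}


def load_findings(sarif_text: str) -> list:
    """Flatten SARIF results. A result without 'level' takes its rule's
    defaultConfiguration.level, which the spec defaults to 'warning'."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            level = res.get("level") or rules.get(rule_id, {}).get(
                "defaultConfiguration", {}).get("level", "warning")
            uri, line = "", 0
            for loc in res.get("locations", [])[:1]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
            findings.append({"rule": rule_id, "level": level, "file": uri, "line": line,
                             "text": res.get("message", {}).get("text", "")})
    return findings


def evaluate(findings: list, baseline=frozenset(BASELINE), max_warnings: int = 5) -> dict:
    """Block on any new error-level finding, or on more than max_warnings new warnings."""
    counts = {"error": 0, "warning": 0, "note": 0, "none": 0, "baselined": 0}
    new = []
    for f in findings:
        if f"{f['rule']}:{f['file']}" in baseline:
            counts["baselined"] += 1
            continue
        counts[f["level"]] = counts.get(f["level"], 0) + 1
        new.append(f)
    blocked = counts["error"] > 0 or counts["warning"] > max_warnings
    return {"pass": not blocked, "counts": counts, "new": new}


def main(path=None) -> int:
    """Exit 1 to fail the CI job; with no argument the constructed sample is used."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SARIF
    verdict = evaluate(load_findings(text))
    for f in verdict["new"]:
        print(f"{f['level']:8} {f['rule']:14} {f['file']}:{f['line']}  {f['text']}")
    print("counts:", verdict["counts"], "->", "PASS" if verdict["pass"] else "FAIL")
    return 0 if verdict["pass"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run as `python gate.py results.sarif` from the CI job after the scanner step; a non-zero exit fails the build. The baseline is what makes this workable on an existing codebase: you record the findings already triaged so the gate stops only new ones, and you shrink the baseline as the roadmap (see the SAMM steps below) retires old debt.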
“While enabling organizations to develop software with more efficiency and speed, the DevOps process also dramatically expands risk through software exposure,” said Emmanuel Benzaquen, CEO, Checkmarx.
Beyond the Acronyms Lies a Secure SDLC
For many organizations, DevOps, CI, CD (and CD again) just amount to a lot of acronyms and words that are difficult to turn into their ultimate goal: a secure software development lifecycle (SSDLC). As is so often the case, the Open Web Application Security Project (OWASP) provides a model for integrating security into any existing SDLC, the Software Assurance Maturity Model (SAMM). Applying this model in an organization consists of six basic steps, as follows:
- Prepare: Ensure a proper start of the project by defining scope, identifying stakeholders, and spreading the word so people understand what you’re doing and why.
- Assess: Identify and understand the maturity of your scope in each of the 12 software security practices.
- Set the target: Develop a target score to use to measure against, to guide you to act on the most important activities for your situation.
- Define the plan: Determine a change schedule and develop or update your roadmap plan. It’s important to have a realistic change strategy in terms of number and duration of phases. Identify quick wins you can make early on.
- Implement: Work the plan by implementing all activities in this period, considering their impact on processes, people, knowledge, and tools.
- Roll out: Make sure that improvements are available and visible for everyone involved. Organize training and communicate the improvements to the team, then measure the adoption and effectiveness of the improvements implemented.
Successful Implementation of an SSDLC
It’s easy to say you’re going to implement a secure SDLC, using automation and integration. However, each of those six steps above takes time, energy, evangelizing, training, and much more. CIOs and CISOs seek ways to accelerate the maturity of their DevOps programs, but need help to get started. One way to accelerate that process is with expert services for software security deployment and automation.
Implementing automation into DevSecOps processes is a critical challenge for most organizations. An outside expert can work closely with an organization to help advance its automation capabilities throughout the SDLC. Successful automation is just one part of implementing a secure SDLC; as outlined by OWASP in the steps above, it’s an ongoing process. Checkmarx provides customers with professional services that share the essential guidance to develop and deploy software security programs with automation. Let’s get your organization off to a running start with DevSecOps.