Email is incredibly useful, which is why we all still use it. But chief among its downsides (along with getting caught in a group-cc'd message hell) is that email remains one of the most common routes for hackers to attack businesses.
Around one in every hundred messages sent is a malicious hacking attempt. That might not seem like a large figure, but when millions of messages are sent every day, it adds up -- especially when it takes just one employee to fall victim to a phishing message for a whole organisation to be compromised.
For example, the cyber attack against the Democratic National Committee that led to thousands of private emails being exposed in the run-up to the US Presidential election started with just one successful phishing email, while countless espionage and malware campaigns have also gained entry to organisations via an email-based attack.
But if email leaves us so vulnerable to attempts at hacking, why do we stick with it?
"Email is still the main way that two entities who may not have a relationship get together and communicate. Whether it's a law firm communicating with a business or a candidate applying for a job, email is still the bridge to getting these entities communicating. It's not going away," says Aaron Higbee, co-founder and CTO at anti-phishing company Cofense.
As long as email is here, phishing will also remain a problem -- and while some phishing campaigns are really sophisticated and based around cyber criminals performing deep reconnaissance on targets, other email-based attacks aren't so sophisticated -- and yet are still worryingly successful.
Locky ransomware was often delivered to targets in blank phishing messages containing nothing but an attachment. In the vast majority of cases, people didn't open it, but given how successful Locky was, it's evident that a number of people did. Why did they click the attachment in a blank message?
"At the end of the day, we're people and sometimes we make mistakes. Even careful and aware people could and would click on malicious attachments. Why is that? Because education isn't enough; people will continue to click on things that look suspicious," said Liron Barak, CEO and co-founder at security company Bitdam.
"We can definitely see there's been a rise in email attacks in the last year. And something that I believe is that attackers are becoming more and more sophisticated -- attacks are bypassing Microsoft, Gmail and other channels," she adds.
Many phishing and spam messages do get blocked by mail providers, but there are those that continue to sneak through -- especially into consumer mailboxes, despite the efforts of email providers.
While enterprises might not think too seriously about the actions their employees take using their personal inboxes, those actions could have serious consequences: not only are employees likely to check their own email at the office, many people use their personal email addresses to conduct business -- and that's a security risk.
"One of the lessons that comes up very regularly is that one thing people often do wrong is when they conduct official business out of a consumer mailbox as they often don't understand there's no defence there," says Matthew Gardiner, director of product at email security company Mimecast.
"The lesson is to have good security defences on your business email and then use your business email for business, not your consumer email. Because once they're into your personal account, they could be loading malware onto the machine you use for both," he says.
So, given that this poses a risk to businesses, why is the security of some consumer mailboxes still so poor compared with their enterprise cousins?
"One of the sadder situations is here we are protecting the enterprise and they're getting the full focus and top knowledge to protect them -- but then when you go down to consumers and even small businesses, they're not really looked after by the security industry," says Ken Bagnall, VP of email security at FireEye.
There's also the fundamental problem with email that it's relatively simple to spoof names and addresses, allowing attackers to claim to be anyone -- perhaps celebrities offering prizes, or your boss asking you to look at a document or to make a transfer.
"There's really no embedded security in the basic internet for email. So you can claim to be anyone and send an email and the average person will probably trust that," says Gardiner.
Add to that how the make-up of phishing messages is changing all the time and you have an evolving problem.
"While we continually evaluate and improve our automated screening protocols to help protect users, spam is an industry-wide ongoing challenge. Bad actors and opportunistic promoters quickly alter their approaches, which makes it difficult for any vendor to address 100 percent of spam," says Jeff Jones, senior director at Microsoft.
There are even whole underground marketplaces dedicated to conducting phishing attacks, with professional hackers offering their services to crack specific inboxes.
"Trying to guess what the next step of the attackers will be will always leave us behind, because there's someone else controlling the landscape and trying to evade us and thinking strategically about bypassing security," says Bitdam's Barak.
Much of the issue lies with the fundamental way in which email works and how this method of communication has become so pervasive in our everyday lives.
"For email based phishing to really go away, we're going to have to come together as a world and say this email protocol that was designed decades ago, it just isn't working anymore," says Higbee.
There is one system that could help, and it's called DMARC -- short for "Domain-based Message Authentication, Reporting & Conformance". It's an email authentication protocol that lets receiving mail systems check whether a message genuinely comes from the domain it claims to, complete with a reporting function for ongoing improvement and protection. Many have argued that it would massively reduce spam, but it still isn't widely used in industry as it can be tricky to implement: set up incorrectly, it can block legitimate messages outright.
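The two points above -- that anyone can put any address in a message's From: header, and that a DMARC policy that is published carelessly can reject legitimate mail -- are easiest to see in code. The following is an added example, not code from the article or from any vendor quoted in it. It parses a DMARC record the way a receiving server would, checks whether the SPF- or DKIM-authenticated domain is aligned with the From: domain, and applies the published policy; it also flags record settings that commonly cause over-blocking. All records, domains and authentication results are constructed for illustration, nothing is looked up in DNS, and the organisational-domain logic is simplified (a real implementation uses the Public Suffix List).

```python
"""Added example: apply a DMARC record to a message's authentication results.

Everything below is constructed for illustration. A real receiver fetches the
record from the _dmarc.<domain> TXT record in DNS and uses the Public Suffix
List to find the organisational domain; this version hard-codes both.
"""

POLICIES = ("none", "quarantine", "reject")

# Constructed sample: what a domain owner might publish at _dmarc.example.com
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict, applying defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError(f"missing or unknown p= policy: {tags.get('p')!r}")
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment: r = relaxed, s = strict
    tags.setdefault("pct", "100")   # share of failing mail the policy applies to
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption, not the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """True if the authenticated domain is aligned with the From: domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, action).

    spf_domain is the envelope MAIL FROM domain, dkim_domain the d= of a
    verified signature; each counts only if it passed AND is aligned with the
    From: header domain. That alignment step is what defeats a spoofed From:.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # p=none means deliver anyway but report; quarantine/reject are enforcing
    return "fail", tags["p"]


def review_record(txt):
    """Flag settings that commonly make an enforcing policy reject legitimate mail.

    Constructed heuristics for a deployment checklist, not part of the standard.
    """
    tags = parse_dmarc(txt)
    warnings = []
    if tags["p"] != "none" and "rua" not in tags:
        warnings.append("enforcing policy without rua= reporting: blocked mail is invisible to you")
    if tags["p"] != "none" and (tags["aspf"] == "s" or tags["adkim"] == "s"):
        warnings.append("strict alignment under an enforcing policy: subdomain senders will fail")
    return warnings


if __name__ == "__main__":
    # Constructed message 1: From: header claims example.com, but the envelope
    # sender (and hence the SPF-authenticated domain) is an unrelated domain.
    print(evaluate(EXAMPLE_RECORD, "example.com",
                   spf_domain="mailer-bad.example", spf_pass=True))
    # Constructed message 2: genuinely signed with a DKIM key for example.com.
    print(evaluate(EXAMPLE_RECORD, "example.com",
                   dkim_domain="example.com", dkim_pass=True))
    print(review_record("v=DMARC1; p=reject; aspf=s"))
```

The usual rollout that avoids the over-blocking the article mentions is to publish `p=none` with a `rua=` address first, read the aggregate reports to find every legitimate sender (newsletter tools, ticketing systems, subdomains), fix their SPF and DKIM, and only then move to `quarantine` and `reject`.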
Another solution to this could be a reputation score system -- something that Dr Ian Levy, technical director at the UK's National Cyber Security Agency (NCSC), wants to encourage the industry to pick up. He argues that it could make differentiating between trusted sources and malicious sources much easier for users -- therefore reducing the risk of phishing attacks.
"We're trying to get the industry to do a reputation score," he says. For example, if an email address has been in use for years and has never sent a bad message, that's one thing; an email address registered today via a Tor node and sending its first email may be something that should be treated with a little more caution, he argues. "We want to give people that reputation information about email accounts so they can make decisions."
But for now, this is just an idea, and phishing attacks against email users are as successful as they ever were -- and some are resigned to this continuing to be a problem for a long time to come.
"I saw my first phishing email professionally in 1998 -- and if I thought I'd still be working on this phishing problem in 2018, it would've seemed unimaginable," says Cofense's Higbee. "It's such a huge challenge that in five or ten years from now, the email phishing problem will be the same as it is today."