WHITE PAPER

How Cybercriminals Make Money With Your Email

An Osterman Research White Paper
Published July 2013

SPONSORED BY McAfee

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman
EXECUTIVE SUMMARY

Cybercriminals make enormous amounts of money by exploiting weak defenses in corporate and personal email defenses, deficiencies in corporate policies focused on protecting email users, and user ignorance. Criminals are aided in their efforts by three key trends that are becoming increasingly prevalent:

- Criminals are able to develop highly sophisticated malware because they are well funded, often supported directly by organized criminal groups.
- Many users share large amounts of information through social media and other venues, which enables criminals to obtain useful information about their potential victims that can be used to develop sophisticated spearphishing attacks.
- There are a growing number of devices and access points from which users access email, making it more difficult for organizations to defend against email-borne threats and easier for criminals to exploit weak defenses on a number of levels.

KEY TAKEAWAYS

- Email-delivered malware, as well as the total volume of new malware, is increasing at a rapid pace.
- Cybercriminals use a variety of techniques, including spearphishing, shortened URLs, advanced persistent threats, traditional phishing, man-in-the-middle attacks, spam, botnets, ransomware, scareware and other techniques, to defeat corporate defenses. Scareware is often delivered as a pop-up message, but sometimes is delivered via spam messages in email [i].
- The financial and auxiliary consequences of cybercrime can be enormous and multi-faceted: direct costs of remediating the cybercriminal activity, lost business opportunities, a damaged corporate reputation and the like.
- Cybercrime is a business, albeit a nefarious one, that is driven by fairly traditional business decision-making. The goal of any email defense solution, therefore, is to make continued attacks against an organization unprofitable so that cybercrime activity is reduced.
- To minimize the impact and effectiveness of cybercriminal activity, an organization should undertake an ongoing program of user education, as well as deploy appropriate technologies designed to address new cybercriminal techniques.

ABOUT THIS WHITE PAPER

This white paper focuses on key issues that organizations should address in the context of cybercrime delivered through email, and it offers some practical advice on what organizations should do to protect themselves. It also offers a brief overview of McAfee, the sponsor of this white paper, and its relevant solutions.

WHAT DO CYBERCRIMINALS DO?

THE PROBLEM IS GETTING WORSE

Cybercriminals use a number of methods to deliver email-based threats to their victims, and they do so quite successfully, as evidenced by the following figure, which shows the large proportion of mid-sized and large organizations in North America that have been the victims of email- and Web-based threats during the previous 12 months. Illustrating the seriousness of the malware problem itself, the next figure shows the rapid increase in new malware over the past few years.

© 2013 Osterman Research, Inc.
Figure: Percentage of Organizations Infiltrated by Email-Based Malware, 2007-2012
Source: Osterman Research, Inc. surveys of mid-sized and large organizations
58% of organizations were infiltrated by email-based malware in 2012.

Figure: New Malware Detected (millions of malware programs detected), 2005-2012
Source: AV Test (http://www.av-test.org/en/statistics/malware/)

It's important to note that while we saw something of a hiatus in the infection growth rate from email-based malware during 2011, as well as a flattening in the amount of new malware detected, this may have been due to the March 2011 takedown of the Rustock botnet, a key delivery path for spam and malware that had infected more than 800,000 Windows-based computers [ii].
METHODS USED BY CYBERCRIMINALS

Among the many methods used by cybercriminals are:

Spearphishing

Spearphishing is a more focused variant of phishing in which a single individual or a small group of individuals within a firm is targeted by cybercriminals. Quite often, a company's CFO or CEO will be targeted because they are likely to have access to a company's financial accounts. A common method for gaining access to this information is through delivery of a highly targeted email that contains an attachment or a link; clicking on it will infect the victim's PC with a Trojan that can then be used to harvest login credentials to a bank account. Smaller companies, churches, school districts and similar types of small to mid-sized organizations are among the more common targets of spearphishing attacks because they often lack sophisticated defenses that can protect against these types of attacks.

Spearphishing has been aided to a great extent by social media, since cybercriminals can use content posted to Facebook, Twitter or other social media sites to improve the likelihood of delivering their content. For example, a CFO who posts to Facebook information about their recent online purchase of a new Lytro camera will be very likely to open a malicious email with the subject line "Problem with your Lytro camera order" and to click on any links contained therein.

One spearphishing attack may have derailed Coca-Cola's $2.4 billion acquisition of China Huiyuan Juice Group. Coca-Cola's Pacific Group deputy president received an email from what he thought was the company's CEO, but in reality the email was from a (probably) Chinese firm known as the Comment Group. The email contained malware that allowed the perpetrator to access sensitive content for more than 30 days. Shortly thereafter, the Chinese government blocked the acquisition because of concerns over competition in the beverage industry. [iii]

Short URLs

Shortened URLs that might appear in emails, Tweets, etc. are commonly used to bring unsuspecting victims to malicious sites with the hope of infecting their device with malware. The attraction of a short URL for potential victims is that they fit nicely in character-limited tools like Twitter, and they can also condense very long links into a short URL when used in non-HTML emails. More importantly for cybercriminals, they mask the identity of the malicious site, hiding it both from individuals who might be suspicious when reviewing the URL and from automated systems.

Advanced Persistent Threats

Advanced Persistent Threats (APTs) are protracted attacks against a government, company or some other entity by cybercriminals. Underscoring the seriousness of APTs is the fact that these threats are generally directed by human agents (as opposed to botnets) who are intent on penetrating corporate or other defenses; they are not simply random or automated threats looking for targets of opportunity. As a result, those responsible for APTs will change tactics as they encounter resistance to their attacks by their targets, such as the deployment of new defense mechanisms.

Phishing

A phishing attack is a campaign by a cybercriminal designed to penetrate anti-spam and/or anti-malware defenses. The goals of such an attack can include infection of users' PCs for the purpose of stealing login credentials, gaining access to corporate financial accounts, stealing intellectual property, searching through an organization's content, or simply gaining access for a purpose to be determined at a later date. Email is a useful threat vector for phishing attacks and can be quite successful for cybercriminals. For example, a common phishing scheme is to send an email citing UPS' inability to deliver a package and requesting that the user click on a link to print an invoice.

THE EASE OF GATHERING INFORMATION THROUGH SOCIAL MEDIA

To see how much information we could gather on a senior executive, in late February 2013 Osterman Research chose a company at random in Kent, Washington after doing a quick Google search for companies in the area. Our researcher then visited this company's Web site, found an owner listed, and then searched for his name on Facebook. Although Osterman Research has no relationship with this individual, a quick look at his wall revealed his former employers, where he went to high school, the fact that he is also a realtor, where he had lunch last Friday, his phone number, information about his Washington State Ferry ride on the previous Tuesday, information about an upcoming company event in early March 2013, the names of two people who gave him gifts in late January 2013, and what he had for dessert on January 13, 2013. A cybercriminal could have used any of this information to craft a spearphishing email with a subject line that would likely have attracted his attention and made it more likely for him to click on a link to a malware site that might have infected his PC.

Man-in-the-Middle Attacks

A man-in-the-middle attack is one in which a third party intercepts messages between two parties when both parties are attempting to exchange public keys. In essence, the third party impersonates both recipient and sender, so that the two legitimate parties think they are communicating with each other, when in fact each is communicating directly with the unauthorized third party. The result of a man-in-the-middle attack can be relatively innocuous, with the third party simply listening in on a conversation; or it can be more malicious and result in the loss of network credentials or sensitive information.
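The phishing lure described above (a delivery notice asking the user to click a link) and the masking effect of short URLs both come down to what a link's visible text promises versus where its href actually points. The following Python script is an added example, not code from the Osterman Research paper or from any McAfee product: it extracts every anchor from a constructed HTML email body and flags two things a mail gateway or a cautious reader would want to know, a displayed host that differs from the real host behind the link, and a link that goes through a URL shortener and therefore hides its destination. The shortener list and the sample message are constructed for the example.

```python
"""Flag links in an HTML email whose visible text does not match their real
destination, or whose destination is hidden behind a URL shortener."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of shortener hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Does a piece of anchor text look like a URL or a bare domain name?
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(url):
    """Lowercase hostname of a URL with a leading 'www.' removed, or '' if none."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def displayed_host(text):
    """Host implied by the anchor's visible text, or '' for plain words
    such as 'click here' that promise no particular destination."""
    candidate = text.strip()
    if not DOMAIN_LIKE.match(candidate):
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return host_of(candidate)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyze_links(html_body):
    """Return (href, text, reason) for every link that deserves a second look."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        shown = displayed_host(text)
        if shown and shown != actual:
            findings.append((href, text, f"displayed host {shown!r} != actual host {actual!r}"))
        elif actual in SHORTENER_HOSTS:
            findings.append((href, text, f"destination hidden behind shortener {actual!r}"))
    return findings


# Constructed sample modeled on the delivery-notice lure; the shortener path is a placeholder.
SAMPLE_EMAIL = """
<p>UPS was unable to deliver your package.</p>
<p>Print your invoice at <a href="http://bit.ly/EXAMPLE-PLACEHOLDER">www.ups.com/invoice</a>
or <a href="http://example.net/track">track it here</a>.
See also <a href="http://ups.com/help">ups.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in analyze_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

On the sample message only the first link is reported: its text advertises ups.com while the href goes to a shortener. The second link uses neutral text and a visible destination, and the third link's text and href agree, so neither is flagged.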
Spam

While in some ways spam is less of a problem today than it was before the successful takedown of various botnets at the end of 2010 and early 2011, it remains a serious and vexing problem for organizations of all sizes. Spam consumes storage and bandwidth on corporate servers, users must scan spam quarantines to ensure that valid messages have not been misidentified and placed into the quarantine, and malicious content can mistakenly be withdrawn from a spam quarantine, thereby increasing the potential for infecting one or more PCs on the corporate network.

Spam filters can often be defeated by simple text obfuscation like the misspelling of particular words, Bayesian poisoning (the introduction of valid text into spam messages to make them look legitimate), the use of various HTML techniques to trick spam filters, the use of various languages, etc. Spam filters that use less sophisticated filtering techniques and Bayesian approaches to filtering can be fooled by these tactics.

Spam that contains attachments used to be quite common as a means of delivering malware. While not as common today, spam with malicious attachments still finds its way into many organizations. PDF files, images, calendar invitations, spreadsheets and zip files are all used as payloads to carry malicious content.
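The obfuscation tricks just listed (misspelled or character-substituted words, HTML tags and comments used to break up text) defeat a filter only if the filter scores the raw text. The following Python example, added here and not code from the paper or from McAfee, puts a normalization layer in front of a minimal naive Bayes classifier and compares it with the same classifier fed plain lowercased text. The training corpus, the look-alike character table and the obfuscated message are all constructed for the example; a production filter would use far larger versions of each.

```python
"""Token normalization in front of a naive Bayes spam filter, as a defense
against HTML-inserted tags/comments, punctuation inside words and
digit-for-letter substitutions."""
import math
import re
from collections import Counter

# Constructed look-alike table (real filters use much larger ones).
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                            "7": "t", "$": "s", "@": "a", "!": "i"})
TAG_OR_COMMENT = re.compile(r"<!--.*?-->|<[^>]+>", re.S)
INTRA_WORD_PUNCT = re.compile(r"(?<=\w)[.*_\-](?=\w)")   # f.r.e.e -> free


def deobfuscate_word(word):
    """Undo look-alike substitutions only in words that contain letters,
    so plain numbers such as 2013 are left alone."""
    return word.translate(LOOKALIKES) if re.search(r"[a-z]", word) else word


def normalize(text):
    """Strip HTML, lowercase, join punctuation-split words, map look-alikes."""
    text = TAG_OR_COMMENT.sub(" ", text).lower()
    text = INTRA_WORD_PUNCT.sub("", text)
    return " ".join(deobfuscate_word(w) for w in text.split())


def tokens(text, normalizer=normalize):
    return re.findall(r"[a-z]{2,}", normalizer(text))


class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace smoothing over two classes."""

    def __init__(self, normalizer=normalize):
        self.normalizer = normalizer
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.word_counts[label].update(tokens(text, self.normalizer))
        self.doc_counts[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.word_counts["spam"]) | set(self.word_counts["ham"]))
        total_docs = sum(self.doc_counts.values())
        log_prob = {}
        for label in ("spam", "ham"):
            total_words = sum(self.word_counts[label].values())
            lp = math.log(self.doc_counts[label] / total_docs)
            for tok in tokens(text, self.normalizer):
                lp += math.log((self.word_counts[label][tok] + 1) / (total_words + vocab))
            log_prob[label] = lp
        return 1.0 / (1.0 + math.exp(log_prob["ham"] - log_prob["spam"]))


# Constructed training corpus.
TRAINING = [
    ("free discount cheap pills order now", "spam"),
    ("cheap meds free shipping order today", "spam"),
    ("win free money claim your prize now", "spam"),
    ("meeting agenda attached please review", "ham"),
    ("lunch tomorrow at noon", "ham"),
    ("quarterly report draft attached for review", "ham"),
]

# Constructed obfuscated spam: the same words as the first training line.
OBFUSCATED = "Fr.ee d!sc0unt <b>ch3ap</b> p!lls, 0rd3r n0w.<!-- hidden text -->"


def build_filter(normalizer):
    f = NaiveBayesFilter(normalizer)
    for text, label in TRAINING:
        f.train(text, label)
    return f


if __name__ == "__main__":
    print("tokens after normalization:", tokens(OBFUSCATED))
    print("raw-text filter   :", round(build_filter(str.lower).spam_probability(OBFUSCATED), 3))
    print("normalized filter :", round(build_filter(normalize).spam_probability(OBFUSCATED), 3))
```

With only lowercasing, the obfuscated message breaks into fragments the classifier has never seen and scores below 0.5; after normalization it reduces to the training tokens and scores as spam with near certainty, while an ordinary business message stays low. The normalization is deliberately lossy (it would also alter a real word such as "e-mail"), which is the usual trade-off in this layer.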
Botnets

Cybercriminals often use botnets that consist of tens of thousands of zombie devices: personal and workplace devices that are infected with a virus, worm or Trojan that permits them to be controlled by a remote entity. Spammers can rent botnets for distribution of their content, typically at relatively modest rates. By using botnets, cybercriminals can send a small number of messages from each of thousands of computers, effectively hiding each sending source from detection by ISPs or network administrators using traditional detection tools. Botnets are a serious problem not only because they are responsible for a large proportion of spam sent today, but also because they are used for a range of purposes beyond simple spam delivery: perpetrating distributed denial-of-service attacks, click fraud and credit card fraud. Botnets are successful because they can be difficult to detect and to take down.

Ransomware

Ransomware is a type of cybercriminal attack, most often introduced to a PC by an email-delivered or other worm, in which a user's PC is locked or its files encrypted until a ransom is paid to a cybercriminal. For example, one variant of ransomware, Reveton, is a drive-by virus that displays a message informing victims that they have downloaded child pornography or pirated material, demanding payment of a fine to restore access to their PC. During two days in May 2012, victims paid a total of more than $88,000 to cybercriminals to restore access to their PC.

Scareware

Scareware is a less invasive form of ransomware in that it warns users that their PC is infected with malware, often reporting the discovery of thousands of different instances of malware. It then offers to disinfect the computer by offering anti-virus software for a nominal fee. While the fee is typically on the order of $40 (albeit for software that does nothing), the real damage often results from providing cybercriminals with a valid credit card number and CVV code. Scareware is often delivered as a pop-up message, but sometimes is delivered via spam messages in email [iv].
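The botnet paragraph above explains why per-source volume thresholds miss botnet spam: each infected machine sends only a handful of messages. The Python example below is added here and is not code from the paper or from McAfee. It assumes a constructed MTA log format in which each accepted message is logged with the client IP and a content fingerprint (for instance a hash of the normalized body, which the organization's own gateway would have to compute). It shows the per-source check finding nothing while a grouping by fingerprint exposes the campaign: many sources, each below the threshold, all carrying the same content. The log lines use RFC 5737 test addresses and made-up fingerprints.

```python
"""Detect a botnet-distributed spam campaign in MTA logs: many sending
sources, each contributing only a few messages, all sharing one content
fingerprint. A per-IP volume threshold misses it; grouping by fingerprint
does not."""
import re
from collections import defaultdict

# Constructed log format: client IP plus a per-message content fingerprint.
LOG_RE = re.compile(r"client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?fingerprint=(?P<fp>[0-9a-f]+)")

# Constructed sample: 8 bots send one copy each of fingerprint c0ffee01;
# a legitimate newsletter host sends 3 copies of feedbeef; one ordinary message.
SAMPLE_LOG = """\
Jul  1 09:00:01 mx1 smtpd: client=203.0.113.10 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<alice@corp.example>
Jul  1 09:00:04 mx1 smtpd: client=203.0.113.11 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<bob@corp.example>
Jul  1 09:00:09 mx1 smtpd: client=203.0.113.12 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<carol@corp.example>
Jul  1 09:00:15 mx1 smtpd: client=203.0.113.13 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<dave@corp.example>
Jul  1 09:00:21 mx1 smtpd: client=203.0.113.14 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<erin@corp.example>
Jul  1 09:00:30 mx1 smtpd: client=203.0.113.15 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<frank@corp.example>
Jul  1 09:00:33 mx1 smtpd: client=203.0.113.16 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<grace@corp.example>
Jul  1 09:00:41 mx1 smtpd: client=203.0.113.17 from=<promo@lure.example> fingerprint=c0ffee01 rcpt=<heidi@corp.example>
Jul  1 09:01:02 mx1 smtpd: client=198.51.100.5 from=<news@partner.example> fingerprint=feedbeef rcpt=<alice@corp.example>
Jul  1 09:01:03 mx1 smtpd: client=198.51.100.5 from=<news@partner.example> fingerprint=feedbeef rcpt=<bob@corp.example>
Jul  1 09:01:04 mx1 smtpd: client=198.51.100.5 from=<news@partner.example> fingerprint=feedbeef rcpt=<carol@corp.example>
Jul  1 09:02:10 mx1 smtpd: client=198.51.100.9 from=<pat@vendor.example> fingerprint=0badf00d rcpt=<dave@corp.example>
"""


def parse(lines):
    """Yield (client_ip, fingerprint) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("fp")


def per_source_counts(lines):
    counts = defaultdict(int)
    for ip, _ in parse(lines):
        counts[ip] += 1
    return dict(counts)


def flag_high_volume_sources(lines, max_per_source=5):
    """The traditional check: sources that exceed a per-IP message threshold."""
    return sorted(ip for ip, n in per_source_counts(lines).items() if n > max_per_source)


def find_distributed_campaigns(lines, min_sources=5, max_per_source=2):
    """Campaigns where at least min_sources distinct IPs sent the same
    fingerprint while each stayed at or below max_per_source messages."""
    by_fp = defaultdict(lambda: defaultdict(int))
    for ip, fp in parse(lines):
        by_fp[fp][ip] += 1
    campaigns = []
    for fp, sources in by_fp.items():
        if len(sources) >= min_sources and max(sources.values()) <= max_per_source:
            campaigns.append({"fingerprint": fp, "sources": len(sources),
                              "messages": sum(sources.values())})
    return sorted(campaigns, key=lambda c: c["sources"], reverse=True)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("high-volume sources:", flag_high_volume_sources(lines))
    print("distributed campaigns:", find_distributed_campaigns(lines))
```

The per-IP check returns nothing because no source sent more than three messages; the fingerprint grouping returns the eight-source campaign and ignores the newsletter, which came from a single host. The thresholds are parameters so they can be tuned to an organization's own traffic.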
State-sponsored malware

One example of state-sponsored malware is Stuxnet. This malware was designed to target a particular type of Siemens controller used in Iran's uranium enrichment plant at Natanz, Iran, and was set to expire in June 2012 (although the malware propagated globally before its expiration date). While the malware was not designed to attack companies or consumers, it was a good example of how malware can be designed to go after a specific type of target and remain undetected by its victim.

BENEFITS REALIZED BY CYBERCRIMINALS

First and foremost, it is essential to understand that cybercrime is a business, an illegitimate one to be sure, but one that is guided by fundamental business principles focused on the benefits to be gained from a particular activity, return-on-investment considerations, investments in research and development, and the like.

The benefits to cybercriminals from their activities are substantial. For example, cybercriminals that use phishing, spearphishing or other techniques can steal enormous amounts of money in a short period of time, as discussed below. Cybercriminals can also gain access to confidential information, intellectual property, Protected Health Information, or other information that might prove valuable at present or at a future date.

THE CONSEQUENCES TO BUSINESS AND GOVERNMENT

The flip side of the benefit to cybercriminals is the pain experienced by their victims. Aside from the direct financial losses that can result, an organization that falls victim to email-based or other types of cybercrime can suffer a loss of reputation as news of the problem is reported in the press or among their customer base. Some customers may cancel orders or switch to a different supplier if they determine they can no longer trust the victims of cybercrime to safeguard their own data and, by extension, the data provided to them by their customers or business partners. The negative publicity alone can actually be worse than the loss of funds.

DATA BREACHES

Among the more serious and expensive consequences of email-based or other cybercrime is the breach of customer data. Because 46 of the 50 US states, one Canadian province and many countries around the world have data breach notification laws in place, organizations that are victims of cybercrime and a resulting data breach are liable for notifying the affected parties about the breach. Aside from the direct cost of notifying customers about the breach is the potentially much higher cost of losing customers who are upset about the loss of their data, paying for credit reporting services for customers as a means of ameliorating their concerns, and the negative publicity that can result.

Underscoring the seriousness of data breaches is the sheer magnitude of the problem. For example, the Privacy Rights Clearinghouse maintains a database of data breaches dating back to 2005. Since they have been keeping records, there have been 3,680 data breaches made public as of mid-April 2013, resulting in the breach of 607.5 million records. Among the data breaches published are the following two examples that illustrate just how serious the problem has become:

- Reported in March 2013, Uniontown Hospital (Uniontown, PA) was the victim of one or more hackers who accessed patient information, including encrypted passwords, contact names, email addresses and usernames.
- Between May and November 2012, a computer used by an employee of St. Mark's Medical Center (La Grange, TX) was infected by malware, resulting in potential exposure of sensitive content, including patient billing information that was stored on the device.

DRAINING OF FINANCIAL ACCOUNTS

A variety of organizations have been targeted with keystroke loggers like Zeus that allow criminals to transfer funds out of corporate financial accounts. There have been a number of cases of this type of theft, many targeted at small and mid-sized organizations as noted earlier, resulting in major financial losses, as in the examples below:

- Hillary Machinery: $800,000 [v] (its bank was able to recover only $600,000)
- The Catholic Diocese of Des Moines: $600,000 [vi]
- Patco: $588,000 [vii]
- Western Beaver County School District: $700,000 [viii]
- Experi-Metal, Inc.: $560,000 [ix]
- Village View Escrow: $465,000 [x]
- An unidentified construction company in California: $447,000 [xi]
- Choice Escrow: $440,000 [xii]
- The Government of Bullitt County, Kentucky: $415,000 [xiii]
- The Town of Poughkeepsie, New York: $378,000 [xiv]
- An unidentified solid waste management company in New York: $150,000 [xv]
- An unidentified law firm in South Carolina: $78,421 [xvi]
- Slack Auto Parts: $75,000 [xvii]
BEST PRACTICES TO ADDRESS THE PROBLEM

To protect against email-borne threats, organizations should undertake a two-pronged course of action:

Train users

Most will agree that despite the enormous amounts spent on email security solutions, users are still the weak link in the security chain. The primary reason for this is that increasingly they are the targets, often supplying cybercriminals with the information they need by posting detailed personal information on social networks and other sites. Moreover, criminals can often harvest many corporate email addresses and use them to launch a phishing or spearphishing attack against a company's employees. Smaller organizations are typically most vulnerable to attack because they often lack the budget or expertise to thwart sophisticated attacks.

While users cannot prevent all attacks, they should be considered the first line of defense in any email-based defense system. Consequently, users should be trained to take a common-sense approach to managing email. Although the following recommendations seem obvious, many users are guilty of violating these basic provisions, often because they are rushed in their work or simply are not sufficiently cautious when dealing with email:

- Do not click on links in email from unknown sources.
- Do not re-use passwords, and change them frequently.
- Do not connect to unsecured Wi-Fi hotspots, such as might be found in a coffee shop, at an airport, etc.
- Double-check the URL of links that seem legitimate before clicking on them. Although the URL displayed may not match the URL behind the link, many email clients will display the actual URL upon mouseover.
- If an email is trapped in spam quarantine, assume that the spam-filtering system accurately trapped the email; do not assume it is a false positive unless you are absolutely certain that it is.
- Do not send sensitive content via email without encrypting either the content or the message.
- Be careful to ensure that sensitive content is not openly posted on social media sites, particularly those that are used for corporate purposes.

While initial training is important, ongoing training that is designed to remind employees of new cyberthreats, new spam and malware techniques, etc. is essential as a means of maintaining a robust defense posture. This might include sending simulated phishing emails to employees to determine the effectiveness of employee training, how carefully employees pay attention to their training, etc. The goal is to provide a feedback loop that consists of testing, training, testing and remediation. Employees who fall prey to simulated phishing attempts or other cyberthreats can receive additional training or other remediation education designed to help them become more careful when inspecting their email.

Implement the appropriate technologies

The next and more important step is to implement the appropriate technologies that will thwart cybercriminal activity. This should include a layered defense system designed to:

- Filter spam with a high degree of accuracy and a minimum of false positives.
- Detect incoming malware, denial-of-service attacks, zero-day threats, phishing and spearphishing attempts, blended threats, bounceback attacks and other threats.
- Detect threats that are presented in short URLs.
- Evaluate solutions that offer not just protection at the time the message is scanned, but at the time the message is clicked; in other words, protect the user from the click. Criminals often get past defenses with unknown or good-reputation URLs and switch the URL's intent once it has gone through the initial defenses.
- Integrate with other systems, including DLP, encryption and other capabilities, in order to provide an integrated solution that can be managed from a single pane of glass.

Moreover, the solution should be deployable via a variety of delivery modes, including on-premise servers, virtualized servers and in the cloud.

About McAfee

McAfee Email Protection delivers integrated inbound protection, outbound data protection, and flexibility of deployment models in an integrated, easy-to-use solution. Fueled by McAfee's Global Threat Intelligence, Email Protection defends organizations against inbound threats such as malware, shortened URLs, phishing, graymail and spam. McAfee ClickProtect, a core feature of McAfee Email Protection, keeps users from falling victim to embedded malicious links within emails. ClickProtect checks for changes in URL intent occurring between the time the message is scanned (scan-time), regardless of how harmless it may have appeared, and when the URL is clicked by a user (click-time). At click-time, a safe preview may be displayed to the end user to apply their own discretion. Should the URL proceed to be loaded, a full proactive emulation of the URL content is conducted to provide industry-leading zero-hour malware detection rates, leveraging the same technology in McAfee Web Protection. Administrators have flexibility to configure scan-time and click-time policies, create custom warning notifications, and enable URL emulation to protect users from the click.

Forensic reporting of every URL-related event provides administrators unprecedented control and decision support. Robust outbound capabilities include encryption and content policy enforcement to keep outgoing data in emails safe from innocent mistakes and bad actors. Additional capabilities include 114+ pre-built compliance templates, deep content scanning of 300+ file types, and data loss prevention technologies. Customers have the flexibility to deploy on-site (virtual appliances, hardware appliances, blade servers), in the cloud (SaaS), or as an integrated hybrid combination of the two. For more information, please visit www.mcafee.com/emailsecurity.
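The recommendation to "protect the user from the click" and the scan-time versus click-time distinction rest on one observation: a redirect or shortener can be repointed after a message has passed inbound scanning. The Python example below is an added illustration of that logic, not McAfee's ClickProtect code or anything from the paper. To run offline it resolves redirects against an in-memory table (constructed) instead of issuing HTTP requests; a real gateway would follow each hop with a request that does not auto-follow redirects. It records the redirect chain at scan time, re-resolves it at click time, blocks on a blocklist hit or a redirect loop, and returns a "warn" verdict (the point at which a safe preview would be shown) when the final destination host has changed since the scan. The blocklist and all URLs are constructed and use reserved example/invalid names.

```python
"""Scan-time versus click-time evaluation of a link's redirect chain."""
from dataclasses import dataclass
from urllib.parse import urlparse

MAX_HOPS = 10
# Constructed blocklist; a real deployment would use threat-intelligence feeds.
BLOCKLIST = {"malware.invalid"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(url, redirects):
    """Follow redirects in the given table (url -> next url), stopping at
    MAX_HOPS or as soon as a URL repeats, so a loop cannot run forever."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= MAX_HOPS:
        nxt = redirects[chain[-1]]
        chain.append(nxt)
        if chain.count(nxt) > 1:
            break
    return chain


def verdict_for(chain):
    """'block' if any hop is blocklisted or the chain loops or is too long."""
    if any(host_of(u) in BLOCKLIST for u in chain):
        return "block"
    if len(chain) > MAX_HOPS or len(set(chain)) < len(chain):
        return "block"
    return "allow"


@dataclass
class LinkRecord:
    """What the gateway stores per link when the message is scanned."""
    original: str
    scan_chain: list
    scan_verdict: str


def scan_time_check(url, redirects):
    chain = resolve_chain(url, redirects)
    return LinkRecord(url, chain, verdict_for(chain))


def click_time_check(record, redirects):
    """Re-resolve at click time. Returns (verdict, chain): 'block' on a
    blocklist hit or loop, 'warn' if the final host differs from scan time
    (the URL's intent changed), otherwise 'allow'."""
    chain = resolve_chain(record.original, redirects)
    verdict = verdict_for(chain)
    if verdict == "block":
        return "block", chain
    if host_of(chain[-1]) != host_of(record.scan_chain[-1]):
        return "warn", chain
    return "allow", chain


# Constructed scenario: the shortener target is harmless when scanned and is
# repointed before the user clicks.
LINK = "http://short.example/abc"
AT_SCAN_TIME = {LINK: "http://promo.example/offer"}
REPOINTED_TO_BLOCKLISTED = {LINK: "http://malware.invalid/drop"}
REPOINTED_TO_UNKNOWN = {LINK: "http://other.example/landing"}

if __name__ == "__main__":
    record = scan_time_check(LINK, AT_SCAN_TIME)
    print("scan-time :", record.scan_verdict, record.scan_chain)
    for name, table in [("unchanged", AT_SCAN_TIME),
                        ("repointed to blocklisted host", REPOINTED_TO_BLOCKLISTED),
                        ("repointed to unknown host", REPOINTED_TO_UNKNOWN)]:
        print(f"click-time ({name}):", click_time_check(record, table))
```

The scan-time verdict is "allow" because the chain ends at a host that is not blocklisted; the same record later yields "block" when the shortener points at a blocklisted host and "warn" when it points somewhere merely different, which is exactly the change of intent that a scan-time-only check cannot see.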
© 2013 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
i http://www.net-security.org/malware_news.php?id=1772
ii http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet/
iii http://www.bbc.co.uk/news/business-21371608
iv http://www.net-security.org/malware_news.php?id=1772
v http://rixstep.com/1/1/20100126,00.shtml
vi http://krebsonsecurity.com/tag/catholic-diocese-of-des-moines/
vii http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html
viii http://www.post-gazette.com/pg/09195/983738-57.stm
ix http://www.computerworld.com/s/article/9156558/michigan_firm_sues_bank_over_theft_of_560_000_
x http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/
xi http://www.technologyreview.com/computing/23488/?a=f
xii http://www.bankinfosecurity.com/articles.php?art_id=3159&pg=1
xiii http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html
xiv http://www.computerworld.com/s/article/9153598/poughkeepsie_n.y._slams_bank_for_378_000_online_theft
xv http://www.suite101.com/content/protect-yourself-against-banking-crimeware-a156086
xvi http://www.abajournal.com/news/article/doj_says_massive_decade-old_botnet_helped_web_thieves_steal_millions/
xvii http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html