The death of the email attack 'campaign'

So long and (no) thanks for all the phish


Sponsored

By the time we hit 50, most of us start slowing down. Not so for email. As the technology hits its half-century next year, it's speeding up. Malicious emails are more ubiquitous than ever, and experts are seeing a worrying trend: Phishing campaigns are becoming faster, and smarter.

Email remains a primary attack vector for a growing tide of online crime. When a cyber criminal tries to infiltrate your organization, steal your credentials, or part you from your money, the chances are that they'll come calling via email first. According to the Darktrace 2020 Email Security Threat report, 94 per cent of attacks on business networks begin via this attack vector.

And yet, the notion of the traditional email attack campaign is dying. Hackers are no longer using the same attack infrastructure to send thousands of emails across a period of several days. Such infrastructure, comprising domains, IP addresses, and file hashes, is continuously being updated. According to Darktrace, the average lifecycle of an email attack has collapsed in the last two years from 2.1 days to 0.5 days. As this number tends towards zero, traditional security measures that rely on tracking 'campaigns' of similar attacks are becoming increasingly redundant.

A rising tide of phish

Phishing is one of the most common email attack techniques. According to the APWG (Anti-Phishing Working Group) the number of phishing sites detected in the first quarter of 2020 was 165,772, up from the 162,155 observed in the fourth quarter of 2019.

Phishers use several measures to avoid detection by email security tools. These include cloaking, in which phishing websites watch for queries from anti-phishing systems and adjust their content to seem legitimate. They watch for parameters like IP address, geolocation, user agent, and browser fingerprints.

They also use redirection links to hide their ultimate destination URLs. This is an effective technique because URLs are still the primary indicator of compromise for conventional anti-phishing systems.

Even if an anti-phishing tool doesn't spot a malicious link, there's still an opportunity for detection. A user may report a suspicious email themselves by checking a box in their email client or forwarding it to the security team. That could trigger an analysis that enables the security team to update the anti-phishing system manually.

Racing to protect the victim

Ideally, this will all happen before the first user gets nobbled by a phishing email, but in practice, that rarely happens. There's typically some collateral damage and some severe ramifications.

The phishing email might direct the user to a fraudulent site that collects their personal or work account credentials. An attacker could use those credentials to access the user's account and could also use them for credential stuffing attacks on other systems. That means a successful phishing attack on a user's personal Gmail account could also yield access to enterprise resources.

Phishing attacks could also directly infect a user's system via an infected attachment or by directing them to a site containing an exploit kit that delivers a drive-by download.

A malicious mail these days might not involve any credential stealing or network infection at all. Instead, it focuses on manipulating the victim. In a business email compromise (BEC), an attacker fools a victim with access to company purse strings, persuading them to make an apparently legitimate payment by impersonating a senior executive or supplier.

These attackers use classic social engineering tricks such as creating a sense of urgency. BECs are on the rise, with the FBI reporting $1.7bn in losses during 2019 (up from $1.3bn during the prior year). It equates to around $71,500 per attack. That's a big penalty for missing a malicious email using your antiquated spam detection tool.

A big catch from a small phish

Highly targeted BEC attacks illustrate a new trend in malicious email campaigns: shorter campaign life cycles. Along with cloaking and redirection, an effective way to blind email detection systems is to shorten the active time period for a campaign. The probability of detection increases the longer an email campaign lasts, so cyber criminals are limiting the life span of malicious emails and making them more disposable.

A group of security researchers from Google, PayPal, Samsung, and Arizona State University quantified that trend in a study delivered at Usenix this year. They analysed phishing campaigns using data in the 12 months to September 30 2019, charting over 22.5 million visits to more than 404,000 phishing pages. One pattern was clear: phishing campaigns are fast and disposable.

The average time between the first victim visit to a phishing page and the last was 21 hours. The research also showed that detection mechanisms aren't keeping up with this compression in phishing campaign times. On average, anti-phishing organisations took nine hours after the first user visit to detect the attack.

The researchers called the period during which attackers can target their victims with impunity the 'golden hours', and this period was long enough for criminals to hurt a substantial proportion of victims. While updating browsers to detect the phishing sites and alert users disrupted the campaign within an hour, users kept getting pwned. Over a third of all visits (nearly 38 per cent) happened after attack detection. In fact, it took another seven hours to reach 'peak mitigation'. That creates 16 golden hours for phishers to do their worst.

Darktrace believes that the lifetime of an email attack is falling still further. In a random sample of 100,000 malicious emails, it found the mean lifetime of a fraudulent email dropped from 2.1 days in March 2018 to just 12 hours this year.

A shoal of different phish

Shortening the lifetime of an email means that criminals must figure out other ways to sustain their victim count. They still have to hit the same number of people to keep their yields up. Darktrace's analysis revealed their tactic: as they shorten the length of an email campaign, attackers are also switching their focus to breadth. Instead of relying on one email that floats around the internet for days, they're sending lots of email variants but using them for shorter periods.

Aside from changing the language, attackers increase the diversity of their emails by varying the domains they use to lure victims with their phishing campaigns. They know that domains will eventually make their way onto the naughty list, so they register them in bulk and discard them quickly after use. The anti-phishing groups that maintain databases of known malicious URLs can't keep up.

Increasing the diversity of malicious emails enables attackers to hit smaller numbers of users with the same email. That, combined with the shorter campaign life cycle, makes it harder still for companies to spot phishing attacks.

It isn't just the phishing emails themselves that are short-lived; the phishing kits that distribute them are also becoming more disposable. Akamai's 2019 State of the Internet report on phishing found that over 60% of the phishing kits it tracked were active for fewer than 20 days. Criminals kept changing them in a race against security teams.

Swim faster, swim different

How can security teams tackle a threat that is becoming more ephemeral each year? The answer lies in the email security gateways that they use to protect users against these attacks. The key to defeating the email threat is to drive detection times lower still, matching the shifting pattern of email attacks. To do that, security teams must rethink their entire approach to email security.

Legacy gateways aren't up to the job. They frequently rely on email and domain blacklists. As the life cycle of a malicious email campaign decreases, their success will continue to fall. Increasingly, companies will find that by the time email detection systems or browser-based blacklists are updated, the damage has already been done. Instead, IT teams are turning to a self-learning approach to email security that tackles threat detection differently.

AI systems like Darktrace's don't rely on blacklists at all. They examine the broader history of email and network activity within the organisation to determine what's normal in day-to-day operations. This includes historical interaction with a domain at both an individual and an organisational level, along with the similarity between different domains.

The technology uses a combination of supervised and unsupervised machine learning to extract common patterns across hundreds of data points like these. These common patterns give the tool a sense of normality. It means that instead of trying to spot malicious indicators of compromise that no one has documented yet, it can spot things that look out of place.
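As an added illustration of the baselining idea described above (this is example code written for this page, not Darktrace's product or a description of its models), the sketch below scores an inbound email by whether its sender domain is new to the recipient or to the whole organisation, and whether a never-seen domain resembles one the organisation already corresponds with. The history and domain names are constructed sample data.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample of past (recipient, sender domain) pairs the organisation has seen.
HISTORY = [
    ("alice@example.org", "supplier-corp.com"),
    ("alice@example.org", "supplier-corp.com"),
    ("bob@example.org", "supplier-corp.com"),
    ("bob@example.org", "bank-payments.net"),
    ("carol@example.org", "example.org"),
]

def build_baseline(history):
    """Count how often each recipient, and the organisation overall, saw each sender domain."""
    per_user = defaultdict(lambda: defaultdict(int))
    org = defaultdict(int)
    for rcpt, domain in history:
        per_user[rcpt][domain] += 1
        org[domain] += 1
    return per_user, org

def closest_known(domain, known, threshold=0.8):
    """Most similar known domain (exact matches excluded); None unless similarity >= threshold."""
    best, best_sim = None, 0.0
    for k in known:
        sim = SequenceMatcher(None, domain, k).ratio()
        if k != domain and sim > best_sim:
            best, best_sim = k, sim
    return (best, best_sim) if best_sim >= threshold else (None, best_sim)

def score_email(rcpt, sender_domain, baseline):
    """Anomaly score 0-100 plus reasons; higher means further from the learned 'normal'."""
    per_user, org = baseline
    score, reasons = 0, []
    if org.get(sender_domain, 0) == 0:
        score += 40
        reasons.append("sender domain never seen by the organisation")
        lookalike, sim = closest_known(sender_domain, org)  # unseen AND near a trusted name
        if lookalike:
            score += 45
            reasons.append(f"resembles known domain {lookalike} (similarity {sim:.2f})")
    elif per_user[rcpt].get(sender_domain, 0) == 0:
        score += 15
        reasons.append("sender domain is new for this recipient")
    return score, reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for rcpt, dom in [("alice@example.org", "supplier-corp.com"),
                      ("alice@example.org", "bank-payments.net"),
                      ("alice@example.org", "supplier-c0rp.com")]:
        print(rcpt, dom, score_email(rcpt, dom, baseline))
```

A real deployment would add many more signals (sending infrastructure, reply-to mismatches, link destinations) and learn the weights rather than hard-code them, but the novelty-plus-similarity check is the part a blacklist can never provide for a domain registered hours ago.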

This enables AI to detect threats before legacy tools pick them up, keeping users ahead of the game. It can spot not just short-lived malware and phishing domains, but also has a better chance of sniffing out one-shot BEC attacks that don't have any telltale domains in the email body at all.

Email may be officially middle-aged, but it won't be retiring any time soon. Attackers know this, and they'll continue their assault on your inbox. As they get faster and more agile, will your email security gateway keep up?

Sponsored by Darktrace


Biting the hand that feeds IT © 1998–2020