Unfortunately, compromising business email accounts is much easier than you might imagine

The backpack I lug around on a day-to-day basis has a Surface Go inside and a "zombie outbreak response team" badge on the outside. I mention this because zombies and cyber security go together like two things that are often seen going together.

Joking aside, there's nothing particularly funny about the kind of zombies I'm referring to: zombie phishing attacks. These are nothing new, but as is appropriate with zombies, they never seem to die. Which is worrying as they're making a comeback. "We know these are not new attacks, nor a new methodology for conducting them," Darian Lewis, staff threat intelligence analyst at data discovery specialists Relativity told me, "but they are being resurrected and are still highly effective."

That they remain so effective is the reason for the resurrection, of course, and you can see why they work so well. As Lewis says: "These attacks are particularly dangerous because they exploit the implicit trust users have for communications they've already had". The rise in business email compromise (BEC) attacks across the past 18 months has been the brains that feed these zombie campaigns.

So, how do they work? It's a simple strategy that revolves around two core steps: first, the threat actor needs to hijack an email account, after which they use existing, but old, conversation threads to jump in with a new response. Unfortunately, compromising business email accounts is much easier than you might imagine. I keep writing about the importance of never reusing passwords, but this essential piece of hygiene is ignored far too often by good people who are simply unaware of the dangers.

The trouble is that it only takes one breach of a service where this reused credential set is insecurely stored to kickstart a series of events that can culminate in a zombie phishing attack. That compromised database will almost certainly find its way online in one of the many "dark" forums that act as hacker hangouts for the criminally minded.

If the passwords are stored in plaintext, it's game over before it has started, and the would-be attacker can feed the login credentials (most of these databases will include an email address and password pairing) into a script that will automatically try them against a bunch of sites and services. Even hashed passwords don't guarantee safety, as rainbow tables (precomputed lists used to reverse cryptographic hash functions) will quickly reveal commonly used passwords. If someone has reused those credentials for their Gmail account, for example, the attacker has the keys to your castle. Worse, they can often use the information found in your email conversations to also gain access to your work email account. And the zombie "fun" really begins.

It doesn't really matter how the attacker has managed to get access to your business email account: once it's been compromised, the whole organisation and its supply chain are in big trouble. A quick scan of conversations that have been inactive for a few months will reveal travel confirmations, technical support queries, job opportunity discussions or maybe just office gossip. All of these are perfect stages for the zombie phishers: real conversations with a highly relevant hook, which is key to bypassing your mistrust trigger.

The email subject matter is instantly familiar to you, the sender is known to you and the communication has been perfectly ordinary. In other words, it's non-threatening, internal-to-internal communication of the most benign kind. Apart from the fact that you aren't now communicating with that trusted colleague and the message you receive will come with a malicious attachment or link. Which you will open or click because, well, why wouldn't you? "With content externally hosted in cloud space," Lewis warned, "it's easy to get around existing phishing detection and other integrated email detection and prevention solutions." And he's right. Hosting malicious content on, say, Dropbox or OneDrive means those inline security controls count for little.

So, what's the solution? As with so many threat vectors, the answer is user awareness. The message needs to be driven home, be that with memos, regular security hygiene meetings, on-the-job training or phishing simulation exercises. And the message is to never trust an attachment or a link simply because it arrives in the form of a reply: always mouse over links and check where they actually take you.

The nature of the phishing game is that it tends to be highly automated, working on a scattergun approach to get a return on investment. That means, more often than not, the reply you're reading is going to raise a few flags such as being quite generic or out of the original context. It may also not be written in the same style as you would expect from the colleague in question. These should all be red flags that give you pause for thought.

Yet zombie phishing attacks work because of that trust leverage, that familiarity factor, even the fact that you may be reading the email on an internal-to-internal system. It's easier to preach you should have zero trust in all email communication than it is to practise, but it's worth banging on about. As is protecting email accounts with two-factor authentication, if possible. This will prevent the original email compromise from being successful in the first place, even if the attacker has the login credentials...

Who is most at risk in your business?

While we're on the subject of people and cybersecurity, some new research recently floated onto my desk that's both relevant and revealing. The Protecting People threat report from Proofpoint looks at which individuals within an organisation are targeted the most by cyber criminals, as well as the attack methodologies used. This found that people working in research and development, as well as engineering roles were most likely to be targeted. They were followed by sales, operations, marketing and internal support, with management bringing up the rear.

That last one threw me as I'd have expected management roles to be of high value, but the research is clear that the higher up the corporate food chain you are, the less likely you are to be targeted. This doesn't mean that the CEO is never going to be on the receiving end of a phishing email, but rather that the attackers have found more success further down the ladder. Indeed, this appears to be the case even with the management hierarchy itself, with executives being less targeted than upper management who are in turn below middle managers.

One reason for this could be that the research also found that some 30% of targeted phishing attacks used generic corporate email aliases that are shared by numerous employees: the scattergun approach, rather than aiming at a particular staff member.

When it comes to attack methodologies, the report is somewhat less surprising. Email spoofing is on the up, with attacks per company increasing by 944% on average over the same time last year. And there was no direct correlation between company size and the likelihood of being on the receiving end of a spoofing attack, so it seems that, when it comes to email, at least the cyber criminals are equal-opportunity scumbags.

Three types of email spoof methods ruled the roost: domain spoofing (stopped by using authentication controls such as DMARC), lookalike domain spoofing (the use of registered domains that look a lot like yours but get around the DMARC protection) and display name spoofing (what's in the "From" field and bearing no relation to who actually sent it).
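As an added illustration (not part of the column), here is a small Python classifier for the three spoofing styles just listed; the organisation domain, staff directory and sample headers are assumed, and it relies on the mail gateway stamping an Authentication-Results header with the DMARC verdict.

```python
# Added example: sort an inbound From header into the three spoofing styles
# described in the column. Domain, staff directory and samples are constructed.
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                           # assumed: the defended org
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}   # assumed: tiny directory

def _normalise(domain):
    # Fold common look-alike characters back to what they imitate, so that
    # "examp1e.com" or "exarnple.com" compare against "example.com".
    for fake, real in (("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")):
        domain = domain.replace(fake, real)
    return domain

def _edit_distance(a, b):
    # Plain Levenshtein distance; small values mean a near-miss domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_from(raw_message, our_domain=OUR_DOMAIN, staff=KNOWN_STAFF):
    """Return 'ok', 'domain-spoof', 'lookalike-domain' or 'display-name-spoof'."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if domain == our_domain:
        # Exact domain spoof: our own domain in From, but DMARC did not pass.
        # (Assumes the gateway always stamps Authentication-Results.)
        return "ok" if "dmarc=pass" in auth else "domain-spoof"
    if _edit_distance(_normalise(domain), our_domain) <= 2:
        return "lookalike-domain"      # registered near-miss, DMARC can't help
    expected = staff.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        return "display-name-spoof"    # familiar name, unrelated mailbox
    return "ok"

# Constructed sample headers, one per style plus a legitimate message.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nAuthentication-Results: mx; dmarc=pass\n\nhi",
    "domain": "From: Jane Doe <jane.doe@example.com>\nAuthentication-Results: mx; dmarc=fail\n\nhi",
    "lookalike": "From: Jane Doe <jane.doe@examp1e.com>\nAuthentication-Results: mx; dmarc=none\n\nhi",
    "display": "From: Jane Doe <jd9981@mail-relay.test>\nAuthentication-Results: mx; dmarc=none\n\nhi",
}
```

The lookalike check deliberately runs before the display-name check, since a near-miss domain is the stronger signal even when the name is unfamiliar.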

Also on the up was the number of attacks using fraudulent social media support phishing tactics. These increased by 442% and involve criminals setting up convincing customer support accounts on social media. They use highly automated listening tools to detect when anyone is asking for help from your brand and then jump in to reply, often long before the real customer support team (or, more likely, person) can do so.

The problem with apps

I thought I'd finish off this month with a bit of a rant about apps. Like almost everyone these days, I couldn't survive a working day without some app interaction: email, browser, schedules, social media, news, weather, the list goes on. And because it's such a long list, and a huge market, apps are attracting increasingly more attention from those who want to do your data harm.

In the couple of weeks leading up to tapping out this article, I have written news stories covering a rogue Android "Wi-Fi finder" app that leaked more than two million Wi-Fi network passwords stored in plaintext, a supposedly secure messaging app to replace WhatsApp for use by French government officials being hacked in less than 90 minutes after release, government-sponsored iOS surveillance malware bypassing Apple's App Store security controls by abusing the Developer Enterprise Program, and the world's fourth biggest smartphone manufacturer preinstalling a security app that came complete with a vulnerability enabling man-in-the-middle attacks.

I'd say that apps are the new Internet of Things, at least in terms of security being relegated in terms of priority when it comes to getting stuff to market, but it's always been this way. Cast your minds back to 2008 and iOS 1, which was pre-App Store, and a whole bunch of unauthorised apps with malicious intent hit the distribution channels. That prompted Apple to bring encryption and certificate signing to the platform. Or how about Android, which had to wait until 2012 and Jelly Bean (Android 4.2) to get the kernel module of Security-Enhanced Linux (SELinux) to provide access controls?

I could go on, but I won't for once. You get the picture: it's one of forever playing catch-up with the threat actors. Nothing has really changed. Sure, the platform vendors are more dynamic in their security postures, but now developers need to catch up.

There is an argument that the emergence of DevOps as a thing was pretty much driven by the success of the App Store and Google Play coming into existence at much the same time in order to satisfy the demand for agility and mobility from consumers and corporates alike. Yet we are only now really talking seriously about integrating security into the mix with DevSecOps.

"Apps are fundamental to digital transformation. Manifested as mobile apps, customer portals, websites and even as APIs, they are now the de facto way enterprises interact with other businesses and consumers," said Terry Ray, senior vice president at Imperva. "This exploding app universe serves as a direct gateway to enterprise data and exponentially expands the potential attack vectors available to the cybercrime industry presenting criminals with more opportunity," Ray continued. I agree 101%, which is why I urge all mobile developers to think more about security, server-side controls, data storage, authentication, session handling and so on.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.