Is Someone Masquerading As Your CEO?

When I say the word ‘bat’, what image comes to mind?

A flying mammal? A cricket bat?

In English, they call this a ‘homograph’: when two or more words are spelt the same but don’t have the same meanings or origins.

In cybersecurity, a homograph is a lot more sinister. It’s a term given to a type of impersonation attack where an email address or website URL looks legitimate but actually isn’t. It’s designed to trick people into clicking on malicious links or to fool them into transferring money or sharing sensitive information.

Recent research by Vanson Bourne and Mimecast found that more than 85% of respondents had seen impersonation fraud in the past 12 months, and 40% had seen an increase in this type of attack in the same period. In South Africa, 36% of respondents had seen an increase in impersonation fraud asking to make wire transactions, and 37% had seen an increase in impersonation fraud asking for confidential data.

Despite this growth, many organisations do not have a cyber resilience strategy in place to help them detect, prevent and recover from these types of attacks.

Easy to execute, hard to detect

Homograph attacks are difficult to detect – by both the user and regular email security systems.

To create these lookalike domains, attackers use non-Western character sets or special characters found in Greek, Cyrillic and Chinese, to display letters which, to the naked eye, look identical to the western alphabet. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. According to one domain name checker, there are 117 possible Mimecast domains that can be misrepresented with just one character from a non-English alphabet.

These subtle changes are likely to go unnoticed by users. In South Africa, 31% of respondents were not confident that employees could spot and defend against impersonation attacks, which easily and often slip through an organisation’s security systems.

Some 21% of South African respondents were not confident that their organisation’s security defences could defend against impersonation fraud asking for confidential information, rising to 25% for fraud asking to make wire transactions – in line with global trends.

This is because the emails themselves don’t contain malware and the URLs often have legitimate (read: stolen) security certificates.

Is it me you’re looking for?

Website URLs aren’t the only avenues for impersonation attacks; email address impersonation is also on the rise.

These types of attacks are designed to trick users such as finance managers, executive assistants and HR representatives into transferring money or disclosing information that can be monetised by cybercriminals. The email appears to come from someone they trust – a C-suite executive or a third-party supplier that they regularly do business with – and therefore wouldn’t think twice about responding to.

South Africans reported that, in the past 12 months, cybercriminals have attempted to impersonate finance teams (24%), third-party vendors (20%), a member of the C-suite (7%), as well as HR, sales, operations, legal and marketing team members (between 5% and 8%).

Again, these emails do not contain malware, which means they can go undetected by most email security systems. Social engineering attacks such as these rely on our inability to spot anomalies in URLs and email addresses – and the fact that we believe we’re communicating with someone we know.

Know what to do

Cybercriminals have figured out that they can bypass security systems by switching from malware-laden attacks to malware-less impersonation attacks. Now, social engineering meets technical means to put us in the middle of the next evolution of cyber-attacks.

Here are some measures organisations can implement to guard against these types of attacks.

• Education. When users know how social engineering and spoofing attacks work and then understand they shouldn’t click on links in emails, breach incidents can be drastically reduced. Users should be encouraged to physically type an address into a browser rather than click on a link in an email, even if it was supposedly sent by someone they know and trust. Education and awareness will always be the most important defence mechanisms.
• Protection. Email security systems are getting better at stopping malware which enter the network through dodgy files and attachments, but few are effective against impersonation attacks. Organisations need a solution that can deep-scan all inbound emails and inspect for header anomalies, domain similarity, sender spoofing and the existence of keywords and suspicious impersonation emails. These can then be blocked, quarantined, or delivered as flagged to alert the receiver of potential risk.
• Resilience. Having the right threat protection in place is just one part of a robust cyber resilience strategy. Organisations also need to be able to adapt their strategies to stay ahead of attacks, while having the durability to continue with business as usual in the event of an attack, and the recoverability to ensure data and emails are always accessible.
• Oversight. Often, lax security on a third-party supplier’s side provides an entry point into an organisation’s network. Enterprises should continuously evaluate and manage the security and privacy policies of their suppliers and include security in their service level agreements. They should also perform on-site security assessments with new suppliers before sharing sensitive information.
• Visibility. Organisations need to know who their vendors are and who has access to company information, and for what reasons. This is even more important now that the EU’s General Data Protection Regulation has come into force and will affect all South African organisations when the Protection of Personal Information Act is finalised.

Thirty-seven percent of South African organisations have suffered data loss because of email-based impersonation attacks in past 12 months. These organisations also reported reputational damage (34%), loss of customers (29%), direct financial loss (17%) and lost market position (19%).

Email continues to be the number one threat to organisations globally and accounts for 96% of all incidents that organisations face.

Clearly, there is an urgent need to work towards a higher standard of email security. Cybercriminals have evolved their attack methods. It’s time the security strategies organisations use to protect their users and their businesses evolve as well.