Phisher Refrain: We Will Crypto-Lock You

Ransomware Gangs Have Embraced Spear-Phishing Attacks
Phishing attacks often trick victims into entering their credentials into real-looking but fake login pages.

Cybercrime gangs are doubling down on their use of spear-phishing emails to fling ransomware at potential victims, new research confirms.

That revelation means that beyond working to block ransomware and related malware droppers from being able to infect endpoints and servers, IT security teams must continue to combat the use of fake emails as a malware distribution mechanism.

"Phishing was and continues to be, by a wide margin, the most prolific method used to distribute ransomware," according to a new report from cybersecurity firm PhishLabs. "Fighting back against ransomware requires fighting back against phishing."

The phenomenon of phishing emails carrying ransomware isn't new. Last year, researchers at the user-awareness firm PhishMe reported that the vast majority of phishing emails their systems cataloged during March 2016 led to ransomware attacks.

Unfortunately, the volume of phishing - and thus ransomware - attacks continues to dramatically escalate. PhishLabs says that more than 91 percent of all phishing attacks last year targeted these five industries and their customers: financial institutions, cloud storage services, webmail or other online service providers, payment services and e-commerce companies. And the total number of phishing attacks targeting those five industries increased, on average, by 33 percent throughout the year.

Joseph Opacki, who's responsible for threat research, analysis and intelligence at PhishLabs, tells Information Security Media Group that the increase ties, in part, to "account reuse" attacks, in which attackers attempt to reuse stolen email addresses and passwords across sites.

The increased use of email addresses as usernames by online services has also led more cybercrime gangs to attempt to "mass harvest" these username and password pairs, either by reviewing public data dumps or else tricking victims into divulging them via real-looking but fake log-in pages for cloud services, says Crane Hassold, a senior security threat researcher at PhishLabs. "Phishers are able to ... use these sites as a choke point to collect credentials for any email address, instead of targeting individual accounts," he says.

Fake Emails Remain Cheap and Effective

Phishing attacks remain a low-cost, highly effective and versatile attack technique.

In December 2016, for example, Los Angeles County warned 756,000 individuals that their bank account and personal information had potentially been compromised after 108 county employees fell for a May 13, 2016, phishing attack that tricked them "into providing their usernames and passwords through an email designed to look legitimate."

Likewise, the Russian cyber-espionage hackers known as Fancy Bear - aka APT28 - who allegedly hacked the Democratic National Committee, among others, reportedly also used spear-phishing emails - as well as malware and zero-day flaw targeting - to steal online credentials or otherwise compromise systems.

From Cybercrime to Cyber Espionage

Many phishing attacks target cloud-based service users, sometimes using shortened Bitly links to lure victims into visiting fake - but real-looking - log-in pages for such services.

For example, a report from Dell's SecureWorks threat research team describes an attack campaign that appears to be operating from Russia, which targeted "staff working for or associated with Hillary Clinton's presidential campaign and the Democratic National Committee, including individuals managing Clinton's communications, travel, campaign finances and advising her on policy." Its victims apparently included her campaign chairman, John Podesta, whose stolen emails were later published by WikiLeaks.

Podesta appears to have had his Google account compromised via Fancy Bear phishing attacks, according to PhishLabs.

The phishing attack against John Podesta used an email with a "Change Password" link, on left, that resolved to a fake Google Account log-in screen, on right. (Source: Pwn All The Things, via WikiLeaks dump of Podesta's emails.)

Exploit Kit Prevalence Declines

But phishing attacks are becoming more blended. "In general, threat actors tend to specialize, with spammers distributing spam, phishing actors focusing on credentials and personal information and malware actors achieving their goals with malicious software," according to a new report from cybersecurity firm Proofpoint. "In 2016, however, we began to see additional cross-pollination among email-based threats."

The changing behavior coincided with a marked decrease in attacks perpetrated via exploit kits. Also known as crimeware toolkits, these enable attackers to automatically generate large quantities of malware, often repackaged to help fool anti-virus scanners.

Top 2016 exploit kits included Angler, also known as Axpergle; Neutrino; Sundown; and RIG, also known as Meadgive, according to security researchers at Microsoft. Angler, however, disappeared in June, which may be tied to Russia arresting 50 suspected hackers the same month. Security researchers say at least some attackers that formerly relied on Angler then switched to the RIG and Neutrino exploit kits.

Exploit kit infection attempts in 2016. Source: Microsoft

But the overall volume of exploit kit attacks declined by 93 percent between the first and last quarters of 2016, Proofpoint says. The firm sees this as evidence of exploit kits' "waning effectiveness," driving bigger cybercrime players to embrace phishing as a means of distributing their attack code.

In July 2016, for example, CryptXXX ransomware was seen for the first time being distributed via phishing attacks, as both Cerber and Locky - the world's most prevalent ransomware - had already been.

Exploit kit use is now largely relegated to "mid-level operators of malvertising," Proofpoint claims, referring to the practice of injecting malicious code into online advertisements, often designed to exploit known vulnerabilities in web browsers.

Ransomware Epidemic Continues

The majority of phishing emails carry JavaScript attachments - rather than malicious documents - to attempt to install malware on endpoints, according to Proofpoint. "Actors also used a variety of other script types like .vbs and .wsf, all in an effort to evade detection," the security firm says.
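As an added example that is not from the Proofpoint report or this article, the following Python check implements the kind of attachment policy a mail gateway or SOC triage script would apply to the script types named above. The encoded Windows Script Host extensions and the MIME-type list are my assumptions, and the sample message is constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Script types Proofpoint names (.js, .vbs, .wsf) plus the encoded Windows Script
# Host variants of the same types (an added assumption, not from the report).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
SCRIPT_MIME_TYPES = {"application/javascript", "text/javascript",
                     "application/x-javascript", "text/vbscript"}


def script_attachments(raw_message: bytes) -> list[dict]:
    """Return one record per attachment that looks like an executable script.

    Both the final file-name extension (catches Invoice.pdf.js) and the declared
    Content-Type (catches a .txt name sent as text/javascript) are checked, so
    a mismatch between the two does not let a script through.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        ctype = part.get_content_type()
        reasons = []
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script extension {ext}")
        if ctype in SCRIPT_MIME_TYPES:
            reasons.append(f"script content type {ctype}")
        if reasons:
            hits.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return hits


def build_sample() -> bytes:
    """Constructed sample message: a benign PDF and two disguised scripts."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="Invoice_2016.pdf")
    # Generic binary type; only the trailing .js extension gives this one away.
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="Invoice_2016.pdf.js")
    # Harmless-looking name; only the declared MIME type gives this one away.
    msg.add_attachment(b"// constructed placeholder", maintype="text",
                       subtype="javascript", filename="readme.txt")
    return msg.as_bytes()
```

Running `script_attachments(build_sample())` flags the two script parts and leaves the PDF alone; feeding it a raw `.eml` read from disk works the same way.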

Source: Proofpoint

And the vast majority of those malicious attachments are now ransomware.

The ransomware epidemic remains unchecked, with many poorly prepared victims being forced into choosing to not pay a ransom - and lose crypto-locked data - or else pay the ransom and thus directly fund criminals. Last month, for example, a suburban Dallas police department reported that it had lost eight years' worth of digital evidence, including material for at least one active criminal case, after suffering a ransomware attack and not having a complete set of backups.

RSA Conference Offers Phishing Defense Insights

Expect the latest trends, technologies and awareness-building techniques relating to phishing attacks to dominate many discussions at the upcoming RSA conference in San Francisco Feb. 13 to 17. The anti-phishing firms PhishLabs, PhishMe and Proofpoint, among others, will be exhibiting at the conference. And many speakers are scheduled to address phishing, including Emily Heath, global CISO of consultancy AECOM, who on Feb. 14 will discuss how the company educated 100,000 employees in 150 countries around the world about phishing and reduced related "fail rates" by 300 percent over an 18-month period.

Elie Bursztein, Google's head anti-fraud and anti-abuse researcher, will be discussing targeted attacks against corporate inboxes on Feb. 16. And security consultant Ira Winkler is scheduled to speak on both Feb. 14 and Feb. 15 about optimal technology, processes and awareness strategies for combating social engineering and other phishing techniques.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
