Thank you for participating in this beta program for our new security newsletter initiative at Fortra. I am Rohit Dhamankar, VP of Threat Intelligence, AlertLogic by Fortra, and I am leading this effort.
The very first question you may ask is – why a new publication? Doesn't the cybersecurity industry already have enough newsletters, reports, alerts, etc.? We asked ourselves the exact same question and in doing so, developed some key elements we feel will make this more valuable to our customers:
-
Collectively Fortra has deep threat context from data across tens of thousands of customers. Our security portfolio is rich and diverse, spanning much of the attack surface both inside and outside corporate IT environments.
-
Lack of data is not an issue for our industry. Lack of actionable insight is. We plan to go beyond statistics and use the trends we observe to surface actions you can take to improve your security posture.
-
We will strive to hit a technical depth that is useful to both security leaders and operational staff. This is a very ambitious goal, but we believe we can strike the right balance with your feedback.
-
It will also include educational content on new techniques and technologies used for both defensive and offensive security efforts.
How can you help?
We are big believers in BUG philosophy – Bad, Ugly and Good. We want your suggestions, criticisms, praise – all of it. When we start rolling these newsletters out periodically, we want to ensure it contains information you would like to read, digest, and act on.
We have set up a very brief survey with a few questions and an open comment field. All feedback is welcome.
If you prefer, you can also send feedback directly to me at [email protected].
This newsletter contains the following:
Common Subject Lines Used in BEC (Business Email Compromise) Related Scamming Activity
Confronted with an overflowing email inbox, most people decide which messages to open based on the sender and the subject line. Scammers who conduct Business Email Compromise, are only successful when they convince their victim to open the scammer’s email message. Fortra recently analyzed 1,221 unique subject lines of the four most common scam types associated with BEC threat activity (gift card scams, wire transfer fraud, payroll diversion scams, and advance fee fraud).
Of the 1,221 unique subject lines, 53.39% belonged to gift card related fraud. There were numerous subject lines to analyze for gift card scams, however, we observed subjects that were used repeatedly. Of the 652 variations, 372 included some variation of ‘Checking In’. This includes capitalization differences (Checking In vs. checking in), punctuation differences, and even the addition of a victim’s name at the end of the subject line.
Figure 1: Top Subject Lines from Gift Card Email Scams
Advance Fee Fraud, aka 419 scams, had the second-most unique subject line variations with a total count of 227 (18.59%). 419 scams had a vast amount of different subject lines, however the most common phrases that appeared were generalized greetings, such as ‘hello’, ‘attention’, and ‘hi’. Punctuation and capitalization played a part in the differences of each subject line, but ‘Attention’ was also used alongside phrases such as ‘Attention Beneficiary’, ‘Urgent Attention’, and ‘Your Urgent Attention is NEEDED IMMEDIATELY’.
Figure 2: Top Subject Lines from Advance Fee Fraud/419 Email Scams
Payroll diversion scams were the third most popular with a total of 189 subject lines (15.48%). ‘Direct Deposit’ proved, almost immediately, to be the most common subject line when a payroll scam was apparent, and its variations totaled to 40 subject lines. Again, variations in capitalization and punctuation were present, with the addition of words or phrases added to it (‘Direct Deposit Update’, ‘Direct Deposit Change’, ‘Change of Direct Deposit’, etc.).
Figure 3: Word cloud of Subject Lines from Payroll Diversion Email Scams
Finally, wire transfer fraud had a total count of 153 subject lines (12.53%). Of the 153 subject lines belonging to wire transfer fraud, 9 were oddly enough empty (‘ ‘) subject lines. The next most popular subject line included the phrase ‘Payment’ and its variations. This included everything from ‘Payment’ to ‘Status of Payment’, ‘Oversea Payment’, and ‘Outstanding Payment’.
Figure 4: Word cloud of Subject Lines from Wire Transfer Email Scams
One method scammers will use, regardless of the type of scam being performed, is inserting the victim’s name in the subject line. Utilizing a victim’s name in the subject line gives the scammer the ability to gain the trust of the victim in question. From our data pool, a total of 332 (20.25%) subject lines referred to a victim’s name in the subject line. Often the victim’s first, last, or full name comprised the entire subject line, though we also saw many variations where the victim’s name was appended to a common subject line such as ‘GOT A MOMENT <Victim Name>?’, ‘Urgent Message for <Victim Name>’, and Good Morning <Victim Name>.
After reading this article, you may be tempted to write a filter to block messages containing the recipient’s name in the subject line, or to quarantine messages with “checking” or “direct deposit” as part of the subject. Unfortunately, our team found that most of these popular scamming subject lines were also frequently found in legitimate sales and marketing messages.
Rather than toss the baby out with the bathwater, here are a few things you can do to mitigate the threat.
-
First, ensure you are using a modern email security stack that includes an anti-impersonation module.
-
Next, it is important that all employees receive adequate security awareness training that incorporates phishing simulations. Where possible, these simulations should have subject lines that are commonly used by threat actors.
-
Finally, companies need to ensure that policies and procedures are in place to ensure no money or information will be sent based solely on an email request. All such solicitations should be verified through an independent channel such as a phone call.
Machine Learning Highlights: Kerberoasting in Windows Domains
In this section, we will highlight how machine learning algorithms are being used across a hard class of cybersecurity problems on an everyday basis.
Kerberoasting is a standard recipe in the cookbooks of ransomware threat actors. Executing this recipe successfully allows the ransomware actors to move laterally in a Windows Domain environment after getting an initial foothold on any system. The attack typically involves requesting access to Windows services via Kerberos, reading the resulting ‘Ticket Granting Service’ tickets from memory, and cracking these tickets via tools like hashcat to obtain domain credentials. Windows ‘Service’ accounts are often targeted as passwords for these accounts are not changed frequently and manually set in most environments. This is a difficult attack to detect because every request looks legitimate by itself!
This attack is a great use-case for applying machine learning techniques to detect threat actors in an environment. By analyzing certain Windows logs and keeping a baseline of which services are accessed by every user in the environment, an outlier pattern of service access is often an indicator of Kerberoasting. The challenge in creating a machine learning model with high fidelity (low false positives) comes from auto modeling variances in the customer environments like periodic task runs etc.
Tips for increasing your security posture:
-
Ensure that Windows Security Logs from any Domain Controllers are analyzed.
-
Ensure that password policies for Windows service accounts include complex passwords and periodic changes.
-
Ensure that any penetration testing in your environment includes simulation of Kerberoasting attack.
Correlation of Malware Detections to Email Payloads Observed
The Fortra cybersecurity portfolio has solutions at multiple defensive layers (brand, email, endpoint, network, etc.), providing visibility into the malware landscape at various stages of the cyber kill chain. This article correlates malware threats that have been observed in user email inboxes to threats detected via active monitoring of endpoint, network, and server activity. Doing so helps compare the effectiveness of malware operators at the delivery, exploitation, installation, and C2 stages of the cyber kill chain.
Qakbot
QakBot is a banking trojan/information stealer malware active since 2007. QakBot represented nearly 24% of share of all email payload reports, falling to second place among the top malware families. QakBot has been observed using constantly evolving delivery methods, including Microsoft Word documents with VBA macros to execute code.
We have a range of detection techniques for QakBot including 200 unique detections of known infrastructure extracted from analyzed malware samples. We observed over 267,000 hits in our customer data for the month period. This covers both inbound scanning and outbound activity including suspicious DNS traffic.
218 Unique Signatures, 267,770 hits
Emotet
Emotet payloads represented 73.03% of all malware reported in corporate inboxes.
We continue to observe large amounts of Emotet activity post-delivery, with the group being responsible for several ongoing malspam campaigns. 327,374 hits were observed in our customer base in a month period. Our detections include over 150 techniques covering inbound scan activity and other indicators extracted from malware and maldoc samples. Our tracking also includes known malicious C2 infrastructure.
155 unique signatures: 327,374 hits in customer data
More Information
Fortra tracks many different tactic and techniques not only limited to phishing. For more information see our Top 5 Malware Trends.
Both Emotet and Qakbot are usually delivered via infected Microsoft Office files. These infected files abuse the overly powerful nature of Office macros and other scripting functionality provided by these tools. Thankfully, Microsoft has put in some mitigating functionality to avoid running macros by default, but it can be easy to allow them when prompted. We recommend that macros in documents should never be enabled unless they are explicitly expected, and user should carefully consider if each document actually needs permissions to run. When in doubt, contact the sender directly to confirm the legitimacy of the document.
Top malware defense recommendations
-
Scan all attachments and verify email senders are from legitimate sources before opening
-
Be wary of suspicious subject lines commonly containing references to invoice attachments or urgent requests. As pointed out in the “Common Subject Lines” in the BEC phishing, users should be further careful in opening attachments with those subject lines.
-
Ensure devices have the latest updates and security patches installed with macros and other code execution functionality disabled from Microsoft Word/Excel
Security Awareness Tip of the Month
A controlled phishing simulation exercise that included nearly 1 million end users worldwide found that 14% failed to identify the simulation and more than 70% of those that clicked also downloaded the “malicious” file.
Patching Statistics for Two Critical Ransomware Related Vulnerabilities
No one in the security industry wants to continuously hear about the importance of patching their systems. It is well understood that patches need to be applied. The challenge for security teams generally lies in the visibility and the business-critical nature of the systems that need patching. After the initial spate of patching activities for a critical vulnerability, we have seen a long tail of some small percentage of unpatched systems continuing to exist in many environments. Let’s look at 2 of these critical CVEs that have resulted in many Ransomware installations.
CVE 2017-0144 - Microsoft Security Bulletin MS17-010 – EternalBlue Vulnerability
CVE 2019-0708 – Microsoft RDP BlueKeep Vulnerability
Our statistics across the customer base indicate that these two vulnerabilities account for 15% of the critical unpatched vulnerabilities. We are not dealing only with the latest attack surface for the newest technology that was added to the IT stack - these vulnerabilities still pose a high risk for an attacker to get a foothold in.
Pay specific attention to these vulnerabilities showing up in your vulnerability management reports. Please ensure that there is a workaround or mitigation in place such as a network or endpoint control that will protect the affected systems.
Stay tuned as we bring more statistics in the future newsletters on prevalence of vulnerabilities exploited by Ransomware threat actors.