Hackers have been having a good run of late. They launch sophisticated attacks and get away with them more often than not.
A big reason for their success is their ability to adopt the latest technologies and refine tactics. They sustain their high success rate in social engineering attacks by using innovative methods. They prey on human psychology, manipulate emotions, and exploit the trust of unsuspecting victims. Often, they use urgency to trick victims into divulging sensitive information.
Phishing-centered innovations
Hackers carry out social engineering attacks mostly through phishing. The hacker may impersonate the victim’s bank, colleague, or someone from the enterprise IT department. Today’s sophisticated phishing emails fool even the most cautious users.
Hackers have, over time, tried many variants of phishing. One popular tactic of late is creating false scenarios that gain the victim’s trust. Hackers posing as customer support may seek remote access to the system to help with technical issues. Or they may impersonate law officers and demand passwords or other sensitive information. At other times, they may offer exclusive content or some “too-good-to-be-true” offers.
Whaling attacks take phishing to the next level. Thousands of users may get the same phishing email. But whaling attacks target a specific person, typically a high-level executive. The hackers research their victims and approach them through personalised emails. The personalised nature of the email entices them to click on a malicious link or download a malware-infected attachment.
Hackers get away with phishing attacks through spoofing or disguising themselves as a known or trusted source. In IP spoofing, hackers alter the source address in IP packet headers to a fake IP address. In typosquatting, hackers register domains with misspelt names of well-known websites. Such manipulation makes the network traffic appear to be from a trusted source.
How hackers bypass email security through DMARC abuse
One method that has become popular with hackers of late to launch email-spoofing attacks is DMARC abuse.
The DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol verifies whether an email claiming to come from a specific domain was actually authorised by that domain. It flags emails whose authenticated source does not match the From address, thereby preempting phishing attacks.
DMARC policies instruct receiving servers on how to handle emails that fail authentication checks. The owner of the sending domain may set the policy to “reject,” “quarantine,” or “none.”
DMARC relies on the existing SPF and DKIM authentication methods. Sender Policy Framework (SPF) verifies whether the sending server’s IP address is authorised to send email on behalf of the sender’s domain. DomainKeys Identified Mail (DKIM) checks whether the email content carries a digital signature made with a key associated with the claimed domain.
But DMARC is not foolproof. Hackers exploit weak DMARC configurations. They target email domains with lax policies and deliver malicious emails to the targeted victim’s inbox. If the domain’s DMARC policy is “none” instead of “reject” or “quarantine,” an email that fails authentication is still delivered to the user’s inbox. Usually, free email providers have lax DMARC policies, and hackers use these services to send spoofed emails. They spoof email headers and forge sender addresses to bypass the DMARC authentication checks.
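As an added illustration that is not part of the original article, the following Python evaluates a DMARC policy the way a receiving server does: it parses a DMARC TXT record, checks whether the SPF- and DKIM-authenticated domains align with the From domain, and returns the disposition. The record strings and domains are constructed, and the organisational-domain reduction is a simplification.

```python
# Added example, not from the original article: a minimal DMARC evaluator
# that shows why a p=none policy lets a spoofed message reach the inbox.
# Records and domains below are constructed for illustration.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; adkim=r' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Simplified organisational domain (last two labels); production code
    must use the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts a match on the organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)

def dmarc_disposition(record_txt, from_domain, spf_pass_domain, dkim_pass_domain):
    """Return 'deliver', 'quarantine' or 'reject' for one message.
    spf_pass_domain / dkim_pass_domain: the domain that passed SPF (MAIL FROM)
    or DKIM (d= tag), or None if that check failed."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = aligned(from_domain, spf_pass_domain, rec.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"  # DMARC pass: at least one aligned identifier
    # DMARC fail: p=none is monitor-only, so the message is still delivered.
    return {"none": "deliver", "quarantine": "quarantine",
            "reject": "reject"}[rec["p"].lower()]

# A spoofed message claims From: example.com but passes neither SPF nor DKIM.
LAX_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    print(dmarc_disposition(LAX_RECORD, "example.com", None, None))     # deliver
    print(dmarc_disposition(STRICT_RECORD, "example.com", None, None))  # reject
```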
Hackers can also thwart DMARC checks by hijacking domains. They gain control of legitimate domains through phishing, brute force, or other attacks. Then, they use their unauthorised access to send fraudulent emails.
One recent example of DMARC abuse is the TA427 campaign. Since 2023, TA427, a North Korean hacking group, has launched a large-scale phishing attack worldwide. The victims include individuals associated with think tanks, media, academia, NGOs, and governments. TA427 used DMARC abuse to impersonate researchers and other experts, lending credibility and gaining the victim’s trust. The emails sought the target’s opinion on sensitive foreign policy information. TA427’s modus operandi is to engage its targets in benign conversations for weeks or months to build rapport with them. They rotate aliases and engage with the targets on similar subject matter for sustained periods to pry out the information they need. These attacks are part of North Korea’s strategic intelligence collection efforts.
How to mitigate DMARC abuse
Mitigating DMARC abuse requires enforcing a strong DMARC policy. The email domain has to set “reject” or “quarantine” for emails that fail authentication. The onus is on the enterprise cyber security team to monitor DMARC reports and identify potential spoofing attempts. Setting up automated alerts should do the trick.
Alongside this, the cyber security teams need to implement robust monitoring and logging mechanisms. They must always be on the lookout to detect unauthorised access attempts and email anomalies in real time. Deploying security information and event management (SIEM) tools and threat intelligence feeds helps.
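To show the monitoring side, here is an added example (not from the original article) that parses a DMARC aggregate (RUA) report and flags sending sources whose mail failed both SPF and DKIM, the pattern an automated alert would look for. The report XML, domain and IP addresses are constructed.

```python
# Added example, not from the original article: scan a DMARC aggregate (RUA)
# report and flag sources whose mail failed both SPF and DKIM alignment,
# which is what a spoofing attempt looks like to the domain owner.
# The report below is constructed; IPs are from documentation ranges.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def find_spoofing_sources(report_xml, threshold=1):
    """Return the published domain and policy plus a list of
    (source_ip, count, disposition) for records where both DKIM and SPF
    failed and at least `threshold` messages were seen. A disposition of
    'none' next to a failure means the receiver still delivered the mail,
    which is exactly what a p=none policy allows."""
    root = ET.fromstring(report_xml)
    hits = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        if pe.findtext("dkim") == "fail" and pe.findtext("spf") == "fail":
            count = int(row.findtext("count"))
            if count >= threshold:
                hits.append((row.findtext("source_ip"), count, pe.findtext("disposition")))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "suspicious": hits}

if __name__ == "__main__":
    result = find_spoofing_sources(SAMPLE_REPORT)
    for ip, count, disp in result["suspicious"]:
        print(f"ALERT {result['domain']} (p={result['policy']}): {count} messages "
              f"from {ip} failed DMARC, disposition={disp}")
```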
Get the basics right.
Apart from this, the basic security precautions still hold good to thwart most social engineering attacks. The measures include:
- Enabling multi-factor authentication (MFA) to add extra security layers. MFA thwarts hackers even if they steal the password.
- Regular patch updates for operating systems, applications, and firmware. All software contains vulnerabilities. Cybersecurity is often a race between hackers and security teams to discover vulnerabilities first. Security teams try to patch vulnerabilities before the hackers discover and use them to drive exploits.
- Devising incident response plans. Incident response plans ensure a coordinated and effective response to security incidents. A good plan involves training personnel to handle various scenarios with simulations.
- Using antimalware software to detect and prevent threats. Continuously monitor the network environment, looking for malicious activity and indicators of attack (IOAs). The latest AI-powered suites look for attack indicators and stop malware before it inflicts damage.
Cyber security is constantly changing. Combating social engineering threats requires awareness of the state of email security in the external ecosystem, and keeping up with the latest measures that work. Comprehensive security platforms such as Proofpoint offer robust protection against the latest attacks.
Proofpoint’s built-in intelligence protects the workforce from the most sophisticated threats. Proofpoint email protection offers multiple layers of protection. It includes advanced email filtering to detect and block the most sophisticated phishing attacks. Email warning tags improve user awareness. Targeted Attack Protection (TAP) identifies the employees most at risk of personalised attacks. Proofpoint Threat Response Auto-Pull (TRAP) automates incident response. It quarantines malicious, time-delayed messages post-delivery and even retracts messages that get forwarded. The platform leverages threat intelligence to guard against all threats and also to educate users. With Proofpoint, end users become active defenders.