With an estimated 80 to 90 percent of all corporate files passing through email, today's cyberthieves sit back and wait for an opportunity to grab the content for their own malicious purposes. The only foolproof solution is to eliminate email, but that's just not an option. Still, there are many ways to protect your company's network.
John Dasher, director of product management for Palo Alto, Calif.-based PGP, says email is a prime target because it's so open. “People think an email message comes to you directly, but it may touch five servers, maybe 15.”
The most common email danger seems to be social engineering attacks – where people pretend to be someone other than who they are, Dasher says. “You need to teach users to have a healthy skepticism.”
David Kelleher, communications and research analyst for San Gwann, Malta-based GFi Software, says higher-ups are falling for these sorts of scams as much as anyone else.
“There was a case in April that had 2,000 executives opening an email, which said: ‘You have been sued in federal court,’” Kelleher says. “They clicked on this link for documents and were instead taken to an external site and asked to download contacts. This download was malicious when it came down to their computer and this gave the thieves control of their machine.”
They are also sending spam with what looks like a link to a genuine website, notes Dmitry Samosseiko, head of anti-spam operations at SophosCanada.
“The message says this transaction requires a money transfer,” Samosseiko says. “But what you don't know is that it is, in fact, a money laundering scheme. The thieves are already guilty of credit card fraud and are now attempting to get you to transfer money for them,” he explains.
The email (above) is an example of a popular phishing scam in which a counterfeit email is sent in order to acquire an individual's personal information, such as credit card numbers and bank account information.
Another tactic being used these days is spear phishing attacks going after major universities and corporations in the United States, Samosseiko adds.
“An email will pretend to come from your IT administrator telling you that the company's servers have an upgrade, but need a password and date of birth from you to confirm,” he says. “Users fall for this because they don't think theft will come from a recognized IT address. But, once the thieves receive the information, they can send spam messages from your email account. In other words, they're sending phishing attacks from you.”
One of the best ways to overcome email vulnerabilities in the corporate environment is to limit downloading access, says Jeff Epstein, product marketing manager at Sophos.
“The message to administrators is to not give administrative privileges to end-users on computers at all,” he says.
It also comes down to questioning content. In the case of the legal email scam, if the executives had consulted their legal department prior to opening the email, they would have found the litigation didn't exist.
PGP's Dasher adds that email users also need to be skeptical of the venue they are emailing from as much as the content of the email itself.
“Business travelers in airport lounges use a computer kiosk for email having no idea it's an unprotected machine,” he says. “Users go up and type in their passwords not realizing there could be a keylogger installed. Criminals will cache your information and you not only lose your email password protection, but protection for your bank accounts.”
For login protection in general, he suggests that passwords for any email be unique, never allowing them to be used for anything else.
“There's a reason why phone numbers have seven digits – because that's all people can remember,” he jokes. “I recommend a password that combines a place that has meaning and a symbol of some kind. Being lazy with passwords can cost you or your company.”
And it's not just intentional email scams coming in, but accidental emails going out that cause so many headaches for IT staff.
“Everyone sends emails so fast that this is an easy thing to do,” Dasher admits. The way to combat this is to manually add email addresses on sensitive documents, as opposed to just clicking on a group. Also, force yourself to read each name at the conclusion of an email before ever hitting the “send” button, he advises.
Of course, email encryption can eliminate many problems, but even this route should come with clear rules. Dasher recommends identifying business partners to whom you usually send secure information and programming these emails to automatically be encrypted. In fact, he's a strong believer in programming any words which would have a reasonable chance to go along with sensitive material.
“For encryption, have a dictionary of corporate code names on the management server and any words which go with those kinds of documents,” he says. “Particular legal disclaimer language could also fit the bill.”
Finally, set pattern rules that trigger encryption when sensitive numbers appear. As an example, nine digits with dashes between them will most likely be a Social Security number, he notes.
In the future, most of the email trends that we'll see in social engineering will be more personal and more targeted, says SophosCanada's Samosseiko.
“It will go after CEOs of companies or employees of particular places as opposed to the general attacks done now,” he says. “They'll pretend to be family members claiming they need assistance. If someone says your brother's in trouble, you're going to help them.”
Additionally, companies such as Facebook and MySpace will have a greater role in these scam emails because victims are making so much information public, adds Sophos' Epstein.
“Members' job titles are on their profiles and more. Users have this carefree attitude that nothing will hurt them. It's just not the way it is these days,” he says.
Samosseiko agrees, pointing out that malicious email is transitioning from a nuisance to the work of criminals who are capable of anything.
“We see that it's no longer going to be individuals doing this for entertainment or to impress their friends,” he says. “It will be people in organized crime acting in one centralized effort.”
Tips for users
- Identify the business partners to whom you send secure information. Make sure any emails involving them are encrypted.
- Have a dictionary of corporate code names on the management server and make sure any email containing them is automatically encrypted.
- Set pattern rules that trigger encryption on sensitive numbers (e.g., nine digits with dashes between them will most likely be a Social Security number).
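The three encryption triggers Dasher describes and the tips restate (partner recipients, a code-name dictionary, an SSN-shaped number pattern) combined into one outbound-mail policy check. This is an added example, not code from PGP or the article; the partner domains, code names and sample messages are constructed, and the check deliberately ignores seven- and ten-digit phone numbers so they do not force encryption.

```python
import re
from dataclasses import dataclass

# Constructed policy inputs for this example (not a real deployment).
PARTNER_DOMAINS = {"lawfirm.example", "auditor.example"}
CODE_NAMES = ("project bluebird", "merger falcon")
# Nine digits in the 3-2-4 dashed layout the article calls an SSN shape.
# Lookarounds reject longer digit runs such as 555-123-4567 (a phone number).
SSN_PATTERN = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


def encryption_reasons(msg):
    """Return every policy reason that requires encrypting this message.

    An empty list means no rule fired and the mail may leave in the clear.
    """
    reasons = []
    # Rule 1: any recipient at a designated business-partner domain.
    for rcpt in msg.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in PARTNER_DOMAINS:
            reasons.append(f"partner recipient {rcpt}")
    text = f"{msg.subject}\n{msg.body}".lower()
    # Rule 2: a corporate code name from the management-server dictionary.
    for name in CODE_NAMES:
        if name in text:
            reasons.append(f"code name '{name}'")
    # Rule 3: one or more SSN-shaped numbers in subject or body.
    hits = SSN_PATTERN.findall(text)
    if hits:
        reasons.append(f"{len(hits)} SSN-shaped number(s)")
    return reasons


def must_encrypt(msg):
    """Gateway decision: encrypt if any rule produced a reason."""
    return bool(encryption_reasons(msg))


if __name__ == "__main__":
    demo = Message("hr@corp.example", ["bob@corp.example"], "Onboarding",
                   "New hire SSN 123-45-6789, desk phone 555-123-4567")
    print(must_encrypt(demo), encryption_reasons(demo))
```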
Eric Butterman is a freelance writer who's written for FedTech and Inc.