Europol Report 2019: Ransomware and Business Email Compromise remain top threats
Europol, the EU’s law enforcement intelligence agency, has released its annual Internet Organised Crime Threat Assessment report, which details its analysis of the online threat landscape. The Europol report emphasises that vulnerabilities from future technologies (such as AI) should not distract from the importance of known threats which continue to plague businesses. For example, Ransomware and Business Email Compromise (sometimes known as CEO fraud) continue to feature on the top ten concerns to EU organisations.
While these aren’t new types of threats, the report highlights that criminals have adapted their tactics in the face of advances in cyber security. For example, there is more variation in the organisations being targeted, the volumes of threats, and their sophistication. It is perhaps no surprise therefore that Ransomware and Business Email Compromise remain in the top ten, as by tweaking the approach slightly they continue to provide an opportune way for criminals to make a living while risking little in the process.
Ransomware remains the greatest concern
“Ransomware maintains its reign as the most widespread and financially damaging form of cyber-attack,” says Catherine De Bolle, Executive Director of Europol. Attacks are becoming more targeted, more profitable and causing greater economic damage. This comes despite Europol and its partners distributing free decryptors via the No More Ransom portal.
With Ransomware, criminals encrypt an organisation’s data to stall its operations and often threaten to release the data publicly until payment is made. Criminals can work this tactic on many levels – targeting an individual, a whole organisation or even multiple companies at once for maximum impact.
Ransomware presents companies with a moral conundrum. Paying to recover their data inspires a new generation of even more sophisticated ransomware – feeding into the cybercrime economy. By not paying, organisations face major disruption to productivity and risks to their reputation, and data, which can lead to lost business, falling share prices and risk of fines from the ICO.
There are several ways in which a ransomware attack can hit an organisation – including phishing campaigns, exploit kits, zero-day exploits or malvertising. Often, the simplest methods – such as getting an employee to click on a dodgy link – are the most effective. The best option is prevention over cure, alongside business continuity solutions that allow organisations to restore backed up data and work from a save environment if needed. Organisations looking to mitigate the chance of a ransomware attack, therefore, need to make sure they are protecting their employees across all possible external entry points – email, web and cloud – as a priority.
Business Email Compromise catching people off guard
The term ‘Business Email Compromise’ relates to the method of communication used by fraudsters posing as a CEO or a senior employee and asking them to transfer a significant sum of money or carry out other fraudulent activity. It is also often known as CEO Fraud or even whaling, due to the way the attacker researches and uses sensitive information to control or ‘socially engineer’ an employee’s actions based on the authority of the supposed sender.
According to the report, attackers are taking advantage of the ever-greater opportunities that come with segregated corporate structures and increasingly flexible and mobile working practices – so employees can’t easily check if an email is legitimate – and gaps in payment verification processes – for example for payments on corporate cards.
Our observations have seen attackers step up their attempts at impersonation, with unique targeted campaigns that are very hard to distinguish from legitimate emails. For example, the email address used to send the request is usually only a character out (think CEO@censormet.com) and all too easy to mistake for genuine. As a result, traditional pattern matching techniques, which were used to block faked emails or emails sent from spammy domains, are rendered useless.
To combat this increased sophistication, our email security solution combines content analysis, threat intelligence, and executive name checking. Content analysis looks out for CEO fraud email containing phrases like ‘urgent wire transfer’ or similar, vastly increases the chance of stopping attacks. We use more than 1,000 algorithms examining over 130 elements of the message.
However, this brings a risk of false positives, meaning any genuine urgent wire transfer requests may well be quarantined. Tagging external emails, using executive tracking to look for senior leadership names in header and envelope fields, as well as keeping a list of nearby domains and checking emails against that can help reduce the risk of false positives. This “multi-layered” defence approach is the best way to protect employees while allowing business as usual email activity.
Fraudsters are also evading technological security measures such as email scanning, by using tactics that move the malicious element – such as moving links from the body of the email into attachments or putting them into cloud storage files to increase their likelihood of being clicked if the email is auto-previewed. This is one reason that Censornet not only has LinkScan™ for time-of-click protection from malicious URLs, but also integrated its cloud, email and web security products – so multi-channel tricks such as these don’t work
Evolving threats require evolving solutions
Cybercriminals are relying on attacks of the same nature but increasing their sophistication, exploiting humans as the weak link in the chain and using subtle but significant changes in approach to bypass legacy security technologies. This is why it is imperative that businesses look for security solutions that don’t stand still, and rather innovate as fast as attackers’ techniques.
By using integrated cloud, email and web security, two of the biggest security threats of today can be seriously mitigated by technology so security teams have more time to focus on other threats and organisations can get on with their day to day business with confidence.
Learn more about how Censornet’s single cloud security platform provides full spectrum threat protection for your organisation and users – no matter where they are