Social Engineering: The Email Attack Vector
It’s no news that people send and receive emails all around the world, all day, every day. Given how popular email is and the volume it carries, it is no surprise that, when it comes to cyber attacks, email is the most used attack vector for compromising individuals and organizations.
An attack vector is a path or means by which an attacker can gain access to a computer or network in order to deliver a payload or malicious outcome, or the path used to compromise an individual or enterprise.
According to a study done by Radicati Group in 2018, there will be more than 3.8 billion email users by the start of 2019. Put another way, about half the entire planet uses email right now.
Since some users hold multiple email accounts (about 1.75 users), there are obviously more email accounts than email users in the world.
From an analysis of half a billion emails in the first half of 2018, FireEye revealed that an alarming one in every 101 emails is malicious, that the number of non-malware scams has increased by 65%, and that 90% of emails are based on social engineering scams such as spear phishing, credential harvesting, impersonation and other campaigns.
These numbers and the shift in attack strategy are largely driven by the adoption of mobile phones. A lot of users check their emails on their phones, especially outside office hours, and this is the perfect vulnerability needed to perform social engineering campaigns.
It is easier for an attacker to trick victims into thinking they are dealing with a legitimate entity and build a rapport with them than it is to simply ask them to download a malicious attachment. This is because most mobile email clients display the name of the sender, and unaware users are less concerned about, or can easily be fooled about, the sender’s email address, but they remember not to download unexpected attachments. Nonetheless, the latter approach still works.
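The gap between the displayed sender name and the real sender address can be checked automatically at a mail gateway or during a mailbox audit. The following Python code is an added example, not part of the original article; the staff directory, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): display names of real staff -> genuine address.
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.com",
    "accounts payable": "ap@example.com",
}
# Matches an email address typed into the display-name field.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (not real traffic).
SPOOFED = 'From: "Jane Doe" <jane.doe@examp1e-mail.test>\nSubject: Quick favour\n\nHi\n'
GENUINE = 'From: Jane Doe <jane.doe@example.com>\nSubject: Minutes\n\nHi\n'
NAME_AS_ADDR = 'From: "ap@example.com" <billing@invoices.test>\nSubject: Invoice\n\nHi\n'

def normalize(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())

def check_from_header(raw_message):
    """Return findings for the From header of one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    findings = []
    # A familiar name paired with an address that is not that person's.
    expected = KNOWN_SENDERS.get(normalize(display))
    if expected and address != expected:
        findings.append("known-name-wrong-address")
    # The name field itself shows an address that differs from the real one,
    # which is what a client showing only the name would present to the user.
    embedded = ADDR_IN_NAME.search(display)
    if embedded and embedded.group(0).lower() != address:
        findings.append("address-in-display-name-mismatch")
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                       ("name-as-address", NAME_AS_ADDR)):
        print(label, check_from_header(raw))
```

Messages with findings are candidates for a warning banner or quarantine review rather than proof of an attack, since people also send from personal accounts.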
Phishing, which is the most common type of attack leveraging social engineering techniques, is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. Phishing emails are easy to create, with so much exposed data out there on the dark web and so much to gather from social media and passive reconnaissance.
Phishing attacks work because, as established, the target pool is so large that even a single-digit percentage success rate will be a very large number.
Other email attacks may simply aim to build a rapport with the victim, and from there subsequent plans to attack are put in place. This is called active email reconnaissance. To put it in simple terms, active email reconnaissance is when emails are sent to a target (organization) and the responses are used as a basis for further attack.
This is most definitely a more intrusive, riskier method of gathering information, and as we know, the greater the risk, the greater the reward. Little nuggets of information can be discovered that can be incredibly useful in any attack or engagement in general.
Information such as non-delivery reports of emails could be useful, as they sometimes contain small pieces of information about an organization, especially if it hosts its own email server. Obtaining one just involves sending an email to an address in an organization’s domain that you know very well doesn’t exist. Information obtained this way could be useful to an attacker at the right place and time.
Out-of-office responses are worse. A great many businesses encourage their personnel to use them, but the information disclosed there could be to their detriment. Out-of-office responses are an absolute goldmine of intelligence during an attack/engagement, even when not performing a direct email attack. First of all, a response confirms the availability of the email address but the unavailability of the user. Such emails usually have a “who to contact in my place” note. An attacker who knows his onions could use these responses to attack an organization by creating non-existent meetings, or by impersonating a client or even an absent staff member to gain access into an organization. He could go on to get access to their network by way of an active patch port. It’s not hard to guess what could happen next.
Attackers could also create plausible email scenarios to get the attention of their target, then weaponize their emails afterwards. Among them are emails about work experience placements, school projects, awards, recruitment or sales, amongst others.
Email attacks are very common, but all hope is not lost: it is possible to protect yourself and reduce the risk of compromise by way of email.
Stay tuned to this page, as we will go through ways of defending against email attacks in a follow-up article.