decrypting myths
I recently wrote a blog post on the idea of ‘fearware’ and why it’s so successful. Right now, people are desperate for information and attackers know this. Cybercriminals play into fear, uncertainty and doubt (FUD) through a number of mechanisms, and we have since seen a variety of imaginative attempts to engage recipients.

These emails range from fake ‘virus trackers’ to messages purporting to be from Amazon, claiming an unmanageable rise in newly registered accounts and demanding ‘re-registration’ of the recipient’s credit card details should they wish to keep their account.
Domain name purchasing: A vicious cycle
Purchasing thousands of new domains and sending malicious emails en masse is a tried and tested technique that cybercriminals have been leveraging for decades. Now, with automation, they’re doing it faster than ever before. Here’s why it works.
Traditional security tools work by analysing emails in isolation, measuring them against static blacklists of ‘known bads’. By way of analogy, the gateway tool here is acting like a security guard standing at the perimeter of an organisation’s physical premises, asking every individual who enters: ‘are you malicious?’
The binary answer to this sole question is extracted by looking at some metadata around the email, including the sender’s IP, their email address domain and any embedded links or attachments. These tools analyse this data in a vacuum, and at face value, with no consideration of the relationship between that data, the recipient and the rest of the business. They run reputation checks, asking ‘have I seen this IP or domain before?’ Crucially, if the answer is no, they let the email straight through.
To spell that out: if the domain is brand new, it won’t have a reputation, and as these traditional tools have a limited ability to identify potentially harmful elements by any other means, they have no choice but to let the email in by default.
These methods barely scratch the surface of a much wider range of characteristics that a malicious email might contain. And as email threats get ever more sophisticated, the ‘innocent until proven guilty’ approach is not enough.
For a comprehensive check, we would want to ask: does the domain have any previous relationship with the recipient? With the organisation as a whole? Does it look suspiciously similar, visually, to other domains? Is this the first time we’ve seen an inbound email from this user? Has anybody in the organisation ever shared a link with this domain? Has any user ever visited this link?
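To make the contrast concrete, here is an added illustration (not code from the article or from Darktrace) that puts the legacy reputation-only check beside a check that answers the relationship questions listed above. All domains, recipients and history sets are constructed sample data; the lookalike test uses plain edit distance against domains the organisation already trusts.

```python
# Constructed sample context for one fictional organisation (not real data).
KNOWN_BAD_DOMAINS = {"evil-tracker.example"}   # static blacklist a legacy gateway consults
ORG_DOMAINS = {"acme-corp.example"}            # the organisation's own domains
CORRESPONDED = {                               # recipient -> domains they have exchanged mail with
    "alice@acme-corp.example": {"partner.example", "amazon.example"},
}
ORG_CONTACTS = {"partner.example", "amazon.example", "vendor.example"}  # domains anyone in the org has mailed
SHARED_LINK_DOMAINS = {"partner.example", "docs.vendor.example"}        # link domains seen in internal mail
VISITED_DOMAINS = {"partner.example", "docs.vendor.example"}            # link domains seen in browsing logs


def reputation_only_verdict(sender_domain):
    """The legacy check: block only if the domain is already a 'known bad'.
    A brand-new domain has no reputation, so it is allowed by default."""
    return "block" if sender_domain in KNOWN_BAD_DOMAINS else "allow"


def edit_distance(a, b):
    """Levenshtein distance, used to flag lookalike (visually similar) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def context_signals(sender_domain, recipient, link_domains):
    """Answer the relationship questions: recipient history, organisation history,
    lookalike similarity, and whether the embedded links were ever shared or visited."""
    trusted = ORG_DOMAINS | ORG_CONTACTS
    return {
        "known_to_recipient": sender_domain in CORRESPONDED.get(recipient, set()),
        "known_to_org": sender_domain in ORG_CONTACTS,
        "lookalike_of": sorted(d for d in trusted if 0 < edit_distance(sender_domain, d) <= 2),
        "links_ever_shared": all(d in SHARED_LINK_DOMAINS for d in link_domains),
        "links_ever_visited": all(d in VISITED_DOMAINS for d in link_domains),
    }


def context_verdict(sender_domain, recipient, link_domains=()):
    """An established relationship allows; a lookalike of a trusted domain is quarantined;
    a first-seen sender carrying links nobody in the organisation has shared or visited is held."""
    s = context_signals(sender_domain, recipient, link_domains)
    if s["known_to_recipient"] or s["known_to_org"]:
        return "allow"
    if s["lookalike_of"]:
        return "quarantine"
    if link_domains and not (s["links_ever_shared"] or s["links_ever_visited"]):
        return "hold"
    return "allow"
```

Run against the constructed data, a brand-new domain such as `fresh-tracker.example` passes the reputation-only check but is held by the contextual one, and `amaz0n.example` is quarantined as a lookalike of a domain the recipient already corresponds with.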
Legacy tools are blatantly asking the wrong questions, to which attackers already know the answers. And usually, they can slip past these inattentive security guards by paying just a few pennies for new domains.
Dan Fein, Director of Email Security Products, Americas, Darktrace
How to buy your way in
Let’s look at the situation from an attacker’s perspective. They need just one email to land and it could be the keys to the kingdom, so an upfront purchase of a few thousand new domains will almost inevitably pay off. And they will keep paying that price as long as it keeps working and they keep profiting.
This is exactly what attackers are doing. Newly registered domains consistently get through gateways until these traditional tools are armed with enough information to determine that the domains are bad, by which point
68 Issue 26 | www.intelligentciso.com