Last month, the US Department of Justice (DOJ) announced the arrest of a Lithuanian man for allegedly stealing US $100 million from two U.S.-based tech companies. While the names of the compromised organizations remain concealed, the DOJ did reference an elaborate business email compromise (BEC) scheme as the trigger for the heist. According to the FBI, Evaldas Rimasauskas allegedly targeted two very specific companies and successfully induced their employees into wiring the money to overseas bank accounts under his control.
In response to the attack, U.S. Attorney Joon H. Kim said, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.” With more than 95 percent of cyberattacks, including the impersonation revealed in this hack, originating as a result of spear phishing, it’s time for security pros to develop defensive strategies that truly interrupt cyber attackers from doing what they do best.
The Dangerous Effectiveness of Email Spoofing
From what we know about these attacks so far, the attacker used a fake email account to impersonate a third-party vendor to gain network access. According to court documents obtained by The Verge, the attacker was successful “by masquerading as a prominent Asian hardware manufacturer.” Such attacks that target specific personnel for comprehensive exploration purposes can be highly evasive.
Sophisticated hackers, cyber criminals and nation states are increasingly utilizing email spoofing because many cybersecurity solutions are not designed to identify non-context based attacks or filter malicious emails at the gateway level. This deficiency marginalizes many security teams; confining them to a reactive security posture that prioritizes minimizing damages over proactive attack identification and remediation. For the two U.S. tech companies, the spear-phishing attack that “tricked employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries” was met with zero initial resistance.
Mitigating Email Spoofing Risk with Machine Learning
One way to tackle such attacks is to profile individual email correspondents and look for impersonation attacks using machine learning (ML). With ML, algorithms continuously improve in detection of both anomalies and irregular communications patterns based on learned experiences, negating false positives and bolstering proactive defenses. Using a “bottom-up approach,” machines can observe every employee mailbox individually, collecting statistics about the sender, not just based on the volume of emails going through, but also on the actual correspondent and attachment/link interaction. This approach is proven more thorough than gateway/ISP solutions that rely on volume only. With local reputation analysis, users can better spot spear-phishing and email spoofing attempts, which ultimately enables the ML algorithm to get smarter in real-time.
In addition, ML can make sure that every email landing in an employee mailbox is evaluated, visualizing the results for non-tech savvy employees. That consistency is important to counter the proliferation of BEC spoofing and impersonations, since those attacks always appear as coming from executives within an organization. Most importantly, whenever ML identifies a malicious email, communications between the machine and people or technology solutions can occur in real-time, triggering automatic responses and/or SOC team notification.
Email spoofing is not going to disappear any time soon. In fact, successful attacks, such as the one against two U.S. tech companies, will only increase the frequency of impersonation attacks. Overall, a combination of a vigilant workforce and ML is needed to reduce the risk of increasingly sophisticated and frequent attacks before it’s too late.
To learn more about the power of incorporating ML into a phishing mitigation /remediation approach, download the IRONSCALES whitepaper.