by Kim Crawley
In late 2019, the European Central Bank (ECB) announced that they had to shut down one of their websites due to a significant breach. As per their press release:
“Unauthorized parties had breached the security measures protecting its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external provider. As a result, it was possible that the contact data (but not the passwords) of 481 subscribers to the BIRD newsletter may have been captured.
The affected information consists of the email addresses, names and position titles of the subscribers. The ECB is contacting people whose data may have been affected.”
ECB’s Banks’ Integrated Reporting Dictionary is a crucial resource for Europe’s financial services industry. The personal information that was breached exposed many prominent European bankers. It appears that the cyber attackers intended to leverage BIRD in order to subject their subscribers to further phishing attack campaigns.
Their targets control a lot of Europe’s wealth, and successful phishing attacks on them could expose Europe’s banking systems to an awful lot of risk. Money makes the world go around, and sophisticated cyber attackers will plan lengthy campaigns in order to access it.
Detection and Attack Vectors
The malware breach lingered in BIRD’s networks since at least December 2018, but it went undetected until very recently. According to the ECB, the breach came to light during regular maintenance work. There has been no confirmation as to how the malware was injected into BIRD’s servers. But as it was for the purpose of launching phishing campaigns, it’s possible that phishing was also the initial attack vector. That’s a useful hypothesis until more details emerge about how the cyberattack was actually deployed.
The nature of the ECB data breach reflects the insights in BlackBerry Cylance’s most recent Threat Report about how advanced cyber criminals are targeting the financial sector. According to the report:
“BlackBerry Cylance observed the continued adoption of commercial off-the-shelf (COTS) tools, living off the land (LOTL) tactics, and open-source tools by organized and nation-state-backed threat groups. Implementing a variety of threat tools can serve as a distraction technique while also helping attackers successfully execute a malware campaign.”
During their finance-focused campaigns, BlackBerry Cylance observed that:
The ECB breach involved malware that was injected into BIRD’s servers. ‘Living off the land’ cyberattack techniques involve using a target’s own software and hardware tools against them. ECB’s cyber attackers planned to use both the sensitive data in BIRD’s web platform and the platform itself in order to execute further phishing campaigns.
I suspect that phishing was used as the attack vector for additional and ongoing phishing. This breach fits multiple characteristics of financial cyberattack trends that BlackBerry Cylance has observed occurring lately.
Can Security Training Prevent Phishing Attacks?
If public and private sector financial services organizations want to prevent the sort of attacks that the ECB faced, would employee and stakeholder security awareness training make a huge impact? That’s the common wisdom. People are most commonly taught to spot phishing emails and websites with some common indicators. They include looking for incorrect spelling, punctuation, and grammar in English. If the cyber attackers speak English as a second language, they’re more likely to make those sorts of mistakes.
But what if the cyber attackers are native English speakers, or if they hire native English speakers to make sure their English usage is perfect? A lot of phishing is also done in other commonly used languages, such as Chinese or Spanish. A lot of cyber attackers are fluent in those languages, so training employees to spot imperfect Chinese or Spanish or other language use doesn’t always work very effectively.
Employees are also often trained to “mouse over” a hyperlink in an email to see if the URL looks suspicious. But we check our email on our phones a lot of the time, and mousing over doesn’t usually work on mobile devices. Plus punycode exploits are a thing. How is a user supposed to tell the difference between “amazon.com” and “åmαzon.com” if the cyber attacker decides to use substitute Unicode characters to imitate the ASCII characters in the domain name they’re spoofing?
Vanderbilt University’s Eric Johnson spoke about the difficulties with employee anti-phishing training. His research indicated that it isn’t always effective:
“We did a large study inside of a company involving 1,500 users over a period of time, with multiple campaigns running. We were thinking when we started out that we were going to find that embedded training worked, but sadly it doesn't seem to be all that effective.”
So why is that?
“There are many reasons that we've been hypothesizing. It seems like in groups of people, particularly inside a corporate firewall, who just click on everything, training doesn't seem to slow them down one iota. We certainly saw that in the research. We called them the ‘Clickers’ and it didn't matter how much training you did, these people just kept clicking. It's very hard to get folks, particularly when the deception is pretty good, to really step back for thirty seconds and look at it and say, ‘Is this something I should be clicking on?’"
And the opposite to Clickers?
“There were other folks who were naturally, or maybe through their own learning, much more cautious and they weren't clicking. That group really doesn't benefit so much from the training because they are already not clicking.”
When Legitamate Company Emails Look Like Phishing
A lot of business activities are conducted via email. Lysa Myers is concerned that the entities that send legitimate business emails to employees may actually be a part of the phishing problem. She’s concerned that legitimate business entities often craft emails that look like the phishing emails employees are trained to avoid. She said,
“I recently received an email from an address I didn’t recognize, that purported to be from a trusted authority, using urgent language to insist that I open an unexpected attachment. Clearly, this message must be a phishing attack that I deleted immediately, right?
As you may have guessed, after careful research I found that it was a legitimate message that did include important information, even if it was significantly less urgent than the message’s wording implied. I also found that people who should absolutely ‘know better’ are sending messages that actively groom recipients to fall victim to ‘phishy’ messages. The only way that ‘avoid phishing’ tips work is if actual trusted authorities don’t use the same techniques as criminals.”
So how can legitimate email senders avoid grooming employees into trusting phishing emails? Here’s what Myers recommends.
1) Notify employees in advance of important upcoming messages. First of all, senders should let employees know about the email through other mediums if at all possible.
“If you’re going to send an email about shipping, event planning or other things requiring employee action, let them know ahead of time. The more info you can give them about what to expect – such as the sender’s email address, a brief summary of the content, etc. – the better able they will be to verify that the email is genuine.”
2) Don’t create a sense of false urgency. Phishing cyber attackers often use wordings that makes their emails seem super urgent. They need to scare their targets into clicking on their links. Legitimate senders should avoid making their emails sound more urgent than they actually are.
“There’s no good reason to employ social engineering tactics to create fear in your employees. Presumably the people you hire are all responsible adults, and you can motivate them to action by accurately describing the level of urgency in a way that does not require panic. As much as possible, make sure the email sender matches the message and uses an appropriate level of authority.”
3) Use plain text in your emails rather than HTML format. Phishing cyber attackers have to go to great lengths to make their emails look interesting and important. So they’ll make HTML emails with a lot of embedded graphics and the like. Making HTML emails that spoof legitimate entities is easier than ever with the media kits that are sold on the Dark Web. How should business leaders respond to that in their day-to-day communications with their staff?
“Default to using text formatting; use HTML content only if absolutely necessary. If at all possible, recipients should not have to clink on a link or attachment to read the substance of the message. Make it as quick and easy as possible for your employees to get at least a basic summary of the information, and have them go to a standard location (such as an internal company site) to get more detailed information, rather than a link embedded in the message.”
How to Defeat Web Malware
Getting smarter about phishing is crucial to preventing attacks like the one the ECB just faced. But the other major issue is web malware. In ECB’s case, I was curious: how did the malware lurk on ECB’s BIRD website for so long while evading detection?
For insight, I looked at the Analyzing and Defending Against Web-based Malware report by the University of Pennsylvania’s Jian Chang, Krishna Venkatasubramanian, Andrew West, and Insup Lee. They identified areas of research to pursue to improve our ability to detect and prevent web malware. They include:
Building benchmark platforms:
“Almost all the approaches suffer from either false positives or false negatives; however, there is no commonly accepted data set or testing framework to comparatively evaluate their effectiveness. Therefore, a well-designed benchmark framework is clearly needed to scientifically study and compare different proposed approaches.”
Securing code mashups:
“The client-side code of web applications can be reused and dynamically loaded from external sources. This code mashup requires a different security model than any traditional programming paradigms. Given the prevalence of client-side code mashups, it is imperative to design a sound approach to enhance the flexibility of the current mashup programming practice with guaranteed security.”
Studying social engineering techniques:
“Current detection approaches mainly focus on the web-based malware delivered through drive-by download attacks. The studies on malware delivered through social engineering tricks is very limited. However, as the technologies for mitigating drive-by download attacks become more mature and more broadly deployed, it is reasonable to assume that the attackers will focus more on using social engineering tricks to improve their chance of success.”
Studying the epidemiology of web malware:
“Existing detection mechanisms can be used to build the topology of the malware distribution infrastructure. However, there is no study on the liveness property of this topology: understanding how the connections between landing sites and distribution sites evolve over time. An accurate epidemic model is useful to evaluate how fast and prevalent a defense mechanism needs to be deployed to effectively fight against a web-based malware outbreak.”
Phishing and web malware exposed a huge crack in a web resources from one of the most important financial institutions in the world. We must learn from this incident to help protect financial data from future catastrophic breaches.