Malicious URLs: How Protected Are You?

Few angles make for a better email-borne attack than the impersonation of a trusted service. Organizations such as Microsoft, Google, Bank of America, Citigroup, DocuSign, Dropbox, FedEx, UPS, and countless others are brands recognized throughout the world that host or access trusted financial data, personally identifiable information, confidential data, and other exploitable content desired by criminals.

Better yet for attackers, these organizations frequently send a variety of notifications: updated terms of service, account changes and alerts, new documents being shared, etc. Recipients don’t just trust these brands, they’ve been conditioned to expect email notifications from these companies. As a result, they often interact with emails from trusted brands without giving as much thought to it as they might take with an email from a stranger. This provides a ripe environment for attackers to exploit.

These emails may be after any number of pieces of information (names, addresses, social security numbers, account numbers, routing numbers), but what is commonplace at nearly every organization is credential theft by way of a fake notification email like one of the aforementioned. Attackers have realized the value of these credentials: with password reuse as rampant as it is, one password can be the key to everything from a corporate account to a personal email account to a bank account, and even without reuse, an email account is the most common means of resetting the passwords for every other account a person uses.

There are a number of ways to detect and prevent these attacks, but detection and prevention based on analysis of URLs (and, to a lesser extent, attachments) has been viewed as a central component of email security technologies for some time now. This approach is not nearly as infallible as many are led to believe. When the system gets it right, everyone sleeps soundly, but a number of these payloads still reach end users precisely because of the shortcomings of the specific analytical approach taken, and end users are then left to their own devices to figure out which URLs are safe and which are not.

Over time, attackers have become craftier in their approach to these emails, meaning the payloads that get through are more and more pernicious. Regardless of who or what business service is spoofed, destination URLs are often “hidden” behind hyperlinked text (e.g. “Click here”), made to look like a common file share URL, or are even legitimate file sharing URLs. Because of this, they can be difficult to spot and identify as unsafe. Coupled with users’ inherent trust in these respected brands (or in members of their own organization) and the sense of urgency an attacker creates (“Data will be deleted in the next 24 hours if you do not take action!”), users often feel compelled to do exactly as the message advises: they click.

Many existing email security solutions are heavily reliant on threat intelligence feeds to identify these URLs as malicious at the time of delivery. While undeniably useful, threat intelligence has its shortcomings. It goes without saying, but someone needs to be the first (or possibly second, third, fourth, fifth…) victim before the URL can be classified as malicious and that intelligence can be disseminated. Other solutions stop short of analyzing the full URL and instead focus only on the root domain. The idea is that, given their available dataset coupled with threat intelligence and other data feeds, malicious URLs are bound to be spotted simply because they are anomalous. This ignores the fact that domain registrations (and the certificates behind them) expire and can be picked up by someone else, that attackers can hijack otherwise innocuous websites by other means, and that they can use URL shorteners, redirects, and a host of other techniques that obfuscate the true intent of the destination page. A root domain with a clean reputation says nothing about the path, query string, or redirect chain that the attacker actually controls.

GreatHorn recently identified a fairly compelling example of a business services impersonation email in one of our client environments that would almost certainly have bypassed many of these existing methods of detection. The message appeared to be from business service provider LogMeIn, which makes a suite of popular access and communications products, including GoToMeeting and LastPass among others. As anyone familiar with LogMeIn notifications would recognize, save for the font, the notification was exceptionally close in appearance to a real LogMeIn notification email. There was a link in the message purportedly leading the user to a LogMeIn account login page where “6 months of free subscription” awaited him.

In this instance, the attacker utilized a domain for the URL (logme-in.com) similar enough to LogMeIn’s actual domain (logmein.com) that it would likely pass as legitimate to an end user’s eye test. At the time of attack, the URL in this email was not showing up on dozens of threat intelligence feeds and the root domain of the URL redirected to a Google search page showing results for a LogMeIn-related search. With threat intelligence coming up blank, if a solution were to check the root domain, it would ultimately find a legitimate Google webpage.

As is shown in this example, the term “detecting malicious URLs” can be misleading. This particular email, at least in regard to the URL, could easily have bypassed any number of security solutions if they used one of the above approaches. With attackers getting more savvy, it’s important for security teams to ensure that their link protection options are robust enough to protect them from attacks.
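The checks below are an added example, not GreatHorn's code or the product described in this post. They show what analyzing the full link, rather than only the root domain, looks like in practice: a lookalike check on the registrable domain against a small brand list (so that logme-in.com is matched to logmein.com by hyphen insertion or edit distance), a shortener check, a mismatch check between the visible anchor text and the real href, and a check for credential-harvest paths on a lookalike domain. The brand list, shortener list, and the sample HTML message are constructed for illustration; the naive registrable-domain split is an assumption that a real deployment would replace with the Public Suffix List.

```python
"""Full-URL link assessment for HTML email bodies (added example; constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of brands likely to be impersonated.
KNOWN_BRANDS = ("logmein.com", "microsoft.com", "google.com", "docusign.com", "dropbox.com")
# Constructed list of shorteners whose destination is opaque until expanded.
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com", "goo.gl")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Assumption: fine for .com-style TLDs;
    use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str):
    """Return the brand a registrable domain imitates, or None (exact matches are not lookalikes)."""
    if domain in KNOWN_BRANDS:
        return None
    name = domain.rpartition(".")[0]
    for brand in KNOWN_BRANDS:
        bname = brand.rpartition(".")[0]
        # Hyphen insertion ("logme-in") or a one-character edit ("gogle").
        if name.replace("-", "") == bname or levenshtein(name, bname) <= 1:
            return brand
    return None


def host_in_text(text: str):
    """If the visible anchor text looks like a URL or bare hostname, return that host."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname or ""
    return host if "." in host and not host.endswith(".") else None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str) -> list:
    """Findings for one hyperlink, computed from the full URL rather than the root domain alone."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"lookalike domain {domain} imitates {brand}")
    if domain in SHORTENERS:
        findings.append(f"shortener {domain} hides the destination; expand before a verdict")
    shown = host_in_text(text)
    if shown and registrable_domain(shown) != domain:
        findings.append(f"link text shows {shown} but points to {host}")
    if brand and any(k in parsed.path.lower() for k in ("login", "signin", "account", "verify")):
        findings.append("credential-harvest path on a lookalike domain")
    return findings


def scan_email_html(html: str) -> dict:
    """Map every href in the message body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample modeled on the notification described above; not the real message.
SAMPLE_EMAIL = """
<p>Your account qualifies for 6 months of free subscription.</p>
<a href="http://logme-in.com/account/login?promo=6months">Click here</a> to claim it.
<p>Questions? Visit <a href="https://www.logmein.com/support">our support site</a>.</p>
<a href="https://bit.ly/example">https://www.logmein.com/billing</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", findings or ["no findings"])
```

Run stand-alone, the script flags the logme-in.com link twice (lookalike domain, login path) and the shortener link twice (opaque destination, anchor text naming a different host), while the genuine logmein.com support link produces no findings. A root-domain-only check would have had nothing to say about any of the three.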

We recently announced GreatHorn Link Protection – a new turnkey module that’s available as a core component of our email security platform. In addition to all the proprietary threat detection techniques we use that would flag a message such as this as a concern, GreatHorn Link Protection provides multiple levels of protection regardless of the URL’s presence on our threat intelligence feeds.

Stay tuned for more blogs on GreatHorn Link Protection, but in the meantime, you can learn more about GreatHorn’s Malicious URL capabilities here. Also consider checking out our recent blog on the recent rise in business service impersonations to learn more about real-world credential theft attempts.

How Confident Should You Be About Google Confidential Mode?

Google recently released a variety of security features to enhance, among other things, the user experience within Gmail (note that I use Gmail and not G Suite; this will become an important distinction). While many of these features were good steps for Google, one particular “security” feature has been met with heightened scrutiny from the security community. This feature is the ability to send “confidential” messages. Beyond the limitations and shortcomings of the confidential messaging features being discussed amongst concerned users, the feature has now caught the attention of the Department of Homeland Security.

Conceptually, the confidential messaging feature provides a method to send certain messages more securely within Gmail. End users can set expiration dates on messages, require SMS authentication before messages can be read, and send messages with the forward, copy, print, and download options removed (which does not stop a recipient from taking a screenshot). Aside from the debate around how novel the methodology is, the means by which these messages are delivered raises questions about how secure they truly are. Namely, how ripe are confidential messages for spoofing attempts?

Two scenarios come to mind. When a G Suite user sends a confidential message to another G Suite user, the recipient views the content directly in Gmail without needing to go to a secondary webpage. Under this scenario, the message never truly leaves the Google ecosystem (confidential messages always reside on Google servers). That said, nothing is preventing a confidential message from including malicious content such as a nefarious URL or attachment.

The second scenario deals with non-Gmail recipients, or Gmail users accessing mail in a client other than the Gmail client. Under either of these conditions, the recipient gets a notification with a link and is brought to a Google-hosted webpage to view the content; Google account holders are prompted to sign in with their Google credentials, while non-Google recipients are sent a one-time passcode instead. The same point about malicious content holds here, but attackers can also seamlessly impersonate this notification-and-sign-in workflow to steal credentials.

Under both scenarios, an attacker is exploiting user trust: not only is the user receiving a message in his or her inbox, but it is being sent “confidentially.” These types of tactics have been used for years as a way to engender trust between sender and recipient, but now Google has programmatically introduced a heightened level of trust seemingly without the means to prevent the feature from being exploited for nefarious purposes.

And as previously mentioned, the G Suite versus Gmail distinction is key: the confidential messaging feature is available and functions in the same fashion in both the free version as well as the paid G Suite platform. In other words, attackers can register Gmail accounts for free, set their display name to that of a business contact known to the recipient, and send these confidential messages as if they are the stated sender.

So how concerned should you be? From a professional perspective, the answer is, “it depends.” As a natural part of security awareness training, you are likely already emphasizing to your users that clicking on unexpected links is a bad practice. Unfortunately, training and real-world habits are often worlds apart.

If the notification of a confidential message is itself being spoofed, then your email security solution will treat it the same way it treats other business service impersonation and credential theft attempts. Legitimate confidential messages sent for potentially nefarious ends, however, open up a whole other can of worms. We recommend checking with your email security provider about this scenario in particular to understand how it is addressed.

Our customers can rest assured that GreatHorn is able to address both of the above scenarios. GreatHorn’s email security platform relies on anomaly detection based on deep relationship analytics and adaptive user / organizational profiling. Regardless of the intent, GreatHorn is still able to, among other things:

  • Gauge the relationship, or lack thereof, between sender and recipient;
  • Determine whether the specific address being used has been seen before; and
  • Scrutinize other key information about the sender.

All of this is possible even when confidential messaging is being used.
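The sender checks listed above can be illustrated with a small piece of standard-library Python. This is an added example, not GreatHorn's code: it keeps a constructed history of addresses the recipient has exchanged mail with, then scores an incoming message on whether the address is first-seen, whether its display name belongs to a known contact at a different address (the free Gmail account with a familiar display name described above), whether that reused name sits on a free-mail domain, and whether Reply-To points somewhere other than the From domain. The history, domain list, and sample messages are all constructed for illustration.

```python
"""Sender anomaly checks for a confidential-message lure (added example; constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed per-recipient history: address -> display name seen with it and message count.
SENDER_HISTORY = {
    "alice@partner.example": {"display": "Alice Example", "messages": 42},
    "ops@vendor.example": {"display": "Vendor Ops", "messages": 7},
}
# Constructed list of free-mail providers where anyone can register a display name.
FREEMAIL_DOMAINS = ("gmail.com", "outlook.com", "yahoo.com")


def assess_sender(raw_message: str, history=SENDER_HISTORY) -> dict:
    """Return the sender address, a risk level, and the findings that drove it."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # Relationship check: has this exact address ever written to the recipient?
    if addr not in history:
        findings.append("first-seen sender address")

    # Display-name reuse: a familiar name attached to an unfamiliar address.
    for known_addr, record in history.items():
        if name and record["display"].lower() == name.lower() and known_addr != addr:
            findings.append(f"display name {name!r} belongs to known contact {known_addr}")

    # A reused contact name on a free-mail domain is the pattern described in the post.
    if domain in FREEMAIL_DOMAINS and any("known contact" in f for f in findings):
        findings.append("free-mail address reusing a business contact's name")

    # Replies routed away from the apparent sender are a common tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        findings.append("Reply-To domain differs from From domain")

    if any("known contact" in f for f in findings):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"from": addr, "risk": risk, "findings": findings}


# Constructed samples: an impersonated "confidential message" notice and a genuine message.
IMPERSONATION = """\
From: Alice Example <alice.example.acct@gmail.com>
Reply-To: Alice Example <alice.example.acct@gmail.com>
To: victim@corp.example
Subject: Alice Example has sent you a confidential message

Open the message to view its contents.
"""

LEGIT = """\
From: Alice Example <alice@partner.example>
To: victim@corp.example
Subject: Q3 invoice

Hi, the invoice is attached.
"""

UNKNOWN = """\
From: Bob Newvendor <bob@newvendor.example>
Reply-To: billing@collector.example
To: victim@corp.example
Subject: Introduction

Hello, we met at the conference.
"""

if __name__ == "__main__":
    for sample in (IMPERSONATION, LEGIT, UNKNOWN):
        print(assess_sender(sample))
```

The impersonation scores high on three findings (first-seen address, Alice's display name on a different address, free-mail domain) even though nothing about the message body or its link has been examined; the genuine message from the historical address scores low; the unknown vendor with a mismatched Reply-To lands in the middle, which is where a human or a second-stage URL check would take over.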

In situations where Google’s confidential messaging is being impersonated, GreatHorn will analyze all of the above characteristics to gauge whether or not it is a legitimate confidential message as well as determine if the URL in the message is unusual or malicious.

Are you excited or concerned about Google’s new feature? Give us your view by commenting on the blog below.