Security experts are advising political parties and businesses to pay more attention to email security after the latest revelations about a Russian cyber espionage group.
Email’s renewed popularity as a means of attack is driven by the fact that it does not rely on vulnerabilities and uses simple deception to lure victims into opening attachments, clicking links or disclosing credentials, according to Symantec’s latest threat report.
In particular, credential phishing has been a key part of many cyber attacks by Pawn Storm on armed forces, the defence industry, news media, politicians and dissidents, according to a report by security researchers at Trend Micro.
They have found that the group is creating phishing emails that are highly sophisticated, almost perfectly replicating legitimate URLs and using a technique called “tabnabbing” which swaps inactive open tabs with a phishing site.
Pawn Storm was widely linked to cyber attacks on the Democratic National Committee and Hillary Clinton’s campaign in the 2016 US presidential election, and more recently was found to be targeting French presidential candidate Emmanuel Macron, the report said.
Pawn Storm is also believed to have targeted the German political party Christian Democratic Union (CDU), the Turkish parliament, the parliament in Montenegro, and the World Doping Agency (WADA).
These activities have raised concerns about the cyber security of political parties, with several elections due across Europe in 2016, including the UK in June.
At a minimum, there is no excuse not to implement the Dmarc (domain-based message authentication, reporting and conformance) email authentication policy to help identify and block malicious emails impersonating trusted domains.
Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme led by the National Cyber Security Centre (NCSC).
However, other advanced precautions also need to be taken, with an emphasis on verifying the identity of the sender.
Candidates for public office and political parties, like businesses, create and store a lot of data in vulnerable places, he said.
According to the 2017 Varonis Data Risk Report, on average organisations have 20% of folders open to every employee, and 47% have 1,000 or more files containing sensitive personal or financial data accessible to every user.
One compromised account or system can compromise a massive amount of data, and possibly an election.
If the highly targeted phishing attacks on French presidential candidate Emmanuel Macron’s campaign had been successful in stealing credentials, the attackers would have become virtual “insiders”, gaining access to files and emails that could influence the election.
The Trend Micro report on Pawn Storm recommends that organisations improve the security of their email and defend against credential theft by considering the following:
Even though two-factor authentication improves security, it does not make social engineering impossible because all temporary tokens can be phished by an attacker.
Even when two-factor authentication is used, an attacker only has to phish for the second authentication token once or twice to get semi-permanent access to a mailbox. They can set up a forwarding address or a token that allows third-party applications full access to the system.
Mandatory logging in to a company VPN network does raise the bar for an attacker. However, VPN credentials can also be phished, and targeted attackers may specifically go after VPN access credentials.
Authentication with a physical security key makes credential phishing virtually impossible unless the attacker has physical access to the target’s equipment. When a target uses a physical security key, the attacker either has to find an exploit to get unauthorised access, or has to get physical access to the security key and the target’s laptop.
To add to authentication methods that are based on what you know and what you have, authentication based on what you are can be added: fingerprints or other biometric data. Biometrics have already been used by some laptop and phone suppliers, and have also been a common authentication method in datacentres for more than a decade.
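The recommendations above note that once a mailbox is phished, the attacker's first move is often a forwarding address, which keeps working after the password is changed. Because that persistence shows up as an administrative change in the mail platform's audit log, it is also something a defender can alert on. The Python below is an added example, not code from the article or from Trend Micro: it reviews a handful of constructed audit events and flags any forwarding target outside the organisation's own domains. The event field names and the operation names are assumptions loosely modelled on Exchange-style cmdlets, not a real product's log schema, and `ORG_DOMAINS` is a placeholder for the organisation's real mail domains.

```python
"""Flag mailbox-forwarding changes that point outside the organisation.

Added example with constructed audit events; field names are assumptions.
"""

# Assumption: the organisation's own mail domains (placeholder value).
ORG_DOMAINS = {"example.org"}

# Constructed sample events, loosely modelled on Exchange-style cmdlet audit
# records. Only the first two represent the pattern the article describes.
EVENTS = [
    {"user": "alice@example.org", "op": "New-InboxRule",
     "params": {"Name": "cleanup", "ForwardTo": "relay@example.net",
                "DeleteMessage": True}},
    {"user": "bob@example.org", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:bob.home@example.net"}},
    {"user": "carol@example.org", "op": "New-InboxRule",
     "params": {"Name": "team", "ForwardTo": "team@example.org"}},
    {"user": "dave@example.org", "op": "Set-Mailbox",
     "params": {"DisplayName": "Dave"}},
]

# Parameters that cause mail to leave the mailbox automatically.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")


def recipient_domain(value: str):
    """Extract the domain from 'user@domain' or 'smtp:user@domain'."""
    addr = value.split(":", 1)[-1]  # drop an "smtp:" prefix if present
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def review_event(event: dict):
    """Return an alert dict for an external forward, otherwise None."""
    params = event.get("params", {})
    targets = [params[k] for k in FORWARD_PARAMS if k in params]
    if not targets:
        return None
    external = [t for t in targets if recipient_domain(t) not in ORG_DOMAINS]
    if not external:
        return None
    # A rule that forwards and deletes hides the leak from the mailbox owner.
    severity = "high" if params.get("DeleteMessage") else "medium"
    return {"user": event["user"], "op": event["op"],
            "external": external, "severity": severity}


def review_events(events: list) -> list:
    """Run review_event over a batch and keep only the alerts."""
    return [alert for alert in map(review_event, events) if alert]


if __name__ == "__main__":
    for alert in review_events(EVENTS):
        print(f"[{alert['severity']}] {alert['user']} {alert['op']} -> "
              f"{', '.join(alert['external'])}")
```

The same check applies equally to the other persistence route the recommendations mention, a third-party application granted full mailbox access: the consent event is logged the same way, and the alerting question is the same, namely whether the grantee is something the organisation recognises.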