How To Prevent Executive Email Spear Phishing

Jun 27, 2019 | Uncategorized

Scoff and Ye Shall Receive Hackers

Malicious infosec actors usually have one of four goals: intelligence, control, profit, or destruction. For a long time email has not received appropriate security attention because executive users are confident they can recognize and handle email threats. Because executives essentially scoff at the email attack vector, attackers have come to see email as an ideal method of executive compromise. The FBI has been stepping up its warnings to the community about the threat of business email compromise and encouraging serious countermeasures. The most cumulatively dangerous method of email attack is spear phishing. The popularity of social media and general interconnectedness has made personal information on individuals trivial to obtain (a practice known as open source intelligence). This personal information is exactly what is used to craft effective hyper-targeted phishing attacks. The attack begins when a bad actor communicates with a target to garner intelligence and assets, usually while pretending to be someone else. For example, an attacker may email an executive pretending to be a co-worker friend asking to expense a bill. The email opens by discussing previous shared events such as a ski trip. This detailed information leads the target to believe they are communicating with their friend, and to use their large discretionary spending budget to pay the attacker unwittingly. Spear phishing is, however, a vector used for many goals, as detailed below. The purpose of this article is to convince readers to take email attacks seriously and adopt defenses against spear phishing in particular.


Intelligence is the first goal. When attackers look for executive information in your databases, it is usually to aid another organization or to gain leverage. A prime example is the Ashley Madison hack. Adultery is typically an embarrassment, particularly for leaders such as executives. The hackers discovered the identities of executive users and then used that information to embarrass and blackmail victims. Such information is not always gathered for mass use; sometimes it is used to aid another organization's ongoing negotiations or conflicts, for example by using the embarrassing knowledge to encourage executive cooperation in a deal, or to make a victim give up information or access under duress. Another prelude to larger attacks is stealing information about the system itself to aid the development of effective malware. This is popular where many systems are set up similarly, as in enterprises or government: a weak server is breached to learn how it operates and is configured, and that information is then used to develop malware to crack other, more valuable servers with a similar configuration.


Control is the second goal. The leading big-picture reason for controlling a server is to add it to a collection of enslaved devices called a botnet. Botnets are used for any number of purposes, the most dangerous of which is to act as a decentralized computing cluster for brute force attacks. These include DDoS attacks, where a network is flooded with traffic, and brute force password cracking, where many attempts are made at guessing a password. Botnets have also frequently been used to send spam email. The other big-picture reason for controlling a server is to use it as a forward operating base of sorts for further attacks into a system or against its executive users. Depending on the security of the server, attackers can install services that monitor traffic passing through it. If the server is a communications server, such as an email server, this can be devastating, akin to the cracking of Enigma. Alternatively, a breached server inside a larger system can be used to move laterally within that system, starting with a lower-value server and ending on a high-value server containing executive data.


Profit is the third goal: the attackers want money directly from the target as their exit. This strategy is usually an outright attempt to rob accounts, process fraudulent transactions, or extract a ransom. This is where executives really come into the picture. The goal of most such attacks is to take a reasonable amount of money quickly, then do it again to someone else. It is key to keep the size of the theft below the level at which serious repercussions would be incurred. Executives generally have the highest discretionary spending limit of any employees. What amounts to expensing a formal dinner for an executive, done one thousand times, ends up being a small fortune. The other way straight profit is extracted from victims is ransom (with an honorable mention for malware that uses victims' systems to mine cryptocurrency). The primary ransom strategy is to compromise a system and then encrypt everything with a key only the attacker knows. Once that is complete, a ransom note is delivered promising that if the ransom is paid within a certain time, the decryption key will be sent over, the files decrypted, and all will be well again with a slightly lighter bank account. This ransomware method is so simple that in one instance a student trying to pay for college did it, and when the decryption key failed, spent 24 hours fixing the victim's computer.


Destruction is the fourth goal. Usually only desirable for corporate espionage or nation-state warfare, there are cases where hackers have breached a system only to obliterate everything. The best-known cases have used worm viruses that replicate everywhere possible and then try to purge all the hard drives, especially high-value executive servers. For all imaginable executive parties this threat is a minor possibility, but it exists. You never know when your company is a target because of abstract relations or because it supports some other entity. There are a lot of powerful groups with a lot of reach and a lot of interests. Take the recent EternalBlue incidents as an example of just being in the wrong place at the wrong time.


At this point the gravity of business email compromise should be clear. So… what to do about it? A number of solutions address business email compromise, ranging from endpoint security to server security to hardware security. However, no new executive email architecture solutions have been offered, until now. Enveloperty builds patent-pending technology into its architecture to address executive spear phishing, among other threats. It does so by having executive users give each entity they communicate with a unique email address. These unique addresses are then sorted into folders by the executive user based on priority or some other factor. Furthermore, next to each message is a color indicator that alerts the executive user if DMARC fails. DMARC cryptographically checks whether the sender really sent from where they claim to, and whether the contents of the email were altered. Even minor modifications can be wildly dangerous to executives.

For spear phishing to succeed under this scheme, the attacker must first find a valid email address that reaches the victim. It must then be an address that goes to a folder the victim actually checks. It must also be an address from which the attacker's request is plausible: an executive banking request arriving at a blog-newsletter address will be identified immediately. Finally, the attacker must pass the DMARC check to fool the executive recipient. Nothing in infosec is impossible; threats are simply measured in probability of occurring, particularly when high-level targets like executives are involved. The odds that an attacker figures out a way around all of those defensive measures are quite low. Furthermore, an attacker sophisticated enough to navigate those measures would likely find an easier way to attack their victim.
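The layered checks described in the two paragraphs above (the address must exist, must land in a folder the executive reads, must plausibly make the request, and must pass DMARC) can be modelled in a short triage routine. The following Python is an added example, not Enveloperty's code or any real product's logic: it assumes a hypothetical address book mapping each handed-out address to its expected sender domain, its folder, and whether money requests from it are plausible, and it reads the DMARC verdict from the Authentication-Results header that a receiving mail server writes (RFC 8601). The address book, folder names, colours, keyword list and sample messages are all constructed for the example.

```python
"""Toy inbound triage modelling the per-correspondent address scheme and the
DMARC colour indicator described in the post.  Added example, not Enveloperty's
code; the address book, folders, colours and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical address book: each correspondent was handed its own address,
# with the domain it is expected to write from, the folder the executive files
# it under, and whether a request for money from it is ever plausible.
ADDRESS_BOOK = {
    "bank-7f3a@exec.example": {
        "expected_domain": "bank.example", "folder": "Priority", "may_request_money": True},
    "newsletter-91c0@exec.example": {
        "expected_domain": "news.example", "folder": "Bulk", "may_request_money": False},
}

GREEN, RED, GREY = "green", "red", "grey"
# Crude plausibility heuristic: words that signal a payment request.
MONEY_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|expense)\b", re.I)


def dmarc_result(msg: Message) -> str:
    """Return the dmarc=pass/fail/none verdict the receiving MTA wrote into
    Authentication-Results (RFC 8601); 'none' if no header carries one."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(pass|fail|none)\b", value, re.I)
        if m:
            return m.group(1).lower()
    return "none"


def triage(raw: str) -> dict:
    """Decide folder and indicator colour for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    entry = ADDRESS_BOOK.get(to_addr)
    if entry is None:
        # The address was never handed out, so no legitimate correspondent has it.
        return {"folder": None, "indicator": GREY, "reasons": ["unknown recipient address"]}

    reasons = []
    result = dmarc_result(msg)
    if result != "pass":
        reasons.append(f"dmarc={result}")
    from_domain = from_addr.rsplit("@", 1)[-1]
    if from_domain != entry["expected_domain"]:
        reasons.append(f"sender domain {from_domain!r} not expected on this address")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if MONEY_WORDS.search(f"{msg.get('Subject', '')}\n{body}") and not entry["may_request_money"]:
        reasons.append("money request on an address that never legitimately makes one")
    return {"folder": entry["folder"], "indicator": RED if reasons else GREEN, "reasons": reasons}


# Constructed sample messages (not real traffic).
LEGIT = (
    "Authentication-Results: mx.exec.example; dmarc=pass header.from=bank.example\n"
    "From: Alerts <alerts@bank.example>\n"
    "To: bank-7f3a@exec.example\n"
    "Subject: Statement ready\n\n"
    "Your statement is available in the portal.\n"
)
SPOOFED = (
    "Authentication-Results: mx.exec.example; dmarc=fail header.from=bank.example\n"
    "From: Alerts <alerts@bank.example>\n"
    "To: bank-7f3a@exec.example\n"
    "Subject: Urgent payment\n\n"
    "Please approve the attached transfer today.\n"
)
IMPLAUSIBLE = (
    "Authentication-Results: mx.exec.example; dmarc=pass header.from=news.example\n"
    "From: Editor <editor@news.example>\n"
    "To: newsletter-91c0@exec.example\n"
    "Subject: Invoice overdue\n\n"
    "Wire the outstanding balance before Friday.\n"
)
GUESSED = (
    "From: Someone <x@somewhere.example>\n"
    "To: ceo@exec.example\n"
    "Subject: Hi\n\n"
    "Remember the ski trip?\n"
)

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("SPOOFED", SPOOFED),
                      ("IMPLAUSIBLE", IMPLAUSIBLE), ("GUESSED", GUESSED)]:
        print(name, triage(raw))
```

Each of the four defences the post lists maps to one branch: an address not in the book is dropped outright, a DMARC verdict other than pass or a sender domain that does not match the address turns the indicator red, and a payment request on an address that was handed to a newsletter is flagged even when DMARC passes. The keyword heuristic is deliberately simple; a real deployment would let the executive define per-address expectations rather than rely on a fixed word list.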

The historic trade-off has always been security, usability, and cost. Enveloperty has been built to balance these three concerns for maximum viability. It relies primarily on its core architecture and free methodologies to provide security; fortunes need not be spent, since countless other security offerings can be integrated into the system by executive users. Enveloperty addresses ease of use by providing functionality to import existing email services into its client for seamless tandem use, and by offering not just a full-stack solution but also a toolchain implementation. Executive users can choose to keep one of the largest service providers, which have vastly more security resources, as the backend, with Enveloperty as the client continuing to provide its patent-pending dynamic email address features. This optional deployment also affects the price: if Enveloperty is not required to store and process email, prices are proportionally lower. Furthermore, Enveloperty exists to help the customer, not gouge the customer. Base prices are set to encourage adoption, not for the maximum the market will bear, so Enveloperty can be an affordable solution for a wide range of organizations.