Natalia Merzlyakova - Fotolia
Barracuda Networks has raised the alarm on blackmail email scams as a fast-growing form of spear-phishing attack.
Typically low-tech in nature, blackmail emails target recipients with threats of releasing compromising content, such as personal photos or webcam footage. According to Barracuda's inaugural quarterly report on spear-phishing trends, 10% of all spear-phishing attacks are blackmail scams -- a high number considering previous data showed blackmail emails were rare, the company said. The report analyzed data collected from more than 360,000 spear-phishing emails over a three-month period.
"Probably the thing that surprised us the most [about our report] is the rapid rise of blackmail emails," said Asaf Cidon, senior vice president of content security at Barracuda. "This is a relatively new attack, and it is gaining popularity quickly."
Cidon said blackmail emails aim to frighten victims into doing what the attacker wants. Attackers usually demand a few hundred dollars in Bitcoins. Emails try to spook recipients by including personal information, such as an email address or password stolen from a data breach, within the subject line or body of the email, he said. Sextortion scams, a form of blackmail email attack, are increasing in frequency, accounting for one in 10 spear-phishing emails, the report noted.
A couple factors may be influencing cybercriminals to use blackmail emails as opposed to other phishing attack types. For one, blackmail emails are significantly cheaper and easier to execute than ransomware. "[They are] almost like ransomware without the malware," Cidon said. You are basically causing the recipient to send you Bitcoins due to a threat without the attacker actually having to send the malicious payload or do much."
Additionally, blackmail emails can be more effective at sidestepping email security defenses because they may not contain malicious links and other red flags.
Covering the bases to protect customers
Keep I.T. Simple, a solution provider and Barracuda partner based in Fremont, Calif., has helped its customer base deal with a range of spear-phishing attacks, including blackmail emails.
"Spear-phishers are constantly evolving their approach and ... their tactics to get around whatever the latest security updates are. Certainly, the blackmail emails, which are comparatively crude at this point, are a whole new generation of spear-phishing," said Allan Hurst, partner and director of the project management office at Keep I.T. Simple.
Allan HurstPartner and director of the project management office, Keep I.T. Simple
Hurst noted that blackmail emails have caused his customers "enormous amounts of grief." Small business customers, a segment that tends to lack IT sophistication, can be particularly frightened by these emails' threats.
Keep I.T. Simple deploys Barracuda's email security products as part of its multipronged approach to preventing email-based attacks. Products include Barracuda Essentials, a traditional email security system; Sentinel, an AI-based email protection product; and PhishLine, a security awareness training platform. The company also uses Barracuda Backup as an additional layer of protection.
Hurst said Keep I.T. Simple was currently amid its first PhishLine implementation and was so far impressed with the product's capabilities. PhishLine simulates various styles of spear-phishing attacks to teach customers to identify suspicious emails.
Since blackmail emails can skirt email secure technology, education may be the most effective means of protecting customers. Hurst is keen on using PhishLine to train end users to second-guess what lands in their inboxes.
"If you can at least educate the end user about what a phishing attack looks like, if you can make them just the least bit suspicious every day ... you just probably saved their company," he said.
However, he noted that he didn't see a need to simulate blackmail emails as part of the company's PhishLine security awareness efforts, finding their content and aim "extremely cruel."
BEC attacks exploit free email services
While just 6% of spear-phishing attacks, business email compromise (BEC) can have financially devastating consequences for victims, Barracuda said. Since 2013, BEC has accounted for more than $12.5 billion in losses, according to the FBI.
BEC attacks typically impersonate a known business associate of the recipient. The aim is to compel recipients to provide a wire transfer or access to sensitive information, Barracuda said.
Cidon said Barracuda's research uncovered that the majority of BEC attacks originate from free personal email services. The report states almost one in three BEC attacks originate from Gmail.
What's next in spear-phishing tactics
Barracuda's future reports will examine additional types of spear-phishing attacks, Cidon said. He said one of those types will be account takeover attacks. In account takeover attacks, cybercriminals steal an employee's credentials, then use them to either steal internal information or launch phishing campaigns, he said.
"This is a really lethal attack that we are seeing more and more of across our customer base," Cidon noted.
Brand impersonation tops spear-phishing techniques
Barracuda found that 83% of spear-phishing attacks used brand impersonation. This type of attack imitates a familiar entity, such as a well-known company or business application, in an attempt to trick recipients into giving their personal information or click on malicious links.
Microsoft and Apple are the most commonly impersonated companies, Barracuda said. Additionally, the report found that almost one in five attacks impersonate a financial institution.
Hurst said he anticipates cellphone email to emerge a significant spear-phishing attack vector. "Cellphone email is typically not as well secured as something like Outlook on a desktop, and people don't usually run antivirus or antimalware on their phones," he said. He added that he is waiting to see how Barracuda and other security-focused vendors will address this threat.
"It is a lot harder because [cellphones are] not a unified ecosystem. ... It is extremely challenging to figure out a protection platform that will cover all cellphones," Hurst said.