For years, security vendors have warned users to be careful about unsolicited emails. Clicking on embedded links in these emails, they say, could be dangerous, as could opening attachments that come with them.
That includes emails purporting to be from couriers such as DHL and UPS, which could in fact come from malicious hackers and have attachments that are actually malware. In June, malware found in some of these attachments was a variant of the Kryptik Trojan, AppRiver warned.
No one’s safe: hackers used spearphishing, or highly targeted emails, to break into the systems of security software heavyweight RSA back in March.
“Opening external references from within an email is a really bad idea,” said George Waller, executive vice president of StrikeForce Technologies.
Often, however, people seem to be unaware of the danger of clicking on embedded links and attachments in emails. Even security vendors such as McAfee, Symantec and AppRiver, who you’d think would know better, regularly send out such emails.
Why is that? Are security vendors not practicing what they preach? Or would excessive caution, almost to the point of paranoia, cripple business as we know it?
There are two problems here. One is that a recipient cannot reliably distinguish benign emails from malicious ones, and the other is that email has become an essential business tool.
Sorting the Wheat From the Chaff
You can rarely be sure who actually sent an email, or where a link or attachment really leads, unless you are technically savvy and have the time to inspect the message headers and trace the destination yourself.
“An email may seem to come from someone you know, but it isn’t easy to validate that fact,” said Paul Wood, MessageLabs Intelligence senior analyst at Symantec.
In 2010, MessageLabs tracked phishing attacks impersonating or relating to 1,530 different organizations, Wood told TechNewsWorld. Impersonation of just five organizations accounted for 50 percent of all the phishing attacks last year, he said.
“Links in email can never be fully trusted,” Michael Sutton, vice president of security research at Zscaler Labs, pointed out.
This is compounded by HTML-formatted messages, which can “easily obfuscate” the true destination of a link, Sutton told TechNewsWorld.
In other words, the visible text of a link in an HTML email need not match the address it actually points to, so it is difficult to tell where a click will take you. It could go to a legitimate page, or to a compromised page riddled with malware.
The Rise of Spearphishing
Companies producing email clients and Web browsers do provide a certain measure of protection against poisoned emails.
“Almost any email client and Web browser now marks [suspect] emails as being potential spam or phishing [emails], blocks executable attachments, and categorizes URLs as dangerous, all at no cost to the end user,” Sorin Mustaca, a data security expert at Avira, told TechNewsWorld.
Webmail-based clients now also have implemented these security features, Mustaca added.
In response, hackers are turning to spearphishing, or emails targeted directly to a recipient or a small group of recipients. That’s how RSA’s systems were breached.
“Spearphishing increases the attackers’ return on investment, meaning they can send fewer emails and expect a higher degree of results,” Cisco Senior Security Researcher Mary Landesman said.
“If you combine known true details such as a company name and a valid account number in the body of an email, this moves it from the non-relevant category to the probably relevant, and increases the odds the links it contains or the attachments it has will be clicked upon or opened,” Landesman told TechNewsWorld.
So you can’t even fully trust an email from your company’s human resources department, or a manager, or a friend.
Email Is the Opium of the Enterprise
If you can’t tell whether incoming emails are dangerous or not, and if targeted emails are such a threat, why not cut out emails altogether?
“Nearly every organization today relies on email to conduct business and counts on the Internet’s speed and connectivity,” suggested Fred Touchette, senior security analyst at AppRiver.
Indeed, many staff at media organizations also make heavy use of embedded links in their emails.
“As the embedded links in your own email demonstrate, the use of links to direct the reader to additional information has become a part of business and personal communication today,” Tom O’Rourke, vice president of global data center strategy at iTRACS, pointed out.
The security threat from clicking on email links is “no different” than clicking on a link at a compromised website, O’Rourke told TechNewsWorld.
“Security should not drive user behavior,” Zscaler’s Sutton said. “Security should adapt to user behavior.”
Restricting links or attachments from email messages would reduce the value of email, Sutton pointed out. Instead, enterprises should implement layered security controls that appropriately inspect content to ensure that it is not malicious, he stated.
Of Email, Babies and Bath Water
Or perhaps we should get rid of existing email systems and develop something that’s more in line with the future. Existing email systems were developed before the advent of the Web and always-on anywhere connectivity.
“We are ready for newmail,” StrikeForce’s Waller said.
“With 24/7 anywhere connectivity, the email should stay on the sender’s server,” Waller suggested. “When I send you an email I would actually send you a link to a message on my server. You would know where it’s coming from before you even pull the content across the Internet.”
The advantage to this is, if the recipient doesn’t trust or like the sender he or she won’t visit the sender’s email server, Waller said.
That sounds suspiciously as if Waller’s talking about an FTP server-style setup, in which each sender hosts content for others to fetch. FTP servers are exposed to a range of attacks, including FTP bounce, spoofing and brute-force password guessing.
Further, using FTP sites is time-consuming and cumbersome for ordinary users.
“The Internet is all about ease and efficiency,” AppRiver’s Touchette told TechNewsWorld. “It would be a difficult task for people to take a step backwards, and require everyone to set up something such as FTP access to company servers.”
“There’s an old saying about not throwing the baby out with the bath water that probably applies here,” Cisco’s Landesman said.
“The overwhelming majority of email that users receive is safe and benign; if it weren’t, users would have long ago abandoned the medium,” Landesman added.