Deep Sea Phishing: A Taxonomy For Email Cyber Threats

Email threats have become a persistent source of anguish for cyber security practitioners. However, a lack of understanding of the varieties of phishing, email attacks, and phishing conducted over other mediums can leave companies and their leaders thinking they are “covered” when they are not.

This article is intended as a taxonomy of email- and phishing-related cyber threats and will be kept updated as threats evolve. If you see something missing, send your suggestion to info@revealrisk.com.

  • Account Takeover – Account takeover is where an attacker obtains access to your mail and slowly but surely studies what type of business you are in and how the money flows. In an Inc. article covering The 3 Biggest Phishing Scams of 2018, “Since last year, hackers have been targeting real estate agents and stealing wire transfers for house sales.”
  • Business Email Compromise (BEC) – The attacker gains access to corporate email and/or spoofs the owner’s identity, then manipulates or defrauds employees, customers, or third parties out of money or information (emergency payments via wired funds and employee W-2 files are among the most common targets). Even savvy tech companies like Facebook and Google have been scammed out of $100 million via BEC.
  • Email Interception – By exploiting network or host vulnerabilities, the attacker is able to intercept emails in transit and access their contents without alerting either party and in some cases is able to modify the message.
  • Phishing – An attack based on deceiving employees/end-users or administrators via company or personal accounts (email, SMS, social media, etc.). Email phishing tactics typically try to create fear and/or urgency to get you to inadvertently take one of the following actions:
    • Install Malware – Malware is software that is intended to damage or disable computers, systems or networks. This is often deployed via a phishing email using a pretext, or a reason for the recipient to open the file, such as access to free movies online or animated greeting cards.
    • Open Malicious Attachments – While many email systems prevent executable attachments, the rise of social messaging platforms has given new life to these techniques. An extremely common variant is a malicious resume sent to HR or hiring managers via job board chat systems.
    • Click Malicious Links – Links are often used instead of an attachment when the attacker wants to avoid attachment scanners. Malicious links can install malware on the device that will allow the attacker to complete their next move.
    • Install Malicious Apps (in “an” App Store) – Malicious apps (in the form of games or other seemingly value-added services) are increasingly concerning as apps gain heavy access to users’ phones and tablets. While less frequent in the Apple store and on iOS, there have been more examples recently within both the Google and Apple stores of apps that were conducting inappropriate scanning and data collection. Attackers will directly message users to get their malicious copy of a popular app installed instead of the official version.
    • Visit and Interact with Spoofed Brands/Websites – This attack is similar to social media account cloning, except that the attacker clones the brand of a legitimate company (via fake coupon codes or discount pages, password resets, or requests to update banking details) and directs traffic to phishing pages. An Apple iTunes “emergency password reset” or a compromised Netflix account password reset are some of the most commonly successful scams.
    • Respond with Sensitive Information – Sometimes the direct approach is most effective. An adversary may simply ask for the information they seek. In one study on a college campus, over 30% of students gave up their passwords in response to a simple text email bearing the university logo.
  • Ransomware – A form of malware designed to encrypt or lock an individual out of their computer, system, or network until a ransom is paid (usually in hard-to-trace cryptocurrency like Bitcoin).
  • Social Media Account Cloning – Scammers copy publicly available information and images and use them to create a new “cloned” social media profile that looks almost identical to the real account. The scammer then connects with the victim’s friends and tries to manipulate them into a scam (often sending money in order to receive a reward or a larger sum of money).
  • Spear Phishing – Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to closely held information. Spear-phishing attempts typically pursue significant financial gain, trade secrets, or military information.