Have I Seen the End of E-Mail?

Not that I desire it, but my recent encounters of ransomware make me wonder.

Some people in say, accounting or HR departments are forced to use e-mail with utmost paranoia. Hackers send alarmingly professional e-mails that look like invoices, job applications, or notifications of postal services. Clicking a link starts the download of malware that will encrypt all your data and ask for ransom.

Theoretically you could still find out if an e-mail was legit by cross-checking with open invoices, job ads, and expected mail. But what if hackers learn about your typical vendors from your business website or if they read your job ads? Then they would send plausible e-mails and might refer to specific codes, like the number of your job ad.

Until recently I figured that only medium or larger companies would be subject to targeted attacks. One major Austrian telco was victim of a Denial of Service attacked and challenged to pay ransom. (They didn’t, and were able to deal with the attack successfully.)

But then I have encountered a new level of ransomware attacks – targeting very small Austrian businesses by sending ‘expected’ job applications via e-mail:

  • The subject line was Job application as [a job that had been advertised weeks ago at a major governmental job service platform]
  • It was written in flawless German, using typical job applicant’s lingo as you learn in trainings.
  • It was addressed to the personal e-mail of the employee dealing with applications, not the public ‘info@’ address of the business
  • There was no attachment – so malware filters could not have found anything suspicious – but only a link to a shared cloud folder (‘…as the attachments are too large…’) – run by a a legit European cloud company.
  • If you clicked the link (which you should not so unless you do this on a separate test-for-malware machine in a separate network) you saw a typical applicant’s photo and a second file – whose name translated to JobApplicationPDF.exe.

Suspicious features:

  • The EXE file should have triggered red lights. But it is not impossible that a job application creates a self-extracting archive, although I would compare that to wrapping your paper application in a box looking like a fake bomb.
  • Google’s Image Search showed that the photo has been stolen from a German photographer’s website – it was an example for a typical job applicant’s photo.
  • Both cloud and mail service used were less known ones. It has been reported that Dropbox had removed suspicious files so it seemed that attackers tuned to alternative services. (Both mail and cloud provider reacted quickly and sht down the suspicious accounts)
  • The e-mail did not contain a phone number or street address, just the pointer to the cloud store: Possible but weird as an applicant should be eager to encourage communications via all channels. There might be ‘normal’ issues with accessing a cloud store link (e.g. link falsely blocked by corporate firewall) – so the HR department should be able to call the applicant.
  • Googling the body text of the e-mail gave one result only – a new blog entry of an IT professional quoting it at full length. The subject line was personalized to industry sector and a specific job ad – but the bulk of the text was not.
  • The non-public e-mail address of the HR person was googleable as the job ad plus contact data appeared on a job platform in a different language and country, without the small company’s consent of course. So harvesting both e-mail address and job description automatically.

I also wonder if my Everything as a Service vision will provide a cure: More and more communication has been moved to messaging on social networks anyway – for convenience and avoiding false negative spam detection. E-Mail – powered by old SMTP protocol with tacked on security features, run on decentralized mail servers – is being replaced by messaging happening within a big monolithic block of a system like Facebook messaging. Some large employer already require their applications to submit their CVs using their web platforms, as well as large corporations demand that their suppliers use their billing platform instead of sending invoices per e-mail.

What needs to be avoided is downloading an executable file and executing it in an environment not controlled by security policies. A large cloud provider might have a better chance to enforce security, and viewing or processing an ‘attachment’ could happen in the provider’s environment. As an alternative all ‘our’ devices might be actually be part of a service and controlled more tightly by centrally set policies. Disclaimer: Not sure if I like that.

Iconic computer virus - from my very first small business website in 1997. Image credits mine.

(‘Computer virus’ – from my first website 1997. Credits mine)



15 thoughts on “Have I Seen the End of E-Mail?

  1. I’m seeing more and more of that here, too, of course. Besides the preventative stuff there’s always the very important need to maintain a solid plan B (B as in Backup) just in case you do fall victim. These days everything I have of value is saved automatically in at least three physically distinct places, and in three different forms (LAN server, cloud server and external drive) yet I still feel as if the axe (or maybe exe would be better LOL) could fall at any time.
    For me I see it as best when I know for sure that whatever machine I am on is just a throwaway, that is if at any time it can be flattened without a second thought. For now, at least, that’s where my stuff is.

    • I fully agree – I think the tricky part is to keep all those versions current and in sync, but at the same time disconnect them in a way that ransomware cannot find them so that production data and backups are all encrypted … for example by running your backup script in the context of a user other than the standard user the ransomware would also use. And none of the solutions is perfect, because ransomware might wait in the background until the external hard drive is connected for a few minutes.
      Cloud store with infinite storage of all older versions (the unencrypted files) would be a brute-force solution … but I noticed recently that e.g. Dropbox dropped their ‘keep everything forever’ plan for keeping only data from last year. So if you don’t detect an issue for some time it might be too late (… which is a common problem for all backup-related issues…l sometimes it takes months until you need one specific file again … to discover that it has been corrupted … but then all backups have already been overwritten by the newer version.)

  2. I get a lot of these messages lately … 1000% more than one year ago. it feels a lot safer using a Linux Desktop and seeing all these zip files containing anything executable. Somehow, we are being forced to use gmail or any other big provider, hoping they will scan more thoroughly than our eyes. But even then, if you click any link provided, if links pleading your empathy or compassion, that won’t help.

    • Yes – I am also using more Linux machines these days 😉 But I agree – attackers might always social engineer users to tweak security settings – like the Word document explaining that you need to click the button to activate macros if you “cannot read the text” (gibberish added deliberately so users think it is an issue with encoding). Reminds me of setup manual by hardware vendors that explain step-by-step how to confirm all the warnings about non-signed drivers.

  3. A while ago I had done some contract work for a small business in my area. A few days before you posted this, I received an email from the owner. It’s not unusual for me to still receive random things from him, so I took a quick look. You know how it goes, you’re in a hurry, and here is one more thing…. It was like you described, except I either managed to get suspicious fast enough, or my anti-virus software updates and scans were ineffective at finding anything amiss on my phone where I had opened the email and clicked the link, then closed the browser before landing where ever it was going (I did run all the scans on my computer as well, and it also seems to be fine). I did, however, experience a breach in my google account where I do not use any of the services except limited g+, and where I’ve been removing old docs shared on google drive. Google had done what was necessary to shut down the offender, and it was really interesting to be provided with the IP address and location of the Mac computer that had attempted to log into my account. I followed all the security protocol that was required by google after receiving their notification. I know that the business that was used to send the email uses subscribed google services, and I can only guess at a correlation.

    All of these sorts of issues for computing put me on edge. When I started an editing job for a publishing company some years ago, I was uncomfortable with its use of free (unregulated) cloud services and a very cheap email provider, so I bought a cheap laptop for the job so I could keep all components of my personal life and freelance business separate on the computer I already owned. Despite maybe being a bit paranoid about on-line security (mostly because I don’t understand the technical aspects of it), I’ve still not been cautious enough! The only thing I can say is that in the years of reading your blog, I no longer keep anything that is confidential or irreplaceable on a computer hard drive, in email, or a cloud service. 🙂

    • After I commented, I started to think of this beyond my own annoyance, and had to wonder about the business email that was used to distribute the link: it had a signature, with accurate business contact information. It did, however, lack a direct salutation (like ‘hello George), and that was why I closed my browser instead of pursuing the matter, as it wasn’t like the sender to leave off that kind of detail. Because I know the business owner just enough to have received documents via link before, I later checked the sharing platform that we had used in the past and could easily see that nothing recent had been shared to me.

      The company that was used to send the link is a small one, but it is a service provider to a lot of larger corporations and institutions. The email suggested something about a contract problem… I can see how malicious this process is, and can only begin to guess at how much damage it could possibly do to entire economic localities if circumstances are unlucky enough to permit it to happen. I also wonder how much damage it does to the relationships that sustain the smaller businesses that are used to distribute the link bait (assuming that some of them, at least, aren’t made-up, but rather real and possibly compromised).

      • Thanks for sharing these interesting anecdotes! Yes, I think it can happen to anybody – no matter how trained in ‘security awareness’ if the attack is targeted and sophisticated enough. There were lots of articles by IT professionals in recent years who had hired penetration testing specialists to hack them (hackers being spectaularly successful) or who were victims to a targeted attack.
        Now attacks on small businesses and private home owners got more targeted although there are still automated – this is what worries me. Shortly after I published this, alleged breaches on a major remote control software service had been published. It seems the service as such was not compromised but users might have used the same passwords as e.g. on LinkedIn – or some other platform that had been compromised (LinkedIn had to admit recently that much more accounts have been compromised in 2012 than originally estimated). Anyway, what happened was that attackers took over the users’ remote management account – and people watched in real-time, like in bad hacker movies, that suddenly browser windows opened on their machines and ‘somebody’ started searching for PayPal and amazon account details and the like … and succeeded to raid some of these accounts.
        Re small service providers for large companies – you totally nail it. Some security breaches reported by large, well-known companies (some European telcos come to mind) were actually due to careless handling of data by contractors of large corporations. One more consequence of outsourcing to contractors or turning departments and employees into thrid-parties. Recently a well-known and respected cloud provider (whose ‘for business’ services I use) sent me information about third-parties they use as subcontractors – of course located in countries were labor is cheap.

        • Ah yes, we’ve talked about the pressures of small businesses and how the contracted relationships are becoming necessary these days to keep a business going. Here is just another pressure point, and quite an important one. Recently, I’ve heard a story about a business switching from in-house IT support to contractors, and discovering that all its security and privacy of its data had been stripped, so that anyone could access files without even needing to hack or steal passwords. It is these sorts of stories that leave me with significant doubt about the viability of starting a business and seeing it grow beyond a certain point (i.e. the one-person or partnered contractors).

    • Yes, in this case we have to worry, unfortunately, as with the rise of ransomware also private users and small businesses have become targets of cyber criminals.
      But the good thing in this case was that the browser did already detect the malicious EXE and displayed a warning. Only if you insisted to download and run it it would have done harm.
      But there are many situations when you have to override security to get something done (and even manuals for software that advise to ‘click-away’ warnings) so users might be sort of trained to do so.
      Just focusing on this specific case, the solution is: Don’t use Windows (the EXE don’t run on other platforms).

  4. Ouch… I once (around 08) discussed similar matters w/ a UK security specialist having strong ties to (also) London Metropolitan Police whom he served as an adviser). Back then he told me that some of the biggest financial corporations from the City discussed new IT architectures to secure their businesses and finally came to the conclusion that already Von Neumanns architecture was a principal culprit concerning security problems of all kinds (BTW the discussion’s result, of course, led to exactly – nothing). Considering that the technical base for EaaS seems pretty crappy (technical concepts from the 50’s & 60’s – but – yeah, the Stones also still rock).
    But if we can’t change it system-wise, we will have to tackle it user-wise (the above example points out a lot of ignorance). Unfortunately education systems tend to worsen the problems rather than to improve the situation. Buzzword: competences. Nice, as long as you don’t abolish (true) knowledge (as is being largely done) or at least consider it some add-on, not necessarily useful. This leads to the strange situation that everyone owning a drivers license considers himself the perfect mechanic, everyone ever going to school is an expert in educational science, nowadays (presidential elections Austria) we have around 6.1 million constitutional lax experts (were allowed to vote) and – we live in a world of IT experts. I’m pretty sure those executing the .EXE attachment were trained to the utmost level of IT competence (ECDL – ready to use the one eMail software w/o any regular manual readings). But, if – even on Master’s Degree level – the ‘competence’ to use some software seems sufficient to pass (I know what I’m talking about!) it won’t make any difference which system(s) you use for whatever purpose, as long as such ‘competent’ people run them. So, ‘eMail or not’ is probably not the question. And – geeze – I’m frightened…

    • An admin of a large company told me that he thinks this problem cannot be solved by increasing user awareness only. Somebody working in the accounting department receives so many legit invoices, many of them also formatted in a weird way (Look at invoices from small, but otherwise professional shops…). It’s worse with job applications as you expect, from experience, awkward private addresses as a sender and lack of professionalism (contact data omitted, spelling errors….)
      I second Peter Gutmann (researcher at University of Auckland and developer of security software) who thinks that too much security-relevant decisions are outsourced to the user, based on psychological research. He claims that there are about 7% geeks that can be trained and meet accepted standards for awareness.
      I blogged about his book draft Engineering Security here: https://elkement.wordpress.com/2014/02/13/what-i-never-wanted-to-know-about-security-but-found-extremely-entertaining-to-read/
      Peter criticizes that many systems users have to use today actually train them to fall for phishing mails and the like as you have to click away lots of warnings ‘normally’ to get your job done – for example banking websites for a new product like http://www.coolfinanceproduct.com that forward to another site and then to another and/or use inline frames, widgets in dashboards and the like (creating lots of browser errors) until you finally end up at the online banking website.
      Or consider SSL-related warnings: As if padlocks and address bars in different positions and colors had not been enough to confuse users, now browser vendors have different road maps for phasing out SHA1 and different visual cues. Or count the errors when using our Austrian digital signature to log on to a gov website (Java plug-in error, Java certificate error, another certificate error…).
      The admin of the large company told me they are testing a system (don’t know the vendor / brand name) that would basically open and test e-mail links and attachments in a secure environment before it is delivered to the user – as if you try to open the attachment on a machine in a different network segment.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s