“Until further notice, the Berlin Higher Regional Court can only be reached by telephone, fax and post.” With this announcement the press office of the Berlin Kammergericht (the city's Higher Regional Court) addressed the public in early October 2019, because its 150 judges and 370 staff had been largely offline since the end of September.
The Emotet malware had paralysed the computer systems of Berlin's highest court. Emotet is a highly flexible malware platform that spreads mainly via email: if the recipient opens the attachment or the link in such a phishing email, the malware lands on their system, can spread from there across the company network and, in the worst case, shut down the entire organisation. The Federal Office for Information Security (BSI) therefore warns of a new wave of attacks and classifies Emotet as the “most dangerous malware in the world”.
But this malware is only the most prominent example of what is currently the most important tactic of cybercriminals: almost every successful cyberattack starts with an email, that is, with an attack aimed directly at the user.
Old systems, unsuspecting users: what makes attacks easier
In September 2019 the Emotet Trojan infected the network of the Berlin Kammergericht.
Of course, most victims of Emotet and similar malware protect their systems with spam filters and antivirus software. But these important technical countermeasures, which are meant to keep computers free of malware, are increasingly reaching their limits: spam filters still let around ten percent of all fraudulent emails through to the recipient. And antivirus programs often cannot detect modern malware because its code is constantly changing: the malware is polymorphic, so a signature that matched yesterday's sample fails on today's.
In addition, a surprisingly large number of companies are still running operating systems and software that are not up to date: the Berlin Higher Regional Court, for example, was operating numerous computers with Windows 95. Under these conditions all it takes is one unwary user who clicks the wrong link or opens the wrong attachment. The consequences are dramatic: whether hospitals in Saarland and Rhineland-Palatinate, the fashion company Marc O’Polo or the Berlin Kammergericht, numerous examples of such attacks have come to light in the past few months alone, and the number of unreported cases is far larger.
The spectrum of these email-borne attacks ranges from broad, untargeted fraud attempts, to which any inattentive recipient can fall victim (fake emails from seemingly reputable banks and online shops, or messages announcing an unexpected million-dollar inheritance), to targeted attacks in which the attackers extensively research their victim beforehand.
More recently, so-called dynamite phishing has become increasingly common: the attackers send automated yet targeted, and therefore credible, messages to a broad range of recipients, for example replying to a genuine earlier email conversation with a real colleague (Emotet builds such messages from email threads stolen from previously infected mailboxes). The combination of mass mailing and a relevant hook makes this type of attack particularly efficient and therefore particularly dangerous.
Cybercriminals as connoisseurs of human nature: why anyone can fall for it
Phishing emails are meant to tempt you to open them immediately: cybercriminals often disguise them with an apparently trustworthy sender and an urgent message.
Over the years hackers and fraudsters have become ever more professional; the hacking group “Dark Overlord”, for example, has even posted job advertisements on the darknet. They have learned to work efficiently and, like a company, try to make a profit with as little effort as possible. Their focus has shifted more and more away from security gaps in operating systems and software towards user behaviour and human weaknesses, because this route is often far more efficient.
Today's typical phishers are far removed from the stereotype of the lonely hacker in a hoodie: they are highly social people who know how to exploit the human weaknesses of others effectively.
The cliché of the stupid user who clicks on every email falls short here, and is particularly wrong for people in larger companies: very few employees click links in suspicious emails or download malware deliberately. Rather, psychologically savvy attackers exploit deeply anchored principles on which our thinking and acting have been based, in some cases for millennia. Many of these psychological principles, such as helpfulness or curiosity, are extremely useful under normal circumstances, and especially in working life.
Phishing emails work with these tricks
Cybercriminals use different approaches in phishing emails: tests have shown that users fall especially for emails that generate a high degree of trust or curiosity.
Take helpfulness: our ancestors learned to support one another in increasingly complex social groups and thereby strengthen the group as a whole. Whether from altruistic or selfish motives, willingness to help is a thoroughly advantageous trait, because it strengthens social ties and makes working in a group more efficient. Yet it is precisely this trait that phishers exploit, for example when they send an email in which a supposed colleague asks whether the attached invoice could be checked quickly.
Curiosity, too, is a deep-seated trait with many positive effects, both in our evolutionary history and today: curious people are happier, know more and are healthier, as numerous psychological studies have shown.
But it is also curiosity that many phishing emails exploit, for example when a supposed document from the boardroom scanner lands in our mailbox. “Just have a look, maybe it is the new bonus table or some other exciting information I shouldn't be seeing,” some employees may think, and are then all too willing to click on the supposedly interesting email. So how exactly do the phishers get so many users to take the bait? Which manipulation tactic is most effective, for example at getting a supplier's bank details changed contrary to internal rules and large sums transferred to fraudulent accounts? Which mechanisms do users respond to most readily, and how can they be trained to be more careful and vigilant in future?
How companies can train their employees
First steps against phishing: if you paste the header of a suspicious email into the analysis site www.iptrackeronline.com, it shows where the message was sent from. The location is derived from the Received headers, of which only those added by your own mail servers can be trusted; earlier ones can be forged by the sender.
It makes sense to begin by analysing the various tactics cybercriminals use to manipulate users. In companies, for example, employees can be sensitised with simulated phishing emails and then trained to handle such attacks. This also makes it possible to check how end users react to email-based attacks completely anonymously.
Service providers such as Sosafe create test emails according to various criteria: is the email easy, medium or hard to identify as risky? Does it use a private or a professional context? Does it work with pressure and fear, with the promise of a prize, or with praise and flattery?
The emails are then sent to employees to make them aware of such attacks. The messages carry anonymous codes that let the security service provider record how a user interacted with the email: whether they opened it, clicked a link in it, downloaded an attachment or entered a password. At the same time, the code procedure protects the employee's anonymity.
Test: Most users click on these phishing emails
An example of a simulated phishing email that exploits traits such as helpfulness and trust so that the recipient opens it immediately. Emails of this kind sometimes reach click rates of over 80 percent.
The language cybercriminals use in phishing emails can usually be assigned to one of six categories: pressure/fear, trust/intimacy, curiosity/interest, authority, helpfulness and praise/flattery. In the simulated emails the service provider can use the corresponding psychological mechanisms and find out which approach proves particularly successful in a given company.
The evaluation of numerous such tests paints a dramatic picture: overall, 18 percent of recipients clicked on a fictitious phishing email, but the most effective emails achieved click rates of over 80 percent. And once users had fallen for an email, they entered a password on the fake login page behind it in 74 percent of cases.
In other words, three out of four users who reach such a page from the fake email enter their Windows password, for example. These results make clear that there is an acute need for action to raise awareness of phishing.
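The simulation mechanics described above (one anonymous code per recipient, events recorded per code, results broken down by psychological lever and by funnel stage) can be modelled in a few lines. The following is an added example and not SoSafe's or the article's own code; it assumes, as a design choice not stated in the article, that the company derives each code with an HMAC over the employee ID and a secret that only the company holds, so the provider can aggregate results without ever being able to name a person. The campaign templates and the event log are constructed.

```python
"""Pseudonymous recipient codes and funnel metrics for a simulated phishing
campaign. Added example, not SoSafe's code. Assumptions (not from the article):
the company derives one opaque code per employee with an HMAC over the employee
ID and a secret only it holds, so the provider sees codes and events but can
never map them back to a person; the event log below is constructed."""
import hmac
from collections import defaultdict

# Template id -> psychological lever it uses (constructed campaign).
TEMPLATES = {
    "T1": "authority",            # "your manager asks you to open the attached document"
    "T2": "curiosity/interest",   # "photos from the Christmas party"
    "T3": "trust/intimacy",       # "a colleague asks you to check an invoice"
}
STAGES = ("sent", "opened", "clicked", "attachment", "credentials")


def make_code(employee_id: str, company_secret: bytes) -> str:
    """Opaque per-employee code. Without company_secret the code cannot be
    linked to an employee, and the secret never leaves the company."""
    return hmac.new(company_secret, employee_id.encode(), "sha256").hexdigest()[:16]


def funnel_by_lever(events, templates=TEMPLATES):
    """events: iterable of (code, template_id, stage) as logged by the provider.
    Returns, per lever, how many distinct recipients reached each stage plus the
    click rate and the share of clickers who went on to enter a password.
    A (code, template) pair counts once per stage, so a person clicking the
    same link twice does not inflate the numbers."""
    reached = defaultdict(set)                       # (lever, stage) -> {(code, tid)}
    for code, tid, stage in events:
        if stage not in STAGES:
            raise ValueError(f"unknown funnel stage {stage!r}")
        reached[(templates[tid], stage)].add((code, tid))
    report = {}
    for lever in sorted(set(templates.values())):
        counts = {stage: len(reached[(lever, stage)]) for stage in STAGES}
        sent, clicked, creds = counts["sent"], counts["clicked"], counts["credentials"]
        report[lever] = {
            **counts,
            "click_rate": clicked / sent if sent else 0.0,
            "cred_rate": creds / clicked if clicked else 0.0,
        }
    return report


def overall(report):
    """Campaign-wide click rate and password-entry rate among clickers."""
    sent = sum(r["sent"] for r in report.values())
    clicked = sum(r["clicked"] for r in report.values())
    creds = sum(r["credentials"] for r in report.values())
    return {"click_rate": clicked / sent if sent else 0.0,
            "cred_rate": creds / clicked if clicked else 0.0}


# Constructed data: ten recipients, each template sent to all of them.
COMPANY_SECRET = b"constructed-secret-held-only-by-the-company"
EMPLOYEES = [f"emp{i:02d}" for i in range(1, 11)]
CODES = {e: make_code(e, COMPANY_SECRET) for e in EMPLOYEES}


def constructed_events():
    """Provider-side log: for each template the first n_click recipients clicked
    and the first n_cred of those entered a password. No employee IDs appear."""
    plan = {"T1": (5, 4), "T2": (8, 6), "T3": (3, 2)}
    log = []
    for tid, (n_click, n_cred) in plan.items():
        for i, emp in enumerate(EMPLOYEES):
            code = CODES[emp]
            log.append((code, tid, "sent"))
            if i < n_click:
                log += [(code, tid, "opened"), (code, tid, "clicked")]
            if i < n_cred:
                log.append((code, tid, "credentials"))
    log.append((CODES["emp01"], "T2", "clicked"))   # repeat click: must not count twice
    return log


if __name__ == "__main__":
    report = funnel_by_lever(constructed_events())
    for lever, r in report.items():
        print(f"{lever:20} sent={r['sent']:2} clicked={r['clicked']:2} "
              f"click_rate={r['click_rate']:.0%} cred_rate={r['cred_rate']:.0%}")
    print("overall", overall(report))
```

The provider only ever stores the 16-character codes, and the deduplication per (code, template) pair is what keeps a curious recipient who clicks three times from appearing as three victims in the click rate.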
How cybercriminals use the boss scam (CEO fraud)
The most successful email in these simulations is one that appears to come from a real manager: it unequivocally asks the recipient to open an attached Word document that supposedly contains important information. Strikingly, exactly a third fewer recipients click on the very same email if it is sent not by the manager but by the manager's assistant. Another psychological principle is at work here: obedience to authority increases the risk of falling victim to a phishing attack.
Across all emails, the tactic that works most effectively is not authority or pressure but curiosity. Emails that supposedly contain photos of the Christmas party, an embarrassing video or colleagues' salary data are by far the most frequently clicked. The fatal thing is that such emails require almost no specific prior knowledge on the attacker's part: almost every company holds a Christmas party in November or December, and if an email with the “photos” follows in early January, the phishers' yield is correspondingly high.
With suspicious emails it is often enough to display the full header: this email, for example, does not come from PayPal but from a different sender.
Second on the phishers' success scale is feigned trust or intimacy, for example when the attacker poses as a colleague or business partner. Technically this is very easy to do, since the sender address shown in the mail client (the From header) is simply text chosen by the sender; unless the receiving side verifies it with SPF, DKIM and DMARC, nothing stops it from being forged.
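The two header checks mentioned above (where the message really came from, and whether the displayed sender matches the rest of the headers) can be automated with the standard library. The script below is an added example, not the article's or any service provider's code. It assumes that all of the reader's own mail servers sit under a single domain suffix (`corp.example` here) and that the sample message, a PayPal-themed phishing mail, is constructed for illustration; none of the hosts or addresses in it are real.

```python
"""Header checks for a suspicious e-mail: does the visible sender match the
envelope, the reply path and the host that actually delivered it?

Added example, not the article's own method. Assumptions: the reader's own
mail servers all sit under TRUSTED_SUFFIX; SAMPLE is a constructed message."""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_SUFFIX = "corp.example"   # assumed: our own MX and mailbox hosts

# Constructed message (not real): the display name pretends to be a paypal.com
# address while the actual From domain and the Reply-To point elsewhere.
SAMPLE = b"""Return-Path: <bounce-4711@srv77.example.net>
Received: from mx1.corp.example (mx1.corp.example [198.51.100.7])
    by mail.corp.example with ESMTPS id abc123
    for <alice@corp.example>; Mon, 7 Oct 2019 09:12:31 +0200
Received: from srv77.example.net (srv77.example.net [203.0.113.45])
    by mx1.corp.example with ESMTP id def456; Mon, 7 Oct 2019 09:12:30 +0200
From: "service@paypal.com" <noreply@srv77.example.net>
Reply-To: <verify@paypal-secure-login.example.net>
To: alice@corp.example
Subject: Your account has been limited
Message-ID: <20191007071230.1234@srv77.example.net>

Please confirm your identity within 24 hours.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rev>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(host: str, suffix: str) -> bool:
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def first_address(msg, name):
    """(display_name, addr_spec) of the first mailbox in header `name`."""
    hdr = msg[name]
    addrs = getattr(hdr, "addresses", ())          # From / Reply-To are address headers
    if addrs:
        return addrs[0].display_name, addrs[0].addr_spec
    _, addr = parseaddr(str(hdr or ""))            # Return-Path is parsed as plain text
    return "", addr


def perimeter_origin(msg, trusted_suffix):
    """Walk the Received chain newest-first (top of the header block) and return
    (host, ip) of the hop that handed the message to our own perimeter.
    Received lines below that hop were written by foreign servers and can be
    forged freely, so they are never consulted."""
    origin = None
    for raw in msg.get_all("Received", []):
        hop = HOP_RE.search(" ".join(raw.split()))  # unfold the header first
        if hop is None or not is_trusted(hop.group("by"), trusted_suffix):
            break
        ip = IP_RE.search(hop.group("rev") or "")
        origin = (hop.group("helo").lower(), ip.group(1) if ip else None)
    return origin


def analyze(raw: bytes, trusted_suffix: str = TRUSTED_SUFFIX) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = first_address(msg, "From")
    _, reply_to = first_address(msg, "Reply-To")
    _, return_path = first_address(msg, "Return-Path")
    from_dom = domain_of(from_addr)
    claimed = re.search(r"@([\w.-]+)", from_name)   # an address hidden in the display name
    claimed_dom = claimed.group(1).lower() if claimed else None
    origin = perimeter_origin(msg, trusted_suffix) or (None, None)
    result = {
        "from_domain": from_dom,
        "display_name_claims": claimed_dom,
        "display_name_mismatch": claimed_dom is not None and claimed_dom != from_dom,
        "reply_to_mismatch": bool(reply_to) and domain_of(reply_to) != from_dom,
        "return_path_mismatch": bool(return_path) and domain_of(return_path) != from_dom,
        "origin_host": origin[0],
        "origin_ip": origin[1],
    }
    result["suspicious"] = any(result[k] for k in
                               ("display_name_mismatch", "reply_to_mismatch", "return_path_mismatch"))
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:24} {value}")
```

For the sample the script reports the real From domain `srv77.example.net`, the `paypal.com` claim smuggled into the display name, a Reply-To that would route answers to a third domain, and `203.0.113.45` as the host that connected to the company's own MX. Only that last hop is trustworthy: anything an attacker's server writes into Received lines below it is under the attacker's control, which is why the walk stops at the first hop not recorded by a `corp.example` host.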
Countermeasures: How to recognize phishing emails immediately
The results of these practical tests seem sobering at first. However, certain precautions can still significantly reduce the risk posed by phishing emails.
First, companies should adapt their processes and structures. This will not immediately change how employees behave when faced with a supposedly interesting phishing email, but changed processes can make it much harder for an attack to succeed: for example, the four-eyes principle should apply when paying out amounts above a certain threshold or changing invoice and bank details.
Second, companies can question their organisational culture in light of the results: it is very strong hierarchies that make the authority approach of phishing emails so promising.
In addition, it is important to keep providing information and to work through examples of phishing emails. Manipulation attempts have been shown to be much less effective when the victim knows the mechanism behind them.