Phishing: Email, an initial attack vector

As with every major event, the health crisis has brought a proliferation of email attacks, targeted or not, that use the Coronavirus theme or, more recently, StopCovid. Let us take a closer look at this method of attack.

Email, the foot in the door of the targeted IT system

Email is regularly used as the initial vector of a cyberattack on a company or an individual.

The initial objective of the person who sends you this email is to make you click on a malicious link or execute a file. To achieve this, the technique consists of trapping the user with an email that often impersonates a real organisation in order to fool the recipient.

The final objective is:

To maximize the chances of a successful click, hackers tailor their emails to current news or to the user's interests, whether professional or personal.

And after the click?

In the first case (information recovery), the victim is asked to enter information on a website that closely imitates a genuine one (or even on a genuine website that has been compromised).
In the second case (installation of malware), the email created by the hacker contains either a file carrying code or an internet link. When the victim clicks the link, it leads them to a fake website.
As soon as the victim's browser accesses the spoofed website, malicious code is automatically downloaded in the background. This allows the attacker to exploit any vulnerability in, for instance, the victim's browser or a third-party component (PDF reader, Flash player…) and so take control of the targeted machine.
This code, however it is executed, can perform different actions depending on the attacker's choice: execution of malware (often ransomware), connection to a website known as a C&C (command and control)…
The code can then carry out the action it was created for, most of the time without the knowledge of the user or the system administrator.

Why the antivirus didn’t stop the malicious code

One of the first security practices is to keep an up-to-date antivirus. So why didn't it stop the virus?
The hacker has often developed code tailored to the victim's software environment and equipment. This customisation helps to exploit vulnerabilities present on systems that have not been updated.
But it does not stop at customisation based on vulnerabilities: the hacker will also use code encryption and rewriting methods to modify the file's fingerprint and some of its operations (such as system calls). These techniques allow them to escape commonly used detection methods such as antivirus, filtering and monitoring systems…

Technical measures are not sufficient

As the news has demonstrated for years, and more recently during the Covid-19 crisis, in the case of a targeted attack (or widespread phishing), traditional technical means of protection such as antivirus, antispam and email gateways are not sufficient to protect yourself. It is absolutely necessary to work on the human dimension. Awareness-raising and training of users and administrators become indispensable, as does the implementation of policies that will be useful in case of an incident or a suspected attack.
To achieve this, it is necessary to challenge our personnel through realistic test campaigns and to provide feedback based on concrete scenarios, so as to improve continuously on all points.
Article co-authored by: 
Jean-Marie Bourbon - Hacknowledge
Mathieu Hernandez - Cybersecurity expert - Actis