Invalid email or password - Either wrong credentials or account is compromised.

Invalid email or password – Forgotten credentials or potentially compromised?

  • 84% of Singaporean businesses are experiencing a spike in email-based attacks
  • The email threat vector that probably does the most damage is CEO fraud or conversation hijacking

Email remains the most effective method of business communication for firms. The main challenge is that it is also one of the most popular ways for attackers to target businesses. You log in successfully one day; the next day, a notification pops up saying: “invalid email or password”. At that point, either the email address or password has been forgotten, or the account may have been compromised.

Email security threats are once again increasing in numbers. For instance, according to HRD Asia, 84% of Singaporean businesses are experiencing a spike in email-based attacks. Additionally, it was stated that phishing emails had been used to target 97% of businesses.

This issue has been raised a lot, but why does email continue to be a major contributing factor in cyberattacks after all these years? There are, unfortunately, several causes. Tech Wire Asia had the opportunity to catch up with Mark Lukie, Director of Solution Architects – APAC at Barracuda, to talk about the state of the Asian cybersecurity landscape and the reasons why email threats are on the rise.

Could you share any insights on the ASEAN/APAC region’s cyber-attack landscape? Where do you see the trend going?

[Image: Mark Lukie, Director of Solution Architects - APAC at Barracuda. Source: iTWire]

The ASEAN market is fairly comparable to the rest of what we observe in APAC. So, email threats are constantly the number one attack threat vector.

Organizations worldwide are transitioning to a hybrid work environment where some work from home, some return to the office, and some people are completely remote. In the end, all of these different types of attacks make our users the weakest link.

Email threats will continue to be the main attack vector until we have a strategy for the future that addresses whether or not everyone is returning or whether we have become accustomed to this type of hybrid workforce.

There is some data that suggests that a number of ASEAN nations are still highly susceptible to online apps being compromised. Massive volumes of ransomware are still present, and unpatched machines are still vulnerable. As a region centered on APAC, as opposed to the ASEAN market, there may be more subtle differences between nations that are reluctant to adopt cloud infrastructure, a more modern development, and possibly more on-premise technology.

There are a few pretty strong regulations governing data sovereignty. As a result, there may be a reluctance to migrate into those nations if there isn’t a significant cloud presence there, such as moving into Microsoft, Amazon, or Google’s public cloud.

Would you consider email threats to be the standard method of attack initiation given that over 90% of cyberattacks begin with an email threat? Are they becoming more advanced?

There are a lot more attacks today that are more difficult to distinguish between. In the past, it was more of a traditional attack approach, making it simple to identify and stop illicit activities like spam or the Viagra email.

Now, everything can look legitimate, including staff employees and CEO impersonations in addition to huge brands. Attachments and connections to malicious websites are no longer present.

Email is available to everyone, and we use it to do work-related tasks 90% of the time. For an attacker, it will always be the point of entrance or the foothold since that is what they seek. Credentials are required by them. They can then launch their attacks, cipher, conduct their research, and ensure that when they release their attacks, it has a greater impact on a business if they are able to obtain credentials into the target organization.

I’ve heard of business users who have multi-factor authentication set up on their phones, and they’ll receive a notification that they didn’t create, yet they’ll go through and approve that multi-factor authentication because they’re so used to doing it now. It’s a human reaction to think, “Oh, it’s multi-factor authentication [so it is safe], I’ll approve that.”

As a result, attackers can take advantage of that human behavior to trick those users. There have also been more sophisticated attacks in which perpetrators call the victim pretending to be from a large organization and attempt to steer them in a specific direction or feed them sensitive information.

Additionally, individuals will need to be on the lookout for these distinct forms of attacks and ensure that they are trained to recognize them and understand how the attacks can affect both their personal and professional lives.

Does a lack of cyber awareness among employees in an organization contribute to the surge in email threats?

I believe that email security comprises cybersecurity awareness and the training that goes along with it. Users should be educated about the different types of things to look for, in addition to putting defensive layers in front of them to protect them. This is because, although users may be protected when they are inside walled gardens or castles inside their corporate infrastructure, they also have access to their personal emails.

Users may be protected by security at work, but when they leave the office, they may use a personal email account. Attackers can pose as their corporate entities to deceive victims into disclosing corporate information and hack accounts using Gmail, Yahoo, or another type of personal email.

In addition to being educated, organizations need to make sure that they are resilient and have the ability to fix issues if they arise. For example, what procedures and technology would help the IT team go and remove a threat from their infrastructure if an account was compromised or if they launched a spear phishing attack from one of their internal accounts?

That is the direction that everything is sort of headed in: towards prevention, remediation, and education awareness to also train users against these multi-vector attacks.

Are there particular email threat types causing havoc to individuals/organizations as they evolve and multiply?

Either CEO fraud or conversation hijacking is probably the one that does the most harm. In the event of conversation hijacking, supposing there is a business owner who has a variety of partners with whom they would conduct business, it is actually that outside party who is compromised, which makes it extremely unique.

The outside party might not have the best email security, so the hacker who has gained access to their account is likely receiving a copy of it and is watching for a good opportunity to launch an email attack that contains the complete email history of the conversation.

They accomplish this by registering a domain name that is very similar to the one used by the third party. This domain will copy the message in its entirety, including all signatures and replies to make it appear as though the conversation has continued in its entirety. They will then send the message from the domain they control, essentially hijacking the conversation and persuading the recipient to send funds.
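As an added illustration, not part of the interview or of any Barracuda product: a small Python check that a mail gateway script or SOC playbook could run over a From header to flag sender domains that are near-matches of known partner domains, the pattern described above. The partner list, the confusable-character map and the sample headers are constructed assumptions.

```python
import re
from unicodedata import normalize

# Constructed list of partner domains the organisation already trusts (assumption).
TRUSTED_DOMAINS = {"acme-partners.com", "globex.co", "initech.sg"}

# Digits commonly swapped for look-alike letters; an illustrative subset, not a full confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def canonical(domain: str) -> str:
    """Lowercase, strip accents, fold digit look-alikes and merged letter pairs (rn->m, vv->w).
    Applied to both sides of a comparison, so a legitimate domain with digits still matches itself."""
    d = normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate the two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain part out of a From header such as 'Jane Doe <jane@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""


def classify(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted' (exact partner domain), 'lookalike' (near-match) or 'unknown'."""
    dom = sender_domain(from_header)
    if dom in trusted:
        return "trusted"
    cdom = canonical(dom)
    for t in trusted:
        ct = canonical(t)
        # Short domains get a tighter threshold so unrelated short names are not flagged.
        limit = 1 if len(ct) < 10 else max_dist
        if cdom == ct or edit_distance(cdom, ct) <= limit:
            return "lookalike"
    return "unknown"
```

A 'lookalike' verdict on a thread that quotes earlier legitimate correspondence is the signal to hold the message and verify the request out of band.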

Do you see a distinctive pattern in how an attack is launched in Asia as opposed to other regions of the world?

I think that they are all being launched in largely similar ways. They will often use a sender that has a solid reputation, such as a Hotmail or a service similar to Gmail, that is simple to use – allowing accounts to be created quickly and has a good reputation due to its high volume.

They will employ this if the spear phishing attack is only generic. Usually, they can accomplish that with ease. It becomes more tailored in what they do when it comes to social engineering attacks.

Those attackers have undoubtedly put more effort and money into those kinds of attacks. It is very individualized for the company. In order to access the target and, therefore, receive higher compensation, they will develop those services and register those domains as needed. If they are successful, it costs them more money but will ultimately generate a higher profit for them.

AI and automation have proved essential in enhancing core business processes and assisting firms in making better decisions. How crucial are they in preventing cyberattacks in the field of cybersecurity?

AI and machine learning are only as good as the data you can feed them. So, learning and algorithmic evolution and adaptation are necessary for that technology to be useful and effective. So, since attackers are also using the same technologies, cybersecurity defense is of utmost importance.

Attackers are going to use similar types of technology to be more successful in their attack because they have access to large known breaches and information that is available on the dark web.

As a cybersecurity vendor, we have a first-mover advantage since we have been utilizing that technology for many years, especially at Barracuda, and it will become something that gets more mature. It will adapt, enabling us to put in more data and train it based on newer, more modern types of attacks that we’re likely to see in the future.

We’ve seen a lot of attacks where people have used various website redirections. When visiting a website, it may be redirected elsewhere and pass through a number of different portals. In such cases, some technologies may become essentially unresponsive and unable to follow those multiple links.

So, attackers are looking for ways to evade this security. And, again, we’ve put measures in place to be able to look for these types of hosted services where these attacks have commonly come from, to adapt our own technology to prevent those malicious emails from coming through.

Do employees have a right to believe that cybersecurity solutions will keep them safe? Or are employees still essential in ensuring their own safety?

It ultimately boils down to the organization. What is the maturity level of security inside a business? If consumers click something or do something that would cause a problem, are they using some kind of punishment approach?

Or are they attempting to employ an awareness program that teaches their customers that they can quickly report anything suspicious to their corporate IT team and that doing so would almost certainly result in a reward? Therefore, rather than creating a negative reinforcement model, this is essentially creating a positive reinforcement model.

In doing so, more people will be more receptive, on the lookout for suspicious activity, and users will have more and more eyes for the security team to possibly pick up on things or modern types of attacks. They will then feed this information back to the IT security team, who may go and analyze it to determine whether those threats are more widespread.

Can you share Barracuda’s approach to helping organizations raise their cyber awareness maturity level in order to reduce cyberattacks?

Making sure we have excellent ways to protect consumers from a common threat vector via email and remediate it by utilizing AI and machine learning is a critical component of the Barracuda platform. In addition, we assist with threat hunting and vulnerability remediation, as well as building cybersecurity awareness training and making sure M365 users have a backup plan in place to safeguard themselves from vulnerabilities.

Barracuda also provides data protection, network, and application security services (DNA). There are two other significant threat vectors besides email protection, one of which is vulnerabilities in web applications. Everyone has been driven by the digital transformation to shift onto a kind of online platform and has put their information into web applications. Companies must consider how to secure and safeguard that as they gradually transition into the new digital age.

The second one is around connectivity. I believe that the ASEAN market is probably highly developed in terms of network security. We are now entering the realm of operational technology, the Internet of Things (IoT), and potential vulnerabilities in the tens of thousands of devices that may be found in manufacturing, agriculture, or fisheries environments.

Therefore, we are really working to ensure that we have a diverse portfolio to support our customers as they migrate to the public cloud while also being able to safeguard their on-premises infrastructure.