Criminals are hijacking emails to defraud clients – innovation will defeat them

  • Greg Sim, CEO at Glasswall Solutions

  • 08.01.2018 09:00 am
  • cybersecurity

Banks and law firms have one thing in common these days – cyber fraudsters see their emails as the perfect way to get at clients and supply chain partners.  

Take, for example, the attack on a London law firm before Christmas in which criminals sent out 1,600 highly convincing decoy emails to the company’s clients, asking them to click on an “urgent” attachment. The hackers were intent on fraud and had gained access to the server of the London firm Anthony Gold Solicitors so they could send out malicious email attachments in an attempt to uncover clients’ log-in details.

It seems that nobody lost out, but while the company apologised and launched an investigation, clients were left feeling uneasy because the emails were so realistic. In the comments section of the Law Society Gazette following this attack, one of the Anthony Gold clients said he or she had been expecting an email about money the firm was due to pay and so clicked on the attachment. This client also complained that their conventional anti-virus software had detected nothing in the course of a scan. Hardly surprising, since this is precisely the type of technology that criminals know is incapable of spotting new malware variants or the minute alterations to file structures that are now employed to trigger malware attacks.

Another recipient, who had worked at Anthony Gold, pointed out how realistic the forged emails were, while other clients went online to declare their unhappiness with the firm’s response. It was not a great day for the business and, sadly, it is a classic example of how cyber criminals view legal and financial institutions as hubs from which to defraud clients. Creating highly convincing emails, the hackers include attachments that have malicious code hidden either in the active elements of the file or, as is increasingly the case, in its structure.

The key question for any financial organisation is how it can avoid a similar fate. There was nothing unique to the legal world about this attack; it could just as easily have been perpetrated on a bank or insurer, where email attachments flow in and out all day long.

All client lists and supply chains are being put at risk by old-fashioned anti-virus technology

It is important to recognise that cyber risk is moving much more heavily into the supply chain now. Criminals are fully aware that organisations are only as safe as their least-secure partners and that clients and their employees implicitly trust professional businesses.

If financial organisations continue to rely on traditional anti-virus technology, however, they run the risk either of being victims of cyber fraud or extortion, or of unknowingly dispersing malicious code to the thousands of client or supplier addresses the hackers want to target. Newly written code can now sneak through anti-virus systems and trick its way through sandboxing applications by switching itself off and on. Traditional solutions can no longer detect these malicious pieces of code, since they have not been assigned the “signatures” on which the anti-virus industry depends.

If the financial sector continues to rely on a combination of anti-virus solutions and encryption to maintain security, it will have little or no defence against the millions of new malware variants being launched every year. The threats within JavaScript, Flash, encrypted and embedded files may be well-known, but the biggest sources of danger are the zero-day attack triggers inside the structures of common files such as PDFs, Excel and Word. These are threats that traditional anti-virus technology cannot detect.

The upshot of all this is that the financial sector must wake up to the dangers and become more innovative about cyber security technology. The focus has to be on solutions that tackle the menace of phishing emails containing phoney attachments. We know that more than 90 per cent of successful cyber-attacks commence when someone receives a cunningly personalised or disguised email and unknowingly opens a PDF, Word, PowerPoint or Excel file that has been subtly altered.

Innovation is the answer in the shape of file-regeneration technology

Experience shows that file-regeneration is the sole means by which organisations can prevent themselves from being turned into malware hubs. Towards the end of last year Glasswall found that unexplained code was being written into some of the thousands of documents two law firms sent out to clients and business partners.

In the first incident, code was being inserted into documents by the law firm’s PDF-writing software. At the second firm, the document scanner was incorporating unauthorised code into the structure of digital files it was generating.

In the event it proved to be purely anomalous, but it was only detected because each firm had installed file-regeneration technology that examines every outbound file. This technology conducts byte-level examinations of each document in fractions of a second, generating a ‘known good’ clean and sanitised version that can be used in total safety. The technology has already detected a minute, two-byte change hidden by criminals inside a PDF file structure in order to crash the recipient’s reader so that malicious code would trigger a malware attack. As a zero-day attack this would bypass traditional signature-based security software.
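The byte-level structural check and ‘known good’ regeneration described above, and the active-content and file-structure triggers mentioned earlier in the piece, reduced to a runnable Python sketch. This is an added example, not Glasswall’s code or anything the article specifies: it handles only the classic uncompressed PDF object and xref-table layout, the sample PDF is constructed inline, the shifted xref offset is a stand-in for the kind of minute structural edit the article mentions (not the specific two-byte change it refers to), and the list of active-content keys (/OpenAction, /AA, /JavaScript, /JS, /Launch) is the author’s choice for the demonstration.

```python
import re

# Parses "N G obj ... endobj" pairs (classic, uncompressed PDF objects only)
OBJ_RE = re.compile(rb"(\d+) (\d+) obj\s*(.*?)\s*endobj", re.S)
# Markers of active content: any object carrying one is dropped outright
ACTIVE = {"JavaScript": rb"/JavaScript\b", "JS": rb"/JS\b", "Launch": rb"/Launch\b"}
# Auto-run hooks: these keys are stripped from every dictionary that is kept
TRIGGERS = {"OpenAction": rb"/OpenAction\b", "AA": rb"/AA\b"}


def assemble(objects):
    """Write a PDF from {object_number: body}, recomputing the xref table and trailer
    so every offset is correct by construction (this is the 'regeneration' step)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = {}
    for num in sorted(objects):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objects[num])
    size = (max(objects) if objects else 0) + 1
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):
        out += b"%010d 00000 n \n" % offsets[num] if num in offsets else b"0000000000 00000 f \n"
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)


def locate_xref(data):
    """Return (position of first entry, first object number, entry count) for the
    classic xref table named by startxref, or None if there is no usable table."""
    m = re.search(rb"startxref\s+(\d+)\s*%%EOF", data)
    if not m:
        return None
    pos = int(m.group(1))
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", data[pos:pos + 64])
    if not hdr:
        return None
    return pos + hdr.end(), int(hdr.group(1)), int(hdr.group(2))


def check_xref(data):
    """Byte-level structural check: every in-use xref entry must point exactly at
    'N G obj'. Returns the object numbers whose offsets are wrong (an empty list means
    the table is consistent), or None when the file has no usable xref table at all."""
    loc = locate_xref(data)
    if loc is None:
        return None
    entries_pos, first, count = loc
    bad = []
    for i in range(count):
        e = data[entries_pos + 20 * i: entries_pos + 20 * i + 20]
        if len(e) < 18 or e[17:18] != b"n":
            continue  # free entry (or a truncated table)
        objnum = first + i
        if not data.startswith(b"%d %d obj" % (objnum, int(e[11:16])), int(e[:10])):
            bad.append(objnum)
    return bad


def find_active_content(data):
    """Names of the active-content markers and auto-run keys present anywhere in the file."""
    return sorted(name for name, pat in {**ACTIVE, **TRIGGERS}.items() if re.search(pat, data))


def regenerate(data):
    """Produce a 'known good' copy: re-parse every object, drop those carrying active
    content, strip auto-run keys from the rest, then assemble a fresh file whose
    structure no longer depends on anything the original xref table claimed."""
    kept = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        if any(re.search(pat, body) for pat in ACTIVE.values()):
            continue
        for pat in TRIGGERS.values():
            # remove "/Key value" where value is an indirect ref, name, string, array or dict
            body = re.sub(pat + rb"\s*(\d+ \d+ R|/\w+|\([^)]*\)|\[[^\]]*\]|<<[^>]*>>)", b"", body)
        kept[num] = body
    return assemble(kept)


def shift_xref_offset(data, objnum, delta):
    """Constructed test fixture: move one xref offset by `delta` bytes and change
    nothing else, standing in for the minute structural edits the article describes."""
    entries_pos, first, _ = locate_xref(data)
    p = entries_pos + 20 * (objnum - first)
    return data[:p] + b"%010d" % (int(data[p:p + 10]) + delta) + data[p + 10:]


# Constructed sample: a one-page PDF whose catalog auto-runs a JavaScript action on open.
SAMPLE = assemble({
    1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    4: b"<< /S /JavaScript /JS (app.alert\\(42\\)) >>",
})

if __name__ == "__main__":
    tampered = shift_xref_offset(SAMPLE, 3, 2)  # a couple of bytes changed, in the xref only
    print("active content in sample:", find_active_content(SAMPLE))
    print("objects with bad xref offsets after tampering:", check_xref(tampered))
    clean = regenerate(tampered)
    print("regenerated copy:", check_xref(clean), find_active_content(clean))
```

Two design points worth noting. The check never trusts the file’s own bookkeeping: it follows `startxref` and then verifies, byte by byte, that each entry lands on the object header it claims to describe, which is exactly the class of inconsistency a signature scanner has no reason to look at. The regeneration step then discards the original structure entirely rather than patching it, so the output’s xref is correct whatever the input said, and any object that carried script or launch actions simply does not survive into the copy.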

Once files have been sanitised, email traffic continues in full confidence, having been cleaned of all malicious code. The intelligence derived from this technology also gives organisations vital insights into the nature of the threats they are facing and how criminals are adapting code or shifting vectors.

In the absence of technologies such as file-regeneration, financial institutions are putting their clients and their business partners at risk. One of those commenting on the Anthony Gold attack spoke from experience, saying such incidents led to “days of hell” for the firm hijacked as a malware hub. For financial organisations these “days of hell” could be interminable unless they adopt a more innovative approach to email security.
