SHARED INTEL: Bogus Coronavirus email alerts underscore risk posed by weaponized email
March 16, 2020
It comes as no surprise that top cyber crime rings immediately pounced on the Coronavirus outbreak to spread a potent strain of malware via malicious email and web links.
IBM X-Force researchers shared details about how emails aimed at Japanese-speaking individuals have been widely dispersed purporting to share advice on infection-prevention measures for the disease. One of the waves of weaponized emails actually is designed to spread a digital virus: the notorious Emotet banking Trojan designed to steal sensitive information.
One cybersecurity company, Tel Aviv-based Votiro, is taking a different approach to strengthening protection against such weaponized documents, using technology that disarms files before they are delivered to the recipient’s inbox. I had the chance to visit with Votiro CEO and founder Aviv Grafi at RSA 2020. For a full drill-down, give a listen to the accompanying podcast. Here are a few key takeaways:
Filtering falls short
As a former penetration tester who specialized in testing employees’ aptitude for resisting email lures, Grafi saw time and again how – and why – attackers leverage timely events, such as celebrity deaths, holidays or tax deadlines, to lure email recipients into clicking on corrupted Word docs or PDF attachments.
Votiro introduced its ‘Disarmer’ technology, called CDR, for “content disarm and reconstruction,” to the U.S. market in 2019. CDR takes a prevention, instead of detection, approach to disarming weaponized email and deterring document-delivered malware.
“We’ve tried over the years to solve weaponized email in many different ways,” Grafi says. “We’ve tried using anti-virus signatures, and that doesn’t work. We tried sandboxing, and detonating the document in a safe environment to see if the document is doing something malicious, but the attackers outsmarted us and figured out how to evade sandboxes.
“And then came next-gen anti-virus, which used machine learning to build a model, based on past samples, to try to predict the future, but prediction, by definition, cannot be 100 percent . . . so we at Votiro knew we had to solve this problem.”
Gaining peace of mind
Instead of joining the never-ending arms race to put up more rigorous email filters, Votiro delivers a service that grabs every document coming in via email and generates a safe version of it before allowing it to continue through to the recipient. It can do this at scale and in near real time.
The result is that the targeted company, and the individual employee, gain peace of mind. The expectation becomes that attachments in company email always arrive in a safe state. Everything relevant to the user’s experience has been vetted and verified as valid. Embedded malware, such as a copy of the Emotet Trojan arriving as an attachment purporting to be Coronavirus health tips, gets stripped out.
“We solve the problem by flipping it on its head,” Grafi told me. “Instead of looking for a bad document, or bad parts in a document, we take the content of each and every document and generate a safe version . . . for instance we take the text, the bookmarks and the images and generate a safe document, delivering that in milliseconds to the user. That way, we don’t need to participate in the cat and mouse game, anymore.”
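To make the approach Grafi describes concrete, here is an added example (my code, not Votiro’s) of the simplest form of content disarm and reconstruction for a Word document: a .docx is a zip package, so the disarmer rebuilds a new package that carries over the text parts but refuses the parts that can hold executable content (the VBA project, ActiveX controls and embedded OLE objects), and then removes the now-dangling references to them so Word still opens the file. The part-name patterns and the sample package are constructed for this illustration; a production CDR engine regenerates text, images and bookmarks into a fresh file rather than filtering the original.

```python
"""CDR-style rebuild of a .docx: drop the parts that can carry code, keep inert content."""
import io
import re
import zipfile
# Parts a disarmer refuses to carry over (constructed pattern list; a full CDR engine
# would regenerate text, images and bookmarks into a fresh file rather than filter).
BLOCKED_PART = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX/|embeddings/)", re.I)

def _drop_refs(xml, removed_basenames):
    """Strip <Override>/<Relationship> elements that point at a removed part."""
    def keep(m):
        target = re.search(r'(?:PartName|Target)="([^"]+)"', m.group(0))
        if target and target.group(1).rsplit("/", 1)[-1] in removed_basenames:
            return ""  # a dangling reference would make Word reject the rebuilt file
        return m.group(0)
    return re.sub(r"<(?:Override|Relationship)\b[^>]*/>", keep, xml)

def disarm_docx(data):
    """Return (rebuilt package bytes, list of removed part names)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        removed = [n for n in names if BLOCKED_PART.search(n)]
        basenames = {n.rsplit("/", 1)[-1] for n in removed}
        for name in (n for n in names if n not in removed):
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                body = _drop_refs(body.decode("utf-8"), basenames).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue(), removed

def build_sample_docx():
    """Constructed minimal macro-enabled package standing in for a weaponized attachment."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            '</Relationships>')
    parts = {
        "[Content_Types].xml": ct,
        "word/document.xml": "<w:document><w:body><w:p><w:r><w:t>Infection-prevention tips</w:t></w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": rels,
        "word/vbaProject.bin": b"constructed placeholder, not a real macro project",
        "word/embeddings/oleObject1.bin": b"constructed placeholder, not a real OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running `disarm_docx(build_sample_docx())` returns a package that still contains `word/document.xml` but no `vbaProject.bin` or embedded object, and a second pass over the output removes nothing.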
With startups and established organizations migrating to the cloud at an accelerated pace, Microsoft’s Office 365 and Google’s G Suite have now emerged as go-to work tools. Google recently claimed 5 million folks use a paid version of G Suite, while Microsoft boasts that one in five corporate employees use an Office 365 cloud service, and that Office 365 is the most widely used cloud service by user count.
Since hackers go where the users are, we should expect weaponized email to remain with us for the foreseeable future. Employee awareness training and the latest iterations of firewalls and endpoint protection systems have their place. Yet Votiro has landed big financial institutions as clients and secured $14 million in VC funding for its disarming approach. And it has made its core services cloud ready.
“One of the things we’ve done in the past 12 months is to expand our platform,” Grafi says. “We can now protect any file that’s coming into the organization, no matter where it comes from.”
Votiro’s service integrates with Office 365 and G Suite, as well as with popular cloud storage and collaboration tools, like Dropbox and Slack. “We can actually integrate with any platform that deals with documents,” he says. “We want to make users’ lives easier, and convince them that it’s okay to click on anything, without having to think twice, if they’re using Votiro’s technology.”
There’s a place for coming at protection from another angle, as Votiro is doing. I can see how a startup that’s entirely cloud-based, using subscription services to run IT operations traditionally handled on premises, would go for this approach. I’ll keep watch.