DMARC: How Phishing Rings Can Use Your Email Authentication Controls Against You

Michael Paiko July 23, 2020 DMARC

In the first reported case of its kind, a phishing ring in Eastern Europe is exploiting companies’ own Domain-based Message Authentication, Reporting and Conformance (DMARC) controls to impersonate CEOs in business email compromise (BEC) scams worth millions.

As detailed in our new threat actor dossier on a group we call Cosmic Lynx, the Agari Cyber Intelligence Division (ACID) has identified the first known Russian cybercrime group to conduct BEC attacks. During its investigation, the ACID team documented more than 200 Cosmic Lynx BEC scams targeting large, multinational companies in 46 countries just within the last 12 months.

BEC has emerged as one of the costliest forms of cybercrime, accounting for more than $26 billion in business losses since 2016. Because these attacks employ social engineering ploys instead of malicious links or malware, they easily evade signature-based email security controls. And while the typical BEC scam nets $55,000, Cosmic Lynx has developed a mergers-and-acquisitions ruse that can net tens of millions of dollars.

Cosmic Lynx is also the first group known to specifically factor a targeted company’s level of DMARC adoption, or lack thereof, into its plans to impersonate corporate executives in the emails that drive its schemes. For companies that fall prey, the result can be as calamitous as it is preventable. Yet most organizations leave themselves wide open to attack.

DMARC: Stopping Phishing Impersonations in Their Tracks

First introduced in 2012, DMARC was developed by a group of industry leaders that includes Agari founder and CEO Patrick Peterson.

At its most essential, DMARC is an open standard email authentication protocol that enables email receiver systems to recognize when an email isn’t coming from a specific company’s approved domains, and gives the company the ability to tell those receiver systems what to do with these unauthorized email messages.

Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be rejected by a mail server and not delivered to its intended recipient.

When implemented with this enforcement level, DMARC has proven effective at thwarting fraudsters seeking to pirate an organization’s domains to launch phishing-based brand impersonation scams targeting its customers, partners, and the general public.
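To make the policy levels above concrete, here is an added example (not code from the original post or from Agari) that parses a DMARC TXT record, works out the policy a receiver applies to a message that fails authentication, and extracts the reporting mailboxes named in the rua and ruf tags. The sample records and domains are constructed for illustration; a real record is published as a TXT record at _dmarc.<domain>. The pct tag is deliberately ignored here, so every failing message is treated as subject to the policy.

```python
# Constructed sample records (not taken from the page). None models a domain
# with no _dmarc TXT record at all.
SAMPLE_RECORDS = {
    "no-policy.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "enforced.example": (
        "v=DMARC1; p=reject; sp=quarantine; "
        "rua=mailto:abuse@enforced.example; "
        "ruf=mailto:legal@enforced.example"
    ),
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when there is no record. Raises ValueError on records that
    are not DMARC1 or lack the mandatory p= tag.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def effective_policy(tags, subdomain=False):
    """Policy that applies to a failing message.

    With no record the receiver has no instruction, which behaves like p=none.
    The sp= tag, when present, overrides p= for mail from subdomains.
    """
    if tags is None:
        return "none"
    policy = tags.get("p", "none")
    if subdomain and "sp" in tags:
        policy = tags["sp"]
    return policy.lower()


def receiver_action(tags, dmarc_pass, subdomain=False):
    """What a DMARC-aware receiver does with one message.

    dmarc_pass is the outcome of SPF/DKIM alignment checks; a passing message
    is delivered regardless of policy.
    """
    if dmarc_pass:
        return "deliver"
    policy = effective_policy(tags, subdomain)
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


def report_addresses(tags):
    """Mailboxes that receive aggregate (rua) and failure (ruf) reports."""
    out = {}
    if tags is None:
        return out
    for tag in ("rua", "ruf"):
        if tag in tags:
            addrs = []
            for uri in tags[tag].split(","):
                uri = uri.strip()
                if uri.startswith("mailto:"):
                    uri = uri[len("mailto:"):]
                addrs.append(uri)
            out[tag] = addrs
    return out


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        tags = parse_dmarc(record)
        print(domain, "->", receiver_action(tags, dmarc_pass=False), report_addresses(tags))
```

Running the block prints, for each constructed domain, what happens to a message that fails authentication: the domain with no record and the p=none domain both still deliver, while only the enforced domain rejects (or quarantines for its subdomains).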

But the vast majority of companies have yet to implement DMARC, including 85% of the Fortune 500—a fact Cosmic Lynx leverages to maximum effect.

Cosmic Lynx: What’s in Your Email Infrastructure?

As we report in our Q1 ’20 Email Fraud & Identity Deception Trends Report, most BEC groups leverage free webmail accounts or registered domains to send malicious emails.

But Cosmic Lynx is part of the 4% of all attacks that exploit organizations without an established DMARC policy. Hijacking an organization’s domains enhances the apparent veracity of email messages by directly spoofing a legitimate corporate email address, including that of the CEO, when possible.

Based on our analysis, Cosmic Lynx is the first threat group known to actively assess and then act on a targeted organization’s level of DMARC adoption.

If a company has not implemented a DMARC policy, or has a policy set to monitor only (p=none), Cosmic Lynx will directly spoof the CEO’s email address and set the Reply-To email to the operational email account the fraudsters use to correspond with recipients it hopes to victimize through the impersonation.

But if the organization has an established DMARC policy set to reject or quarantine (p=quarantine), Cosmic Lynx will forgo spoofing the sending email address. Instead, the group settles for changing the display name to include the impersonated CEO’s email address (e.g., “John Smith – jsmith@acme.com”), which at least offers some appearance of legitimacy.
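The two impersonation patterns just described (a direct spoof of the executive’s address with a Reply-To pointing elsewhere, and a display name that embeds the executive’s address while the real From address sits on another domain) are both visible in message headers. The following added example, which is not code from the original post or from Agari, checks a message’s From and Reply-To headers for those two patterns. The protected domain, the sample headers and the DMARC result passed in are all constructed for illustration; in practice the DMARC result would come from the receiver’s Authentication-Results header.

```python
import re
from email.utils import parseaddr

# Matches an email address embedded in free text such as a display name.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages (not from the page). acme.example stands in
# for the targeted company's real domain.
SAMPLES = [
    # Pattern 1: From spoofs the CEO, Reply-To points at an attacker mailbox.
    {"From": "John Smith <jsmith@acme.example>",
     "Reply-To": "John Smith <jsmith@mail-reply.example>",
     "dmarc_result": "fail"},
    # Pattern 2: display name carries the CEO's address, From is elsewhere.
    {"From": '"John Smith - jsmith@acme.example" <j.smith@freemail.example>',
     "dmarc_result": "pass"},
    # Benign: authenticated mail from the protected domain.
    {"From": "Jane Doe <jdoe@acme.example>",
     "dmarc_result": "pass"},
]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_headers(headers, protected_domain, dmarc_result):
    """Return a list of human-readable findings for one message.

    headers: dict with 'From' and optionally 'Reply-To' raw header values
    protected_domain: the company's own domain
    dmarc_result: 'pass', 'fail' or 'none', as evaluated by the receiver
    """
    protected = protected_domain.lower()
    findings = []
    display, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(headers.get("Reply-To", ""))[1])

    # Pattern 1: the From address claims the protected domain but did not
    # authenticate, and replies are steered to a different domain.
    if from_domain == protected:
        if dmarc_result != "pass":
            findings.append(f"From claims {protected} but DMARC result is {dmarc_result}")
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Pattern 2: the display name embeds an address on the protected domain
    # while the actual From address is on some other domain.
    for embedded in EMAIL_IN_NAME.findall(display):
        if domain_of(embedded) == protected and from_domain != protected:
            findings.append(f"display name embeds {embedded} but From address is on {from_domain}")

    return findings


def run_samples(protected_domain="acme.example"):
    """Assess every constructed sample; returns one findings list per sample."""
    return [assess_headers(s, protected_domain, s["dmarc_result"]) for s in SAMPLES]


if __name__ == "__main__":
    for sample, findings in zip(SAMPLES, run_samples()):
        print(sample["From"], "->", findings or "no findings")
```

Pattern 1 only fires when the receiver’s DMARC evaluation did not pass, so legitimate mail from the protected domain is not flagged; pattern 2 does not depend on DMARC at all, which is exactly why an enforcing policy alone does not stop it.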

DMARC Isn’t Just for Good Guys Anymore

There’s another troubling aspect to Cosmic Lynx relative to DMARC. It turns out that while the group is more than happy to spoof a company’s email infrastructure to target the organization or others in a BEC attempt, Cosmic Lynx isn’t so keen on having someone spoof its own domains.

By implementing properly configured DMARC policies itself, the group is able to monitor any attempts at spoofing its domains, just as any legitimate enterprise would do. It also helps prevent spam bots and other parties from piggybacking on the reputation of the group’s sending domains, which would negatively impact the reputation of those domains and reduce the likelihood that its malicious emails would reach their intended targets.

And there’s more. Cosmic Lynx’s DMARC-enabled domains are configured to send reports of spoofing attempts to abuse@(domain), with variations that include legal@(domain) and dmarc@(domain). This serves two rather devious purposes. Yes, Cosmic Lynx receives a copy of any emails attempting to impersonate its domains. But the approach also adds an appearance of legitimacy that can help fool organizations investigating those domains into refraining from reporting fraud attacks against them.

Securing Domains, Defending Against Attacks

That last part may be especially instructive. If cybercriminals are using DMARC to protect themselves from impersonation, why are only 15% of all corporate domains likewise defended, especially when phishing-based impersonation attacks can result in lost business, lawsuits and reputational damage?

Part of the reason is that while attaching a DMARC record to a domain is a relatively simple proposition, implementing DMARC across an enterprise’s total universe of domains—which can span hundreds or even several thousand domains—can be cumbersome and complicated.

But according to a study from Forrester Research, DMARC deployments using automated implementation tools have been shown to drive phishing-based brand impersonations to near zero almost instantly.

Of course, there may be another less obvious reason to implement DMARC, posthaste. Given Cosmic Lynx’s analytical acumen, it’s possible that a lack of DMARC protections signals that an organization is also lax about employing the kind of identity-based phishing defenses required to block BEC attacks spoofing its own or other companies’ legitimate domains.

Just the fact that an Eastern European cybercriminal organization is now engaging in BEC scams, until now the purview of less-sophisticated email fraud rings in West Africa, is cause enough for concern. The fact that this organization is actively modulating its BEC attacks based on the status of an organization’s DMARC regime?

That should be setting off alarms the world over.

To learn more about how Cosmic Lynx exploits DMARC in its phishing attacks, download our new threat actor dossier, Cosmic Lynx: The Rise of Russian BEC.