“A 3 month analysis of the top US malicious email campaigns shows DMARC would have identified 90% of these malicious attacks”
Over 20 months ago, industry titans including PayPal, Google, Microsoft, Yahoo!, AOL, and Facebook banded together to launch DMARC, a new approach to reducing email phishing and spamming. In the short period since, DMARC has been deployed rapidly and now covers 80% of US consumers and over 60% of consumers globally.
A known issue is that DMARC only reports back to the owner of a domain. That leaves a brand open to phishing attacks on its consumers from domains it does not own but that appear visually similar, sometimes referred to as cousin domains. For example, a spammer could use Fceboook.com and carry out an attack, pretending to be Facebook. Even if Fceboook.com were DMARC-enabled, the DMARC authentication results would be reported to the owner of Fceboook.com, presumably the criminal, and the attack would not be stopped. This has led some to question the effective coverage DMARC provides, i.e. “how big of a net does DMARC cast?”
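To make the cousin-domain gap concrete, here is an added example (not Agari's code, and not part of the original post) that models the DMARC alignment decision and shows why a lookalike domain the attacker controls passes it, then adds a separate lookalike check against a constructed list of protected brand domains. The domains, message samples, homoglyph table and distance threshold are all assumptions chosen for illustration; real relaxed alignment and registered-domain extraction use the public suffix list rather than the simplifications here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the brand domains DMARC actually protects.
PROTECTED_DOMAINS = {"facebook.com", "paypal.com"}


@dataclass
class Message:
    from_domain: str                   # RFC5322.From domain shown to the user
    spf_domain: Optional[str] = None   # domain whose SPF check passed, if any
    dkim_domain: Optional[str] = None  # d= of a DKIM signature that verified, if any


def _same_org(a: str, b: str) -> bool:
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    (Assumption: real DMARC compares organizational domains via the public suffix list.)"""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_pass(msg: Message) -> bool:
    """DMARC passes when SPF or DKIM passed AND that identifier aligns with the
    From domain. It says nothing about who owns that domain."""
    return any(
        auth is not None and _same_org(msg.from_domain, auth)
        for auth in (msg.spf_domain, msg.dkim_domain)
    )


def registered_domain(domain: str) -> str:
    """Last two labels (simplification; real code uses the public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def normalize_label(label: str) -> str:
    """Fold common visual substitutions so 'paypa1' compares as 'paypal'.
    The substitution table is an illustrative assumption, not an exhaustive list."""
    folded = label.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_of(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> Optional[str]:
    """Return the protected domain that `domain` imitates, or None if it is
    either a protected domain itself or not close to any of them."""
    reg = registered_domain(domain)
    if reg in protected:
        return None
    label = normalize_label(reg.split(".")[0])
    best = None
    for p in sorted(protected):
        d = levenshtein(label, normalize_label(p.split(".")[0]))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, p)
    return best[1] if best else None


def evaluate(msg: Message) -> str:
    """Combine DMARC with the lookalike check. A cousin domain can be fully
    DMARC-aligned because the attacker owns it, so it needs its own check."""
    target = cousin_of(msg.from_domain)
    if target:
        return f"cousin-domain:{target}"
    return "dmarc-pass" if dmarc_pass(msg) else "dmarc-fail"


if __name__ == "__main__":
    samples = [  # constructed messages
        Message("facebook.com", spf_domain="facebook.com"),        # legitimate
        Message("facebook.com", spf_domain="spammer.example"),     # spoof, DMARC fails
        Message("fceboook.com", spf_domain="fceboook.com",
                dkim_domain="fceboook.com"),                       # cousin, DMARC-aligned
        Message("paypa1.com", dkim_domain="paypa1.com"),           # homoglyph cousin
    ]
    for m in samples:
        print(f"{m.from_domain:15} dmarc={dmarc_pass(m)!s:5} verdict={evaluate(m)}")
```

The third sample is the post's Fceboook.com case: SPF and DKIM both align with the From domain, so `dmarc_pass` returns True and the reports go to whoever registered that domain; only the lookalike check flags it. Keep the distance threshold low and the protected list short in practice, or legitimate unrelated domains start matching.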
Agari’s DMARC-based service uses several additional techniques and partners to address the cousin domain issue, but being the data geeks we are, we decided to study this issue more closely. Working with our partner Malcovery, Agari studied the top US email-based phishing, spam and malware campaigns during the July-September 2013 period*. Of the 83 unique campaigns observed, DMARC would have addressed 77, or 90%, of these attacks.
While these results are encouraging, Agari also wondered how this would change moving forward. How would criminals respond to DMARC-protected brands? We studied our early adopter clients who have had DMARC in place for more than 2 years. By looking at their abuse statistics, it seems that criminals have indeed tried to “go around” DMARC and have used domains not covered by Agari’s service, but only in small quantities. The overall level of attacks is still down 90% on average compared to before their DMARC deployments. It therefore appears that, from both a frequency and an effectiveness perspective, criminals have not been as successful using cousin domains. One question we hope to explore in future studies is why this is the case.