From July through October 2018, attackers overwhelmingly used display name deception to launch business email compromise attacks, stealing money and credentials from their victims while damaging trust in the brands and domains they impersonated. Among Agari’s findings:

  • 54% of attacks leveraged impersonated brands, particularly Microsoft and Amazon, in the sender display name to convince victims the email was legitimate.
  • Raw DMARC policy adoption rose by 51%, according to the most comprehensive DMARC snapshot to date—but not all DMARC adoption was benevolent.
  • The US federal government sector led DMARC policy adoption, with a 76% DMARC reject rate.

Download your copy of the Q4 2018 Email Fraud and DMARC Adoption Trends report now to learn which brands and identities were targeted most and how DMARC authentication helps businesses protect their brands and domains.

Inbound Attack Trends

The Language of Deceit

With rising cybercrime representing a serious threat to individuals, businesses, and governments, it’s vitally important to establish a consistent set of terms to describe the different challenges that make up this threat. Not every email scam is a “phishing attack,” for instance.

To address this need, Agari has developed a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out, and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.

language-deceit-taxonomy-2019

For more information about the Agari Threat Taxonomy, see agari.com/taxonomy

Because email fraud centers around identity deception, or the impersonation of trusted senders in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account—making it appear as if the emails the impostor is sending are originating from the trusted party.

Generally speaking, we observed three primary ways in which cybercriminals impersonate an email account:

LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain they’re seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the From header (e.g. “Company Customer Service” <noreply@company.com>). Email authentication standards, such as DMARC, can be used by a domain owner to prevent spoofing of their domain, but have still not been adopted by all businesses. Domain spoofing is addressed in Part 2 of this report.

DISPLAY NAME DECEPTION: The cybercriminal inserts the name of the impersonated individual or brand into the “from” field within Gmail, Yahoo, or other free cloud-based email platforms. This is also known as a “friendly from” attack.

display-name-deception-q4-2019

COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.
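The three techniques above differ in what the From header looks like, which is what a receiver can actually inspect. The following classifier is an added example, not Agari’s code or data: it maps a From header onto the taxonomy using a constructed allow-list of trusted brands and their domains, a constructed edit-distance threshold for look-alike domains, and a `dmarc_pass` flag standing in for the DMARC verdict a receiver would read from its Authentication-Results header. It also shows why DMARC cannot help with display name deception: the sending domain in that case is not the impersonated one.

```python
from email.utils import parseaddr

# Constructed allow-list for illustration: brand keyword expected in a display
# name -> the domains that brand legitimately sends from. The brands come from
# the report; the domain values are assumptions, not Agari data.
TRUSTED = {
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "company": {"company.com"},  # the report's own noreply@company.com example
}
LOOKALIKE_MAX_EDITS = 2  # constructed threshold; tune per deployment


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to flag look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from_header(from_header: str, dmarc_pass: bool = False) -> str:
    """Map a From: header onto the report's impersonation techniques.
    dmarc_pass is the receiver's DMARC result (assumed input); no DMARC
    evaluation is performed here."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    legit = {d for ds in TRUSTED.values() for d in ds}
    # 1. Exact (or sub-) domain of a trusted sender: DMARC decides. A pass is
    #    either genuine mail or a compromised account, which header analysis
    #    alone cannot tell apart; a fail is domain spoofing.
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return "authenticated-domain" if dmarc_pass else "domain-spoofing"
    # 2. A domain within a few edits of a trusted one: look-alike domain.
    if any(edit_distance(domain, d) <= LOOKALIKE_MAX_EDITS for d in legit):
        return "look-alike-domain"
    # 3. Trusted brand named in the display name but sent from an unrelated
    #    (e.g. free webmail) domain: display name deception. DMARC never sees
    #    this case, because the sending domain is not the impersonated one.
    if any(brand in name.lower() for brand in TRUSTED):
        return "display-name-deception"
    return "no-impersonation"
```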

Different types or classes of attacks will entail different elements of this taxonomy.

A business email compromise (BEC) attack, for instance, can involve an imposter who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.

By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password.

Angle of Attack:
Display Name Deceptions Dominate

When attacking businesses, display name deception is the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.

Imposter Syndrome

From July through October 2018, Agari data indicates 62% of all identity-deception-based attacks leveraged display name deception aimed at impersonating a trusted individual or brand—typically an outside vendor, supplier, or partner. This aligns with long-term findings, with display name deception remaining the preferred tactic over look-alike domains and simple domain spoofing.

Breaking this down further, attackers demonstrated a strong preference for impersonating trusted brands over individuals—54% vs. 8%, respectively. Perhaps this reflects the ease of impersonating generalized email notifications or departmental email, compared with the risk that a fraudulent message from a known individual may quickly be spotted.

imposter-syndrome-advanced-attacks-2019

In either scenario, display name deceptions can be hard for many email systems to detect. For instance, add-on modules designed to enhance detection of attacks on a company’s own top executives can miss attacks designed to impersonate anyone else, whether it’s a trusted lawyer to the company or the electronic document signing system they use.

A successful account takeover not only affords fraudsters the ability to impersonate the account’s owner, but it also gives them access to all of the individual’s contacts, historical emails to craft more targeted cons, and more. With a growing marketplace for stolen email login credentials on the dark web, it’s feared this form of attack will become more prominent in the coming months.

The data also shows that 3% of attacks stemmed from accounts that had been compromised in an account takeover. While the percentage of compromised account attacks is small relative to other techniques, this represents a serious vulnerability for the company involved.

Vertically Challenged:
Top Attack Modes by Industry

In most cases, trends align in terms of the forms of identity deception perpetrated against businesses. But there is some variation by industry.

As you can see in the chart below, the manufacturing and logistics/transportation industries experienced a disproportionate percentage of attacks leveraging look-alike domains during the third quarter. Transportation businesses captured in the Agari Identity Graph include major airlines. While it’s unclear why attackers would find more success with look-alike domains in these industries, it’s possible the high-value targets they seek are more deskbound than in other businesses, making display name deceptions a little harder to pull off.

attack-types-vertical-2019

However, it’s also worth noting that both manufacturing and food processing see the highest number of display name deception attacks impersonating specific individuals of any industry. And when it comes to display name attacks impersonating brands, broadcasting and media see the highest overall volumes within the Agari customer base, followed by manufacturing, education, and healthcare.

Fraudsters’ Go-To Disguise:
Microsoft is #1 Most Impersonated Brand

It’s true: Microsoft appears to work magic for cybercriminals seeking to impersonate the company’s multitude of sub-brands across all forms of attack. But Amazon isn’t far behind.

brands-impersonation-attacks-2019

Maybe it’s OneDrive, Office 365, or just Microsoft as a whole. Whatever the case, fraudsters overwhelmingly impersonate some unit of this major brand when launching email-based attacks. And that’s true whether an attack is targeting personnel at any level of a business or key executives. Beyond that top spot, however, attack preferences diverge depending on the target.

Below is a prototypical example of an attack that leveraged the Microsoft brand and coincidentally bypassed the protections of Microsoft Office 365 Exchange Online Protection:

brand-impersonation-microsoft-2019

Can’t DMARC Authentication Help? It’s worth noting that every one of these brands has a DMARC authentication policy of Reject, which protects their domains from spoofing. Display name deception attacks bypass any DMARC authentication controls and, it seems, virtually all secure email gateways. While these brands have taken steps to prevent their own domains from being spoofed, cybercriminals are still using display name deception to execute phishing and advanced email attacks.

When it comes to targeting employees overall, email attackers impersonate Microsoft 35.87% of the time, followed by Amazon at 26.79%. Think Amazon Web Services (AWS), A9, and even Amazon Prime. Bank of America rounds out the top three impersonations for this broad audience, whether it’s targeting the finance department or the general employee base.

For attacks targeting high-value executive targets, it’s Microsoft by a mile—accounting for 7 out of 10 brand impersonations. Dropbox is a distant second, followed by United Parcel Service (UPS). File sharing services such as Dropbox or OneDrive are common impersonation targets because they can link to a file with embedded malware and are common within many companies, lowering user scrutiny of the message.

impersonation-attacks-executives-2019

As an example, Agari blocked a targeted Office 365 “Update” email specifically directed at a Chief Intellectual Property Counsel for a major manufacturing firm. For this attack, the attacker’s goal was likely to sit in stealth to silently harvest corporate assets—potentially a company audit report or new corporate M&A activity.

brand-impersonation-attack-microsoft-2019

In most attacks involving these or the rest of the top 10 most impersonated brands, phishing scams are likely aimed at credential harvesting, in hopes of hijacking accounts from which to launch more highly targeted attacks of all kinds, including wire-fraud-based BEC schemes. Leveraging the weakness email gateways have in detecting and mitigating display name deception, attackers attempted to exploit the relationship employees have with trusted major technology and financial brands.

A case in point was the carefully crafted Amazon brand impersonation sent to an AWS admin for a software/SaaS company. This credential phishing attack was especially pernicious given the dependence many enterprises place on the web and compute services provided by AWS.

brand-impersonation-amazon-web-services-2019

Key Findings
  • Display Name Deception was the clear attacker technique of choice for BEC attacks
  • 54% of attacks leveraged impersonated brands in the display name, with Microsoft and Amazon being the brands of choice
  • When targeting executives and high-value targets at organizations, Dropbox replaced Amazon as the second-most impersonated brand
  • Compromised accounts—the most difficult to address—accounted for 3% of attacks