To address this need, Agari has developed a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out, and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.
For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Because email fraud centers around identity deception, or the impersonation of trusted senders in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account—making it appear as if the emails the impostor is sending are originating from the trusted party.
Generally speaking, we observed three primary ways in which cybercriminals impersonate an email account:
LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain they’re seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the From header (e.g. “Company Customer Service” <firstname.lastname@example.org>). Email authentication standards, such as DMARC, can be used by a domain owner to prevent spoofing of their domain, but are still not adopted widely by all businesses. Domain spoofing is addressed in Part 2 of this report.
DISPLAY NAME DECEPTION: The cybercriminal inserts the name of the impersonated individual or brand into the “from” field within Gmail, Yahoo, or other free cloud-based email platforms. This is also known as a “friendly from” attack.
COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.
Different types or classes of attacks will entail different elements of this taxonomy.
A business email compromise (BEC) attack, for instance, can involve an imposter who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.
By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
During July 2018 through October 2018, Agari data indicates 62% of all identity deception-based attacks leveraged display name deception aimed at impersonating a trusted individual or brand—typically an outside vendor, supplier, or partner. This aligns with long-term findings, with display name deception remaining the preferred tactic over look-alike domains and simple domain spoofing.
Breaking this down further, attackers demonstrated a strong preference for impersonating trusted brands versus individuals—54% vs. 8%, respectively. Perhaps this indicates the ease of impersonating generalized email notifications or departmental email vs. the risk that a fraudulent message from a known individual may quickly be spotted.
In either scenario, display name deceptions can be hard for many email systems to detect. For instance, add-on modules designed to enhance detection of attacks on a company’s own top executives can miss attacks designed to impersonate anyone else, whether it’s a trusted lawyer to the company or the electronic document signing system they use.
A successful account takeover not only affords fraudsters the ability to impersonate the account’s owner, but it also gives them access to all of the individual’s contacts, historical emails to craft more targeted cons, and more. With a growing marketplace for stolen email login credentials on the dark web, it’s feared this form of attack will become more prominent in the coming months.
The data also shows 3% of attacks stemming from compromised accounts that were involved in an account takeover. While the percentage of compromised account attacks is small relative to other techniques, this represents a serious vulnerability for the company involved.
As you can see in the chart below, the manufacturing and logistics/transportation industries experienced a disproportionate percentage of attacks leveraging look-alike domains during the third quarter. Transportation businesses captured in the Agari Identity Graph include major airlines. While it’s unclear why attackers would find more success with look-alike domains in these industries, it’s possible the high-value targets they seek are more deskbound than other businesses, making display name deceptions a little harder to pull off.
However, it’s also worth noting that both manufacturing and food processing see the highest number of display name deception attacks impersonating specific individuals of any industry. And when it comes to display name attacks impersonating brands, broadcasting and media see the highest overall volumes within the Agari customer base, followed by manufacturing, education, and healthcare.
Maybe it’s OneDrive, Office 365, or just Microsoft as a whole. Whatever the case, fraudsters overwhelmingly impersonate some unit of this major brand when launching email-based attacks. And that’s true whether an attack is targeting personnel at any level of a business or key executives. But on that score, attack preferences deviate from there.
Below is a prototypical example of an attack that leveraged the Microsoft brand and coincidentally bypassed the protections of Microsoft Office 365 Exchange Online Protection:
Can’t DMARC Authentication Help?
It’s worth noting that every one of these brands has a DMARC authentication policy of Reject, which would protect their domains from spoofing. Display name deception attacks bypass any DMARC authentication controls and, it seems, virtually all secure email gateways. While these brands have taken steps to prevent their own domains from being spoofed, cybercriminals are still using display name deception to execute phishing and advanced email attacks.
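As an added example (not Agari’s code and not part of the original report), the following Python maps an inbound From header onto the three impersonation methods described earlier and shows why a DMARC verdict only speaks to the exact-domain case: the trusted-sender list, its domains, the similarity threshold and the dmarc_result parameter are all assumptions made for the example.

```python
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed allow-list: trusted display names/brands and the domains they legitimately send from.
TRUSTED_SENDERS = {
    "Microsoft": {"microsoft.com", "microsoftonline.com"},
    "Amazon": {"amazon.com", "amazonaws.com"},
    "Jane Doe": {"example.com"},
}

def parse_from(from_header):
    """Split a From: header into (display name, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), domain

def registrable(domain):
    # Naive: last two labels (enough for the constructed sample; no public-suffix list here).
    return ".".join(domain.split(".")[-2:])

def matched_identity(display_name):
    """Return the trusted identity whose name appears in the display name, if any."""
    low = display_name.lower()
    for ident in TRUSTED_SENDERS:
        if ident.lower() in low:
            return ident
    return None

def is_lookalike(domain, legit_domains):
    """True when the sender domain is close to, but not equal to, a legitimate domain."""
    for legit in legit_domains:
        a, b = registrable(domain), registrable(legit)
        if a != b and SequenceMatcher(None, a, b).ratio() >= 0.8:  # assumed threshold
            return True
    return False

def classify(from_header, dmarc_result="none"):
    """Map a From: header plus the DMARC verdict ('pass', 'fail', 'none') to a taxonomy label."""
    name, domain = parse_from(from_header)
    ident = matched_identity(name)
    if ident is None:
        return "no-impersonation-indicator"
    legit = TRUSTED_SENDERS[ident]
    if domain in legit:
        # Exact domain: only here does DMARC separate genuine mail from domain spoofing,
        # and a DMARC pass cannot rule out mail sent from a compromised legitimate account.
        return "authenticated-or-compromised" if dmarc_result == "pass" else "domain-spoofing"
    if is_lookalike(domain, legit):
        return "look-alike-domain"
    # Trusted name on an unrelated (often free-mail) domain: DMARC has nothing to say here.
    return "display-name-deception"
```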
When it comes to targeting employees overall, email attackers impersonate Microsoft 35.87% of the time, followed by Amazon at 26.79%. Think Amazon Web Services (AWS), A9, and even Amazon Prime. Bank of America rounds out the top three impersonations for this broad audience, whether it’s targeting the finance department or the general employee base.
For attacks targeting high-value executive targets, it’s Microsoft by a mile—accounting for 7 out of 10 brand impersonations. Dropbox is a distant second, followed by United Parcel Service (UPS). File sharing services such as Dropbox or OneDrive are common impersonation targets because they can link to a file with embedded malware and are common within many companies, lowering user scrutiny of the message.
As an example, Agari blocked a targeted Office 365 “Update” email specifically directed at a Chief Intellectual Property Counsel for a major manufacturing firm. For this attack, the attacker’s goal was likely to sit in stealth to silently harvest corporate assets—potentially a company audit report or new corporate M&A activity.
In most attacks involving these or the rest of the top 10 most impersonated brands, phishing scams are likely aimed at credential harvesting, in hopes of hijacking accounts from which to launch more highly targeted attacks of all kinds, including wire-fraud-based BEC schemes. Leveraging the weakness email gateways have in detecting and mitigating display name deception, attackers attempted to exploit the relationship employees have with trusted major technology and financial brands.
A case in point was the carefully crafted Amazon brand impersonation sent to an AWS admin for a software/SaaS company. This credential phishing attack was especially pernicious given the dependence many enterprises place on the web and compute services provided by AWS.