To address this need, ACID has established a classification system for cyber threats—a threat taxonomy—that breaks down common email-based attacks in terms of how they are carried out, and what the perpetrators aim to achieve. This taxonomy will help readers understand the terms used in this report and what they mean to email security.
For more information about the Agari Threat Taxonomy, see agari.com/taxonomy
Because email fraud centers around identity deception, or the impersonation of trusted senders in order to con recipients, we start with the method by which the impostor impersonates the trusted sender’s email account—making it appear as if the emails the impostor is sending are originating from the trusted party.
When it comes to email identity, the universe of good is finite, whereas the universe of bad is unlimited.
LOOK-ALIKE DOMAINS AND DOMAIN SPOOFING: With look-alike domains, the cybercriminal registers a domain that is very similar to the legitimate domain he or she is seeking to impersonate. Look-alike domains are distinguished from domain spoofing, in which the attacker uses the actual email address of the impersonated identity in the “From” header—for example, “Company Customer Service” <noreply@company.com>. Email authentication standards such as DMARC can be used by a domain owner to prevent spoofing of the domain, but they are still not widely adopted by businesses. Domain spoofing is addressed in Part 3 of this report.
DISPLAY NAME DECEPTION: The cybercriminal inserts the name of the impersonated individual or brand into the “From” field within Gmail, Yahoo, or another free cloud-based email platform. These are also known as “friendly from” attacks.
COMPROMISED ACCOUNT ATTACKS: The cybercriminal sends targeted requests from an account that’s already been compromised—assuming the identity and the actual email account of the impersonated individual or brand, which is the most dangerous threat of all.
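As an added illustration of how the three impersonation techniques above can be separated by inspecting a message's “From” header together with its DMARC result (example code added here, not from the report or any Agari product; the trusted-sender list and the set of free webmail providers are constructed assumptions):

```python
from email.utils import parseaddr

# Constructed sample data (assumption): the trusted domains a defender wants to
# protect, with the display names their legitimate mail carries.
TRUSTED = {
    "company.com": "Company Customer Service",
    "acme-vendor.com": "Acme Vendor",
}
# Constructed set of free cloud mail providers typically used for
# display name ("friendly from") deception.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss (look-alike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, dmarc_pass):
    """Map a From: header onto the taxonomy above.

    Returns one of: 'domain_spoofing', 'trusted_or_compromised',
    'look_alike_domain', 'display_name_deception', 'none'.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    name_l = name.lower()
    if domain in TRUSTED:
        # The exact trusted domain: a DMARC failure means the domain was
        # spoofed. A DMARC pass means the mail really left that domain, so
        # the header alone cannot distinguish a legitimate sender from a
        # compromised account; that needs behavioural signals, not headers.
        return "domain_spoofing" if not dmarc_pass else "trusted_or_compromised"
    for trusted_domain, trusted_name in TRUSTED.items():
        # A domain within two edits of a trusted one is a look-alike.
        if 0 < edit_distance(domain, trusted_domain) <= 2:
            return "look_alike_domain"
        # A trusted name in the display name but a free webmail address
        # is display name deception.
        if trusted_name.lower() in name_l and domain in FREE_WEBMAIL:
            return "display_name_deception"
    return "none"
```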
Different types or classes of attacks will entail different elements of this taxonomy.
A business email compromise (BEC) attack, for instance, can involve an impostor who aims to impersonate a trusted individual or brand using a look-alike domain, display name deception, or in the worst cases, a compromised legitimate account, leveraging sophisticated social engineering tactics to send highly personalized attacks. Impersonated individuals may be executives within the target’s own company, or an outside vendor or partner company. A BEC attack is targeted and uses a con with no URL or attachment.
By comparison, a phishing attack may use any identity deception technique and send more broad-based messages meant to fool someone into clicking on a malicious link that captures their username and password. When attacking businesses, display name deception is the tactic of choice for cybercriminals seeking to impersonate the email account of a trusted individual or brand.
Display name deception continues to be the tactic of choice for cybercriminals, accounting for 63% of all identity deception-based email attacks aimed at impersonating a trusted individual or brand—typically an outside vendor, supplier, or partner. But as this approach continues to gain traction over look-alike domains and simple domain spoofing, the nature of these impersonations appears to be in transition.
Fraudsters continue to favor impersonating trusted brands (50%) over trusted individuals (13%). But it’s notable that this report reflects a slight drop in brand impersonations from the previous quarter. It also corresponds with a 61% jump in impersonations of trusted individuals, up from just 8% 90 days earlier.
Notably, compromised accounts were used in 20% of identity-deception attacks. Legitimate email accounts that have been taken over by scammers can be an effective method to distribute phishing emails because they are, in a sense, trusted—allowing them to bypass mail filters more easily.
A potential driver for the proportion of attacks attributed to ATO-based email attacks could be the continually expanding marketplace on the dark web for stolen login credentials belonging to high-value targets.
The impact of this attack type cannot be overstated. Attacks launched from compromised email accounts are by far the hardest to detect and disrupt, making them a serious vulnerability for the account’s legitimate owner and the companies involved.
Indeed, a successful account takeover does not just give fraudsters the ability to impersonate the account’s owner. It also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives—making it possible to craft new scams made all the more galling by their extraordinary personalization and crushing effectiveness.
The remaining 17% of identity-deception emails use look-alike domains to send malicious content. While some of these domains can be simply spoofed and sent from basic mailing tools, others are registered by phishing threat actors. The cost associated with registering a domain reduces a scammer’s overall return on investment, which is why this tactic likely is not used more frequently. Why pay for infrastructure when you can create a free, temporary email account—especially when the success rate is likely the same?
Given that the objective of these schemes is to manipulate recipients into initiating wire transfers, malicious email messages appearing to come from the CEO and other C-suite executives can inspire prompt action—indicating this may be one of the primary email threats facing senior executives.
For more information on how cybercriminals target the C-level, see agari.com/londonblue
Meanwhile, compromised email accounts are leveraged only sparingly for attacks targeting senior executives, accounting for only 8% of attacks during the last three months of 2018. The targeted research and personalization such attacks require may explain this: executives appear to be far more lucrative to fraudsters when their high-value accounts can themselves be compromised and used to launch attacks against employees lower on the organizational chart.
Microsoft services continue to lead the way in brand impersonation attacks, consistent with trends seen over the last few years. During the final three months of 2018, 44% of brand deception attacks displayed a Microsoft service as a way to deceive victims—up from 36% in the third quarter of 2018. As the chart below indicates, the last quarter of 2018 featured a strong showing by the IRS from an impostor perspective.
As 2018 drew to a close, deception attacks impersonating the Internal Revenue Service (IRS) shot upward. Driven by the annual scourge of BEC scams aimed at stealing W-2 information in the run-up to tax filing season, nearly one in ten identity deception-based emails impersonated the IRS, up from two percent in the third quarter.
For attacks targeting high-value executive targets, Microsoft remains the top target—accounting for more than 8 out of 10 brand impersonations. Trailing far behind in second place is FedEx, followed by the IRS and UPS. Shipping services are a common impersonation target, especially around the holiday season, because the delivery of packages during this time of year is expected—making the phishing emails more contextually appropriate.
In most attacks involving these or other most impersonated brands, phishing scams are likely aimed at credentials harvesting, in hopes of hijacking accounts from which to launch more highly-targeted attacks of all kinds, including wire fraud-based BEC schemes.
Exploiting the weakness Secure Email Gateways have in detecting and mitigating display name deception, attackers attempt to abuse the relationship employees have with trusted technology and financial brands.
A case in point was the carefully crafted Amazon brand impersonation sent to an AWS admin at a software/SaaS company. This credential phishing attack was especially pernicious given the dependence many enterprises place on web and compute services provided by AWS.