Despite the lessons of the hacking of Clinton campaign chairman John Podesta's email account and the subsequent release of sensitive emails on WikiLeaks, little progress has been made since the 2016 US presidential election. As the 2020 election cycle revs up, campaigns are still struggling with email security, primarily because few of the current and most prominent candidates have dedicated staff or resources to implement effective defenses. In fact, over 90% of the current presidential contenders rely on the easily bypassed security controls built into their email platforms, almost exclusively G Suite and Microsoft. While these controls offer basic defenses against bulk spam and malware, they won't protect against the targeted spear phishing and identity-deception attacks likely to be aimed at campaign staff.
And that's not the only kind of email threat candidates should fear. As of April 29, ACID analysis of domain data indicates only one of the leading candidates polling over 1%, Massachusetts Senator Elizabeth Warren (D), has published a DMARC record for the campaign's domains at an enforcement policy (quarantine or reject), the setting that tells receiving mail servers to block messages that forge the campaign's or the candidate's domain in the From: address when targeting donors, voters, and others. A record at p=none only generates reports and blocks nothing. DMARC enforcement stops exact-domain spoofing; it does not stop lookalike domains or display-name impersonation, which is why the platform controls above still matter. Given the stunning success of phishing and disinformation operations during the 2016 election cycle, 2020 is surely in the crosshairs of world-class hackers, especially as more than 90% of the leading candidates remain open to having their own domains spoofed.
ACID analysis finds continued volatility in the identity-deception tactics used by the cybercriminal organizations behind a growing number of BEC scams. The share of identity-deception phishing attacks that rely on a forged display name impersonating a trusted individual or brand has dropped to 53%, but most troubling has been the steady increase in the use of compromised email accounts. From January through March 2019, 27% of all identity-deception attacks were launched from compromised accounts, an increase of nearly 30% over the previous quarter, making this the second-most prevalent identity-deception technique. Phishing attacks launched from compromised accounts are by far the hardest to detect and disrupt: the message comes from a genuine, previously trusted address and passes SPF, DKIM, and DMARC, so neither domain authentication nor a display-name check flags it. That makes such attacks especially effective at defrauding the rightful owners of the account as well as the businesses they correspond with.
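To show why the two tactics above differ so much in detectability, here is an added example (not from the report and not Agari code) that triages From: headers against a roster of protected identities. The roster, domains, and sample headers are constructed for illustration; the `dmarc_pass` flag stands in for the Authentication-Results a real gateway would supply. A forged display name on a free-mail or lookalike domain is caught, an exact-domain spoof is caught by DMARC, but a message from a compromised internal account is indistinguishable here from a legitimate one.

```python
import email.utils

# Constructed roster of protected identities (the people attackers most often impersonate),
# mapped to the domain their real mailbox lives on. Not real data.
TRUSTED_ROSTER = {
    "jane doe": "example.org",   # hypothetical CEO
    "sam lee": "example.org",    # hypothetical CFO
}
ORG_DOMAINS = {"example.org"}

# Constructed sample From: headers paired with whether DMARC-aligned authentication passed.
SAMPLE_MESSAGES = [
    ("Jane Doe <jane.doe@example.org>", True),       # legitimate, or a compromised account
    ("Jane Doe <jane.doe@example.org>", False),      # exact-domain spoof, fails DMARC
    ('"Doe, Jane" <janedoe.ceo@gmail.com>', True),   # display-name deception from free mail
    ("Jane Doe <jane.doe@examp1e.org>", True),       # lookalike domain the attacker controls
    ("Vendor Billing <ap@vendor.example>", True),    # unrelated external sender
]


def normalize_name(display: str) -> str:
    """Lower-case, collapse whitespace, and flip 'Last, First' into 'first last'."""
    display = display.lower()
    if "," in display:
        last, first = display.split(",", 1)
        display = f"{first} {last}"
    return " ".join(display.split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used as a cheap lookalike-domain heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header: str, dmarc_pass: bool) -> str:
    """Label one message by the identity-deception tactic its From: header exhibits."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = normalize_name(display)

    if domain in ORG_DOMAINS:
        # Our own domain in From:. DMARC decides whether it was really sent by us.
        if not dmarc_pass:
            return "exact-domain-spoof"
        # Authenticated mail from our domain: a legitimate user OR a compromised
        # account. Nothing in the header distinguishes the two.
        return "authenticated-internal"

    if name in TRUSTED_ROSTER:
        # A protected name on a foreign domain. DMARC passes for the attacker's own
        # domain, so only the name/domain mismatch gives it away.
        if any(edit_distance(domain, d) <= 2 for d in ORG_DOMAINS):
            return "lookalike-domain"
        return "display-name-deception"

    return "external"


def triage(messages) -> list:
    """Classify a batch of (from_header, dmarc_pass) pairs."""
    return [classify(hdr, ok) for hdr, ok in messages]


if __name__ == "__main__":
    for (hdr, ok), label in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{label:24} dmarc_pass={ok!s:5} {hdr}")
```

The `authenticated-internal` bucket is the problem the paragraph describes: once an attacker holds the real mailbox, the header and authentication layers are clean, and detection has to fall back to behavioural signals (unusual recipients, payment-change language, sending patterns) rather than identity checks.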
According to the Q2 ACID Phishing Incident Response Survey of 176 SOC professionals at 325 organizations with 1,000+ employees, the number of employee-reported phishing emails climbed 25% in the past quarter, raising the volume of incidents corporate security operations centers (SOCs) must remediate to an average of more than 29,000 per year. Over the same period, the average time needed to triage, investigate, and remediate each incident rose to 6.5 hours. While the average number of SOC analysts per organization increased to 14, the gap between that figure and the number respondents say they need (90) widened.
By the end of March 2019, ACID identified 6.75 million domains with valid DMARC records out of 328 million total domains examined as part of the industry's largest ongoing study of DMARC adoption worldwide. Germany ranks first in the raw number of domains with DMARC records, though the United States maintains the highest percentage of DMARC-enabled domains at a reject policy. Overall, the number of domains with DMARC records rose 1% quarter over quarter, a much slower rate of growth than in the previous quarter. Without a DMARC record at an enforcement policy, the vast majority of the world's most prominent companies, including nearly 90% of the Fortune 500, remain vulnerable to email-based impersonation attacks targeting their customers, partners, and other businesses.
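The distinction the candidate and Fortune 500 figures above turn on is not whether a DMARC record exists but whether it enforces. Here is an added example (not from the report and not Agari code) that parses DMARC TXT records and reports the policy a receiver would actually apply, including the three ways a published record still blocks nothing: p=none, a pct below 100, and sp=none leaving subdomains open. The domain names and records are constructed for illustration and are not any campaign's or company's real DNS data; in practice the record is fetched with `dig TXT _dmarc.<domain>`, but it is embedded here so the code runs offline. Parsing follows RFC 7489 section 6.3; treating an invalid pct as the default of 100 is a simplification.

```python
from typing import Optional

# Constructed sample records for illustration. None of these is a real domain's DNS data.
SAMPLE_RECORDS = {
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":       "v=DMARC1; p=reject; pct=10; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    "enforced.example":      "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "no-record.example":     None,                                    # no _dmarc TXT at all
    "broken.example":        "v=spf1 include:_spf.example -all",      # SPF published at _dmarc by mistake
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt: Optional[str]) -> dict:
    """Parse the 'tag=value;' list of a DMARC TXT record into a dict of lower-cased tags.

    Returns {} when there is no record or when the first tag is not v=DMARC1
    (RFC 7489 6.3: the version tag must come first and its value is case-sensitive).
    """
    if not txt:
        return {}
    parts = [p.strip() for p in txt.split(";")]
    first = parts[0].split("=", 1)
    if len(first) != 2 or first[0].strip().lower() != "v" or first[1].strip() != "DMARC1":
        return {}
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(tags: dict, for_subdomain: bool = False) -> str:
    """Return the policy a receiver applies to a failing message.

    sp= overrides p= for subdomains of the organizational domain; a missing or
    unrecognized policy value is reported as 'invalid'.
    """
    policy = tags.get("p", "").lower()
    if for_subdomain and tags.get("sp"):
        policy = tags["sp"].lower()
    return policy if policy in VALID_POLICIES else "invalid"


def is_enforced(txt: Optional[str], for_subdomain: bool = False) -> bool:
    """True only when every failing message is quarantined or rejected.

    p=none is monitoring only, and pct<100 tells receivers to enforce on just
    that percentage of failing mail, so both count as not enforced.
    """
    tags = parse_dmarc(txt)
    if not tags:
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # simplification: fall back to the default when pct is unparseable
    return effective_policy(tags, for_subdomain) in ("quarantine", "reject") and pct == 100


def assess(records: dict) -> dict:
    """Map domain -> (org-domain policy, subdomain policy, fully enforced?)."""
    out = {}
    for domain, txt in records.items():
        tags = parse_dmarc(txt)
        if not tags:
            out[domain] = ("missing", "missing", False)
            continue
        out[domain] = (
            effective_policy(tags),
            effective_policy(tags, for_subdomain=True),
            is_enforced(txt) and is_enforced(txt, for_subdomain=True),
        )
    return out


if __name__ == "__main__":
    for domain, (p, sp, ok) in assess(SAMPLE_RECORDS).items():
        print(f"{domain:24} p={p:10} sp={sp:10} enforced={ok}")
```

Only `enforced.example` counts as protected: the others either publish a record for reporting alone, enforce on a fraction of traffic, or leave every subdomain spoofable, which is the gap between "has a DMARC record" and "has a policy that would prevent impersonation".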
In this quarterly report, we examine trends in phishing and email fraud perpetrated against businesses and their customers.
For the first time, we also track adoption of both Domain-based Message Authentication, Reporting and Conformance (DMARC) and Advanced Threat Protection among presidential candidates seeking their parties' nominations heading into the 2020 US elections. This report includes a look at which campaigns may be most vulnerable to email-based impersonation scams that can damage candidates' reputations, operational effectiveness, fundraising efforts, and even national security.
Also included are the results from our quarterly survey on the impact of phishing incident response in the enterprise, and the burden and cost for a security operations center (SOC) team to respond to employee-reported emails. The statistics presented here reflect information captured from the following sources from January through March 2019:
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide BEC and spear phishing investigation. ACID supports Agari’s mission of protecting communications so that humanity prevails over evil. The ACID team uncovers identity deception tactics, criminal group dynamics, and relevant trends in advanced email threats. Created by Agari in 2018, ACID helps to impact the cyber threat ecosystem and mitigate cybercrime activity by working with law enforcement and other trusted partners.