How Cybercriminals Cheat Email Authentication

1. Webinar: How Cybercriminals Cheat Email Authentication September 29, 2015 #BeyondDMARC

2. Welcome! • Follow us on Twitter @StopEmailFraud. • Use our hashtag #BeyondDMARC. • Please type in your questions using the chat box. • Yes! We’ll send you a recording.

3. Welcome! Matthew Moorehead Strategic Project Manager Email Fraud Protection Return Path @mattmooreheadRP Liz Dennison Content Marketing Manager Email Fraud Protection Return Path @LizKONeill Ash Valeski Senior Product Manager Email Fraud Protection Return Path

4. Agenda • The Email Fraud Problem. • Email Authentication Best Practices. • Real-time Insights into All Email Attacks. • Tactics Fraudsters Use to Cheat Email Authentication. • Unite Against Email Fraud. • Q&A.

5. The Email Fraud Problem

6. Email Fraud Is on the Rise 5 out of 6 big companies are targeted with phishing attacks Phishing costs brands worldwide $4.5 billion each year RSA identifies a phishing attack every minute Email fraud has up to a 45% conversion rate Source: EMC, Google

7. Hard Cost Impact Fraud Losses Malware Infection Investigation Remediation

8. Revenue Impact • Reduced trust in brand: • Customers and subscribers don’t know what to trust • Reduced effectiveness of email: • Consumer mailbox providers don’t know what to trust Customers are 42% less likely to interact with a brand after being phished or spoofed.

9. to: You <you@yourdomain.com> from: Phishing Company <phishingcompany@spoof.com> subject: Unauthorized login attempt Dear Customer, We have recieved noticed that you have recently attempted to login to your account from an unauthorized device. As a saftey measure, please visit the link below to update your login details now: http://www.phishingemail.com/updatedetails.asp Once you have updated your details your account will be secure from further unauthorized login attempts. Thanks, The Phishing Team 1 attachment Making an email look legitimate by spoofing the company name in the “Display Name” field. Tricking email servers into delivering the email to the inbox by spoofing the “envelope from” address hidden in the technical header of the email. Including logos, company terms, and urgent language in the body of the email. Making an email appear to come from a brand by using a legitimate company domain, or a domain that looks like it in the “from” field. Creating convincing subject lines to drive recipients to open the message. Including links to malicious websites that prompt users to give up credentials Including attachments containing malicious content. Anatomy Of A Phishing Email

10. Email Authentication Best Practices

11. Email Authentication Keeps Bad Email Out Authenticating email helps ensure your legitimate messages reach your customers, and malicious messages don’t. There are three key authentication protocols to know: 1. SPF (Sender Policy Framework) 2. DKIM (DomainKeys Identified Mail) 3. DMARC (Domain-based Message Authentication Reporting & Conformance)

12. How DMARC Works Email received by mailbox provider Has DMARC been implemented for “header from” domain? Does email fail DMARC authentication? Mailbox provider runs filters QUARANTINE NONE REJECT Apply domain owners policy YESYES NO NO Deliver Report to Sender Control & Visibility

13. Phishing Emails DMARC Would Block

14. But Email Authentication Isn’t Enough 30% spoof your domain •Active Emailing Domains •Non-Sending Domains •Defensively-registered Domains 70% spoof your brand in other ways • Cousin Domains • Display Name Spoofing • Subject Line Spoofing • Email Account Spoofing Source: Return Path / APWG White Paper, 2014

15. Real-Time Insights Into All Email Attacks

16. The Return Path Data Cloud Contactually Molto ParibusGetAirHelp Message Finder UnsubscriberOrganizer

17. EMAIL THREAT DATA · Consumer inbox data · Email delivery data · Authentication results · Message level data · SPAM trap & complaints data EMAIL THREAT INTELLIGENCE · Domain-spoofing alerts · Brand-spoofing intelligence · Suspicious activity map · Fraudcaster URL feed · Sender Score: IP reputation

18. Tactics Fraudsters Use to Cheat Email Authentication

19. Tapping Into the Return Path Data Cloud • 40 day period (July and August 2015). • Analyzed over 240 billion emails from more than 100 data feeds. • Identified over 760,000 email threats targeting 40 top brands.

20. Tactic 1: Snowshoeing • No discernible pattern to suggest that the biggest phishing attacks are launched on distributed IP addresses. • But 22 of the 76 medium-sized attacks were sent from distributed IPs. • Assessing IP reputations should continue to provide value.

21. Tactic 2: Subject Line Spoofing The minority of serialized subject lines we did find fell under four interesting themes: 1. Social media scams 2. Account security 3. Calls to action with reference number 4. HR Scams

22. Tactic 2: Subject Line Spoofing • Urgency is a key theme in subject line spoofing. • Fraudsters prefer a template-based approach.

23. Tactic 3: Display Name Spoofing • In the majority of email threats, fraudsters spoof elements of the Header From field. • Nearly half of all email threats spoofed the brand in the Display Name.

24. Unite Against Email Fraud Tips for defending your customers, your brand, and your bottom line.

25. #1: Authenticate Your Email DMARC (Domain-based Message Authentication Reporting & Conformance): • DMARC prevents domain-based spoofing by blocking fraudulent activity appearing to come from domains under your control. • DMARC provides an email threat reporting mechanism (aggregate and forensic data). • Use our DMARC Check Tool to query your domain's record and validate that it is up to date with your current policy: bit.ly/DMARCcheck.

26. “Simply put, the DMARC standard works. In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.” Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs

27. #2: Get Visibility Into Email Threats Email Threat Intelligence is the only way to: • Address the 70% of email attacks that spoof your brand using domains your company does not own (brand spoofing). • Get visibility into all types of email threats targeting your brand today.

28. Defend Your Customers, Brand, and Bottom Line Detect & block fraudulent emails spoofing your brand before they hit consumer inboxes Bolster malicious URL takedown efforts with real-time email threat detection Reduce spend on fraud reimbursements, phishing remediation, and customer service costs

29. “If you boil the jobs down of [IT security professionals], they are ultimately tasked with protecting the brand… If you have a breach, research suggests that 60% of your customers will think about moving and 30% actually do.” Bryan Littlefair, Global Chief Information Security Officer, Aviva

30. THANK YOU! Want more? Download “The Email Threat Intelligence Report”. bit.ly/EmailThreatIntel