
How Cybercriminals Cheat Email Authentication

Email fraud is rife and costs companies like yours millions.

Implementing the authentication standard DMARC (Domain-based Message Authentication, Reporting and Conformance) to block bad email before it reaches consumer inboxes is a great first step. But DMARC alone isn’t enough: it protects your brand from only 30% of email-borne attacks.

We tapped into the Return Path Data Cloud and analyzed more than 760,000 email threats associated with 40 top global brands over the course of 2 months to understand how fraudsters circumvent email authentication mechanisms like DMARC.



  1. Webinar: How Cybercriminals Cheat Email Authentication. September 29, 2015. #BeyondDMARC
  2. Welcome!
     • Follow us on Twitter @StopEmailFraud.
     • Use our hashtag #BeyondDMARC.
     • Please type in your questions using the chat box.
     • Yes! We’ll send you a recording.
  3. Welcome! Speakers:
     • Matthew Moorehead, Strategic Project Manager, Email Fraud Protection, Return Path (@mattmooreheadRP)
     • Liz Dennison, Content Marketing Manager, Email Fraud Protection, Return Path (@LizKONeill)
     • Ash Valeski, Senior Product Manager, Email Fraud Protection, Return Path
  4. Agenda
     • The Email Fraud Problem.
     • Email Authentication Best Practices.
     • Real-time Insights into All Email Attacks.
     • Tactics Fraudsters Use to Cheat Email Authentication.
     • Unite Against Email Fraud.
     • Q&A.
  5. The Email Fraud Problem
  6. Email Fraud Is on the Rise
     • 5 out of 6 big companies are targeted with phishing attacks.
     • Phishing costs brands worldwide $4.5 billion each year.
     • RSA identifies a phishing attack every minute.
     • Email fraud has up to a 45% conversion rate.
     Source: EMC, Google
  7. Hard Cost Impact: Fraud Losses, Malware Infection, Investigation, Remediation.
  8. Revenue Impact
     • Reduced trust in brand: customers and subscribers don’t know what to trust.
     • Reduced effectiveness of email: consumer mailbox providers don’t know what to trust.
     Customers are 42% less likely to interact with a brand after being phished or spoofed.
  9. Anatomy of a Phishing Email. Sample message:
     to: You <> / from: Phishing Company <> / subject: Unauthorized login attempt / 1 attachment
     “Dear Customer, We have recieved noticed that you have recently attempted to login to your account from an unauthorized device. As a saftey measure, please visit the link below to update your login details now: Once you have updated your details your account will be secure from further unauthorized login attempts. Thanks, The Phishing Team”
     Annotations:
     • Making an email look legitimate by spoofing the company name in the “Display Name” field.
     • Tricking email servers into delivering the email to the inbox by spoofing the “envelope from” address hidden in the technical header of the email.
     • Including logos, company terms, and urgent language in the body of the email.
     • Making an email appear to come from a brand by using a legitimate company domain, or a domain that looks like it, in the “from” field.
     • Creating convincing subject lines to drive recipients to open the message.
     • Including links to malicious websites that prompt users to give up credentials.
     • Including attachments containing malicious content.
  10. Email Authentication Best Practices
  11. Email Authentication Keeps Bad Email Out. Authenticating email helps ensure your legitimate messages reach your customers, and malicious messages don’t. There are three key authentication protocols to know:
     1. SPF (Sender Policy Framework)
     2. DKIM (DomainKeys Identified Mail)
     3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
  12. How DMARC Works (flowchart)
     • Email received by mailbox provider.
     • Has DMARC been implemented for the “header from” domain? NO → mailbox provider runs its own filters. YES → next check.
     • Does the email fail DMARC authentication? NO → deliver. YES → apply the domain owner’s policy: NONE, QUARANTINE or REJECT.
     • Report to sender: control & visibility.
  13. Phishing Emails DMARC Would Block
  14. But Email Authentication Isn’t Enough
     • 30% spoof your domain: active emailing domains, non-sending domains, defensively-registered domains.
     • 70% spoof your brand in other ways: cousin domains, display name spoofing, subject line spoofing, email account spoofing.
     Source: Return Path / APWG White Paper, 2014
  15. Real-Time Insights Into All Email Attacks
  16. The Return Path Data Cloud: Contactually, Molto, Paribus, GetAirHelp, Message Finder, Unsubscriber, Organizer.
  17. Email Threat Data: consumer inbox data; email delivery data; authentication results; message level data; spam trap & complaints data. Email Threat Intelligence: domain-spoofing alerts; brand-spoofing intelligence; suspicious activity map; Fraudcaster URL feed; Sender Score (IP reputation).
  18. Tactics Fraudsters Use to Cheat Email Authentication
  19. Tapping Into the Return Path Data Cloud
     • 40 day period (July and August 2015).
     • Analyzed over 240 billion emails from more than 100 data feeds.
     • Identified over 760,000 email threats targeting 40 top brands.
  20. Tactic 1: Snowshoeing
     • No discernible pattern to suggest that the biggest phishing attacks are launched on distributed IP addresses.
     • But 22 of the 76 medium-sized attacks were sent from distributed IPs.
     • Assessing IP reputations should continue to provide value.
  21. Tactic 2: Subject Line Spoofing. The minority of serialized subject lines we did find fell under four interesting themes:
     1. Social media scams
     2. Account security
     3. Calls to action with reference number
     4. HR scams
  22. Tactic 2: Subject Line Spoofing
     • Urgency is a key theme in subject line spoofing.
     • Fraudsters prefer a template-based approach.
  23. Tactic 3: Display Name Spoofing
     • In the majority of email threats, fraudsters spoof elements of the Header From field.
     • Nearly half of all email threats spoofed the brand in the Display Name.
  24. Unite Against Email Fraud: tips for defending your customers, your brand, and your bottom line.
  25. #1: Authenticate Your Email. DMARC (Domain-based Message Authentication, Reporting & Conformance):
     • DMARC prevents domain-based spoofing by blocking fraudulent activity appearing to come from domains under your control.
     • DMARC provides an email threat reporting mechanism (aggregate and forensic data).
     • Use our DMARC Check Tool to query your domain’s record and validate that it is up to date with your current policy.
  26. “Simply put, the DMARC standard works. In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.” Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs
  27. #2: Get Visibility Into Email Threats. Email Threat Intelligence is the only way to:
     • Address the 70% of email attacks that spoof your brand using domains your company does not own (brand spoofing).
     • Get visibility into all types of email threats targeting your brand today.
  28. Defend Your Customers, Brand, and Bottom Line
     • Detect & block fraudulent emails spoofing your brand before they hit consumer inboxes.
     • Bolster malicious URL takedown efforts with real-time email threat detection.
     • Reduce spend on fraud reimbursements, phishing remediation, and customer service costs.
  29. “If you boil the jobs down of [IT security professionals], they are ultimately tasked with protecting the brand… If you have a breach, research suggests that 60% of your customers will think about moving and 30% actually do.” Bryan Littlefair, Global Chief Information Security Officer, Aviva
  30. THANK YOU! Want more? Download “The Email Threat Intelligence Report”.
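The DMARC decision flow from slide 12, worked through in code. This is an added example and not Return Path's tool or code: the DNS records, domains and authentication results are constructed, the DNS lookup is a dictionary stand-in, and the organisational-domain rule (last two labels) is a simplification of the Public Suffix List logic a real evaluator would use. It also shows why the "envelope from" spoofing in slide 9 does not get past DMARC on a protected domain: the attacker's own envelope domain can pass SPF, but that result is not aligned with the header-from domain, so the owner's policy still applies.

```python
"""DMARC disposition, modelled on the slide 12 flowchart (added example)."""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.newsletter.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated against (envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of a verified DKIM signature, "" if none


def org_domain(domain):
    """Simplification (assumption): last two labels.  Real evaluators use the
    Public Suffix List so that names like example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if not a usable record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup_policy(header_from):
    """Slide 12, first diamond: is there a DMARC record for the header-from
    domain?  Tries the exact domain, then its organisational domain
    (RFC 7489 section 6.6.3).  Returns (tags, is_subdomain)."""
    record = DNS_TXT.get("_dmarc." + header_from.lower())
    if record:
        return parse_dmarc(record), False
    od = org_domain(header_from)
    if od != header_from.lower():
        record = DNS_TXT.get("_dmarc." + od)
        if record:
            return parse_dmarc(record), True
    return None, False


def aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' = exact match, anything else = relaxed
    (same organisational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(header_from, auth):
    """Returns 'no-policy', 'deliver', or the policy to apply:
    'none', 'quarantine' or 'reject'."""
    tags, is_sub = lookup_policy(header_from)
    if tags is None:
        return "no-policy"      # provider falls back to its own filters
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"        # DMARC pass: at least one aligned, passing result
    if is_sub and "sp" in tags:
        return tags["sp"]       # sub-domain policy applies to unlisted sub-domains
    return tags["p"]            # domain owner's policy; reports go back to the owner


if __name__ == "__main__":
    # Constructed cases: legitimate DKIM-signed mail, envelope-from spoofing,
    # an unlisted sub-domain, a p=none domain, and a domain with no record.
    cases = [
        ("example.com", AuthResults(False, "example.com", True, "example.com")),
        ("example.com", AuthResults(True, "attacker.invalid", False, "")),
        ("alerts.example.com", AuthResults(False, "", False, "")),
        ("newsletter.example.org", AuthResults(False, "", False, "")),
        ("no-record.invalid", AuthResults(False, "", False, "")),
    ]
    for domain, auth in cases:
        print(f"{domain:28s} -> {dmarc_disposition(domain, auth)}")
```

The second constructed case is the slide 9 trick: SPF passes for the attacker's envelope domain, but the pass is for the wrong identifier, so under a p=reject record the message is still rejected. The third case shows why a sub-domain policy matters for the "non-sending domains" of slide 14.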
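A detector for the two brand-spoofing patterns named in slides 14 and 23 that DMARC does not cover: display name spoofing and cousin (look-alike) domains. This is an added example, not Return Path's code or its Email Threat Intelligence product; the brand token, the owned-domain list, the homoglyph table, the edit-distance threshold and the sample From headers are all constructed for the example.

```python
"""Classify From headers for display-name and cousin-domain spoofing (added example)."""
from email.utils import parseaddr

# Constructed brand data (assumptions for this example).
BRAND_TOKEN = "acmebank"
OWNED_DOMAINS = {"acmebank.com", "acmebank.co.uk"}

# Common substitutions used in look-alike domains (constructed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MAX_EDIT_DISTANCE = 2   # assumption: how far a label may drift and still count


def normalise(text):
    """Lower-case, drop separators, undo the homoglyph substitutions."""
    s = text.lower().replace("-", "").replace("_", "").replace(" ", "")
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(domain):
    """True for an owned domain or any sub-domain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OWNED_DOMAINS)


def is_cousin(domain):
    """A label (other than the TLD) that contains or closely resembles the brand."""
    for label in domain.split(".")[:-1]:
        n = normalise(label)
        if BRAND_TOKEN in n or levenshtein(n, BRAND_TOKEN) <= MAX_EDIT_DISTANCE:
            return True
    return False


def classify_from(header_value):
    """Return the spoofing patterns found in one From header value."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if is_owned(domain):
        return []                       # brand-owned domain: DMARC's territory
    findings = []
    if BRAND_TOKEN in normalise(name):
        findings.append("display-name-spoofing")   # slide 23
    if domain and is_cousin(domain):
        findings.append("cousin-domain")            # slide 14
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three spoofing variants.
    samples = [
        "Acme Bank <alerts@mail.acmebank.com>",
        "Acme Bank Support <acmebank.alerts@gmail.com>",
        "Security Team <no-reply@acrnebank.com>",
        "Acme Bank <no-reply@acme-bank-login.net>",
    ]
    for header in samples:
        print(f"{header:48s} -> {classify_from(header) or ['ok']}")
```

The owned-domain check comes first because mail that really comes from a brand domain is what DMARC already covers; the detector only has work to do on the remaining 70% that spoof the brand from domains the company does not own. Homoglyph folding is what catches "acrnebank" as the brand name, and hyphen stripping is what catches "acme-bank-login".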