How Cybercriminals Cheat Email Authentication
•Download as PPTX, PDF•
2 likes•490 views
Email fraud is rife and costs companies like yours millions. Implementing the authentication standard DMARC (Domain-based Authentication Reporting and Conformance) to block bad email before it reaches consumer inboxes is a great first step. But DMARC alone isn’t enough, protecting your brand from only 30% of email-borne attacks. We tapped into the Return Path Data Cloud and analyzed more than 760,000 email threats associated with 40 top global brands over the course of 2 months to understand how fraudsters circumvent email authentication mechanisms like DMARC.
More Related Content
What's hot
What's hot (9)
Viewers also liked
Viewers also liked (20)
Similar to How Cybercriminals Cheat Email Authentication
Similar to How Cybercriminals Cheat Email Authentication (20)
More from Return Path
More from Return Path (20)
Recently uploaded
Recently uploaded (20)
How Cybercriminals Cheat Email Authentication
- 2. Webinar: How Cybercriminals Cheat Email Authentication September 29, 2015 #BeyondDMARC
- 3. Welcome! • Follow us on Twitter @StopEmailFraud. • Use our hashtag #BeyondDMARC. • Please type in your questions using the chat box. • Yes! We’ll send you a recording.
- 4. Welcome! Matthew Moorehead Strategic Project Manager Email Fraud Protection Return Path @mattmooreheadRP Liz Dennison Content Marketing Manager Email Fraud Protection Return Path @LizKONeill Ash Valeski Senior Product Manager Email Fraud Protection Return Path
- 5. Agenda • The Email Fraud Problem. • Email Authentication Best Practices. • Real-time Insights into All Email Attacks. • Tactics Fraudsters Use to Cheat Email Authentication. • Unite Against Email Fraud. • Q&A.
- 7. Email Fraud Is on the Rise 5 out of 6 big companies are targeted with phishing attacks Phishing costs brands worldwide $4.5 billion each year RSA identifies a phishing attack every minute Email fraud has up to a 45% conversion rate Source: EMC, Google
- 8. Hard Cost Impact Fraud Losses Malware Infection Investigation Remediation
- 9. Revenue Impact • Reduced trust in brand: • Customers and subscribers don’t know what to trust • Reduced effectiveness of email: • Consumer mailbox providers don’t know what to trust Customers are 42% less likely to interact with a brand after being phished or spoofed.
- 10. to: You <you@yourdomain.com> from: Phishing Company <phishingcompany@spoof.com> subject: Unauthorized login attempt Dear Customer, We have recieved noticed that you have recently attempted to login to your account from an unauthorized device. As a saftey measure, please visit the link below to update your login details now: http://www.phishingemail.com/updatedetails.asp Once you have updated your details your account will be secure from further unauthorized login attempts. Thanks, The Phishing Team 1 attachment Making an email look legitimate by spoofing the company name in the “Display Name” field. Tricking email servers into delivering the email to the inbox by spoofing the “envelope from” address hidden in the technical header of the email. Including logos, company terms, and urgent language in the body of the email. Making an email appear to come from a brand by using a legitimate company domain, or a domain that looks like it in the “from” field. Creating convincing subject lines to drive recipients to open the message. Including links to malicious websites that prompt users to give up credentials Including attachments containing malicious content. Anatomy Of A Phishing Email
- 12. Email Authentication Keeps Bad Email Out Authenticating email helps ensure your legitimate messages reach your customers, and malicious messages don’t. There are three key authentication protocols to know: 1. SPF (Sender Policy Framework) 2. DKIM (DomainKeys Identified Mail) 3. DMARC (Domain-based Message Authentication Reporting & Conformance)
- 13. How DMARC Works Email received by mailbox provider Has DMARC been implemented for “header from” domain? Does email fail DMARC authentication? Mailbox provider runs filters QUARANTINE NONE REJECT Apply domain owners policy YESYES NO NO Deliver Report to Sender Control & Visibility
- 14. Phishing Emails DMARC Would Block
- 15. But Email Authentication Isn’t Enough 30% spoof your domain •Active Emailing Domains •Non-Sending Domains •Defensively-registered Domains 70% spoof your brand in other ways • Cousin Domains • Display Name Spoofing • Subject Line Spoofing • Email Account Spoofing Source: Return Path / APWG White Paper, 2014
- 16. Real-Time Insights Into All Email Attacks
- 17. The Return Path Data Cloud Contactually Molto ParibusGetAirHelp Message Finder UnsubscriberOrganizer
- 18. EMAIL THREAT DATA · Consumer inbox data · Email delivery data · Authentication results · Message level data · SPAM trap & complaints data EMAIL THREAT INTELLIGENCE · Domain-spoofing alerts · Brand-spoofing intelligence · Suspicious activity map · Fraudcaster URL feed · Sender Score: IP reputation
- 21. Tactics Fraudsters Use to Cheat Email Authentication
- 22. Tapping Into the Return Path Data Cloud • 40 day period (July and August 2015). • Analyzed over 240 billion emails from more than 100 data feeds. • Identified over 760,000 email threats targeting 40 top brands.
- 23. Tactic 1: Snowshoeing • No discernible pattern to suggest that the biggest phishing attacks are launched on distributed IP addresses. • But 22 of the 76 medium-sized attacks were sent from distributed IPs. • Assessing IP reputations should continue to provide value.
- 24. Tactic 2: Subject Line Spoofing The minority of serialized subject lines we did find fell under four interesting themes: 1. Social media scams 2. Account security 3. Calls to action with reference number 4. HR Scams
- 25. Tactic 2: Subject Line Spoofing • Urgency is a key theme in subject line spoofing. • Fraudsters prefer a template-based approach.
- 26. Tactic 3: Display Name Spoofing • In the majority of email threats, fraudsters spoof elements of the Header From field. • Nearly half of all email threats spoofed the brand in the Display Name.
- 27. Unite Against Email Fraud Tips for defending your customers, your brand, and your bottom line.
- 28. #1: Authenticate Your Email DMARC (Domain-based Message Authentication Reporting & Conformance): • DMARC prevents domain-based spoofing by blocking fraudulent activity appearing to come from domains under your control. • DMARC provides an email threat reporting mechanism (aggregate and forensic data). • Use our DMARC Check Tool to query your domain's record and validate that it is up to date with your current policy: bit.ly/DMARCcheck.
- 29. “Simply put, the DMARC standard works. In a blended approach to fight email fraud, DMARC represents the cornerstone of technical controls that commercial senders can implement today to rebuild trust and retake the email channel for legitimate brands and consumers.” Edward Tucker, Head of Cyber Security for Her Majesty’s Revenue & Customs
- 30. #2: Get Visibility Into Email Threats Email Threat Intelligence is the only way to: • Address the 70% of email attacks that spoof your brand using domains your company does not own (brand spoofing). • Get visibility into all types of email threats targeting your brand today.
- 31. Defend Your Customers, Brand, and Bottom Line Detect & block fraudulent emails spoofing your brand before they hit consumer inboxes Bolster malicious URL takedown efforts with real-time email threat detection Reduce spend on fraud reimbursements, phishing remediation, and customer service costs
- 32. “If you boil the jobs down of [IT security professionals], they are ultimately tasked with protecting the brand… If you have a breach, research suggests that 60% of your customers will think about moving and 30% actually do.” Bryan Littlefair, Global Chief Information Security Officer, Aviva
- 33. THANK YOU! Want more? Download “The Email Threat Intelligence Report”. bit.ly/EmailThreatIntel
Editor's Notes
- [Liz]
- [liz]
- [liz]
- [liz]
- [matt]
- [Matt] Email Fraud is on the rise and it’s costing companies millions. Additional stats: More than 400 brands are phished each month (Anti-Phishing Working Group) Every day, beyond your control, cybercriminals send emails that spoof your brand, targeting your customers, partners, and suppliers with malicious content. As a result, customers lose trust in your brand, and your company loses business.
- [Matt] First there is a hard cost impact. Fraud losses Malware infection (secondary damages/losses) Investigation Remediation
- [Matt] Second there is a revenue impact. Email fraud has a dramatic impact on the trust your customers have in your brand. It also reduce the effectiveness of email that is legitimate. A great data point from Cloudmark here: customers are 42% less likely to interact with a brand after being phished or spoofed. While consumer fraud losses, increases in cyber insurance premiums, investigation and remediation costs are key drivers in justifying the investment in a solution, the more significant damage is the erosion of trust in your brand and potential loss in customer loyalty. After falling victim to email fraud, the trust your consumers have in your brand will be negatively impacted and this will ultimately affect their buying decisions. Phishers can erase years of goodwill in a second by exploiting that trust, but only if you let them. As a result, customers lose trust in your brand, and your company loses business.
- [Matt] So why is email the chosen threat vector? Because it is so easy to abuse as a channel. Think about this: 97% of people globally cannot correctly identify a sophisticated phishing email. And here is why. Lets look at the all the different aspects of an email that fraudsters leverage to target victims.
- [Ash]
- [Ash] - go through these at a high level. It is best practice to authenticate all legitimate email streams so your organisation can address direct domain spoofing attacks with DMARC. SPF allows the owner of a domain to specify which mail servers they use to send messages from that domain. Prevents fraudsters from spoofing the sending domain contained within the “envelope from” (aka mfrom or return path) address. An SPF-protected domain is less attractive to phishers, and is therefore less likely to be blacklisted by spam filters. DKIM allows an organization to take responsibility for transmitting a message in a way that can be verified by mailbox provider. Can ensure that the message has not been modified or tampered with in transit. Can help inform how mailbox providers limit spam and spoofing. Not a universally reliable way of authenticating the identity of a sender. DMARC ensures that legitimate email is properly authenticating, and that fraudulent activity appearing to come from domains under the organization’s control is blocked. Makes the “header from” address (what users see in their email clients) trustworthy. Helps protect customers and the brand. Discourages cybercriminals are less likely to go after a brand with a DMARC record.
- [ash]
- [Ash] Talk through why this phishing email is protected by DMARC. Then, pass it to Ash with something like, “But, while critical, DMARC doesn’t combat against all phishing attacks. I’ll pass it to Ash to reveal why.”
- [ash] We ran some primary research in sept 2014, looking at 18 billion suspicious emails, targeting 11 banks in the UK and the US. And what did we discover? 30% of the attacks came from an email address from a domain that was owned by the bank that leaves 70% that were spoofed in some other ways like display name spoofing. This is REALLY relevant to our solution because we seek to address both: the 30% and the 70%. We analysed 40 of the top global brands for a period of 2 months (july/August 2015) and looked at fraudulent emails coming from the 70% we covered here. These are some of the tactics we were able to uncover thanks to email threat data: 1. Snowshoeing is still rife and monitoring IP reputations needs to be part of a multi-faceted email fraud protection strategy 2. Fraudsters do not go to the trouble of rotating elements of their subject lines, preferring a more template-based approach. Access to message-level data from email threat intelligence sources should help you prioritize your efforts around attack mitigation. 3. The most frequently spoofed Header From field is the Display Name, for which there is currently no authentication mechanism. Visibility into Display Name spoofing is critical in identifying and responding to phishing attacks leveraging your brand.
- [ash]
- With such a complex threat landscape, you need breadth, depth and speed when it comes to email threat intelligence, and this is what we mean by it: data from mailbox providers, data from security vendors, and data from consumer inboxes to give you a complete pictures of all the threats spoofing your domains (under your control) and your brand (outside your control).
- Powered by the Return Path Data Cloud, our proprietary email threat intelligence empowers you to identify threats beyond DMARC — so you can respond to the 70% of email attacks spoofing your brand from domains that you do not control. We use over 100 data feeds from more than 70 providers to detect, classify and analyze data relating to over 6 billion emails every day. Respond to the 70% of email attacks spoofing your brand from domains that you do not own. DMARC is a great first step, but it’s not a complete solution, protecting your brand from only 30% of email threats. Powered by the Return Path Data Cloud, our proprietary email threat intelligence empowers you to identify threats beyond DMARC. We use over 100 data feeds from more than 70 mailbox and security providers to detect, classify and analyze data relating to over 5.5 billion emails every day. With Email Threat Intelligence, you can: Get insight into email threats, coming from domains that your company does not own (e.g. cousin domains, display name spoofing, subject line spoofing). View redacted message-level samples of fraudulent emails targeting your brand. Identify phishing URLs embedded in fraudulent emails and inform your takedown vendor(s). Integrate intelligence into your existing systems through a RESTful API. Manage all Email Governance and Email Threat Intelligence alerts from a single portal.
- [ash] Here is an example of the data we get through
- [ash]
- [matt]
- [matt] For this project, we leveraged the Return Path Data Cloud—our proprietary network of over 70 mailbox and security providers representing 2.5 billion email accounts and in-depth behavioral insights from more than 2 million individual consumer inboxes.
- [matt] DEFINE SNOWSHOEING FIRST: - Just as a snowshoe spreads the load of a person’s weight across a wide area of snow, snowshoe spamming distributes spam from various IP addresses in order to dilute reputation metrics, evade filters, and avoid getting blacklisted. Traditional spam filters struggle with snowshoeing because they may not see enough volume from a single IP to trigger the filter. Therefore, we suspect fraudsters use this technique in large-scale phishing attacks to stay under the radar. Volume of sample fraudulent emails seen Attack size HUGE: >7,500 LARGE: >2,500 MEDIUM: >500
- [matt]
- [matt]
- [matt] In the majority (62.69%) of email threats, fraudsters spoof elements of the Header From field, the most popular being the Display Name field (for which there is currently no authentication).
- It’s time to unite against email fraud… And here are some of the leading brands out there at the forefront of this initiative (next slide)
- [Matt m]
- So how can Return Path help you? Defend Your Customers Detect and block all fraudulent emails spoofing your domains and brand before they hit consumer inboxes Prevent loss of sensitive customer data by eliminating malicious emails Defend Your Brand Bolster malicious URL takedown efforts with real-time email threat detection Preserve your organization’s reputation without impacting deliverability of legitimate emails Defend Your Bottom Line Reduce spend on fraud reimbursements, phishing remediation and customer service costs Build trust in the email channel and and secure marketing-generated revenue
- Here is a great quote from Aviva’s CISO Bryan Littlefair on why it is the CISO’s responsibility to protect the brand, in collaboration with Marketing.