The key to a successful phishing campaign is credibility—making the recipient believe that the email in their inbox is legitimate. Until relatively recently, there was nothing to stop a phisher from sending email with a 5322.From—or “friendly from”—address that was a precise match for the targeted organization.
Times are changing. With the rising adoption rate of DMARC, it is becoming increasingly difficult for phishers to get credible email into the inbox. But they’re finding new ways to do it.
What is false authority?
This post deals with a sub-category of brand spoofing that we are (currently) referring to as “false-authority.” In these attacks, phishers use generic domains that are beyond the control of the brand being spoofed, but that lend significant credibility to the maliciously crafted email, e.g. “Paypal@security.com” or “Oracle@no-reply.com.”
The domains used are common terms such as Security, Service, No-Reply, Update, Review, or Domain, and almost always include a “.com” or “.net” as these are still regarded as the most authoritative by many.
The organizations targeted are very familiar—Paypal, Apple, Amazon, and various large financial services organizations top the list, with millions of malicious emails per day being sent to consumers in their name.
In terms of quality, these malicious false-authority emails are some of the best that our researchers have seen. They are highly professional and there is nothing to warn the consumer who receives them that they are the product of the brand being attacked.
In this example from Paypal, we can see that the Display Name is service@paypal.com but the actual address is paypal@service.com. The phisher is making a fair assumption that the person receiving this email will not see the difference, given that all the same words and symbols are there, just subtly re-arranged.
The quality of the malicious site this email links to is also extremely high: the criminals have worked very hard, putting the two “alert” bars at the top which adds a lot of credibility. Simply put, you would never expect that level of attention to detail on a malicious site.
The background animation plays as soon as the page loads and the links on the page are a mixture of legitimate and malicious: if you wish to sign up for a new account, you will go to the real PayPal site. However, if you wish to sign in, you will be taken to a malicious page that will steal your credentials.
Here is another fantastic “false authority” example. This email, spoofing www.docs.com, attacks customers of Halifax Bank:
Note that the phisher has referenced the recipient’s email address twice within the body of the email in order to add authenticity, and that the email as a whole is crafted very well. Without the obfuscated link made explicit, it’s hard to say that this email is malicious, which is of course a sign of how effective it is likely to be.
Here is a similarly convincing false-authority attack on FlipKey which is sent from “message.com:”
How effective are these attacks?
As part of our ongoing research, we monitored over 60 million emails sent over a period of 30 days from false-authority domains and looked at inbox placement and engagement data.
The summary of this data is quite troubling:
- 63% of the messages went to the primary inbox and 2.7% of those were read.
- 37% went to the spam folder and of those and 13.5% were read.
- Overall read-rate was 9.3%, biased heavily toward email delivered to the spam folder.
We can draw three conclusions from this analysis. The first is that the false-authority technique is highly effective. Second, brands cannot rely on the mailbox providers to protect their customers from email fraud. And finally, even when these malicious emails are sent to spam, recipients interact with it at almost the same rate at which they interact with legitimate emails in their primary inbox folder.
How do you protect your customers?
The absolute foundation of any company’s defense against email fraud has to be visibility of the whole attack surface—both domain and brand spoofing. If you can only see part of the problem, the temptation is to believe that part is the whole problem.
Second, access to email threat intelligence must be as close to real time as possible, and must inform a mitigation service (takedown, filtering, etc.) the instant it is possible to do so.
Finally, the false-authority tactic is only one of many employed by fraudsters today, so it is critical that cyber and information security teams understand the full email threat landscape.
To fuel that understanding, Return Path recently analyzed more than 760,000 email threats associated with 40 top global brands over the course of two months. We honed in on three key tactics we suspected fraudsters use to circumvent email authentication mechanisms like DMARC, and tested those suspicions against empirical threat data.
Download The Email Threat Intelligence Report and discover how to protect your brand against the most sophisticated phishing techniques used today.