Annual March Hackness 2021: The Not-So-Sweet 16

/March 31, 2021

Dick Vitale impression returning in:

3…

2…

1…

OH MY, WHAT A TOURNAMENT IT HAS BEEN! SOME STUNNING UPSETS! MILLIONS OF BRACKETS BUSTED! IT’S AWESOME (and sometimes awful), BABY!

Whew… Got that out of the way.

So, what have we learned from the first two rounds of the Annual March Hackness phishing tournament?

The COVID-19 pandemic has definitely played into what attackers are using in their business.

The proof? Cinderella runs thus far for some of our (not-so-Sweet) 16 of top-impersonated newcomers: the World Health Organization (which we’ve seen daily in the news); Target (whose online sales surged by $10 billion last year); and DocuSign (whose revenue exploded by nearly 50%, thanks to post-COVID remote business). Reminiscent of Marquette’s 2013 run, in my opinion!

That said, our major players of Microsoft and Google are still accounted for — they continue to remain attackers’ favorite brands year after year. (Case in point: our security research team recently uncovered a highly sophisticated Microsoft 365 phishing campaign targeting financial departments and unsuspecting assistants and CEOs).

But … who honestly could have predicted PayPal getting knocked out in the first round? Our 2019 March Hackness Champion goes home early! Congratulations to them for being Most Improved (aka, less spoofed)!

Remember folks, in our phishing bracket, a first round knockout is actually a badge of honor!

Which brings us into the Not-So-Sweet 16. Can the WHO continue its historic run? Can Twitter upset the Duke-esque status of Microsoft? Will Facebook survive a matchup against Amazon? Only time will tell!

The Madness is setting in!

Let’s check back with Dicky V for analysis of the perfect phishing bracket:

Some takeaways for the Sweet 16?

  • OH BABY! We’ve got quite a few Juggernaut matchups! Microsoft has that champion pedigree but Twitter is a strong contender!
  • Facebook vs Amazon! That’s a championship matchup in it’s own right … expect a lot of fireworks there!
  • I like Apple’s odds of making it to the finals!
  • I think our Cinderella, the WHO, might be making it to the ball!

Tune in on April 5th to see who will be crowned our OPHISHAL Champion for 2021! IT’S AWESOME BABY!

And Now Some Additional Analysis

By the way, in case you’re wondering: is email authentication (SPF, DKIM, DMARC) THE winning way to stop brand spoofing and impersonation-based phishing attacks from ever reaching inboxes?

The answer is: No. Over the past year, we’ve blocked 22 million of these types of phishing attacks — and while we know all three standards can help with preventing some forms of phishing, attackers can easily bypass email authentication.

The SPF, DKIM and DMARC standards are certainly useful for validating server and tenant origins, protecting message integrity and providing policy enforcement. However, security professionals should know that:

  1. Anyone can set up emails that pass email authentication.
  2. Email authentication does not inspect content.
  3. Email authentication does not protect against look-alike domains.
  4. Email authentication does not protect against compromised domains.
  5. The vast majority of organizations and domains do not use email authentication.
  6. Email authentication can be difficult to set up properly.

Below is a brief description of what each standard does, what types of threats it can protect against and what types of threats it cannot protect against. (You can also download a handy Email Authentication Cheat Sheet, here).

SPF
(Sender Policy Framework)
Purpose Validating server origin (i.e., validates where a message originates from)
Defining which email servers and services are allowed to send messages on a domain owner’s behalf
Best for: Preventing spoofing of a legitimate email’s return address domain, i.e., the “Reply to” email address or return-path domain
Limitations
  • Does not prevent look-alike email, domain or display name spoofing
  • Does not validate the “From” header; uses envelope “From” to determine sending domain
  • Validation fails when emails are forwarded or when messages sent to a mailing list is sent to each subscriber
  • SPF evaluation process is limited to 10 DNS lookups
  • Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads or attachments
DKIM
(Domain Keys Identified Mail)
Purpose Providing tenant origin validation (i.e., checks that an email was sent/authorized by the owner of the domain via a digital signature)

Ensuring email is not altered while transferred from server to server; protecting message integrity
Best for: Preventing spoofing of the “Display From” email address — the address usually shown to the end user when an email is opened
Limitations
  • Does not prevent look-alike email, domain or display name spoofing
  • Does not protect against replay attacks (DKIM only signs specific parts of a message. Attackers can add other header fields to emails passing DKIM then forward them.)
  • Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads or attachments
DMARC
(Domain-based Message Authentication, Reporting and Conformance)
Purpose Providing policy enforcement and reporting for SPF and DKIM

Stipulating what policy to follow if an email doesn’t pass SPF or DKIM authentication (e.g. reject/delete, quarantine, no policy/send)

Reporting function allows domain owners to who is sending email on their behalf
Best for: Protecting against spoofing of your own domain and brand abuse

(Does not prevent spoofing of another brand’s domain.)
Limitations
  • Does not prevent spoofing of another brand’s domain
  • Does not prevent look-alike email, domain or display name spoofing
  • Domain owners specify what percentage of mail DMARC policies applies to; application percentages of less than 100% are virtually meaningless
  • Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads or attachments

Kevin Wilson is a Sr. Product Manager at Area 1 Security. Throughout his 14 years in Cyber Security, Kevin has been an Analyst and Engineer in various organizations such as the U.S Navy, First Data, and Lowe’s. Previously he served as the Global Information Security Officer at Guess? Inc as well as a Product Manager for McAfee.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!

 

SUBSCRIBE

Shalabh

Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

Tags: phishing, phishing email, spoofing

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.

Understanding the Four Business Email Compromise Attack Types

Business Email Compromise (BEC), also sometimes referred to as email account compromise (EAC) or vendor email compromise (VEC), is a type of phishing attack that takes advantage of an existing relationship between a victim and organization.