Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/1/2018
05:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft, Amazon Top BEC's Favorite Brands

When attackers want to impersonate a brand via email, the majority turn to Microsoft and Amazon because of their ubiquity in enterprise environments.

Nearly two-thirds of email attacks spoofing brand names impersonate Microsoft or Amazon, according to one of two studies released today on advanced emailed threats.

More than half (54%) of attacks impersonate brands in their display names (the "from" field), according to Agari's "Q4 2018 Email Fraud & Identity Deception Report." Hackers used Microsoft in 35.8% of attacks, varying their emails to mimic various units of Microsoft, such as OneDrive. Amazon came in second at 26.8%; attackers impersonated divisions including Amazon Web Services (AWS) and Amazon Prime.

Display name deception was the most common attack vector, Agari researchers found, but common trends were different for high-value targets, such as C-suite execs. For these targets, Microsoft was used in 71% of attacks; Dropbox was a distant second at 7%.

Impersonation attacks often arrive disguised as service updates, password resets, and security alerts. It's what employees expect to see, given businesses' reliance on Microsoft. Dropbox is common for malware distribution because people frequently use it to receive files.

"The brands that are being used are ones you'd expect to get emails from on a regular basis and that people trust," says Seth Knox, vice president of marketing at Agari, adding that Office 365 is a common target. "There are a lot of people migrating to Office 365, and that gives you access to a lot of material if you get into someone's corporate account."  

Cloud infrastructure is similarly vulnerable if an attacker successfully deceives someone who handles the company's AWS account. "That could be very damaging to a business," he notes.

Overall, 62% of advanced email attacks use display name deception, researchers learned. While 54% impersonate trusted brands, 8% mimic individuals. Indeed, business email compromise (BEC) is an increasingly common, dangerous, and expensive threat to the enterprise. Earlier this summer, the FBI reported BEC and email account compromise losses hit a global $12 billion.

Supporting the rise of email fraud is Proofpoint's Q3 2018 "Quarterly Threat Report," which found targeted organizations received an average of more than 36 attacks in the third quarter – marking a 77% increase year over year. Attackers are shifting their tactics as the learn what works and what doesn't in terms of who to target and how to best deceive them.

"In a targeted attack, they can see what works and what doesn't and adjust accordingly," says Chris Dawson, threat intelligence lead at Proofpoint, pointing to a prime example from the company's most recent research: "Attackers are using fewer spoofed identities."

Fewer Impersonations, More Victims
Unlike malware campaigns, which are typically designed to send thousands of messages at once, email fraud gives attackers a chance to craft specific messages to be successful. Trial and error has taught them if they want to be effective, they need to limit their impersonations.

From Q2 to Q3, Proofpoint saw a 68% reduction in the number of identities that were spoofed. In Q3, BEC attackers impersonated an average of five users, a number previously seen in 2017. However, BEC attacks increased overall in the same quarter, a sign of threat actors trying to use a smaller number of fake identities to deceive a larger pool of victims.

Previously, Dawson says, attackers would try to spoof a range of people: CEOs, CFOs, CISOs, higher-ranking HR employees, and people in the supply chain. Now they're limiting attacks to more recognizable people, including CEOs and CFOs, and they're sending fraudulent messages to the people who have a close working relationship with those executives and will expect emails.

"They know the people who are going to be, on a regular basis, getting those emails from a CEO or CISO, asking for something to happen," he explains. "What they found is with the broader spread of spoofed identities, it's hard to do that effectively and not get caught."

Dawson points out that researchers found an increase in the number of attacks originating from addresses spoofed within the company. Nearly 50% will pretend to be from a colleague.

When they write malicious emails, researchers found attackers are conveying a greater sense of urgency. Their requests now come with timelines and warn recipients of consequences for delays. Further, they saw payroll-related scams increase 549% - a small percentage of the total but a reminder that subject lines don't necessarily need to be related to specific events.

The Step You Should Take
Both Knox and Dawson advise businesses to protect all variations of their domains that could potentially be used to trick employees. If they're registered, attackers can't use them.

"I'd recommend companies proactively register all of those potential look-alike domains," Dawson says. "Companies are less likely to do that than the bad guys are."

Knox recommends implementing Domain-based Message Authentication, Reporting and Conformance (DMARC), an open email authentication standard that prevents domain names from being spoofed in phishing or spam emails. In an analysis of more than 280 million domains in Q3 2018, Agari saw DMARC adoption increase from 3.5 million domains in July to 5.3 million in October.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...