Identity deception attacks continue to increase, but the type of attack appears to be changing. In Q3 2019, phishing campaigns impersonating brands fell 6% compared to the previous quarter. Nevertheless, attacks impersonating individuals rose by 10 million. The decline in brand impersonation may be partly linked to growing DMARC adoption in the industry, which increased by 49% over the last year.
Nonetheless, while DMARC is being deployed more and more, it is not yet widely used. Only the “p=reject” enforcement option protects against brand impersonation scams by email. The two countries with the highest use of DMARC are Germany and the United States. Germany has a higher number of implementations than the United States, but p=reject enforcement accounts for a lower percentage of its DMARC records. That could change in the coming years: the recommended implementation strategy for DMARC is to begin with p=none and work up to p=reject, so DMARC implementation may still be in its early stages for many businesses.
In the meantime, however, the latest Agari Email Fraud & Identity Deception Trends (PDF) report notes that more than 80% of Fortune 500 companies have no DMARC protection. Although only 38% do not have a DMARC record (down from 59% in the same quarter last year), 44% still do not have an enforcement policy. “Only 13 percent of the Fortune 500 now have a DMARC record with a p=reject enforcement policy,” says Agari.
DMARC is a little like vaccination. Just because ten people have been vaccinated, that doesn’t stop an 11th person from infecting you. Before health officials consider a country safe from a specific disease, a 95 percent vaccination rate is required. The same principle applies to phishing: while DMARC “vaccination” protects the vaccinated brands from being used in phishing attacks, the end user is not protected from phishing in general until a large percentage of all brands are under DMARC.
Whilst DMARC is being implemented gradually, the adoption of Brand Indicators for Message Identification (BIMI) appears to be much faster. BIMI is a standardized way for brands to publish their brand logos online with built-in spoofing protection. According to Agari's figures, about 130 BIMI logos were in use in March 2019. This has now grown by more than 700 percent, to 949.
Wire transfer schemes, which are often collectively referred to as business email compromise (BEC), are also changing. Gift cards are demanded in 56 percent of all BEC attacks, but that is 10 percent lower than in March 2019. Payroll reversal (up 5 percent over the past three months, to 25 percent of all BEC attacks) and wire transfer scams (similar growth, to 25 percent of all BEC attacks) both grew. Gift card attacks simply result in a smaller payout (an average of $1,571) than a wire transfer attack (an average of $52,325).
However, Agari's latest report warns of a new identity deception threat, which it calls vendor email compromise. Agari describes it as ‘a disturbing new BEC phenomenon, what we call the email compromise (VEC) of the seller, that fraudsters use stolen email accounts for their employees, targeting not only one business, but entire supply chain ecosystems.’
What is still unclear is how and to what degree deepfake technology will appear in either category. Agari believes that deepfake audio and video could be used to enhance BEC attacks, and that deepfake audio could be used to enhance VEC attacks as well.
The Agari Cyber Intelligence Division (ACID) group analyzed VEC while investigating a Nigerian crime group called Silent Starling. It found that Silent Starling breached email accounts and tried to get companies to pay bogus supplier invoices. Although this type of attack is not limited to Silent Starling, it was the first time Agari had seen it used as the main scam tool of an attack team.
“One of the most important emerging threats in the cyber threat sector,” Agari says, “is the vendor’s e-mail breach. The secret to these attacks is to have access to e-mail accounts of key individuals in the accounts receivable or financial department of an undertaking through standard phishing.”
Once one email account is compromised, the attacker can slowly compromise others. The information contained in the emails helps the attacker learn how and when the company operates. The attackers look in particular for invoice and payment patterns with a significant customer, so the attacker comes to know the vendor's invoicing times, processes and customers. This intelligence helps him craft messages that are so believable that they’re virtually undetectable, and since the email account has already been compromised, he can launch the attack from a legitimate email account instead of a spoofed one.
The attacker will send a bogus invoice at the right time, perhaps a week before the customer expects an invoice, but with different bank information, so that the payment goes to his own account. “These sophisticated attackers are looking for large-scale, deep-pocket scenarios – think of providing a major part of the aviation production process that is hundreds of thousands of dollars,” said Armen Najarian, Agari’s chief identity officer.
In principle, if the compromised firm sends several invoices simultaneously to multiple customers, the fraud might be carried out against several customers, but the larger customer is the primary target.
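Because a VEC invoice arrives from the vendor's real mailbox, sender authentication does not separate it from genuine mail, so a payment check has to look at the invoice itself. The following added example (not from the Agari report) flags the two signals described above, changed bank details and an invoice arriving ahead of the usual cycle; the field names, the tolerance and all data are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed vendor master record (hypothetical fields and values).
VENDORS = {
    "acme-parts": {"account": "ACCT 1111 2222", "cycle_days": 30,
                   "last_invoice": date(2019, 10, 1)},
}

def normalize(account):
    """Compare account identifiers without whitespace or case differences."""
    return "".join(account.split()).upper()

def hold_reasons(invoice, vendors, early_tolerance_days=3):
    """Return the reasons to hold payment and verify with the vendor out of band."""
    vendor = vendors.get(invoice["vendor_id"])
    if vendor is None:
        return ["unknown-vendor"]
    reasons = []
    if not invoice["sender_auth_pass"]:
        reasons.append("sender-auth-failed")      # catches spoofing, not VEC
    if normalize(invoice["account"]) != normalize(vendor["account"]):
        reasons.append("bank-details-changed")
    expected = vendor["last_invoice"] + timedelta(days=vendor["cycle_days"])
    if (expected - invoice["received"]).days > early_tolerance_days:
        reasons.append("earlier-than-expected")
    return reasons

# Constructed invoices: a routine one, and one matching the VEC pattern
# (authenticated sender, new bank account, a week ahead of the cycle).
ROUTINE = {"vendor_id": "acme-parts", "account": "acct 11112222",
           "received": date(2019, 10, 31), "sender_auth_pass": True}
VEC_LIKE = {"vendor_id": "acme-parts", "account": "ACCT 9999 0000",
            "received": date(2019, 10, 24), "sender_auth_pass": True}

if __name__ == "__main__":
    for name, inv in (("routine", ROUTINE), ("vec-like", VEC_LIKE)):
        print(name, hold_reasons(inv, VENDORS))
```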
“Think of this as a kind of supply chain attack,” continued Najarian. “The seller/customer partnership is the point of weakness from which to steal funds from deeper clients. We see a marked shift in focus from targeting stakeholder groups to such an assault mainly because the payoff is far greater. On average, a BEC CEO fraud attack would usually pay in the range of $50,000 to $55,000.”
Agari found more than 70 phishing sites, from which over 700 employee email accounts at more than 500 companies in 14 countries were obtained. However, 97% of the victims are in the United States, Canada and the UK alone. Agari predicts that VEC will likely overtake BEC as the largest financial fraud during 2020.