Dmarc as a Service
Jan 8, 2018
Top email hacks of 2017 (that we know about)
2017 was a good year for phish — if you were a phisher, that is. For the rest of us? Not so hot.
Coming on the heels of a year in which phishing attacks exceeded all previous records, we might have expected 2017 to see the trend cool off a bit. You would have been wrong.
Research shows that business email compromise (BEC) attacks, in which emails contain no malware or malicious links, are up 45 percent year over year. These emails aim at getting the recipient to divulge sensitive information, such as employee data and W-2s, or to wire information to a bank account controlled by the attackers. They are especially difficult for content-filtering systems to protect against.
Such emails can be very hard for humans to detect as well.
Phishing is more than an annoyance, and more than mere social engineering. PhishMe found that 91 percent of cyberattacks start with a phishing email. Its findings echo those of many other reports, including Verizon’s annual Data Breach Investigation Report, in confirming that phishing is far and away the primary initial attack vector for hacks of all kinds. Many attackers take advantage of technical weaknesses in the way companies implement email: Specifically, their lack of enforcement over who can use their domains. That makes phishing especially difficult for end users to detect, because phishers can impersonate trusted senders almost flawlessly.
Here’s a look at some of 2017’s biggest phishing campaigns and email attacks.
January An “astonishingly effective” Gmail phishing campaign cropped up, using a fake Google login page to lure people into giving up their login credentials.
A variety of Amazon related phishing scams popped up this year, starting in January and continuing at least through November. Usually they’re some variety of email containing a message like “we can’t deliver your package, please click here to confirm your account details.”
A particularly frightening form of phishing scam targeted Egyptian NGOs early this year. Called NilePhish, it uses a variety of techniques to infiltrate Gmail accounts even when they’re protected by two-factor authentication.
W2 phishing scams had targeted over 100 companies and compromised the information for 120,000 employees as of March.
Defense Point Security, a major government contractor recently acquired by Accenture, admitted that it had accidentally turned over a bunch of employee W-2s in a phishing scam.
U.S. Vice President Mike Pence had an AOL account when he was governor of Indiana. Someone hacked into it, using a phishing scam, Wired reported in March.
The nation of Qatar faced 93,150 phishing attacks in the first quarter of 2017 alone.
A Lithuanian phisher scammed Facebook and Google out of $100 million using fake invoices, we learned in April.
This month, another Google phishing attack affected over a million users. This one uses an app misleadingly named “Google Docs,” just like Google’s own Google Docs apps, and takes advantage of the real Google Docs’ ability to send notifications. Those notifications show up within the Google Docs app — but also appear in email.
May’s headlines were dominated by WannaCry, a particularly effective form of ransomware that spread through computer networks via a flaw in Windows networking, using an NSA-created exploit called EternalBlue. But how did WannaCry get on computer networks in the first place? By phishing, of course. Ultimately, WannaCry (also known as WannaCrypt) infected 230,000 computers in 150 countries, causing fallout in hundreds of organizations, including Britain’s National Health Service.
WannaCry had just barely left the headlines when the Petya ransomware swept the globe, using similar attack vectors. Petya wreaked havoc with big multinationals including WPP, Mondelez, DLA Piper, and Maersk.
And in short order, NotPetya popped up. It looked a lot like Petya, but with some code differences — and it wasn’t ransomware, it just aimed to destroy data. Same general mayhem, however.
Symantec reported that phishing rates hit the highest levels seen in almost two years, with one in every 359 emails carrying some kind of malicious payload.
Yahoo admitted in October that all three billion of its user accounts had been compromised, confirming what many people had already feared or even assumed.
Yahoo managed to remain in the news when one of the key players in the Yahoo hack, a Canadian man, pled guilty to federal charges, admitting that he helped Russian hackers gain access to Yahoo accounts through spear-phishing techniques.
Email phishing spiked this month as hackers sought to take advantage of holiday shoppers by sending them bogus shipping notifications, bogus purchase confirmations, and more.
Researchers noted that “impersonation phishing attacks” are the fastest-growing cybersecurity threat. These are fairly simple emails in which the sender attempts to trick the recipient into thinking that they are someone trusted: The CEO of your company, for instance.
Finally, a survey of IT professionals at top U.S. health care providers revealed that 78 percent of health care organizations have been victimized by an email-based attack in the past 12 months.
In all, it was a pretty rough year for targets of email-based cyberattacks, and indications suggest that 2018 will be even more challenging.
What To Do In 2018
To avoid becoming a victim of email attacks, companies should take the following steps:
- Enable email authentication using DMARC — at enforcement — for all domains and subdomains you own (not just those you send email from).
- Train users not to open emails if they come from untrusted senders (and definitely don’t click on links or open attachments from unauthenticated senders). Make sure you examine the actual sender’s address shown in the From field, and check to see if the sender’s domain name is authenticated. (You can do that using Valimail’s handy domain checker.)
- Continue to use content filtering to eliminate emails containing malware and malicious links.
- Maintain a regular, automated backup policy so you can recover data in the event that it gets destroyed or encrypted by ransomware.