If there is one key "feature" of phishing that has characterized the epidemic of malicious emails since the very beginning back in the early 2000s, it is the spoofing of well-recognized brand names.
The earliest phishing emails primarily spoofed banks and other financial institutions in order to trick unwitting users into coughing up their online banking credentials, thus laying bare their accounts for exploitation. Over the intervening years malicious actors have expanded their menu of spoofed brand names to include all manner of high profile companies that users interact with on a daily basis, especially those that provide services and products directly to consumers.
While we continue to see the bad guys reliably leveraging the trust that consumers place in these well-known companies in order to successfully prosecute phishing campaigns, we have also noticed over the past year that the bad guys have been increasingly targeting other companies and brands that are not among the usual names we typically see spoofed in phishing emails.
Take for example, this phishing email that was reported to us by one of our customers using the Phish Alert Button (PAB):
While GoDaddy will certainly be familiar to IT professionals as well as those who self-publish their own web sites, GoDaddy is not a company with which most lay users or consumers will have much direct experience. They may have heard of GoDaddy, might have seen the occasional GoDaddy banner ad, and may even have some vague idea what GoDaddy does, but they are not likely to have the same level of knowledge or familiarity with GoDaddy as they would with the company being spoofed in a phish like this one:
Google is obviously one of the more well-recognized brands in the world, and most users and consumers will likely have had some interaction with the company. Many will be using the company's services daily. Google, then, is an obvious choice for spoofing. But the bad guys exploit other brands that those working in modern corporate offices will have encountered in their professional lives, if not their personal ones as well.
GoDaddy, however, does not easily fit the pattern of the most frequently spoofed brands that we typically see in malicious emails. It may have a large presence on the internet and been around in one form or another since the mid-1990s, but it does not seem as ripe for spoofing in phishing campaigns as companies like Google or DocuSign.
Nonetheless, we are now seeing just over a dozen online brands that are being reliably spoofed on almost a daily basis -- brands that strike us as less obvious targets for mass phishing campaigns. And we are now wondering why these brands became a focus for the bad guys and what the bad guys hope to do with them.
Before taking a closer look at what we shall term "sub-premium" phishing brands that we have recently noticed being spoofed in phishing campaigns, it would be useful to lay out the common characteristics of the "premium" brands that have long been staples of malicious emails.
The most frequently spoofed brands tend to fall into four large groups or industries:
- Financial services (Wells Fargo, Chase, Citi, HSBC, Santander, Navy Federal, etc.)
- Online services & consumer products (Apple, Amazon, Google, Microsoft, Yahoo, Netflix, etc.)
- Package or parcel delivery (DHL, FedEx, UPS, etc.)
- Money transfer (PayPal, Western Union)
- File sharing/delivery/signing (DocuSign, OneDrive, Dropbox, etc.)
These "premium" brands share several common qualities that make them ripe for use in the social engineering schemes that power phishing campaigns:
- Many users and consumers have daily interactions with them and, thus, place some measure of trust in those companies to provide services and products as well as to receive and store their own private or confidential information.
- Even in cases where individual consumers may not personally use these companies' products and services, those consumers will nonetheless be familiar with those companies and what they do through friends, family, advertising exposure, and even news coverage. These brands are ubiquitous.
- No specialized knowledge, experience, or training is required on the part of users and consumers to interact with these well-known brands. Those who live a significant part of their lives online and engage in normal consumer behavior will be familiar with these brands and be likely to respond to them in the context of spoofed phishing emails.
The "sub-premium" phishing brands that have recently caught our attention are a strikingly different affair. For starters, these brands tend to fall in a different range of industries than the "premium" brands discussed just above:
- Ecommerce (Alibaba, eWay.ca, Shopify)
- Digital currency (Blockchain, Coinbase)
- Content management/hosting (GoDaddy, Rackspace, Squarespace)
- Payment processing (Square, Stripe)
- Money transfer (Xpress Money)
- Job search/recruiting (ZipRecruiter)
Although some or even most of these brands may be vaguely familiar to many consumers and users, they do not share the same set of characteristics that we noted among the "premium" brands discussed just above.
- Most users and consumers will not be having direct, regular interactions with these companies. They may have heard of these companies or even done business with companies that rely on these "sub-premium" brands to support their businesses, but consumer familiarity with these companies will be more indirect and incidental.
- Although these "sub-premium" brands do have some presence in advertising (even television advertising that consumers may have seen), news coverage of these companies tends to be relegated to business news sections. Moreover, it is less likely that friends and family will be talking about their interaction with these companies, even when their jobs require it.
- It is entirely possible that some users may have interactions with these companies as part of their jobs, but such interactions will be narrowly defined and may well require specialized training or domain knowledge. Indeed, many of these "sub-premium" brands will be well-known primarily to folks who maintain "back office" systems (though the sheer longevity of some of these brands may translate to passing familiarity outside of back office positions).
In short, the population of users who would seem to be an appropriate, exploitable audience for phishing emails that spoof such "sub-premium" brands is much smaller than the exploitable audience for "premium" brands like Google, DocuSign, Apple, or FedEx.
So how well have the bad guys been tailoring their phishing campaigns to maximize their ROI from spoofing these "sub-premium" brands? From what we have seen in phishing emails reported to us by customers, the answer is (so far): not well at all.
Leaving It on the Table
To effectively spoof these "sub-premium" phishing brands in malicious email campaigns, the bad guys would almost certainly need to master the art of targeting the appropriate audiences for these brands. That entails at least two distinct tasks:
- Identifying organizations that actually do business with and rely on the services provided by these "sub-premium" brands. If a targeted organization doesn't use ZipRecruiter or Rackspace, there's little reason to expect that spoofing these companies in phishing campaigns would produce clicks.
- Identifying the appropriate user population within targeted organizations. Even if an organization did use ZipRecruiter or Rackspace, we would expect that only a small subset of employees within that organization would be familiar enough with those companies that they might unwittingly click through malicious links or attachments delivered in emails purporting to hail from those spoofed companies.
"Spray and pray" phishing campaigns that spoof Google and Apple can succeed because a large percentage of targeted users will have interacted with those companies daily. Not so with companies like Blockchain or Square.
Moreover, there are good incentives to target potentially vulnerable organizations and employees. An employee who does, for example, deal with Stripe on a daily basis is very likely to have access to other sensitive and potentially lucrative financial accounts within the company.
Similarly, an employee who regularly interacts with Rackspace can be assumed to have access to a whole range of network accounts and devices that could be leveraged for fraudulent ends.
Surprisingly, however, in our review of phishing emails spoofing this dozen or so "sub-premium" brands over the past few months, the bad guys do not seem to have become very proficient at threading this particular needle -- putting these spoofed emails in the right inboxes at the right organizations.
The majority of the emails we reviewed that spoofed the "sub-premium" brands listed above exhibited little if any evidence of having been targeted at all. Some emails did reach the inboxes of specifically named individuals (as opposed to general departmental or group inboxes), but those individuals were not in roles that would likely see them interacting with the companies being spoofed.
We also observed plenty of malicious emails that were sent to email addresses likely scraped off the targeted organization's web site.
We even encountered malicious emails that appeared to be mass-mailed to lists of bcc'ed recipients.
To be sure we also saw the occasional phish that did appear to be sent to an appropriate and potentially responsive inbox.
Even in these cases, however, the email addresses used were likely obtained off publicly facing web pages for the organizations targeted.
The most successfully targeted emails that we observed involved phishes spoofing brands in the job search and recruiting industry.
As with the other emails just discussed, however, the bad guys simply scraped email addresses off the targeted organizations' web sites.
To summarize, some of the spoofed emails we received from customers did indeed manage to target appropriate audiences, but those emails were definitely in the minority of the emails we reviewed. Moreover, the level or quality of targeting was based on the simplest of information (scraped email addresses).
It is certainly possible that there are malicious actors out there who are prosecuting sophisticated spear phishing campaigns based on quality intelligence that allows them to reliably target specific individuals known to be interacting with these "sub-premium" spoofed brands. That intelligence might be the product of previous phishing campaigns that gave those malicious actors access to the email accounts of others within those targeted organizations or the spoofed companies themselves -- accounts that could contain a wealth of organizational data. Such intelligence might also simply have been purchased in the form of commercially available lists and databases.
As we noted above, these "sub-premium" phishing brands do seem ripe for highly targeted phishing campaigns. If the malicious actors behind the campaigns we observed were not particularly savvy in developing quality intelligence and then using it to compromise well-placed, vulnerable employees within targeted organizations, we take that as evidence that those particular bad guys are still in the process of learning how to successfully prosecute these types of phishing campaigns.
What You Can Do
We have no reason to believe that the bad guys will stop exploiting the "sub-premium" phishing brands discussed here. If anything, we anticipate that malicious actors will not only grow more sophisticated in crafting effective phishing campaigns based on spoofing these brands, but we expect that they will further expand their menu of "sub-premium" phishing brands, allowing them to target a wider population of employees within vulnerable organizations. In other words, this could well be an emerging growth area for malicious actors interested in phishing their way to ill-gotten riches.
So what can concerned organizations do? For starters, you should review your organization's vulnerability to these types of phishing campaigns. That means at the very least getting a handle on which email addresses and which employees within your organization may already be publicly exposed and, as a result, ripe for targeting by the bad guys.
Similarly, it would also be useful to review the outside companies your organization relies on for its business operations, which employees within your organization are responsible for managing those relationships, and what intelligence about those relationships might be publicly visible to malicious actors. The same holds true for the back office systems and services that underpin your organization's day-to-day operations.
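One way to turn the two reviews above into a routine check is to keep a roster of which internal mailboxes actually manage each "sub-premium" vendor relationship and flag inbound mail that invokes one of those brands in any other inbox, or with no visible recipients at all. This is an added example, not KnowBe4 code or any product feature; the roster, the public-address list and the sample messages are constructed, and the brand-matching is a simple substring check on the display name, sender address and subject.

```python
import re
from dataclasses import dataclass, field

# Constructed roster (assumption): the internal mailboxes that actually manage
# each "sub-premium" vendor relationship. Any other recipient is a mismatch.
VENDOR_OWNERS = {
    "rackspace": {"itops@example.com"},
    "stripe": {"ap@example.com", "finance-lead@example.com"},
    "ziprecruiter": {"hr@example.com"},
    "godaddy": {"itops@example.com", "webmaster@example.com"},
}
# Constructed set of addresses published on the organisation's own web site.
PUBLIC_ADDRESSES = {"info@example.com", "hr@example.com", "webmaster@example.com"}

@dataclass
class Message:
    sender: str
    display_name: str
    subject: str
    recipients: list = field(default_factory=list)  # visible To/Cc; [] = bcc-only

def brands_mentioned(msg):
    """Vendor brands named in the From display name, sender address or subject."""
    text = f"{msg.display_name} {msg.sender} {msg.subject}".lower()
    return {b for b in VENDOR_OWNERS if re.search(rf"\b{re.escape(b)}\b", text)}

def assess(msg):
    """Return (verdict, reasons): 'none' if no vendor brand is invoked,
    'targeted' if every visible recipient manages that vendor,
    'mistargeted' if a recipient has no relationship with it or none is visible."""
    brands = brands_mentioned(msg)
    if not brands:
        return "none", []
    rcpts = [r.lower() for r in msg.recipients]
    problems = []
    if not rcpts:
        problems.append("no visible recipients (bcc-style mass mailing)")
    for brand in sorted(brands):
        problems += [f"{r} does not manage the {brand} relationship"
                     for r in rcpts if r not in VENDOR_OWNERS[brand]]
    notes = list(problems)
    if rcpts and all(r in PUBLIC_ADDRESSES for r in rcpts):
        notes.append("every recipient is a publicly listed address (likely scraped)")
    return ("mistargeted" if problems else "targeted"), notes

# Constructed sample traffic mirroring the patterns described in the post.
SAMPLES = [
    Message("billing@stripe-alerts.example", "Stripe", "Payout on hold", ["reception@example.com"]),
    Message("noreply@rackspace-support.example", "Rackspace Support", "Ticket update", []),
    Message("jobs@ziprecruiter-mail.example", "ZipRecruiter", "New applicant", ["hr@example.com"]),
    Message("alerts@example.org", "IT Helpdesk", "Password expiry", ["info@example.com"]),
]

def triage(messages=SAMPLES):
    return [(m.subject, *assess(m)) for m in messages]
```

A "targeted" verdict is not a clean bill of health; it marks the small set of inboxes where a brand-spoofing phish would actually be credible, which is exactly where awareness training effort should concentrate.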
Finally, your employees need to be stepped through new-school security awareness training. Many of your employees may already have an inkling that a spoofed Google security alert could in fact be a dangerous credentials phish. But they also need to recognize when the bad guys shift gears and begin spoofing companies like Square, Rackspace, Stripe, and ZipRecruiter -- companies some of your employees deal with on a daily basis and have learned to trust.