
EXECUTIVE REPORT 2019 End of Year Email Phishing Report

Date post: 16-Jan-2022

2019 End of Year Email Phishing Report

INKY spots thousands of dangerous emails that slip through legacy email gateways.

EXECUTIVE REPORT

Executive Report: Phishing by the Numbers

Traditional email security products block plenty of phishing emails. But new research from anti-phishing startup INKY shows that hundreds, if not thousands, of potentially dangerous emails per company get through every year.

And it only takes one unsuspecting user clicking on one dangerous phish for an attacker to steal the credentials that will enable them to access the network and wreak havoc. Nearly one-third of all data breaches in 2018 involved phishing, according to Verizon’s 2019 Data Breach Investigations Report. The Ponemon Institute puts the average cost of a single data breach at $8.19 million in the US in 2019. The report points out that there’s a long-tail effect associated with data breaches, whereby lost revenue due to customers abandoning the brand continues to be felt years after the initial breach.

INKY, which uses AI, machine learning, and advanced visualization techniques to identify even the most well-disguised phish, sits behind the legacy email security gateways, acting as a last line of defense. From this vantage point, INKY provides real-world statistics on the number of bad emails that get through the defenses of the incumbent email security systems.

For example, in 2019, between July 1 and November 25, more than 500 suspicious emails evaded the Proofpoint defenses deployed by a major health care provider. Of course, just because a phishing email gets through, that doesn’t mean the end-user will click on a dangerous link. But the Verizon report indicates that 3% of end-users still click on fake links, and that number jumps to 18% when users are on their mobile device.

2019 | End of Year Phishing Report

Aggregating data from multiple customers who also use Proofpoint, INKY identified as potentially dangerous 0.3% of emails that were deemed safe by Proofpoint. That might not seem like a lot, but, again, we’re talking about more than 7,000 emails.

Similarly, a capital management company using Mimecast as its email security gateway had more than 6,000 potentially dangerous emails evade detection in the nine months between February and November. And, between March and November, INKY red-flagged 0.7% or nearly 1,000 phish emails for an insurance agency that uses Barracuda for its core email security.

To understand how legacy providers miss bad emails, we need to look at some of the new ways that phishers are changing their tactics to fool the end-user as well as the current crop of anti-phish defenses.

Legacy email security companies use a variety of simple methods to identify phish, such as checking domain names and querying blacklists of bad URLs or harmful attachments. Unfortunately, attackers have been able to identify the methods used by the traditional email security vendors and come up with tricky ways to evade them.

The more complex but effective approach INKY uses is to render the email’s HTML code in a cloud-based sandbox to see the full contents of the email, and to apply deep analysis to determine whether the content of the email is phishy.

In a spear phishing scenario, the attacker crafts a message that appears to come from a specific person, such as the CEO of the company or the IT manager. The next-generation approach is to use machine learning to develop a profile of the purported sender that includes factors like which email client the sender typically uses, what types of content they usually include in the body of an email, how often they make typos, etc. This enables an anti-phishing system to use anomaly detection in order to spot spear phishing attacks. Here are three examples of evolving phishing tactics and how to defend against them:


Evolving phish attacks and new countermeasures

1. Hidden Text and Zero Font Attacks

By setting the font size in an email to zero, attackers can hide text as a way of circumventing legacy email protection software.

For example, an attacker might want to create a phish that asks the end user to verify their Office 365 account information. If the end user clicks on the link, they end up at a fake site and when they enter their login credentials, the attacker steals that information.

The attacker wants to make the phish look real, so it needs to have an Office 365 logo. But the attacker also knows that the appearance of the Office 365 logo would trigger the email protection software to try to determine if the email originated from a known Microsoft domain, which, of course, the phish doesn’t. So, the attacker adds hidden text into the logo, which confuses the email protection software.

Another trick that hackers use is something called keyword stuffing. In this scenario, the hacker adds hidden text (white text on a white background) that contains keywords which make the email appear as a normal conversation between two people, rather than a transactional email that might be a brand forgery.

INKY is able to thwart these types of attacks by rendering the email exactly as the end user would see it. That means the Office 365 logo would be spotted and the email would be identified as a phish because it came from a non-Microsoft domain. In the keyword stuffing example, INKY is able to make the hidden HTML visible, and to use its computer vision technology to identify that the email is a phish.

2. Malicious Fake Attachments

Attackers have come up with a clever way to get around email security settings that block the display of remote images. They are now embedding local images into emails. If an end user sees an attachment that looks like a PDF file and clicks on it, they don’t open a PDF. They end up getting taken to a malicious site that then asks for their credentials. Thanks to its computer vision technology, INKY is able to scan the email and determine that the embedded elements are not legit.
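The zero-font and white-on-white text described under Hidden Text and Zero Font Attacks can be separated from what the reader actually sees with a small style-aware pass over the HTML. This is an added example, not INKY's code: it checks inline styles only, assumes a white background, and the sample message is constructed.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns treated as invisible to the reader. Simplification:
# only inline styles are inspected and the background is assumed to be white.
HIDING = [
    re.compile(r"font-size\s*:\s*0+(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)"),
    re.compile(r"display\s*:\s*none"),
    re.compile(r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b"),
]
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no end tag

class VisibilitySplitter(HTMLParser):
    """Collects text the reader sees separately from text hidden by styling."""
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").lower()
        inherited = self.stack[-1] if self.stack else False
        if tag not in VOID:  # children inherit the hidden state of the parent
            self.stack.append(inherited or any(p.search(style) for p in HIDING))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        hidden = bool(self.stack) and self.stack[-1]
        (self.hidden if hidden else self.visible).append(data)

def split_text(html):
    """Return (text as displayed, text present but hidden)."""
    parser = VisibilitySplitter()
    parser.feed(html)
    parser.close()
    squash = lambda s: re.sub(r"\s+", " ", s).strip()
    return squash("".join(parser.visible)), squash(" ".join(parser.hidden))

def naive_text(html):
    """What a filter sees if it strips tags and ignores styling."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()

# Constructed sample: zero-font filler inside the brand term, plus white-on-white
# conversational text of the kind the keyword stuffing paragraph describes.
SAMPLE = (
    '<p>Verify your Off<span style="font-size:0px">qzx</span>ice 3'
    '<span style="font-size:0">kjw</span>65 account</p>'
    '<div style="color:#ffffff">thanks for lunch yesterday</div>'
)
```

Running a brand or keyword check on the first value returned by `split_text`, and treating a non-empty second value as a signal in its own right, gives the check the same view of the message as the recipient.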

3. Confusable Text and Homograph Attacks

Attackers can hide domain names and other brand-indicative text from secure email gateways using confusable text. This is text that looks correct to the end user but confuses the secure email gateway. A common example is domain names: an attacker can register a new domain like amzon.com or amazon-storefront.com that is easily confused with a well-known brand term or which somehow embeds the brand term in a way that seems legitimate to end users.

The details vary widely: attackers may disguise text in domain names, subject lines, or in the email body. They might hide branding (“Amazon”) or sensitive content (“password”). They might insert a typo, add extra characters or words, or substitute Unicode homographs where Latin letters would normally appear. For example, the Cyrillic character А looks identical to a Latin capital A, but is actually a completely different Unicode character!

INKY is able to combat these tactics with a countermeasure called “approximate matching.” There is a mini-search engine built into INKY Phish Fence that scans domain names and all text in the email, looking for strings that are visually similar to a predetermined set of terms.
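One way to implement the kind of approximate matching described above for domain names, as an added example that is not INKY's algorithm: fold homoglyphs to a Latin skeleton, then compare each domain label to a protected term by edit distance. The brand table, the short homoglyph map, and the verdict names are assumptions made for illustration.

```python
import unicodedata

# Short illustrative Cyrillic-to-Latin map; a fuller list would follow the
# Unicode confusables data (UTS #39).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})
# Protected term -> domains allowed to use it (assumed for this example).
BRANDS = {"amazon": {"amazon.com"}}

def skeleton(text):
    """Lower-case, compatibility-normalize, and fold known homoglyphs."""
    return unicodedata.normalize("NFKC", text).lower().translate(HOMOGLYPHS)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(domain):
    """Return (verdict, brand) for a sender or link domain."""
    raw = domain.lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if raw in legit or any(raw.endswith("." + d) for d in legit):
            return ("legitimate", brand)
    skel = skeleton(raw)
    # Drop the last label (TLD) and split the rest on hyphens. Simplification:
    # multi-label public suffixes such as co.uk are not handled.
    parts = [p for label in skel.split(".")[:-1] for p in label.split("-")]
    for brand in BRANDS:
        if brand in parts:
            return ("homograph" if skel != raw else "embedded-brand", brand)
        if any(0 < edit_distance(p, brand) <= 1 for p in parts):
            return ("typo", brand)
    return ("no-match", None)
```

With the page's own examples, `check_domain("amzon.com")` returns a typo verdict, `check_domain("amazon-storefront.com")` an embedded-brand verdict, and a domain spelled with the Cyrillic А a homograph verdict.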

INKY vs. The Competition

Here are two specific examples of phishing attacks that Barracuda and Proofpoint missed.

A user with both Barracuda and INKY received this DocuSign impersonation from [email protected]. This domain was specifically created to send phishing emails since nicolettetorres.com is just a parked GoDaddy page.

inky.com

Barracuda uses a scoring system based on custom rules created by the company admin. In this instance, Barracuda quarantines emails in the 3-5 score range and any score above 5 gets blocked. Barracuda scored this phish at 2.6 and let it through.

However, INKY recognized all the red flags and delivered the email with this red banner warning the recipient that the email looks dangerous:

In the Proofpoint example, a hijacked account ([email protected]) sent a Microsoft brand impersonation to a user protected by both Proofpoint and INKY. The phish looks just like a real OneDrive notification. The phisher simply copied and pasted HTML/CSS from a real Microsoft email.


While Proofpoint let the email go through, INKY flagged the email as dangerous and delivered it with a red banner.

Brand impersonation was detected because INKY recognized that the logo and footer belong to Microsoft, but the email does not come from a Microsoft domain. This user also got a warning that this is the first message received from this sender.

An agile, next-generation approach

INKY not only counters the known tricks that attackers use; it is also constantly learning and getting better at stopping both known and unknown, zero-day attacks. INKY’s human developers are always on the lookout for new phish attacks, so they can develop countermeasures as quickly as possible. The machine learning systems are working in the background to improve the ability to spot attacks and to more accurately create sender profiles that are used to combat spear phishing. And when end users report phishing attempts, that data is used to adjust the Phish Fence algorithms in real time.

INKY even provides one final anti-phish safeguard whereby it can intercept all links in emails and actually go to the destination site and apply machine-learning-based analysis to determine if the site is fake. If INKY detects indications of forgery, it won’t allow the user to click through.

Finally, INKY integrates seamlessly with all of the major email security gateways, can be installed quickly, and provides that last line of defense against the types of phishing attacks that can lead to devastating security breaches.

What Makes INKY Different?

INKY provides the most comprehensive malware and email phishing protection available. To see INKY’s anti-phishing solution in action, request a demo. Let us show you what a difference it can make.

Unlike any other anti-phishing systems, INKY® Phish Fence uses proprietary technology and algorithms to “see” each email as the recipient would. Unlike a person, however, it can detect an email forgery and/or malicious or suspicious content. Once detected, it can redirect the email to a quarantine area or deliver it with disabled links and warnings.

Alerts are added to the email itself, which means they look the same on desktop or mobile. This is a significant difference from other systems, which display warnings in headers or with add-ins that may not render properly, or at all, in mobile applications.

A comprehensive dashboard allows admins to see the bigger picture and to drill down to specific attacks, individuals, and individual messages. A robust search allows for detailed reporting at the granular level.

INKY® Phish Fence sits on top of any email system, including Microsoft Office 365 and Google Suite.

It can be set up and ready to go in just a few hours.

INKY® Phish Fence scans every sent and delivered email automatically and flags malicious emails.

INKY® Phish Fence uses a proprietary blend of Machine Learning and Artificial Intelligence that blocks even the most sophisticated phishing attacks that get past other systems.

We’re passionate about email.

Ready to talk about an issue you’re facing in email security at your organization?

www.inky.com

