How to Combat This Scary New Phishing Technique
Thanks to innovations in email authentication, most notably the development of the DMARC (Domain-based Message Authentication, Reporting and Conformance) standard, companies are more empowered than ever before to protect their brands and their customers from phishing.
Unfortunately, cybercriminals are innovating as well, coming up with scary new tactics to ensure fraudulent email gets delivered to the inbox. The “brute force attack” is one of these new tactics.
What is a brute force attack?
Brute force attacks were originally developed to break into password-protected computers. Like dictionary attacks, in which fraudsters systematically try lists of likely passwords, brute force attacks try every possible letter and number combination until one gains access.
Return Path data revealed that cybercriminals are now using brute force attacks to send out spam and phishing messages from subdomains of well-known brands.
How brute force attacks work
Most companies have multiple domains from which they send email. Some may be ready for DMARC, some may not be.
For instance, let’s say your brand’s main sending domain, example.com, is ready for a DMARC reject policy. But your brand’s subdomain, sub.example.com, is not. It is possible for you to implement a DMARC reject policy for the main example.com sending domain without applying that same reject policy on your subdomain, sub.example.com.
At the technical level, you can do this with an “sp=” tag (the subdomain policy tag) set to "none", so that the main sending domain’s policy is not inherited at the subdomain level. (When the sp= tag is absent, subdomains inherit the main domain’s p= policy by default.) While this technique can help ensure that legitimate email traffic on subdomains is not blocked, it also leaves those subdomains vulnerable.
In recent months, we’ve seen fraudsters take full advantage of this vulnerability. They’re launching brute force attacks by creating random letter and number combinations of subdomains associated with the main sending domains of legitimate brands.
Through Return Path’s Email Fraud Protection platform, we can monitor any subdomain of a client’s main sending domain that has sending volume associated with it. For the victims of brute force attacks, we’ve seen thousands of subdomains emerge. Each of these subdomains usually sends only a few messages, but tallied together they can account for hundreds of thousands of phishing attacks.
Fraudsters use random letter and number combinations so that the untrained eye will trust the brand name within the subdomain and click on a malicious link or attachment. For example, if a fraudster was attacking the main sending domain of example.com, he or she would attempt to send the phishing email from 1.example.com, 2.example.com, a.example.com, b.example.com, and so forth.
How to fight brute force attacks
You now know what the brute force attack is capable of. What can you do to prevent it?
First, make sure all of your legitimate subdomains either have their own DMARC policy or inherit the main sending domain’s policy. If a lot of third-party senders (like salesforce.com or MailChimp) send email on behalf of your organization’s main sending domain and you are not ready to move it to reject, you can leave that domain in DMARC’s monitor mode (p=none) but add a subdomain policy tag of "reject" (sp=reject) to protect all of your subdomains. We’ll dive deeper into best practices for subdomain tags in an upcoming follow-up post.
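To make the effect of the sp= tag concrete, here is an added example (not code from the original post or from Return Path) that resolves which DMARC policy a receiver applies to a given sending domain. It assumes a constructed in-memory zone in place of real DNS lookups, and simplifies the organizational-domain lookup to the last two labels (real receivers consult the Public Suffix List).

```python
# Added example: resolve the effective DMARC policy for a sending domain,
# showing how "sp=" governs subdomains such as 1.example.com.
# The DNS zones below are constructed sample data, not real records.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; sp=none') into tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + record)
    return tags

def organizational_domain(domain: str) -> str:
    # Simplification (assumption): the last two labels form the org domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def effective_policy(from_domain: str, dns: dict) -> str:
    """Return the policy applied to mail whose From domain is `from_domain`.

    `dns` maps '_dmarc.<domain>' names to TXT strings (constructed zone).
    Lookup order follows RFC 7489: the exact domain's record wins; otherwise
    the organizational domain's record is used, where `sp` (if present)
    covers subdomains and `p` is inherited when `sp` is absent.
    """
    exact = dns.get("_dmarc." + from_domain.lower())
    if exact:
        return parse_dmarc(exact)["p"]
    org_record = dns.get("_dmarc." + organizational_domain(from_domain))
    if not org_record:
        return "none"  # no DMARC record at all: nothing is enforced
    tags = parse_dmarc(org_record)
    return tags.get("sp", tags["p"])

# Weak setup from the post: main domain at reject, subdomains opted out.
WEAK_ZONE = {"_dmarc.example.com": "v=DMARC1; p=reject; sp=none"}
# Hardened setup: main domain still monitoring, every subdomain rejected,
# except the one legitimate subdomain that publishes its own record.
HARDENED_ZONE = {"_dmarc.example.com": "v=DMARC1; p=none; sp=reject",
                 "_dmarc.sub.example.com": "v=DMARC1; p=none"}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        for d in ("example.com", "sub.example.com", "1.example.com"):
            print(f"{label:8} {d:18} -> {effective_policy(d, zone)}")
```

In the weak zone a forged 1.example.com message is merely monitored, while in the hardened zone it is rejected even though example.com itself is still at p=none.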
The bottom line is this: just because you’re monitoring and protecting your organization’s main sending domain does not mean your brand and customers are secure. Phishing attacks may be occurring on subdomains beyond your visibility. Vendors like Return Path can help you gain that visibility and fully protect your brand, your customers, and your business.
Want to learn more about the latest techniques fraudsters use to send phishing emails? Check out our Email Threat Intelligence Report.
About Amy Gorrell
Amy Gorrell is a Strategic Project Manager for Return Path's Email Fraud Protection team. Amy works with some of our top-tier clients to help eliminate the impact of email fraud. When she's not fighting cyber crime you can find her enjoying the many outdoor activities Colorado has to offer. You can connect with Amy on LinkedIn @Amy Gorrell or follow her on Twitter @amy_gorrell.