Stopping the W-2 Spear Phishing Scam
On March 1, 2016, data storage giant Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees had been compromised through a spear phishing email.
Unfortunately, Seagate is not alone. The same W-2 phishing attack compromised Snapchat just last week, and many other companies have fallen victim to similar spear phishing emails, with similar data breaches as the result. Last year, refund scam artists stole W-2 information on more than 330,000 people from the Internal Revenue Service website.
In this post, we’ll examine how your company can avoid a similar fate by revealing how W-2 scams work and how GreatHorn, Return Path’s newest partner, can help you fight them.
Why spear phishing is effective
What’s notable about spear phishing scams is that they exploit the weakest link in any security system: human beings.
Most employees, even executives, are responsive to requests from the C-suite—their natural inclination is to respond and be helpful. Unfortunately, it is relatively easy for an attacker to exploit this reaction.
There are four primary means of executing an impersonation attempt, and except for the most basic kind of attack, none of them can be detected by the email provider itself.
Let’s examine them in turn.
Example attack 1: “Pure” spoofing
The simplest type of attack is the “pure” spoofing attack. In this scenario, an attacker simply forges the mail headers (typically the From: line) so that the email appears to come from someone inside the organization’s own mail domain.
The screenshot below is an example of a “pure” spoofing attack. Note that the recipient’s Google Apps environment automatically adds the Google+ profile picture of the supposed sender, CEO Will Shorlin, even though he never sent this message.
Roy, the recipient, would likely never know this was not really from Will. With GreatHorn in place, however, this message can be detected as a fraud within seconds and automatically removed from Roy’s inbox, while the information security team is alerted to the attempt. GreatHorn’s analysis shows that this is a fake for a number of reasons:
Luckily, Google Apps does enforce the sender domain’s DMARC policy for email received in Gmail-hosted mailboxes. So in this example, if packagetrack.info had published a DMARC “reject” policy, the fraudulent message would have been rejected. Without a “reject” policy, though, the fraudulent message gets through. That’s where GreatHorn’s analysis comes in.
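To make the DMARC point concrete, here is an added example (not GreatHorn’s or Return Path’s code) that works out what a DMARC-enforcing receiver such as Gmail would do with a pure spoof. The two messages, their Authentication-Results headers and the DMARC records for packagetrack.info are constructed for illustration, and the record text is passed in directly instead of being fetched from DNS:

```python
"""What a DMARC-enforcing receiver would do with a "pure" spoof.

Added example, not GreatHorn's or Return Path's code. The two messages, their
Authentication-Results headers and the DMARC records are constructed; no DNS
lookup is performed, the record text is passed in directly.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed DMARC TXT records the target domain might publish.
DMARC_RECORDS = {
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@packagetrack.info",
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@packagetrack.info",
    "missing": None,
}

# Constructed spoof: From: claims the CEO's domain, but SPF only passed for the
# attacker's envelope domain and there is no DKIM signature at all.
SPOOFED_MESSAGE = """\
From: Will Shorlin <will.shorlin@packagetrack.info>
To: Roy <roy@packagetrack.info>
Subject: W-2 forms needed today
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.attacker.example;
 dkim=none

Roy, please send me the 2015 W-2s for all employees as a PDF today.
"""

# Constructed legitimate message: DKIM-signed by the From: domain itself.
LEGITIMATE_MESSAGE = """\
From: Will Shorlin <will.shorlin@packagetrack.info>
To: Roy <roy@packagetrack.info>
Subject: Board meeting agenda
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=packagetrack.info;
 dkim=pass header.d=packagetrack.info

Roy, the agenda for Thursday is attached.
"""


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is absent or invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def parse_auth_results(header):
    """Map each method in an Authentication-Results header to its result and properties."""
    results = {}
    clauses = header.replace("\r", " ").replace("\n", " ").split(";")
    for clause in clauses[1:]:              # clauses[0] is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def org_domain(domain):
    """Crude organizational domain (last two labels); real DMARC uses the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_disposition(raw_message, dmarc_record):
    """Return (aligned, disposition); disposition is reject, quarantine, deliver or no-policy."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = org_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    # DMARC passes when SPF or DKIM passes *and* the authenticated domain aligns with From:.
    spf_aligned = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == from_domain
    dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == from_domain
    aligned = spf_aligned or dkim_aligned
    tags = parse_dmarc(dmarc_record)
    if tags is None:
        return aligned, "no-policy"         # the receiver has nothing to enforce
    if aligned:
        return aligned, "deliver"
    requested = tags.get("p", "none").lower()
    return aligned, requested if requested in ("reject", "quarantine") else "deliver"


if __name__ == "__main__":
    for name, record in DMARC_RECORDS.items():
        print(f"policy={name:8s} spoof -> {dmarc_disposition(SPOOFED_MESSAGE, record)}")
    print("legitimate ->", dmarc_disposition(LEGITIMATE_MESSAGE, DMARC_RECORDS["reject"]))
```

With p=reject the spoof is refused outright and with p=quarantine it lands in spam; with p=none, or with no record at all, a message that fails alignment is delivered normally, which is exactly the gap the post describes. The org_domain helper only keeps the last two labels; a production check would consult the public suffix list.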
Example attack 2: Homograph domains
A more sophisticated attack is the “homograph domain” attack. In this variant, an attacker registers a domain that looks visually similar to their target’s domain, and even sets up SPF, DKIM, and DMARC to ensure that messages from that domain are deliverable.
The attacker registers a domain name designed to fool the target. Often this is a manipulation of the top-level domain; .com and .cm are commonly substituted, for example.
In combination with an identical “sender”—note the example below, where email@example.com is being impersonated by firstname.lastname@example.org—most users won’t notice the change, especially if they are using a mobile device, which reveals only the display name “Will Shorlin”.
With GreatHorn in place, however, organizations don’t need to rely on eagle-eyed users to catch these kinds of attacks. Here, the platform can identify the “look-alike” domain automatically, in addition to the duplicated sender address, and then take automated action such as deleting or quarantining the email before it leads to a breach:
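As an added example (not part of the post and not GreatHorn’s product code), the following script classifies a sender domain as legitimate, look-alike or unrelated against a list of domains the organization owns. The LEGITIMATE_DOMAINS set, the Cyrillic mapping and the sample senders are constructed. It goes a little beyond the .com/.cm case in the text: it also catches one-character typos, rn/m style confusables and Cyrillic or punycode homographs:

```python
"""Detect look-alike ("homograph") sender domains.

Added example, not GreatHorn's code. LEGITIMATE_DOMAINS and every sample sender
are constructed. Besides the .com/.cm swap it catches one-character typos,
rn/m-style confusables and Cyrillic/IDNA homographs.
"""
import unicodedata
from email.utils import parseaddr

LEGITIMATE_DOMAINS = {"packagetrack.info", "packagetrack.com"}   # constructed

# Cyrillic letters that render like Latin ones, mapped to their Latin twins.
CYRILLIC_LOOKALIKES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")
# Multi-character sequences that read as one glyph in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Reduce a domain to what the eye sees: decode punycode, strip accents, fold confusables."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> Unicode
    except UnicodeError:
        pass                                           # already Unicode, or not valid IDNA
    domain = domain.lower().translate(CYRILLIC_LOOKALIKES)
    domain = "".join(c for c in unicodedata.normalize("NFKD", domain) if not unicodedata.combining(c))
    for pair, single in CONFUSABLE_PAIRS:
        domain = domain.replace(pair, single)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, legitimate=LEGITIMATE_DOMAINS):
    """Return 'legitimate', 'look-alike' or 'unrelated' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in legitimate or any(domain.endswith("." + good) for good in legitimate):
        return "legitimate"                            # own domain or a subdomain of it
    sk = skeleton(domain)
    for good in legitimate:
        gsk = skeleton(good)
        if sk == gsk:
            return "look-alike"                        # homograph / confusable substitution
        if sk.partition(".")[0] == gsk.partition(".")[0]:
            return "look-alike"                        # same name, swapped TLD (.com -> .cm)
        if edit_distance(sk, gsk) <= 1:
            return "look-alike"                        # one typo away
    return "unrelated"


def analyze_from_header(raw_from, legitimate=LEGITIMATE_DOMAINS):
    """Split a From: header and classify its domain; the display name is kept for later checks."""
    display_name, address = parseaddr(raw_from)
    domain = address.rpartition("@")[2]
    return {"display_name": display_name, "address": address,
            "verdict": classify_sender_domain(domain, legitimate)}


if __name__ == "__main__":
    for sample in ("Will Shorlin <will.shorlin@packagetrack.info>",       # genuine
                   "Will Shorlin <will.shorlin@packagetrack.cm>",         # TLD swap
                   "Will Shorlin <will.shorlin@packagetr\u0430ck.info>",  # Cyrillic 'a'
                   "Will Shorlin <will.shorlin@packagetrack.info.attacker.example>"):
        print(analyze_from_header(sample))
```

The skeleton comparison is deliberately lossy: both the suspect domain and the legitimate one are reduced the same way, so a match means “a person would read these as the same name”, which is the signal a gateway relying on exact string matching or blacklists never sees.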
Example attack 3: User name and private email spoofing
A third way that organizations get breached is through impersonation that doesn’t rely on a spoofed or look-alike domain, but rather, impersonation of the sender as an individual.
We most often see this kind of attack when an organization has a large number of domains and brands under management and a large employee base. The attack begins with an email that mimics the “friendly” display name—“Will Shorlin” in this example—of an executive, and comes from a domain that looks familiar even if not identical to the recipient’s domain:
Unless the recipient knows every domain that their company uses, this can often be a highly effective attack mechanism. Likewise, we’ve seen attacks in the wild that use private email addresses (@gmail.com, for example) to mimic executive names and generate this type of attack.
Gateways and filter-based security tools can’t detect this as a potential attack—no spoofing is occurring, and the sender domain is likely not on any blacklist. However, GreatHorn’s combination of Keyword Detection, Display Name Impersonation Detection, and Sender Address Analysis can automatically find and remove even these highly sophisticated attacks:
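An added example, not GreatHorn’s implementation of the three features just named, showing how display-name impersonation detection, sender address analysis and keyword detection can be combined into a single score for a message. The executive directory, free-mail domain list, keyword list, weights and both sample messages are constructed:

```python
"""Score a message for executive display-name impersonation plus W-2 keywords.

Added example, not GreatHorn's implementation. The executive directory,
free-mail list, keyword list, weights and both sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory: executive display name -> addresses they really send from.
EXECUTIVES = {"Will Shorlin": {"will.shorlin@packagetrack.info", "wshorlin@packagetrack.com"}}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
W2_KEYWORDS = ("w-2", "tax form", "payroll", "wire transfer", "urgent")
WEIGHTS = {"impersonation": 3, "keywords": 2, "freemail": 1, "reply_to": 1}

# Constructed attack: the CEO's name on a free webmail address, asking for W-2s.
ATTACK_MESSAGE = """\
From: Will Shorlin <will.shorlin.ceo@gmail.com>
To: Roy <roy@packagetrack.info>
Subject: Urgent: 2015 W-2 forms

Roy, I need the W-2 tax forms for all employees as a single PDF before noon.
"""

# Constructed genuine message from the CEO's real address.
GENUINE_MESSAGE = """\
From: Will Shorlin <will.shorlin@packagetrack.info>
To: Roy <roy@packagetrack.info>
Subject: Board meeting agenda

Roy, the agenda for Thursday is attached. Thanks.
"""


def normalize_name(name):
    """Fold case, punctuation and word order so 'Shorlin, Will' matches 'Will Shorlin'."""
    words = re.sub(r"[^a-z\s]", " ", name.lower()).split()
    return " ".join(sorted(words))


def score_message(raw_message, executives=EXECUTIVES):
    """Return the findings, a numeric score and the action to take for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    address = address.lower()
    domain = address.rpartition("@")[2]
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1].lower()
    directory = {normalize_name(n): {a.lower() for a in addrs} for n, addrs in executives.items()}

    findings = {}
    known_addresses = directory.get(normalize_name(display_name))
    # Display Name Impersonation: a known executive's name from an address they never use.
    if known_addresses is not None and address not in known_addresses:
        findings["impersonation"] = f"display name '{display_name}' is an executive but {address} is not their address"
        # Sender Address Analysis: executives do not send company mail from free webmail.
        if domain in FREEMAIL_DOMAINS:
            findings["freemail"] = f"sender domain {domain} is a free webmail provider"
    if reply_to and reply_to != address:
        findings["reply_to"] = f"Reply-To {reply_to} differs from From"
    # Keyword Detection over subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in W2_KEYWORDS if k in text]
    if hits:
        findings["keywords"] = "sensitive keywords: " + ", ".join(hits)

    score = sum(WEIGHTS[k] for k in findings)
    action = "quarantine" if score >= 5 else "flag" if score >= 3 else "deliver"
    return {"score": score, "action": action, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("attack", ATTACK_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, score_message(sample))
```

The decisive check is the directory lookup: the display name “Will Shorlin” is only a problem when it arrives from an address the real Will Shorlin does not use, which is why no spoofing or blacklist signal is needed. Free-mail domains and W-2 vocabulary raise the score; the thresholds of 3 (flag) and 5 (quarantine) are arbitrary and would be tuned against real traffic.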
Preventing W-2 scam attacks
Since the nature of these attacks extends beyond what can be addressed by the email providers themselves, the only effective means of defense lies in a purpose-built spear phishing solution.
Roughly one in five (18 percent) of the threats we identify today use one of the four attack mechanisms described above. CISOs have a decision to make: wait to be breached, or get proactive. Yesterday's solutions (email gateways, employee training, and so on) simply can't address these new kinds of attacks.
About Kevin O'Brien
Kevin O'Brien is the CEO and co-founder of GreatHorn, Inc. He has 16 years of experience in the security industry and has served in various sales, marketing, and operational roles throughout his career, helping companies from pre-revenue to product-market fit and rapid growth. GreatHorn is the sixth early-stage company he has been part of, and he is a regular author and speaker on security and its role in the digital economy. Kevin holds a BA in philosophy from the University of Massachusetts Amherst.