APWG eCrime2014: Unifying the Global Response to Cybercrime

Evaluating Phishing Attacks: DMARC and non-DMARC Intelligence

Robert Holmes, Return Path (13 slides)

Posted on 05-Dec-2014
TRANSCRIPT

Page 1: APWG eCrime2014

Unifying the Global Response to Cybercrime

Evaluating Phishing Attacks: DMARC and non-DMARC Intelligence

Robert Holmes, Return Path

Page 2

“From” [email protected]

“From” [email protected]

Page 3: What is DMARC?

• Domain-owner announces policy in the DNS
• Receivers check:
  • SPF passes AND SPF domain is aligned with RFC5322.From domain (in strict or relaxed mode, as specified in the policy)
  • DKIM passes AND DKIM domain is aligned with RFC5322.From domain (in strict or relaxed mode, as specified in the policy)
• Email failing both conditions has policy applied
• Receivers send reports to domain-owners

IETF draft
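The receiver-side logic on this slide, written out as an added example (my code, not from the deck or from Return Path): it parses a DMARC TXT record, applies strict or relaxed identifier alignment as the draft (later RFC 7489) defines it, and returns the disposition a receiver would apply when both the SPF and DKIM checks fail. The public-suffix table, the domain names and the authentication results are constructed for the demo; a real evaluator would use the Public Suffix List and the results of actual SPF and DKIM verification.

```python
# Added example, not code from the deck: a minimal DMARC evaluator that
# implements the receiver checks listed on this slide. Alignment follows the
# IETF draft (later RFC 7489): strict = exact domain match, relaxed = same
# organizational domain. The public-suffix table is a constructed stand-in
# for the real Public Suffix List, sufficient for the sample domains here.

# Constructed stand-in for the Public Suffix List (assumption for the demo).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "example"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: the longest public suffix plus one label,
    e.g. mail.bank.co.uk -> bank.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment of an authenticated domain with RFC5322.From.
    mode 's' (strict) needs an exact match; 'r' (relaxed) accepts any two
    names that share an organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record, applying the
    draft's defaults for alignment mode (relaxed) and pct."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    return tags


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_results: list) -> dict:
    """Apply the two checks from the slide and derive the disposition.

    spf_domain is the RFC5321.MailFrom domain SPF was evaluated against;
    dkim_results is a list of (result, d= domain) pairs, one per signature.
    DMARC passes if either check passes; otherwise the record's p= applies.
    """
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = any(result == "pass" and is_aligned(d, from_domain, record["adkim"])
                  for result, d in dkim_results)
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else record["p"],
    }


if __name__ == "__main__":
    # Constructed sample: the brand publishes p=reject; the mail passes SPF,
    # but only for the sender's own bounce domain, so it is not aligned.
    record = parse_dmarc_record("v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@bank.example")
    print(evaluate_dmarc(record, "bank.example", "pass", "bulkmailer.example",
                         [("none", "")]))
```

The point the slide makes shows up in the last case: SPF and DKIM can both "pass" for a message and DMARC still fails, because the passing identifiers belong to a domain that is not aligned with the visible From. That is exactly the gap a p=reject policy closes, and why the later slides treat "domain-based" (exact-domain spoofing) attacks as the population DMARC addresses.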

Page 4: DMARC Adoption

• Receivers:
  • 85% US consumer mailboxes (MAGY)
  • 60% global consumer mailboxes
  • Email security filters
• Senders:
  • 80,000 sending domains (source: Gmail)
  • 1,575 of top 10,000 sending domains (source: Return Path)

Page 5: What Percentage of Attacks are Domain-based?

• DMARC.org
• OTA
• Anecdotes
• Data analysis

Page 6: Seed & Source Data

• Seed list:
  • 11 large financial institutions
  • US & UK brands
  • Have not achieved DMARC “reject” policy
• Source data:
  • Trap, spam and complaint messages
  • > 300M messages per day

Page 7: Methodology

• Narrow search strategies to eliminate noise
• Data pulled from over 60 days
• False positives removed
• Collapsed by campaign…

Page 8: What Constitutes a Campaign?

• Header from | Subject | Date
• Header from | Subject
• Display name | Header from domain | Subject
• Header from domain | Subject
• Sending IP address | Subject

Page 9: Analysis Results

Campaign definition                          Count of campaigns   Domain-based campaigns
                                             (across 11 brands)   (average % across 11 brands)
Header from | Subject | Date                 10,823               26.66%
Header from | Subject                         8,347               25.46%
Display name | Header from domain | Subject   6,770               25.45%
Header from domain | Subject                  6,316               26.04%
Sending IP address | Subject                 12,124               30.18%
Average                                       8,876               26.76%

Page 10: Variability by Brand

Brand      Domain-based campaigns (Sending IP address | Subject)
Brand 1     1.06%
Brand 2     8.47%
Brand 3    76.53%
Brand 4     3.22%
Brand 5    27.81%
Brand 6    43.80%
Brand 7    18.21%
Brand 8    66.39%
Brand 9    38.46%
Brand 10    1.18%
Brand 11   46.90%
Average    30.18%
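The campaign-collapsing step from slides 7 and 8 and the two metrics reported on slides 9 and 10, as an added example (my code, not Return Path's analysis pipeline): messages attributed to a brand are grouped under each of the five key definitions, each group is one campaign, and the share of campaigns that are domain-based is computed per brand and averaged across brands. The brand list and the six messages are constructed sample data. "Domain-based" is taken here to mean the header-From domain is the brand's domain or a subdomain of it, i.e. what a DMARC policy would cover; that is my reading of the deck, which does not spell out its definition.

```python
# Added example, not code from the deck: collapse sample messages into
# campaigns under the five key definitions from slide 8, then compute the
# slide 9 metrics (campaign count, average % of domain-based campaigns across
# brands) and the slide 10 per-brand breakdown. All messages and brand domains
# are constructed. "Domain-based" here means the header-From domain is the
# brand's domain or a subdomain of it (what a DMARC policy would cover); that
# is an assumption about the deck's definition, not something it states.
from collections import defaultdict

# Constructed seed list: brand -> domain DMARC would protect.
BRANDS = {"Brand 1": "bank1.example", "Brand 2": "bank2.example"}

# The five campaign definitions from slide 8, as tuples of message fields.
CAMPAIGN_KEYS = {
    "Header from | Subject | Date": ("from_addr", "subject", "date"),
    "Header from | Subject": ("from_addr", "subject"),
    "Display name | Header from domain | Subject": ("display_name", "from_domain", "subject"),
    "Header from domain | Subject": ("from_domain", "subject"),
    "Sending IP address | Subject": ("sending_ip", "subject"),
}


def message(brand, from_addr, display_name, subject, date, sending_ip):
    """Build one normalised message record (header-From domain precomputed)."""
    return {"brand": brand, "from_addr": from_addr.lower(), "display_name": display_name,
            "subject": subject, "date": date, "sending_ip": sending_ip,
            "from_domain": from_addr.rsplit("@", 1)[-1].lower()}


# Constructed sample of messages already attributed to a brand by the
# search strategy (slide 7); false positives are assumed already removed.
SAMPLE_MESSAGES = [
    message("Brand 1", "alerts@bank1.example", "Bank1 Security", "Verify your account", "2014-10-01", "198.51.100.7"),
    message("Brand 1", "alerts@bank1.example", "Bank1 Security", "Verify your account", "2014-10-02", "198.51.100.7"),
    message("Brand 1", "alerts@bank1-secure.example", "Bank1 Security", "Verify your account", "2014-10-01", "198.51.100.7"),
    message("Brand 1", "no-reply@mailer.example", "Bank1", "Statement ready", "2014-10-03", "203.0.113.5"),
    message("Brand 2", "support@secure.bank2.example", "Bank2", "Unusual login", "2014-10-01", "203.0.113.9"),
    message("Brand 2", "support@bank2.example", "Bank2", "Unusual login", "2014-10-01", "203.0.113.9"),
]


def is_domain_based(msg, brand_domain):
    """True when the header-From domain is the brand domain or a subdomain of it."""
    d = msg["from_domain"]
    return d == brand_domain or d.endswith("." + brand_domain)


def collapse(messages, fields):
    """Group messages by the tuple of the given fields; each group is one campaign."""
    campaigns = defaultdict(list)
    for m in messages:
        campaigns[tuple(m[f] for f in fields)].append(m)
    return campaigns


def analyse(messages, brands, keys=CAMPAIGN_KEYS):
    """For each definition return (campaign count across brands,
    average % domain-based across brands, {brand: % domain-based})."""
    results = {}
    for name, fields in keys.items():
        total, per_brand = 0, {}
        for brand, domain in brands.items():
            campaigns = collapse([m for m in messages if m["brand"] == brand], fields)
            if not campaigns:
                continue
            total += len(campaigns)
            # A campaign counts as domain-based if any message in it spoofs the brand domain.
            based = sum(1 for msgs in campaigns.values()
                        if any(is_domain_based(m, domain) for m in msgs))
            per_brand[brand] = 100.0 * based / len(campaigns)
        average = sum(per_brand.values()) / len(per_brand) if per_brand else 0.0
        results[name] = (total, average, per_brand)
    return results


if __name__ == "__main__":
    for name, (count, average, per_brand) in analyse(SAMPLE_MESSAGES, BRANDS).items():
        print(f"{name:45} {count:3d} campaigns  {average:6.2f}% domain-based  {per_brand}")
```

Even on six messages the sample reproduces the deck's two observations: the campaign count and the domain-based share move with the key definition (the cousin-domain message and the exact-domain messages merge into one campaign under "Sending IP address | Subject" but stay separate under the From-based keys), and the per-brand share differs far more than the cross-brand average suggests. Note that the confidence caveats on slide 11 apply equally here: the percentage is an average of per-brand ratios, so it is sensitive to which brands are in the seed list.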

Page 11: Confidence Considerations

• Large but not comprehensive data set
• No reason for bias in source data towards/against domain-based threats
  • Domain-based threats more difficult to identify and report
• Brands analysed hadn’t achieved a reject policy
• False positives/negatives…?

Page 12: DMARC Conclusions

• DMARC will block 25-30% of campaigns (average)
  • Value of DMARC will vary greatly by brand
• We predict adoption will accelerate; domain-based attacks will decline
• DMARC won’t eliminate phishing, but it will push fraudsters to the margins
  • Reducing the credibility and therefore impact of attacks
  • Protecting brand mail streams

Page 13: Questions

• Is this analysis interesting?
• Is this analysis valuable?
• How could we improve the analysis?
• What other questions should we attempt to answer?