Nearly 21 billion emails appearing to come from well-known commercial senders did not actually come from their legitimate IP addresses—potentially indicating a large-scale phishing attack.
Return Path found during an analysis that emails attributed to a large group of global consumer brands sent between October 2014 and March 2015 were actually bogus; out of more than 235 billion messages examined during the six-month period, 9% of them were suspicious and potentially fraudulent, because their origin could not be authenticated by the leading anti-phishing standard, DMARC.
Suspicious message volumes, unsurprisingly, peaked during the holiday season, in December, when more than 6 billion of the 47 billion messages analyzed (13%) could not be authenticated. The proportion of suspicious mail attributed to these senders remained near 10% throughout the first quarter of 2015, reaching 11% in March.
Of the industry sectors represented by multiple companies in the group, financial services brands saw the highest proportions of suspicious messages: 11% of email that appeared to come from these brands was deemed suspicious. Retailers and airlines saw less than half that rate, with roughly 4% of messages appearing to come from them categorized as suspicious.
The compromise of mass commercial email is an attractive vector for criminals, as it falls into the “more bang for your buck” variety. A single account takeover offers access to millions of opt-in addresses—a perfect data set for sending hordes of legitimate-looking phishing missives.
For instance, in April, mass email provider SendGrid, which sends 14 billion messages per month, warned users that an attacker was able to compromise an employee’s account to access several of its internal systems, including servers that contained customers’ recipient email lists/addresses and customer contact information.
“We initially believed that this account takeover was an isolated incident and worked with our customer to help them recover control of their account and minimize the damage of the attack,” the company said in a public notice. But after further investigation, the campaign was shown to be more widespread.
“As more brands employ email fraud protection technology to detect and stop phishing attacks from reaching consumers, they are discovering massive volumes of messages that seem to come from their sending domains, but which actually come from cyber-criminals,” said Robert Holmes, Return Path’s general manager of Email Fraud Protection. “Authentication-based solutions like DMARC represent the best available approach to identify and block suspicious email. Brands that properly authenticate email sent from their domains are directing mailbox providers to reject millions of potentially fraudulent messages every day, making email safer for all users.”