Barracuda: Brand Impersonation Top Spear-Phishing Tactic

Brand impersonation, in which attackers pretend to be from a trusted brand or company to gain confidential data from a targeted victim, is by far the most popular spear-phishing method used by cybercriminals.

That’s according to Barracuda‘s inaugural quarterly report, “Spear Phishing: Top Threats and Trends.” Barracuda researchers evaluated more than 360,000 spear-phishing emails in a three-month period, identifying and analyzing three major types of attacks: brand impersonation, business email compromise and blackmail.

Barracuda’s Asaf Cidon

Asaf Cidon, Barracuda Networks’ senior vice president of email protection products, tells us his company was “quite surprised” by the “very high” relative percentage of “sextortion” or blackmail attacks.

“These attacks only started appearing a couple of months ago, and now they are a significant fraction of targeted attacks,” he said. “We were also surprised by how common the usage of free personal email accounts (for example, Gmail) were for launching brand impersonation [and] business email compromise (BEC).”

Brand impersonation is being used in 83 percent of spear-phishing attacks, according to the report. Impersonating Microsoft is one of the more common techniques used by hackers trying to take over accounts.

Financial institutions are impersonated in nearly one in five attacks. Finance department employees are heavily targeted as they are most likely to deal with banks and other financial institutions.

Sextortion scams, a form of blackmail that makes up 10 percent of all spear-phishing attacks, continue to increase, while most subject lines on sextortion emails contain some form of security alert.

Employees are twice as likely to be the target of blackmail than business email compromise, according to the report. Attackers often include the victim’s email address or password in the subject line. In addition, subject lines on more than 70 percent of attack emails try to establish rapport or a sense of urgency, and many imply the topic has been previously discussed.

One in three business email compromise attacks is launched from Gmail accounts, and scammers use name-spoofing techniques, changing the display name on Gmail and other email accounts to make the email appear to come from a company employee. This tactic can be especially deceiving to those reading the email on a mobile device.

“The vast majority of ‘legacy’ email gateways do not effectively protect against any of these attacks, since they typically come from high reputation sources and sometimes do not contain any links or attachments (e.g., BEC or blackmail attacks),” Cidon said. “MSSPs face exactly the same challenges … in detecting attacks. In fact, for MSSPs the challenge is often even greater since they are expected to not only prevent these attacks, but to provide incident response and remediation for these attacks.”

Staying ahead of these types of attacks requires the right combination of technology and user training, so it’s critical to have a solution in place that detects and protects against spear-phishing attacks, he said.

“Sandboxing/virus scanning is ineffective in catching all of the attacks highlighted in the report,” Cidon said. “Also, filtering based on sender/domain/link reputation will be totally ineffective for stopping highly targeted social engineering attacks.”