Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!

Also known as: the organization most impersonated by attackers in phishing campaigns in 2021.

Despite the shiny crop of newcomers to the Top 64 impersonated organizations (which included Notion.so, Binance, and grocery stores from Costco to Kwik Shop), our March Hackness “Final Four” ended up mirroring the 2022’s NCAA Men’s Final Four: with the blue blood brands, that is.

That’s right, folks: on the heels of passing enduring the second year of the COVID-19 pandemic, the World Health Organization beat out Amazon, Microsoft and T-Mobile to become the back-to-back winner of Area 1’s “ophishal” March Hackness title!

From Jan. 2021 to Jan. 2022, a whopping 15% (over 8.5 million) of the 56 million brand phishing emails blocked by Area 1 impersonated the WHO.

This timeframe (not coincidentally) matches the WHO remaining top of mind for global businesses closely monitoring the rollout of new vaccines and booster shots, as well as the rise of the Delta and Omicron variants.

The pandemic also influenced brand phishing in other ways. The “blue blood” of online retail and the cloud — and our March Hackness runner-up — Amazon, was impersonated in over 3.2 million phishing emails blocked by Area 1.

The focus of Amazon scams vary. However, as Area 1’s principal threat researcher, Juliette Cash, explains, common ones include phishing emails claiming that accounts have been ‘placed on hold,’ payments have been declined or that Prime memberships have ‘expired.’

These types of attacks utilize Amazon branding to impersonate official emails and entice victims to click links to update their credit card information. Once the link is clicked, the user’s browser will upload malicious content and direct them to verify their identity and input their payment details.

While these messages can be sent at any time, we’ve found that they are commonly tied to events, such as Amazon Prime Day, that trigger individuals to take action in fear of missing out.

By the way, although Amazon vs. the WHO isn’t exactly the epic and storied rivalry of Duke vs. UNC, Amazon has been in our list of top 64 most impersonated brands ever since March Hackness’ inception … so, we’ll count this matchup as an important piece of cybersecurity history!

Now, we have no idea what it’s like pretending to be a Blue Devil or Tar Heel (or Jayhawk or Wildcat) for a basketball season, but we do know some things about bad actors’ impersonation tactics.

Identity deception using tactics like spoofing, domain impersonation and display name impersonation showcase the ease at which people can deceive the user through brand phishing to gain access to their goals.

In many cases, it’s as simple as a display name change. However, there are (of course) much more complex phishing techniques that will evade standard defenses.

For example, in this 2021 vaccine phishing campaign (which originally bypassed Microsoft Office 365’s native defenses before it was blocked by Area 1), attackers pretending to be the CDC:

• Used Display Name Spoofing to fake the visible FROM header

• Inserted an SMTP HELO command to spoof the Envelope From domain

• Chose to spoof a domain that did not have email authentication protocols configured and that no longer resolved to an IP address

• Compromised a legitimate host with a benign IP, and used it to launch their phishing attack

That’s what you call a playbook.

And speaking of Microsoft, it made our “Final Four” of most-phished brands for the fourth consecutive year.

Attackers not only frequently impersonate individual Microsoft tools, they also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication. (Just one example: this credential harvesting campaign specifically leveraged Microsoft SharePoint and Microsoft Planner).

The bottom line is this: Attackers know how to deliver brand phishing campaigns with techniques that evade native email defenses, email authentication and sender reputation tools (i.e., DMARC, SPF and DKIM).

But – they’re not particularly clever or unique about whom they impersonate. As you can see from our March Hackness findings, just 25 organizations were used in the majority (57%) of these phishing emails.

There are three main reasons brand phishing continues to reach many organizations’ inboxes, year after year:

• It’s easy for attackers to establish new phishing domains that exploit trusted infrastructure.

• It’s fast for attackers to set up DMARC, SPF and DKIM policies for new phishing domains to reach inboxes.

• People trust emails from known organizations, business partners and internal employee accounts – accounts that they won’t identify as compromised unless they have more [advanced email security](more advanced email security in place) in place.

You can learn more about what the common email authentication standards (SPF, DKIM and DMARC) can and cannot do when it comes to correctly verifying the origins of emails (and who they claim to be from), here.

But what does work better than email authentication for preventing these kinds of phishing attacks? Advanced detection techniques.

For example, Area 1’s preemptive technology uses massive-scale web crawling to reveal emergent campaign infrastructure. Our small pattern analytics also identify phishing attack infrastructure, patterns of attack formation and threats within datasets that help us spot cyber campaigns as they’re being built.

To see which brand phishing emails are landing in your organization’s inbox (whether it’s from one of the March Hackness ‘players,’ or one of the 800-plus other brands hackers spoof), request a free Phishing Risk Assessment here.

And, in the  meantime, we hope you all enjoy the last of 2022 March Madness. We know we at Area 1 will!

Area 1 Security’s Sixth Annual March Hackness: The Perfect Phishing Bracket is here!

Learn who made the list of the top brands that attackers use in phishing lures. This bracket is based on an analysis of more than 56 million phishing emails blocked by Area 1’s solution in the preceding 12 months since Feb 2022. Like with the real tournament, there are some surprising Cinderella-like newcomers, well-known MVPs, and 800-plus spoofed organizations in between — but overall, 77% of all phishing attacks exploited just the Top 64 brands in our bracket, below.

Well, it’s that time of the year when NCAA basketball fans find themselves bemoaning broken brackets** and pondering life’s biggest questions, such as:

• How did the Wildcat men and women both lose in the first rounds?

• Was Baylor’s exit scientific proof that all good things really must come to an end?

• DID ALL THAT JUST REALLY HAPPEN?!

• What if the referees didn’t [insert your adjectives of choice here]?

**A heartbroken RIP to my unsuccessful pick-to-win-it-all, Gonzaga. Goodbye, Bulldogs, we barely knew you.

Now, the Area 1 Security folks can only offer some unscientific opinions to the questions above. After all, our job is to prevent breaches, not prognosticate about bad perfectly fine officiating.

Which means that, unlike the “sometimes it’s just luck” nature of college basketball in March, we prefer to look at cold, hard data to answer threat trend questions.

And that brings us to — DRUM ROLL PLEASE — the introduction of our Sixth Annual March Hackness: The Perfect Phishing Bracket!

This is the time of year we conclusively answer: Which organizations do attackers impersonate most in phishing campaigns?

For 2022, our analysis is based on more than 56 million phishing emails that we intercepted from January 2021 – January 2022. And although attackers pretended to be over 800 different organizations, ultimately, just 64 organizations were the go-to lures in a whopping 77% of these brand phishing attempts:

Now, we’ll reveal soon who was MOST impersonated, but let’s break down our Top 64 (and other initial findings from the overall data), below.

As always, attackers continued to take advantage of the following two, basic concepts when it comes to brand phishing campaigns (which, PS: easily evade DMARC and other email authentication standards):

1) Which technologies do people use most?In Area 1’s first-ever March Hackness, we found hackers often exploited “traditional” banks and financial institutions, and loved to spoof the likes of AOL, Yahoo!, and Craigslist. But that was in 2016, when AOL’s AIM was still around (!!), before Facebook Marketplace launched as ‘the new’ Craigslist … and before something mysterious called Crypto.com rebranded the Staples Center.

Flash forward to today, and:

• In a sign of the times, and acknowledgement of how much ‘the Cloud’ is a part of all of our lives**, more than 22%** of brand phishing attacks exploited commonly cloud services, such as Amazon, Box, DocuSign, Google, Intuit, Microsoft and many others.

• But, it isn’t just well-entrenched cloud companies on the list: viral-because-of-TikTok Notion.so, the productivity tool that’s won over high schoolers and The Wall Street Journal, appeared for the first time in our Top 64!

• Hackers are seeing dollar signs in cryptocurrency: Binance is a March Hackness newcomer (perhaps the Saint Peter’s of surprising suspect emails??!) this year. And although they didn’t crack the Top 64, Coinbase, Metamask, Kraken, Gemini and multiple crypto exchanges were also spoofed in thousands of phishing emails.

• By the way, Bitcoin, which doesn’t technically qualify as an organization for our bracket, still deserves its own special shot-out: hackers referenced Bitcoin in over 600,000 phishing emails last year. Actually, let’s just assume now that the crypto phishing trend has only one direction to go.

2) Which brands do people trust?Attackers know users are more inclined to open and click messages from organizations that they interact with, whether it’s for information, work or play.

In addition to leveraging the hybrid/remote workforce trend to phish users using popular cloud services, attackers also pretended to be:

• Healthcare & Social Services: With the Covid pandemic lingering on yet another year, the World Health Organization (last year’s “ophishal champion”) and Humana both reappear in the top 64. Area 1 also blocked thousands of phishing emails pretending to be from organizations like UNICEF and the Centers for Medicare & Medicaid Services … proving that hackers are more than willing to exploit society’s most vulnerable.

• Grocery Stores/Food & Beverage Retailers: Like 70% of U.S. households last year, my family did a LOT of online grocery shopping. In fact, over half of all shoppers (51%) started online grocery shopping after the pandemic began — and our data shows bad actors have also been happy to jump onto this bandwagon shopping cart. Area 1 intercepted millions of phishing emails spoofing grocers of all sizes, across all regions: from Fred Meyer to Amazon Fresh, to Kwik Shop to Costco, and many, many more.  [Insert bad pun about ordering ‘fish’, not ‘phish,’ here].

We’ll reveal the March Hackness champion — the No. 1 brand used for phishing (the organization used in a whopping 15% of the overall attacks) — soon!

And, in the meantime, you might be wondering: “Why should I care? My organization has email authentication and other tools to block emails from fake senders!”

Well (unless you’re using Area 1), chances are good that brand phishing is still fouling up your organization’s inboxes.

Email authentication standards (i.e., SPF, DKIM and DMARC) can serve useful security functions such as validating server and tenant origins, protecting message integrity, and providing policy enforcement.

However, email authentication is largely ineffective against brand phishing (especially when in the form of payload-less Business Email Compromise).

We’ll dive deeper into the reasons why, after we unveil the winner of the 2022 March Hackness: The Phishing Tournament. Stay tuned here.

PS: We can’t promise our findings will be less stressful than the NCAA championship game on April 4th. But, they should be more useful than wondering what “GO VOLS! GBO!” is like in real life.

AMERICA! WE HAVE A 2021 MARCH HACKNESS CHAMPION! (Granted, it’s a phishy title that no organization really wants to win).

A Cinderella story. The underdog. The New Kid on the Block is … the World Health Organization!

Although the WHO won’t want you to get fooled (with phishing) again, they are the undisputed March Hackness Champion of 2021!

Truly, what a difference a year makes. The COVID-19 pandemic changed the world, including the world of Phishing and cyberattack lures. Our researchers identified over 2 million Phishing spoofs (out of more than 22 million) that specifically exploited the WHO brand between May 2020 to February 2021.

For example, in this phishing message from last year, the attacker lures victims by posing as the WHO, claiming to offer safety measures on how to stop the spread of the virus. We see Display Name Spoofing, where the true sender is actually this alansariornan[.]com domain.

In an attempt to add legitimacy to the phishing example above:

• The attacker added the logo for the WHO in the body of their message. This is a common tactic, which Area 1 uses to help detect malicious messages (more specifically, our advanced computer vision algorithms and statistical models essentially train computers to interpret and understand digital images).

• The attacker also used a fairly sophisticated technique to avoid detection by abusing the legitimate service, Appspot.com, to host their phishing site. Appspot is a cloud computing platform for developing and hosting web apps in Google-managed data centers, so naturally, those domains are commonly whitelisted — and the corresponding links are not typically evaluated.

• Campaigns like this use well-designed login pages in an attempt to capture login credentials, which are then sent to a remote server controlled by the attacker.

Attackers cleverly and maliciously pivoted to exploit other COVID-19 trends, such as businesses sending more sales emails, consumers shopping online more, the real estate surge, and the growth of online news content consumption.

Aside from the likes of the WHO (#1), Moderna (#25) and CDC (#48), these companies (whether they like it or not!) also made our annual phishing bracket for the first time this year:

• #7 — Marketo

• #20 — Columbia Sportswear

• #24 — UPS

• #38 — CNN

• #50 — Zoom

• #51 — Adidas

• #53 — Nike

• #63 — Zillow

Much like in the real tournament, there were several upsets in the Phishing brackets as well. Former 2017 and 2019 March Hackness bracket champion, PayPal, didn’t even crack the Sweet 16 round this time.

With the world on edge in 2020, hackers took every advantage they could to find a way into organizations. Their weapon of choice is trust. Who wouldn’t want information from the WHO about a virus that is affecting every aspect of their lives? Hackers know this, so they use it.

And as I shared in our prior Not-so-Sweet 16 post, email authentication and sender reputation standards (such as SPF, DKIM and DMARC) aren’t enough to prevent phishing attacks from reaching inboxes.

Email authentication and sender reputation were designed to help brands deliver their email messages properly — not to help defend your organization from the most sophisticated phish.

In fact, our co-founder/CSO, Blake Darché, and our principal security researcher, Javier Castro, demonstrated through the creation of a real-time, DMARC-passing attack, just how fast and easy it is for attackers to get phishing emails into your inbox.

Remember, even when you deploy DMARC for your domain:

• It’s easy it is to establish a new phishing domain that exploits trusted infrastructure

• It’s fast to set up DMARC, SPF and DKIM policies for new phishing domains in order to reach inboxes

• You need to detect phish beyond email authentication via comprehensive message analysis, computer vision, domain registration checks, and other techniques beyond email authentication.

Here are some other key insights on the past year’s contenders:

• The Top 4 “seeds” were seen in over 6 million phishing attacks.

• The Top 10 accounted for over 56% of ALL spoof- and impersonation-based phishing attacks.

• Our 64-brand bracket included 15 different industries. The most well-represented were Technology and Financial Services/Banking.

• Attackers will use what is in the headlines to make attacks land. COVID-19 and a Presidential Election heavily influenced the attack patterns of phishing attacks in the U.S. last year.

Well America, I had a great time with you for the 2021 March Hackness tournament. Will our Cinderella return to the ball next year? You’ll have to join us again to find out!

Until next time… (Dick Vitale one last time)

GOODNIGHT BABY! WE’LL BE DANCING AGAIN NEXT YEAR!

Dick Vitale impression returning in:

3…

2…

1…

OH MY, WHAT A TOURNAMENT IT HAS BEEN! SOME STUNNING UPSETS! MILLIONS OF BRACKETS BUSTED! IT’S AWESOME (and sometimes awful), BABY!

Whew… Got that out of the way.

So, what have we learned from the first two rounds of the Annual March Hackness phishing tournament?

The COVID-19 pandemic has definitely played into what attackers are using in their business.

The proof? Cinderella runs thus far for some of our (not-so-Sweet) 16 of top-impersonated newcomers: the World Health Organization (which we’ve seen daily in the news); Target (whose online sales surged by $10 billion last year); and DocuSign (whose revenue exploded by nearly 50%, thanks to post-COVID remote business). Reminiscent of Marquette’s 2013 run, in my opinion!

That said, our major players of Microsoft and Google are still accounted for — they remain attackers’ favorite brands year after year. (Case in point: our security research team recently uncovered a highly sophisticated Microsoft 365 phishing campaign targeting financial departments and unsuspecting assistants and CEOs).

But … who honestly could have predicted PayPal getting knocked out in the first round? Our 2019 March Hackness Champion goes home early! Congratulations to them for being Most Improved (aka, less spoofed)!

Remember folks, in our phishing bracket, a first round knockout is actually a badge of honor!

Which brings us into the Not-So-Sweet 16. Can the WHO continue its historic run? Can Twitter upset the Duke-esque status of Microsoft? Will Facebook survive a matchup against Amazon? Only time will tell!

The Madness is setting in!

Let’s check back with Dicky V for analysis of the perfect phishing bracket:

• OH BABY! We’ve got quite a few Juggernaut matchups! Microsoft has that champion pedigree but Twitter is a strong contender!

• Facebook vs Amazon! That’s a championship matchup in its own right … expect a lot of fireworks there!

• I like Apple’s odds of making it to the finals!

• I think our Cinderella, the WHO, might be making it to the ball!

Tune in on April 5th to see who will be crowned our OPHISHAL Champion for 2021! IT’S AWESOME BABY!

By the way, in case you’re wondering: is email authentication (SPF, DKIM, DMARC) THE winning way to stop brand spoofing and impersonation-based phishing attacks from ever reaching inboxes?

The answer is: No. Over the past year, we’ve blocked 22 million of these types of phishing attacks — and while we know all three standards can help with preventing some forms of phishing, attackers can easily bypass email authentication.

The SPF, DKIM and DMARC standards are certainly useful for validating server and tenant origins, protecting message integrity and providing policy enforcement. However, security professionals should know that:

1. Anyone can set up emails that pass email authentication.

2. Email authentication does not inspect content.

3. Email authentication does not protect against look-alike domains.

4. Email authentication does not protect against compromised domains.

5. The vast majority of organizations and domains do not use email authentication.

6. Email authentication can be difficult to set up properly.

Below is a brief description of what each standard does, what types of threats it can protect against and what types of threats it cannot protect against.

Well America, it’s back! That glorious time of year that has everyone asking, “Is Gonzaga actually for real this time? Have we learned nothing?!” Yes that’s right, March Madness is back!

After a LONG and hard 2020, it’s beginning to look a little more normal these days. Nothing signals normal like the return of March Madness! We can finally have the thrill and gut punching heartbreak of busted brackets, 15-seed upsets, and those weird bragging rights of “I called that upset, I just didn’t put it down on my bracket…”

We at Area 1 have been doing our own Phishing brackets over the past five years. We took a hiatus in 2020 (as did the NCAA), so today, we proudly introduce the 5th Annual March Hackness: The Phishing Tournament.

In creating their Phishing campaigns, attackers take advantage of a simple idea - Trust. Nothing speaks to that more than the brands that everyone knows and loves and interacts with in their everyday lives or see in the headlines.

We’ve analyzed over 500 different organizations — across multiple divisions (aka industries) — that have been spoofed in more than 22 million Phishing messages over the past year. From there, we’ve identified the Top 64 companies whose brands have become the go-to lures for Phishing campaigns.

Although March Madness took last year off due to the COVID-19 pandemic, attackers sure didn’t. (Just see some proof here, and here, and here…)

And now…

(Prepares best Dick Vitale voice possible) …

WE’RE BACK AT IT  BABY! OH AMERICA, ARE YOU SERIOUS? IT’S AWESOME BABY!

Wow, that takes a ton of energy to pull off!

With Area 1’s March Hackness tournament, you’ll get to see who is the latest Cinderella story to come out of nowhere and disrupt the typical “Power 5” technology brands that typically dominate the Phishing world. (Here’s looking at you PayPal, our previous 2019 champion).

Let’s see what a difference a year makes in the world of Phishing.

I’m excited, you get excited!

EVERYONE ON THEIR FEET!

LET’S SEE THAT BRACKET BABY!

• We see some (unfortunate) new players in the space this year: themes around COVID-19 made a strong impact on our Top 64 bracket.

• For example, newcomers like the World Health Organization and Centers for Disease Control make appearances for the first time, as well as pharmaceutical sweethearts, Moderna.

• Our typical heavy hitters are still accounted for, like Microsoft, Google, Facebook, and PayPal. However, how well will they survive the tournament? Can they make it to the championship?

Tune in soon to find out who cuts down the nets to evade detection in this year’s tournament!