Over the past 18 months there has been a phenomenal increase in the frequency of socially targeted email attacks.
The FBI recently reported that global losses related to these Business Email Compromise (BEC) scams experienced a 270% increase from January to August 2015. These kinds of attacks do real damage: the compromise of internal networks, the inappropriate disclosure of company IP or PII, and the incorrect transfer of funds from the company treasury, to name a few of the most common outcomes. Hundreds of millions of dollars have been stolen through these schemes, directly affecting corporate bottom lines.
In these sophisticated attacks, employees and/or business partners are targeted by emails that appear to come from a trusted company executive. The emails are meticulously designed, right down to corporate standard email signatures. Finally, they seem to originate from a legitimate corporate email server. These emails succeed because they combine three critical elements to create legitimacy:
(1) The apparent "sender" is known and trusted.
(2) The emails are sent to logical recipients.
(3) They originate from a seemingly trusted email domain.
Threat actors accomplish the first and second elements listed above through social engineering and executive masquerading. Social domains and social networks provide a treasure trove of personal and relationship data that is easily mined by the criminals. Accomplishing the third element is not so difficult, either. All the attackers need to do is create a “plausibly safe” email domain and activate the MX (Mail Exchange) record of the copycat domain.
The most effective attacks originate from a domain that is a close variant of a company’s actual email domain (instead of XYZ.com, they’ll register XYZ.biz or XYZ-finance.net). Cybersquatters register domains like these every day. To turn that cybersquatting domain into a spear phishing platform, a potential phisher activates the domain’s MX record.
An MX record is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. An active MX record allows a domain to communicate with other email domains to send and receive messages.
To put it another way, a rogue domain without an MX record is only a destination -- a bad destination, a destination that should be taken down. A rogue domain with an MX record represents danger on an entirely different scale - it becomes a potential attack launching platform.
To CISOs who are trying to protect their company from spear phishers, MX records can be thought of as an early warning system. When CISOs gain intelligence about rogue domains with MX records, they can take immediate steps to block any email to the enterprise that originates from these possibly dangerous domains, completely neutralizing these potential sources of targeted email attacks.
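One way to apply this early-warning idea, shown as an added example that is not BrandProtect's code: flag observed domains that resemble the protected one and sort them by MX status to build an inbound block list. The domain feed (assumed to hold registrable domains), the `resolve_mx` callback, the similarity threshold and the sample records are all assumptions made for illustration.

```python
from difflib import SequenceMatcher

def is_lookalike(candidate, protected, threshold=0.8):
    """True if candidate resembles protected (XYZ.biz or XYZ-finance.net vs XYZ.com)."""
    cand, prot = candidate.lower().rstrip("."), protected.lower().rstrip(".")
    if cand == prot or cand.endswith("." + prot):
        return False                      # the real domain or one of its subdomains
    brand, label = prot.split(".")[0], cand.split(".")[0]
    if label == brand or brand in label.split("-"):
        return True                       # TLD swap or hyphenated add-on
    # Near-miss spellings; the threshold is an assumed tuning value.
    return SequenceMatcher(None, label, brand).ratio() >= threshold

def mx_status(mx_records):
    """Classify a list of (preference, exchange) tuples for one domain."""
    if not mx_records:
        return "no-mx"
    if all(exchange.rstrip(".") == "" for _, exchange in mx_records):
        return "null-mx"                  # RFC 7505 "0 ." means no mail is accepted
    return "active-mx"

def triage(protected, observed, resolve_mx):
    """Map each lookalike in `observed` to its MX status."""
    return {d: mx_status(resolve_mx(d)) for d in observed if is_lookalike(d, protected)}

def block_list(report):
    """Lookalike domains with an active MX record, for the inbound mail filter."""
    return sorted(d for d, status in report.items() if status == "active-mx")

# Constructed sample data standing in for live DNS answers (not real lookups).
SAMPLE_MX = {
    "xyz.biz": [(10, "mail.xyz.biz.")],
    "xyz-finance.net": [],
    "xyzz.com": [(0, ".")],
    "unrelated.org": [(10, "mx.unrelated.org.")],
}

def sample_resolver(domain):
    # Hypothetical stand-in; in production this would wrap a real MX query.
    return SAMPLE_MX.get(domain, [])

if __name__ == "__main__":
    report = triage("xyz.com", list(SAMPLE_MX), sample_resolver)
    for domain, status in sorted(report.items()):
        print(f"{domain:20} {status}")
    print("block:", block_list(report))
```

A domain with no MX record can still send mail, so the `no-mx` and `null-mx` entries belong on a watch list that is re-checked regularly, not discarded.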
BrandProtect provides comprehensive anti-phishing capabilities. We provide enterprise-class effectiveness in each of the three major phases of anti-phishing protection. We constantly monitor for new domains with names that mimic yours and for domains with other infringing content. We have one of the industry's most complete infrastructures for capturing phish "in the wild". We provide full-scale mitigation services to neutralize phishing attacks and phishing sites.
Beginning in April, 2016, the best anti-phishing solution gets better. BrandProtect will add MX record monitoring as a standard component of our anti-phishing services.
CISOs, if your anti-phishing protection does not include integrated MX record monitoring, it should. By insisting that MX record monitoring be added to domain searching strategies, you take a big step forward in securing your enterprise or institution from outside email attacks. Without MX record monitoring, you are more vulnerable to sophisticated, targeted phishing attacks that are extremely hard to detect.