A “surprisingly large number” of phishing attacks are launched through large, legitimate cloud service providers (CSPs), security specialist Barracuda Networks said in a new report tracking the geography and network characteristics of such attacks.
Phishers commonly use social engineering to trick targets into handing over personally identifiable information (PII), including usernames, passwords and banking details.
The Campbell, California-based email security company said in its latest Threat Spotlight report that phishers can readily compromise legitimate servers and email accounts hosted by providers such as Amazon, Microsoft and other popular services, even though the likelihood of any individual email from those networks being malicious is “very low.” Most of the attacks launched from these networks stem from stolen credentials, the report said.
Phishing Emails: Countries and Regions of Origination
In examining the geolocation data and network infrastructure of some two billion emails, including 218,000 phishing emails, sent in January 2020, Barracuda determined that the likely springboards are certain countries in Eastern Europe, Central America, the Middle East and Africa. Phishing emails are “more likely to be routed through a higher number of locations than emails that are benign,” Barracuda said.
Here are additional key findings Barracuda’s researchers uncovered:
- Nearly eight in 10 benign emails are routed through two or fewer countries, while only about 60 percent of phishing emails are. The number of countries an email traverses can therefore serve as one signal for detecting phishing activity.
- Countries in Eastern Europe, Central America, the Middle East and Africa have a higher probability of phishing, that is, a higher share of the email originating there is phishing. However, some countries associated with a high volume of phishing may have an extremely low probability of phishing: 129,369 phishing emails in the Barracuda dataset were sent from the U.S., but the U.S. has only a 0.02 percent probability of phishing.
“While it is not reasonable to block list all email traffic coming from countries with a high probability of phishing, it may be good to flag emails from these countries for further analysis," Barracuda said.
Phishing Attack Mitigation: Recommendations and Tips
Barracuda offered three recommendations to help MSPs and MSSPs protect customers against phishing attacks:
1. Artificial intelligence: Deploy a solution that doesn't rely entirely on looking for malicious links or attachments and uses machine learning to analyze normal communication patterns within your organization to identify anomalies that may indicate an attack.
2. Account-takeover protection: Prevent attackers from using your organization as a base camp to launch spear-phishing campaigns. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
3. Awareness through training: Use phishing simulation for email, voicemail, and SMS to train users to identify cyber attacks, test the effectiveness of your training, and evaluate the most vulnerable users.
Barracuda’s researchers examined the network-level characteristics of phishing emails because network-level features are more persistent and harder for attackers to manipulate than message content. The analysts then extracted IP addresses from the Received headers, which each mail server adds to a message as it passes through. One caveat applies to anyone reproducing this: only the Received headers stamped by the recipient's own mail servers are trustworthy, since any headers already present when the message reached them could have been written by the sender.
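The following is an added example, not Barracuda's code or data, showing how the two network-level signals described above can be computed from a raw message: the number of countries a message traversed, read from its Received headers, and the per-country phishing probability as a share of that country's mail rather than a raw count. The GeoIP table, the RFC 5737 documentation addresses mapped to countries, the per-country counts and both sample messages are all constructed for the example; a real pipeline would replace the table with a GeoIP database lookup.

```python
import email
import ipaddress
import re

# Hypothetical GeoIP table for this example only. The three RFC 5737 documentation
# prefixes stand in for public address space; a real pipeline would query a GeoIP
# database (e.g. MaxMind GeoLite2) instead.
GEO_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "RO",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# RFC 1918 and loopback hops say nothing about geography; drop them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def country_for(addr):
    """Map an address to a country code via the table above, or None if unknown."""
    for net, country in GEO_PREFIXES.items():
        if addr in net:
            return country
    return None


def received_hops(raw_message):
    """Return the non-internal IPv4 addresses found in Received headers, in transit
    order (sender first). Each MTA prepends its own Received header, so the
    bottom-most header is the earliest hop. Only the header written by your own
    boundary MTA is trustworthy: everything below it arrived with the message and
    could have been forged by the sender."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        for match in IPV4_RE.finditer(str(hdr)):
            try:
                addr = ipaddress.ip_address(match.group(1))
            except ValueError:      # e.g. 300.1.1.1 inside a message id
                continue
            if not any(addr in net for net in INTERNAL_NETS):
                hops.append(addr)
    return hops


def country_path(raw_message):
    """Ordered list of countries the message passed through, consecutive duplicates collapsed."""
    path = []
    for addr in received_hops(raw_message):
        country = country_for(addr)
        if country and (not path or path[-1] != country):
            path.append(country)
    return path


def phishing_probability(counts):
    """counts: {country: (total_emails, phishing_emails)} ->
    {country: share of that country's mail that was phishing}. Volume and share are
    different things: a country can top the phishing count and still have a tiny share."""
    return {c: phish / total for c, (total, phish) in counts.items() if total}


def triage(raw_message, country_probs, max_countries=2, prob_threshold=0.05):
    """Apply the two network-level signals and return the reasons (empty = nothing to flag)."""
    path = country_path(raw_message)
    flags = []
    if len(set(path)) > max_countries:
        flags.append(f"routed through {len(set(path))} countries: {' -> '.join(path)}")
    origin = path[0] if path else None
    if origin and country_probs.get(origin, 0.0) >= prob_threshold:
        flags.append(f"origin {origin} has phishing probability {country_probs[origin]:.2%}")
    return {"origin": origin, "path": path, "flags": flags}


# Constructed per-country counts (not Barracuda's numbers): US sends the most phishing
# in absolute terms yet has the lowest share; RO sends few emails but 40% are phishing.
SAMPLE_COUNTS = {"US": (1_000_000, 200), "DE": (20_000, 40), "RO": (500, 200)}
COUNTRY_PROBS = phishing_probability(SAMPLE_COUNTS)

# Constructed messages. Headers are listed top-down as they would appear on arrival.
PHISH_MSG = "\n".join([
    "Received: from relay.example.de ([203.0.113.44]) by inbound.example.net ([198.51.100.2])"
    " with ESMTP; Mon, 13 Jan 2020 10:00:03 +0000",
    "Received: from mail.example.ro ([192.0.2.9]) by relay.example.de ([203.0.113.44])"
    " with ESMTP; Mon, 13 Jan 2020 09:59:58 +0000",
    "Received: from [10.1.2.3] (unknown) by mail.example.ro ([192.0.2.9])"
    " with SMTP; Mon, 13 Jan 2020 09:59:50 +0000",
    "From: \"IT Helpdesk\" <helpdesk@example.ro>",
    "To: victim@example.net",
    "Subject: Password expiry notice",
    "",
    "Your password expires today. Sign in at the link below to keep access.",
])

BENIGN_MSG = "\n".join([
    "Received: from mail.partner.example ([198.51.100.40]) by inbound.example.net ([198.51.100.2])"
    " with ESMTP; Mon, 13 Jan 2020 11:12:01 +0000",
    "Received: from [192.168.5.20] (desk-07) by mail.partner.example ([198.51.100.40])"
    " with ESMTPSA; Mon, 13 Jan 2020 11:11:59 +0000",
    "From: alice@partner.example",
    "To: bob@example.net",
    "Subject: Q1 invoice",
    "",
    "Invoice attached as discussed.",
])

if __name__ == "__main__":
    for name, msg in (("phish", PHISH_MSG), ("benign", BENIGN_MSG)):
        print(name, triage(msg, COUNTRY_PROBS))
```

Run as a script, the constructed phishing message is flagged on both counts (three countries on the route, and an origin whose mail is 40 percent phishing), while the benign message, which stays inside one country, is not. The U.S. entry in the sample counts illustrates the report's point: it contributes the most phishing messages in absolute terms, yet its share is 0.02 percent, so it never crosses the probability threshold and is only worth flagging, not blocking.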