A cyber-threat odyssey: Identifying geography, network characteristics of phishing attacks
As cybercriminals continue to evolve their tactics and means of breaching email gateways and spam filters, it is imperative to deploy solutions capable of identifying and safeguarding against spear-phishing attacks such as brand impersonation, business email compromise, and email account takeover.
The coronavirus pandemic has been disrupting industries and businesses across the globe, forcing them to adopt damage-limiting tactics and new ways of working in this new normal. The strategy has largely revolved around a worldwide shift to remote working alongside a necessary digital transformation of end-to-end operations to maintain business continuity in the post-pandemic environment. However, this abrupt transformation and overarching digitisation, coupled with remote working, have also multiplied the risk of cyber security threats and targeted phishing attacks that are causing losses worth billions in the corporate sphere.
Between March 1 and March 23 last year, 467,825 spear-phishing email attacks were detected by our networks. The goals behind the attacks ranged from distributing malware to stealing credentials and financial gain. The attackers exploited key emotions stemming from the pandemic: fear, uncertainty, and even sympathy. After capitalising on the global pandemic with coronavirus-related phishing attacks last year, cybercriminals have been trying to leverage the vaccine to steal money and personal information.
A recent study analysed the geography of phishing emails and the routes they travel. By examining the geographic paths and network infrastructure of over 2 billion emails, it was discovered that a majority of phishing emails originated in certain countries in Eastern Europe, Central America, the Middle East, and Africa. It was also concluded that phishing emails were more likely to be routed through a greater number of geographic locations than harmless emails.
More interestingly, the research team also found that an unexpectedly high volume of phishing attacks emanated from large and legitimate cloud service providers. This is entirely plausible, because attackers have proven able to infiltrate and compromise legitimate servers or email accounts hosted by these providers.
Let’s take a closer look at how geographic location and network infrastructure play a role in phishing attacks, and assess how state-of-the-art solutions can aid in identifying, restricting, and controlling them.
The phishing threat whirlwind
To conduct phishing attacks, cybercriminals use social engineering tactics to entice victims into revealing personal information such as usernames, passwords, credit card numbers, or banking details. Phishing detection largely focuses on the content of phishing emails and the behaviour of attackers. As phishing attacks become more complex, more sophisticated methods are required to defend against them. Through in-depth analysis of the geo-location and network aspects of phishing attacks, it is possible to stop such attacks before they reach the inbox. A Barracuda Networks research team extracted IP addresses from the ‘Received’ fields of email headers, which record each server an email traversed in transit, and used them to gain valuable insight into the paths phishing emails take between the sender and the recipients.
Phishing emails are liable to feature routes that navigate numerous countries
It has been ascertained that while 80% of benign emails are transmitted via two or fewer countries, about 40% of phishing emails are routed through two or more countries. Therefore, the number of different countries an email traverses can serve as a useful feature for a phishing detection classifier.
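As an added illustration of the header analysis described above (example code, not from the article or Barracuda), the following Python extracts relay IP addresses from an email's Received headers, maps each one to a country using a hypothetical lookup table that stands in for a real GeoIP database, and derives the countries-traversed feature; the sample headers and the table are constructed.

```python
import ipaddress
import re
from email import message_from_string
# Constructed sample (not from the article): three hops, most recent first, as the
# receiving MTA sees them.  Addresses come from the RFC 5737 documentation ranges.
SAMPLE_HEADERS = """\
Received: from relay.example-cloud.test ([198.51.100.7]) by mx1.example-corp.test with ESMTPS; Mon, 1 Mar 2021 10:15:02 +0000
Received: from smtp.example-host.test ([203.0.113.10]) by relay.example-cloud.test with ESMTP; Mon, 1 Mar 2021 10:14:58 +0000
Received: from [10.0.0.5] (unknown [192.0.2.44]) by smtp.example-host.test with ESMTPA; Mon, 1 Mar 2021 10:14:50 +0000
"""
# Hypothetical IP-to-country table standing in for a real GeoIP database.
GEOIP_TABLE = {"198.51.100.0/24": "US", "203.0.113.0/24": "DE", "192.0.2.0/24": "LT"}
# RFC 1918 and loopback space carries no geographic information and is not a hop.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d{1,2})"
IPV4_RE = re.compile(rf"(?<![\d.])({OCTET}(?:\.{OCTET}){{3}})(?![\d.])")

def received_ips(raw_headers):
    """Routable IPv4 addresses from every Received header, most recent hop first."""
    msg = message_from_string(raw_headers)
    ips = []
    for value in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(value):
            addr = ipaddress.ip_address(candidate)
            if not any(addr in net for net in NON_ROUTABLE):
                ips.append(str(addr))
    return ips

def lookup_country(ip):
    """Country code for a routable address, or None if the table does not know it."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP_TABLE.items()
                 if addr in ipaddress.ip_network(net)), None)

def route_countries(raw_headers):
    """Distinct countries on the delivery path, in hop order (unknown IPs skipped)."""
    path = []
    for cc in map(lookup_country, received_ips(raw_headers)):
        if cc and cc not in path:
            path.append(cc)
    return path

def country_hop_feature(raw_headers, max_benign=2):
    """Classifier feature: most benign mail crosses two or fewer countries, so more is
    a signal.  Only Received lines added by your own MTAs are trustworthy; earlier
    ones can be forged by the sender, so treat this as one feature, not a verdict."""
    countries = route_countries(raw_headers)
    return {"countries": countries, "n_countries": len(countries),
            "suspicious": len(countries) > max_benign}
```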
Countries displaying a greater likelihood of being phishing avenues are positioned in parts of Eastern Europe, Central America, the Middle East, and Africa.
Among senders that produced more than 1,000 emails in the dataset, those with the highest probability of phishing originated from the following countries or territories (in descending order): Lithuania, Latvia, Serbia, Ukraine, Russia, Bahamas, Puerto Rico, Colombia, Iran, Palestine, and Kazakhstan.
However, some countries have a high volume of phishing originating from them yet still have an extremely low probability of phishing. For example, 129,369 phishing emails in the dataset were sent from the United States, but the U.S. has only a 0.02% probability of phishing. In general, most countries had a phishing probability of 10% or less.
Attackers utilise large and legitimate cloud servers for orchestrating their strikes
The networks that displayed the greatest volume of phishing attacks are operated by legitimate cloud service providers like Amazon, Microsoft, and Twitter. However, the networks with the highest volume of phishing attacks combined with a high phishing probability also belong to cloud service providers, namely LayerHost (0.277), UnrealServers (0.334), REG.RU (0.836), Cherry Servers (0.760), and Rackspace (0.328). This is possible because attackers can compromise legitimate servers and/or email accounts hosted by these providers.
Defense against phishing attacks
Because cybercriminals keep changing their tactics to get past email gateways and spam filters, it is essential to use a solution that does not rely solely on detecting malicious links or attachments, but also leverages machine learning to assess normal communication patterns within a company’s business network and identify anomalies that may indicate an impending attack or phishing attempt.
Looking beyond external emails is also important, as some of the most credible and damaging spear-phishing campaigns are sent from compromised internal accounts. Attackers must be prevented from using an enterprise as a base for launching spear-phishing attacks. For the sake of business safety and data security, it is necessary to use state-of-the-art artificial intelligence to identify when accounts have been breached. This allows remediation to begin in real time by alerting users and removing malicious emails sent from compromised accounts.
Users also need to stay vigilant about the newest spear-phishing attacks, tactics, and methods that are gaining ground in the evolving threat landscape. To ensure this, businesses can provide up-to-date user awareness training to their employees so that they can recognise potential attacks and report them to their IT security team. They can further use phishing simulations for email, voicemail, and SMS to train users to detect attacks, test the effectiveness of that training, and identify the most susceptible and attack-prone users.
Spear-phishing campaigns and phishing attacks have skyrocketed since the pandemic struck. Attackers from numerous Eastern European, Middle Eastern, and African nations have seized this opportunity to launch sophisticated attacks on unguarded remote and home-based workers, causing damage worth billions. It is therefore of the utmost importance to safeguard data and private credentials by deploying the latest advanced cybersecurity solution stacks and by learning the best security practices to ensure stronger business security in the transformed new normal.
This article has been written by Murali Urs, Country Manager, India, Barracuda Networks