Subscribe to receive notifications of new posts:

Annual March Hackness 2021: The Not-So-Sweet 16 —The Pandemic’s Phishing Influence

2021-03-31

2 min read

This blog originally appeared in March 2021 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.

Dick Vitale impression returning in:

3…

2…

1…

OH MY, WHAT A TOURNAMENT IT HAS BEEN! SOME STUNNING UPSETS! MILLIONS OF BRACKETS BUSTED! IT’S AWESOME (and sometimes awful), BABY!

Whew… Got that out of the way.

So, what have we learned from the first two rounds of the Annual March Hackness phishing tournament?

The COVID-19 pandemic has definitely played into what attackers are using in their business.

The proof? Cinderella runs thus far for some of our (not-so-Sweet) 16 of top-impersonated newcomers: the World Health Organization (which we’ve seen daily in the news); Target (whose online sales surged by $10 billion last year); and DocuSign (whose revenue exploded by nearly 50%, thanks to post-COVID remote business). Reminiscent of Marquette’s 2013 run, in my opinion!

That said, our major players of Microsoft and Google are still accounted for — they remain attackers’ favorite brands year after year. (Case in point: our security research team recently uncovered a highly sophisticated Microsoft 365 phishing campaign targeting financial departments and unsuspecting assistants and CEOs).

But … who honestly could have predicted PayPal getting knocked out in the first round? Our 2019 March Hackness Champion goes home early! Congratulations to them for being Most Improved (aka, less spoofed)!

Remember folks, in our phishing bracket, a first round knockout is actually a badge of honor!

Which brings us into the Not-So-Sweet 16. Can the WHO continue its historic run? Can Twitter upset the Duke-esque status of Microsoft? Will Facebook survive a matchup against Amazon? Only time will tell!

The Madness is setting in!

Let’s check back with Dicky V for analysis of the perfect phishing bracket:

Some takeaways for the Sweet 16?

  • OH BABY! We’ve got quite a few Juggernaut matchups! Microsoft has that champion pedigree but Twitter is a strong contender!

  • Facebook vs Amazon! That’s a championship matchup in its own right … expect a lot of fireworks there!

  • I like Apple’s odds of making it to the finals!

  • I think our Cinderella, the WHO, might be making it to the ball!

Tune in on April 5th to see who will be crowned our OPHISHAL Champion for 2021! IT’S AWESOME BABY!

And Now Some Additional Analysis

By the way, in case you’re wondering: is email authentication (SPF, DKIM, DMARC) THE winning way to stop brand spoofing and impersonation-based phishing attacks from ever reaching inboxes?

The answer is: No. Over the past year, we’ve blocked 22 million of these types of phishing attacks — and while we know all three standards can help with preventing some forms of phishing, attackers can easily bypass email authentication.

The SPF, DKIM and DMARC standards are certainly useful for validating server and tenant origins, protecting message integrity and providing policy enforcement. However, security professionals should know that:

  1. Anyone can set up emails that pass email authentication.

  2. Email authentication does not inspect content.

  3. Email authentication does not protect against look-alike domains.

  4. Email authentication does not protect against compromised domains.

  5. The vast majority of organizations and domains do not use email authentication.

  6. Email authentication can be difficult to set up properly.

Below is a brief description of what each standard does, what types of threats it can protect against and what types of threats it cannot protect against.

DMARC
(Domain-based Message Authentication, Reporting and Conformance)
Purpose Providing policy enforcement and reporting for SPF and DKIM
Stipulating what policy to follow if an email doesn’t pass SPF or DKIM authentication (e.g. reject/delete, quarantine, no policy/send)
Reporting function allows domain owners to who is sending email on their behalf
Best for: Protecting against spoofing of your own domain and brand abuse
(Does not prevent spoofing of another brand’s domain.)
Limitations Does not prevent spoofing of another brand’s domain
Does not prevent look-alike email, domain or display name spoofing
Domain owners specify what percentage of mail DMARC policies applies to; application percentages of less than 100% are virtually meaningless
Does not protect against attacks using “validated” emails with embedded URLs, malicious payloads or attachments
Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Email SecurityCloud Email SecurityCloudflare Zero TrustSecuritySpoofing

Follow on X

Cloudflare|@cloudflare

Related posts

October 02, 2024 1:00 PM

How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Over the past couple of weeks, Cloudflare's DDoS protection systems have automatically and successfully mitigated multiple hyper-volumetric L3/4 DDoS attacks exceeding 3 billion packets per second (Bpps). Our systems also automatically mitigated multiple attacks exceeding 3 terabits per second (Tbps), with the largest ones exceeding 3.65 Tbps. The scale of these attacks is unprecedented....

September 27, 2024 1:00 PM

AI Everywhere with the WAF Rule Builder Assistant, Cloudflare Radar AI Insights, and updated AI bot protection

This year for Cloudflare’s birthday, we’ve extended our AI Assistant capabilities to help you build new WAF rules, added new AI bot & crawler traffic insights to Radar, and given customers new AI bot blocking capabilities...

September 27, 2024 1:00 PM

Advancing cybersecurity: Cloudflare implements a new bug bounty VIP program as part of CISA Pledge commitment

Cloudflare strengthens its commitment to cybersecurity by joining CISA's "Secure by Design" pledge. In line with this commitment, we're enhancing our vulnerability disclosure policy by launching a VIP bug bounty program, giving top researchers early access to our products. Keep an eye out for future updates regarding Cloudflare's CISA pledge as we work together to shape a safer digital future....