Area 1 Security Announces the Most Spoofed Brand of 2021: WHO is Back Again?

2022-03-31

This blog originally appeared in March 2022 on the Area 1 Security website, and was issued in advance of Cloudflare's acquisition of Area 1 Security on April 1, 2022. Learn more.

Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!

Also known as: the organization most impersonated by attackers in phishing campaigns in 2021.

Despite the shiny crop of newcomers to the Top 64 impersonated organizations (which included Notion.so, Binance, and grocery stores from Costco to Kwik Shop), our March Hackness “Final Four” ended up mirroring the 2022 NCAA Men’s Final Four: with the blue blood brands, that is.

That’s right, folks: on the heels of enduring the second year of the COVID-19 pandemic, the World Health Organization beat out Amazon, Microsoft and T-Mobile to become the back-to-back winner of Area 1’s “ophishal” March Hackness title!

From Jan. 2021 to Jan. 2022, a whopping 15% (over 8.5 million) of the 56 million brand phishing emails blocked by Area 1 impersonated the WHO.

This timeframe (not coincidentally) matches the WHO remaining top of mind for global businesses closely monitoring the rollout of new vaccines and booster shots, as well as the rise of the Delta and Omicron variants.

There’s Always Next Year’s Tournament…

The pandemic also influenced brand phishing in other ways. The “blue blood” of online retail and the cloud — and our March Hackness runner-up — Amazon, was impersonated in over 3.2 million phishing emails blocked by Area 1.

The focus of Amazon scams varies. However, as Area 1’s principal threat researcher, Juliette Cash, explains, common ones include phishing emails claiming that accounts have been ‘placed on hold,’ payments have been declined or that Prime memberships have ‘expired.’

These types of attacks utilize Amazon branding to impersonate official emails and entice victims to click links to update their credit card information. Once the link is clicked, the user’s browser will upload malicious content and direct them to verify their identity and input their payment details.

While these messages can be sent at any time, we’ve found that they are commonly tied to events, such as Amazon Prime Day, that trigger individuals to take action in fear of missing out.

By the way, although Amazon vs. the WHO isn’t exactly the epic and storied rivalry of Duke vs. UNC, Amazon has been in our list of top 64 most impersonated brands ever since March Hackness’ inception … so, we’ll count this matchup as an important piece of cybersecurity history!

Now, we have no idea what it’s like pretending to be a Blue Devil or Tar Heel (or Jayhawk or Wildcat) for a basketball season, but we do know some things about bad actors’ impersonation tactics.

Identity deception tactics like spoofing, domain impersonation and display name impersonation showcase the ease with which attackers can deceive users through brand phishing to achieve their goals.

In many cases, it’s as simple as a display name change. However, there are (of course) much more complex phishing techniques that will evade standard defenses.

For example, in this 2021 vaccine phishing campaign (which originally bypassed Microsoft Office 365’s native defenses before it was blocked by Area 1), attackers pretending to be the CDC:

  • Used Display Name Spoofing to fake the visible FROM header

  • Inserted an SMTP HELO command to spoof the Envelope From domain

  • Chose to spoof a domain that did not have email authentication protocols configured and that no longer resolved to an IP address

  • Compromised a legitimate host with a benign IP, and used it to launch their phishing attack

That’s what you call a playbook.
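The header-level parts of that playbook can be turned into detection signals. The following is an added example, not Area 1's detection logic or code from the original post: it flags a brand named in the display name over a non-brand address, a Return-Path domain that does not align with the From domain, and a message with no SPF, DKIM or DMARC result. The brand list, sample messages and signal names are assumptions, and it does not check whether the spoofed domain still resolves.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand keywords mapped to domains that legitimately send for them.
BRANDS = {"cdc": {"cdc.gov"}, "world health organization": {"who.int"},
          "amazon": {"amazon.com"}}

# Constructed sample headers (not taken from the campaign described above).
SPOOFED = """\
Return-Path: <bounce@retired-domain.example>
Authentication-Results: mx.recipient.example; spf=none smtp.mailfrom=retired-domain.example; dkim=none; dmarc=none
From: "CDC Vaccine Registration" <noreply@mail-notice.example>
Subject: Schedule your vaccination

Body text
"""
LEGIT = """\
Return-Path: <bounces@bounces.amazon.com>
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
From: "Amazon.com" <ship-confirm@amazon.com>
Subject: Your order has shipped

Body text
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def aligned(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def auth_results(msg):
    """Parse 'spf=none; dkim=pass' style results into a dict."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def brand_spoof_signals(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    env_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    signals = []
    for brand, domains in BRANDS.items():
        # Brand named in the visible display name, but the address is not the brand's.
        if re.search(rf"\b{brand}\b", display, re.I) and not aligned(from_dom, domains):
            signals.append("display-name-brand-mismatch")
    if env_dom and from_dom and not (aligned(env_dom, {from_dom}) or aligned(from_dom, {env_dom})):
        signals.append("envelope-from-mismatch")
    auth = auth_results(msg)
    if all(auth.get(k, "none") == "none" for k in ("spf", "dkim", "dmarc")):
        signals.append("no-email-authentication")
    return signals
```

None of these signals is conclusive alone; a message that trips all three, as the constructed `SPOOFED` sample does, is a strong candidate for quarantine or analyst review.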

And speaking of Microsoft, it made our “Final Four” of most-phished brands for the fourth consecutive year.

Attackers not only frequently impersonate individual Microsoft tools, they also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication. (Just one example: this credential harvesting campaign specifically leveraged Microsoft SharePoint and Microsoft Planner).

So, How Do You Guard Your Inbox?

The bottom line is this: Attackers know how to deliver brand phishing campaigns with techniques that evade native email defenses, email authentication and sender reputation tools (i.e., DMARC, SPF and DKIM).

But – they’re not particularly clever or unique about whom they impersonate. As you can see from our March Hackness findings, just 25 organizations were used in the majority (57%) of these phishing emails.

There are three main reasons brand phishing continues to reach many organizations’ inboxes, year after year:

  • It’s easy for attackers to establish new phishing domains that exploit trusted infrastructure.

  • It’s fast for attackers to set up DMARC, SPF and DKIM policies for new phishing domains to reach inboxes.

  • People trust emails from known organizations, business partners and internal employee accounts – accounts that they won’t identify as compromised unless they have more advanced email security in place.

You can learn more about what the common email authentication standards (SPF, DKIM and DMARC) can and cannot do when it comes to correctly verifying the origins of emails (and who they claim to be from), here.

But what does work better than email authentication for preventing these kinds of phishing attacks? Advanced detection techniques.

For example, Area 1’s preemptive technology uses massive-scale web crawling to reveal emergent campaign infrastructure. Our small pattern analytics also identify phishing attack infrastructure, patterns of attack formation and threats within datasets that help us spot cyber campaigns as they’re being built.

To see which brand phishing emails are landing in your organization’s inbox (whether it’s from one of the March Hackness ‘players,’ or one of the 800-plus other brands hackers spoof), request a free Phishing Risk Assessment here.

And, in the meantime, we hope you all enjoy the last of 2022 March Madness. We know we at Area 1 will!
