The country where emails originate and the number of countries they are routed through on the way to their final destination offer important warning signs of phishing attacks.
Barracuda recently teamed up with researchers from Columbia University to analyze the geography of phishing emails and how they’re being routed. Examining geolocation and network infrastructure across more than 2 billion emails, including 218,000 phishing emails, sent in the month of January 2020, we found that phishing emails are more likely to originate from certain countries in parts of Eastern Europe, Central America, the Middle East, and Africa, and more likely to be routed through a higher number of locations than emails that are benign.
We also found that a surprisingly large number of attacks originate from large, legitimate cloud providers. We speculate this is because attackers are able to compromise legitimate servers and/or email accounts hosted by these providers.
Here’s a closer look at the impact geography and network infrastructure has on phishing attacks and solutions to help detect, block, and recover from them.
Highlighted Threat
Geolocation and network characteristics of phishing attacks — In phishing attacks, attackers use social engineering tactics to lure victims into providing personal information such as usernames, passwords, credit card numbers, or banking information. Phishing detection largely focuses on the content of phishing emails and the behavior of attackers. As phishing attacks become more complex, though, those defending against them must use increasingly sophisticated methods.
Our research team examined the network-level characteristics of phishing emails because network-level features are more persistent and harder for attackers to manipulate than message content. We extracted IP addresses from the “Received” fields of email headers: each mail server that relays a message prepends one of these fields, recording the host it accepted the message from, so together they document the servers traversed in transit. Studying this data provided insights into the path a phishing email takes between its sender and its recipients. One caveat applies in practice: only the Received fields added by the recipient’s own servers are guaranteed authentic, since a sender can fabricate the earlier ones, and the connecting IP recorded by the recipient’s first server is the one hop taken from the actual connection.
The Details
Our analysis uncovered three key findings:
1. Phishing emails are more likely to have routes that traverse multiple countries.
Over 80% of benign emails are routed through two or fewer countries, while just over 60% of phishing emails are routed through two or fewer countries. This indicates that the number of distinct countries an email passes through is a useful feature for a phishing detection classifier.
2. Countries that have a higher probability of phishing are located in parts of Eastern Europe, Central America, the Middle East, and Africa.
We determined the phishing probability of the sender’s country by identifying the sender’s country with the geolocation data and calculating the phishing probability for each country as:
Some countries with a high volume of phishing originating from them nonetheless have an extremely low probability of phishing, because they also send far more benign email. For example, 129,369 phishing emails in the dataset were sent from the United States, but the U.S. has only a 0.02% probability of phishing. In general, most countries had a phishing probability of 10% or less.
Among the countries or territories from which a higher volume of phishing emails originated (more than 1,000 emails in the dataset), those with the highest probability of phishing were (in descending order):
Lithuania
Latvia
Serbia
Ukraine
Russia
Bahamas
Puerto Rico
Colombia
Iran
Palestine
Kazakhstan
While it is not reasonable to blocklist all email traffic coming from countries with a high probability of phishing, it may be good to flag emails from these countries for further analysis.
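As an added example (not code from the Barracuda/Columbia study), the following Python script extracts the hop IPs from a message’s Received fields, maps them to countries, and computes the two route features discussed above: the number of distinct countries traversed and the phishing probability of the origin country, which it then turns into a flag-for-review decision rather than a block. The geolocation table, the per-country counts, the two sample messages and all function names are constructed for this example; a real deployment would query a GeoIP database and use its own labelled mail.

```python
# Route features from Received: header fields (added example; not the study's code).
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed IP -> ISO country mapping, standing in for a GeoIP database lookup.
GEO_TABLE = {
    "198.51.100.7": "DE",   # relay one hop before our MX
    "203.0.113.77": "BR",   # intermediate relay
    "192.0.2.9": "LT",      # originating host of the phishing sample
    "192.0.2.20": "US",     # originating host of the benign sample
}

# Constructed per-country (phishing, total) counts; NOT the figures from the study.
SAMPLE_COUNTS = {"US": (5, 2000), "DE": (0, 300), "BR": (2, 80), "LT": (30, 100)}

# Hops that carry no geolocation information. Documentation ranges (192.0.2.0/24 etc.)
# are deliberately not excluded here so the constructed samples resolve in GEO_TABLE.
_NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def public_ips(text):
    """All syntactically valid, routable IPv4 addresses in a header field, in order."""
    found = []
    for token in _IPV4.findall(text):
        try:
            ip = ip_address(token)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not any(ip in net for net in _NON_ROUTABLE):
            found.append(str(ip))
    return found


def received_path(raw_message, trusted_hops=1):
    """Hop IPs in transit order (origin first), tagged with whether we can vouch for them.

    Every relay prepends its own Received: field, so the top field is the last hop.
    Only the top `trusted_hops` fields were written by servers we operate; the sending
    side controls everything below them and can forge it.
    """
    fields = message_from_string(raw_message).get_all("Received") or []
    hops = {}                      # ip -> trusted flag, insertion order = header order
    for index, field in enumerate(fields):
        for ip in public_ips(field):
            hops.setdefault(ip, index < trusted_hops)
    return [{"ip": ip, "trusted": trusted} for ip, trusted in list(hops.items())[::-1]]


def phishing_probability(counts):
    """P(phishing | origin country) = phishing emails / all emails from that country."""
    return {country: (phish / total if total else 0.0)
            for country, (phish, total) in counts.items()}


def route_features(raw_message, geo=GEO_TABLE, probs=None, trusted_hops=1,
                   max_countries=2, max_origin_probability=0.10):
    """Compute both route features and decide whether to flag the message for review.

    Thresholds follow the findings above: benign mail overwhelmingly crosses two or
    fewer countries, and most countries sit at a phishing probability of 10% or less.
    """
    probs = phishing_probability(SAMPLE_COUNTS) if probs is None else probs
    hops = received_path(raw_message, trusted_hops)
    countries = []
    for hop in hops:
        country = geo.get(hop["ip"], "??")      # "??" = no geolocation available
        if country not in countries:
            countries.append(country)
    origin = countries[0] if countries else "??"
    # The one hop a trusted server observed directly: the client that connected to us.
    handoff = next((hop["ip"] for hop in reversed(hops) if hop["trusted"]), None)
    origin_probability = probs.get(origin, 0.0)
    return {
        "path": [hop["ip"] for hop in hops],
        "countries": countries,
        "distinct_countries": len(countries),
        "origin_country": origin,
        "origin_phish_probability": origin_probability,
        "handoff_ip": handoff,
        "flag_for_review": (len(countries) > max_countries
                            or origin_probability >= max_origin_probability),
    }


# Constructed sample: three routable hops across three countries, origin in "LT".
PHISH_SAMPLE = """Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS id a1b2c3; Mon, 13 Jan 2020 09:59:59 +0000
Received: from smtp.example.net (smtp.example.net [203.0.113.77])
\tby relay.example.net with ESMTP; Mon, 13 Jan 2020 09:59:55 +0000
Received: from mail.example.com (unknown [192.0.2.9])
\tby smtp.example.net with ESMTP; Mon, 13 Jan 2020 09:59:50 +0000
Received: from [10.0.0.4] (localhost [127.0.0.1])
\tby mail.example.com with SMTP; Mon, 13 Jan 2020 09:59:40 +0000
From: "Account Team" <alerts@example.com>
Subject: Please verify your account

Your account will be suspended unless you confirm your password.
"""

# Constructed sample: a single hop from a "US" host straight to our MX.
BENIGN_SAMPLE = """Received: from smtp.example.com (smtp.example.com [192.0.2.20])
\tby mx.example.org with ESMTPS id d4e5f6; Mon, 13 Jan 2020 11:00:00 +0000
From: "Alice" <alice@example.com>
Subject: Lunch on Thursday?

Still on for Thursday?
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, route_features(sample))
```

The `trusted_hops` parameter is the part a practitioner has to get right: it must equal the number of Received fields your own infrastructure prepends (one per internal relay), because only those lines, and the `handoff_ip` they record, are known good. Hops below them are a signal rather than proof, which is why the result is a review flag and not a block.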
3. Many of the networks attackers send their attacks from are, surprisingly, large, legitimate cloud providers.
The networks with the very highest number of phishing emails are owned by large cloud providers. In itself that is expected, since these networks also have the highest total volume of email sent; for such networks the probability of any given email being a phishing email is very low (Figure 3). Most of the attacks originating from these networks likely come from compromised email accounts or servers whose credentials the attackers were able to obtain.
Phishing Email Volume Rank | Network Owner | Probability of Phishing Email
1                          | Amazon        | 0.000224
2                          | Microsoft     | 0.000429
3                          | Amazon        | 0.000124
4                          | Twitter       | 0.00212
Figure 3: Top 4 networks by sending volume and their owner information, classification, and probability of any given email from the network being a phishing email.
We also found that some of the highest-volume phishing-sending networks that also have a high phishing probability belong to cloud service providers (Rackspace, Salesforce). These networks carry orders of magnitude less total email traffic than the top couple of networks but still send a significant amount of phishing email, so the probability of any given email originating from them being malicious is much higher (Figure 4).
Phishing Email Volume Rank | Network Owner  | Probability of Phishing Email
9                          | LayerHost      | 0.277
13                         | UnrealServers  | 0.334
17                         | REG.RU         | 0.836
18                         | Cherry Servers | 0.760
20                         | Rackspace      | 0.328
Figure 4: Some examples of high phishing email volume & high phishing probability networks and their owner information, classification, and probability of any given email from the network being a phishing email.
Protecting against phishing attacks
Look for solutions that use artificial intelligence
Cybercriminals are adjusting their tactics to bypass email gateways and spam filters, so it’s crucial to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise, and email account takeover. Deploy a solution that doesn’t rely entirely on looking for malicious links or attachments. A solution that uses machine learning to analyze normal communication patterns within your organization can spot anomalies that may indicate an attack.
Implement account-takeover protection
Think beyond external email messages. Some of the most damaging and convincing spear-phishing attacks are sent from compromised internal accounts. Prevent attackers from using your organization as a base camp to launch spear-phishing campaigns. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts.
Improve security awareness through training
Keep your users informed about the latest spear-phishing attacks and tactics. Provide up-to-date user awareness training and make sure staffers can recognize attacks and know how to report them to IT right away. Use phishing simulation for email, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of your training, and evaluate the most vulnerable users.
This Threat Spotlight was authored by Liane Young with research support from Elisa Luo, Professors Asaf Cidon and Ethan Katz-Bassett and advisor Grant Ho.