It is no secret that phishing attacks are growing in scope, and the reason is quite simple: they still work. For the past several years, we have seen a marked increase in the number of email-driven phishing scams that coincide with the holidays. Below you’ll find an email-driven phishing scam that shows a notification from FedEx—we’ve seen the same with other widely recognized delivery couriers such as UPS and DHL. You can view the US-CERT advisory here. In this instance, the notification claims that FedEx was unable to deliver a package because nobody was available to sign for it. Once the recipient clicks on the invoice, the phishing attack is launched. With this kind of attack, the company purported to be sending the message is also a victim, because the brand itself becomes associated with fraudulent activity.
What’s interesting about this fake notification is that the message was spoofed from “secure.com” instead of “fedex.com.” This is probably because FedEx is an early adopter of DMARC and is most likely already publishing a p=reject policy (more details on that here: http://newblog.easysol.net/guide-to-leverage-dmarc/). For any receiver that enforces DMARC, this makes it virtually impossible to spoof the fedex.com domain in the From: header, so phishers turn to other domains instead.
While DMARC is effective in this case in ensuring that no one can spoof the company’s own domain, one issue DMARC does not solve is that cybercriminals can register domain names that merely resemble the target they are attempting to leverage in an attack, using so-called “sister” or “cousin” domains. Because such a message is not attempting to spoof the organization’s actual domain, it passes through DMARC untouched: the policy only applies to the exact domain (and, with a subdomain policy, its subdomains) that the organization publishes it for.
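The cousin-domain gap described above can be covered by a layer that looks at the sender domain after DMARC has had its say. The following is an added example written for this post, not code from the original article or from any vendor; the brand list, the confusable-character table and the sample From: headers are all constructed for illustration, and the "registrable label" logic is deliberately crude (no public-suffix list).

```python
import re

# Brands to protect; the genuine domains are assumed DMARC-protected (p=reject).
PROTECTED = {"fedex.com": "fedex", "ups.com": "ups", "dhl.com": "dhl"}

# Look-alike substitutions: Cyrillic а/е/о and digits used for letters.
# (Assumes an IDN sender domain has already been decoded from its xn-- form.)
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "0": "o", "1": "l", "3": "e"})

# Constructed sample From: headers, modelled on the FedEx notice in the post.
SAMPLES = [
    "FedEx <notification@fedex.com>",           # genuine domain
    "FedEx <notify@secure.com>",                # unrelated domain, as in the post
    "FedEx Delivery <track@fedex-parcel.com>",  # brand embedded in a cousin domain
    "FedEx <noreply@fedx.com>",                 # one edit away from the brand
    "FedEx <noreply@fedex.example-login.net>",  # brand used as a subdomain label
    "FedEx <noreply@fed\u0435x.com>",           # Cyrillic 'е' homoglyph
]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of the address in a From: header ('' if absent)."""
    m = re.search(r"@([^>\s]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header: str) -> str:
    """'genuine' (DMARC applies), 'cousin' (look-alike), or 'unrelated'."""
    domain = sender_domain(from_header)
    if domain in PROTECTED or any(domain.endswith("." + d) for d in PROTECTED):
        return "genuine"  # exact domain or subdomain: the DMARC policy decides
    folded = domain.translate(CONFUSABLES)
    labels = folded.split(".")
    second = labels[-2] if len(labels) >= 2 else folded  # crude registrable label
    for brand in PROTECTED.values():
        if (brand in labels                                # fedex.example-login.net
                or (len(brand) >= 5 and brand in second)   # fedex-parcel (short brands need stricter rules)
                or edit_distance(brand, second) <= 1):     # fedx, fed3x
            return "cousin"
    return "unrelated"
```

Run `classify` over each entry in `SAMPLES`: only the first comes back as "genuine", the "secure.com" sender from the post is "unrelated", and the remaining four are flagged "cousin" even though every one of them would pass a DMARC check for its own domain.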
It’s important to recognize that DMARC as a standalone tool is not a complete solution to the problem of email-based fraud and phishing attacks. While DMARC compliance is a good first step towards eradicating email fraud, it’s simply one layer, and it should be supplemented with other technologies that help identify and remove threats from the web. Otherwise, once the phishing email is in an inbox, your end users and employees are just one click away from having their devices infected and becoming victims of fraud, perpetrated both against them and against your brand.