There’s some good news on the cyber crime front. Several measures of malicious activity, at least in the UK, fell in 2018, according to Active Cyber Defence: The Second Year, a report by the National Cyber Security Centre (NCSC), the agency set up in 2016 to defend the UK against attacks.
Take the number of malicious sites.
The NCSC has a takedown service that finds those sites and sends notifications to the hoster to have them removed from the internet. Last year, it performed 192,256 takedowns, compared with 219,992 in 2017.
Moreover, the 2018 takedowns were spread across 24,320 unique IP addresses and 51,569 campaigns of interest to the NCSC, down from 72,975 unique IP addresses and 99,543 campaigns in 2017.
“While there is a small reduction in the number of overall takedowns, there is a significant reduction in the number of related campaigns and the IP addresses hosting the malicious content,” the paper notes.
It adds: “This suggests that criminals are using less infrastructure and hosting more individual attacks on each instance as part of a campaign.”
Then there is the matter of DMARC adoption. Of the public sector domains monitored by the NCSC’s Mail Check service, 1,369 had adopted DMARC by December 2018, up from 412 at the end of 2017.
On the email front, the NCSC reports a 46% year-on-year reduction in spoofing of HMRC, the UK tax authority. It adds that “the higher the rank, the less phishing attacks we are seeing.”
There is one complication to all this. DMARC offers two kinds of feedback: aggregate reports, which carry only counts and headers, and per-message failure reports, which can include content from the spoofed email itself. The NCSC keeps only headers in what it studies, but it found that “concerns about the privacy impact of even redacted emails alongside the introduction of GDPR have put a real dampener on failure reporting.”
So GDPR is getting in the way of failure reporting, and with it some of the visibility into who is being spoofed.
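A DMARC record is just a TXT record at `_dmarc.<domain>`, and the policy and reporting choices above (p=none versus p=reject, aggregate `rua=` versus failure `ruf=` reports) are all visible in it. The following Python is an added example, not code from the NCSC or its Mail Check service: it parses a DMARC record along the lines of RFC 7489 and flags the weak settings a practitioner would look for. The domain names and records are constructed for illustration; to check a real domain, fetch the record with `dig +short TXT _dmarc.example.com` and pass the string to `assess()`.

```python
"""Parse DMARC TXT records and flag weak policy or reporting settings.

Added example; the records below are constructed, not real domains' records.
"""
from __future__ import annotations

import re

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none",
    "medium.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-agg@example.net",
    "strong.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.net",
    "leaky.example": "v=DMARC1; p=reject; rua=mailto:agg@example.net; ruf=mailto:forensic@example.net; fo=1",
    "broken.example": "p=reject; v=DMARC1",
}


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Return a tag->value dict, or None if the string is not a usable DMARC record.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p=' tag; tags are
    separated by semicolons and optional whitespace.
    """
    first = record.strip().split(";", 1)[0].strip()
    if not re.fullmatch(r"v\s*=\s*DMARC1", first):
        return None
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)  # 'rua=mailto:a@b' keeps its colon
        tags[key.strip().lower()] = value.strip()
    if "p" not in tags:
        return None
    return tags


def assess(record: str) -> dict:
    """Grade one record: returns validity, effective policy, pct and a list of findings."""
    tags = parse_dmarc(record)
    if tags is None:
        return {"valid": False, "policy": None, "pct": None,
                "findings": ["not a valid DMARC record (v=DMARC1 must come first and p= is required)"]}
    findings: list[str] = []
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"unrecognised p={tags['p']}: receivers fall back to p=none or ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append(f"invalid pct={tags.get('pct')}")
    elif pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so no visibility of who is spoofing you")
    if "ruf" in tags:
        findings.append("ruf= set: per-message failure reports can carry message content, "
                        "which is the privacy concern behind the GDPR reluctance noted above")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def assess_all(records: dict[str, str] = SAMPLE_RECORDS) -> dict[str, dict]:
    """Assess every record in a name->record mapping."""
    return {name: assess(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        status = "INVALID" if not result["valid"] else f"p={result['policy']} pct={result['pct']}"
        print(f"{name}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The strong record is the shape worth aiming for: `p=reject` with `sp=reject`, strict alignment, an aggregate reporting address, and no `ruf=` unless you have decided how to handle the content those reports may contain.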
Who are the attackers spoofing, if not big institutions? Attorneys are increasingly being spoofed in malicious campaigns.
“If someone is partially hooked by an email, searching for the law firm or other entities in the mail and finding they’re real is probably enough to push them over the edge,” the study notes.
Here’s one excerpted example, which also spoofs the name of an actual priest. (The names are obfuscated).
Greetings in the name of our Lord Jesus,
I have tried reaching you through a wrong email address on several occasions without knowing it was wrong. I just discovered your correct address, which is why my notification is coming late.
I’m pleased to inform you that you were made a beneficiary in the Will of late Mr. Javier de la Rosa. Please contact the executor of the Will, Barrister Stephen Bxxxxxxx for more information on how to claim your inheritance.
There’s nothing new under the sun after all. Return with us to the year 1855 when a young legal clerk named “George” stopped not only studying the law but also obeying it.
George needed money. So he turned to The Law Register, a directory of every attorney in the United States. Then, like a modern-day data compiler (without the algorithms), he checked off the names of rural lawyers, and those who had no business with his firm, and copied these names. To this list he sent neatly written copies of the following letter:
Sir: I have received a package of papers for you from Liverpool, England, with six shillings charges thereon — on receipt of which amount the parcel will be sent to you by such conveyance as you may direct. Yours, respectfully, William H. Jolliet.
What was the scam? At that time, many Americans shared the fantasy that a rich relative in England had died and left them money. Same thing.
But most lawyers probably saw through the ruse. One wrote, “let me know if you remain jolly yet.” George was caught and became an early-day enforcement statistic.