Phishing emails are more likely to originate from Eastern Europe, Central America, the Middle East, and Africa, according to a report by cybersecurity firm Barracuda Networks.
Barracuda researchers recently teamed up with Columbia University researchers to examine the geolocation and network infrastructure across more than 2 billion emails, including 218,000 phishing emails sent in the month of January 2020.
As per the research, “phishing emails are more likely to originate from certain countries in parts of Eastern Europe, Central America, the Middle East, and Africa, and more likely to be routed through a higher number of locations than emails that are benign.”
Cybercriminals use social engineering tactics to lure victims through phishing emails into providing personal information such as usernames, passwords, credit card numbers, or banking information.
Detecting such emails requires looking at both their content and the attacker's behaviour, including where the mail comes from and how it is routed.
Barracuda researchers analysed the geography of phishing emails and how they are routed. They found that over 80 per cent of benign emails are routed through two or fewer countries, compared with more than 60 per cent of phishing emails, meaning phishing emails tend to pass through more locations on the way to their target.
“Senders that produce a higher volume of phishing emails (more than 1,000 emails in the dataset) with a higher probability of phishing originated from countries or territories including (in descending order): Lithuania, Latvia, Serbia, Ukraine, Russia, Bahamas, Puerto Rico, Colombia, Iran, Palestine and Kazakhstan,” the report said.
However, some countries have a high volume of phishing originating from them but still have an extremely low probability of phishing. For instance, 129,369 phishing emails in the dataset were sent from the United States, but the US only has a 0.02 per cent probability of phishing. In general, most countries had a phishing probability of 10 per cent or less.
Notably, many of the networks attackers used to send their attacks were large, legitimate cloud service providers such as Amazon, Microsoft, and Twitter.
“It is likely that most of the attacks originating from these networks are coming from compromised email accounts or servers, which the attackers were able to obtain the credentials for,” the report said.
The networks with the highest volume of phishing attacks combined with a high phishing probability belonged to cloud service providers such as LayerHost (0.277), UnrealServers (0.334), REG.RU (0.836), Cherry Servers (0.760) and Rackspace (0.328).
“These networks have orders of magnitude less total email traffic than the top couple of networks, but still send a significant amount of phishing email. Therefore, they have a much higher probability of any given email originating from them being malicious,” as per the report.
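The two signals the report describes, per-origin phishing probability (phishing emails divided by all emails from that origin) and the number of countries an email is routed through, can be combined into a simple scoring rule. The following is an added example, not Barracuda's code; the labelled sample, the Received headers, the IP-to-country table and the 0.5 probability threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed labelled sample: (origin country, is_phishing) per email,
# standing in for the dataset the report built its per-country figures from.
SAMPLE = ([("US", False)] * 400 + [("US", True)] * 2
          + [("LT", True)] * 30 + [("LT", False)] * 10 + [("DE", False)] * 50)

def phishing_probability(rows):
    """Per-country (phishing volume, phishing probability) as in the report."""
    total, phish = Counter(), Counter()
    for country, is_phish in rows:
        total[country] += 1
        phish[country] += int(is_phish)
    return {c: (phish[c], phish[c] / total[c]) for c in total}

# Matches the relay IP in a 'Received: from host (host [ip])' line.
RECEIVED_RE = re.compile(r"from \S+ \(\S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

# Constructed IP-to-country lookup standing in for a geolocation database.
GEO = {"203.0.113.7": "LT", "198.51.100.4": "DE", "192.0.2.9": "US"}

def countries_in_route(raw_headers):
    """Distinct countries seen in the Received chain."""
    return {GEO.get(ip, "??") for ip in RECEIVED_RE.findall(raw_headers)}

def risk_reasons(raw_headers, stats, min_volume=20, prob_threshold=0.5, max_hops=2):
    """Reasons to flag a message: risky origin and/or unusually long route.
    Only the Received lines added by your own MTA are trustworthy; earlier
    hops can be forged, so this is a signal, not proof."""
    hops = RECEIVED_RE.findall(raw_headers)
    origin = GEO.get(hops[-1], "??") if hops else "??"  # bottom Received = origin
    volume, prob = stats.get(origin, (0, 0.0))
    reasons = []
    if volume >= min_volume and prob > prob_threshold:
        reasons.append(f"origin {origin}: phishing probability {prob:.2f}")
    if len(countries_in_route(raw_headers)) > max_hops:
        reasons.append(f"routed through more than {max_hops} countries")
    return reasons

# Constructed header chain: newest hop first, origin at the bottom.
HEADERS = (
    "Received: from mx.example.org (mx.example.org [192.0.2.9]) by inbox.example.net\n"
    "Received: from relay.example.de (relay.example.de [198.51.100.4]) by mx.example.org\n"
    "Received: from host.example.lt (host.example.lt [203.0.113.7]) by relay.example.de\n"
)
```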
Murali Urs, Country Manager of Barracuda India said, “With phishing attacks expected to play a dominant role in the digital threat landscape and cybercriminals adjusting their tactics to bypass email gateways and spam filters, it’s crucial to have a solution that detects and protects against spear-phishing attacks, including brand impersonation, business email compromise, and email account takeover.”
“Deploy a solution that doesn’t rely on malicious links or attachments but uses machine learning to analyse normal communication patterns within an organisation to spot anomalies that may indicate an attack. Further, organisations should install technology that uses artificial intelligence to identify compromised accounts, alert users in real-time and remove malicious emails sent from compromised accounts,” Urs added.