Cyber strategy update from NCSC details how UK intelligence thwarts attacks

A scam designed to defraud thousands of UK citizens using a fake e-mail address spoofing a UK airport was one of a wide range of cyber attacks successfully prevented by the National Cyber Security Centre (NCSC), a new report has revealed. That criminal campaign is just one case study among many outlined in ‘Active Cyber Defence – The Second Year’, the latest comprehensive analysis of the NCSC’s programme to protect the UK from cyber attacks.

Last year’s thwarting of the airport scam was one example of how Active Cyber Defence (ACD) protects the public – in this case preventing potentially thousands of people ending up out of pocket. The incident occurred last August when criminals tried to send in excess of 200,000 e-mails purporting to be from a UK airport and using a non-existent gov.uk address in a bid to defraud people.

However, the e-mails never reached the intended recipients’ inboxes because the NCSC’s ACD system automatically detected the suspicious domain name and the recipients’ mail providers never delivered the spoof messages. The real e-mail account used by the criminals to communicate with victims was also taken down.

A combination of ACD services has helped HMRC’s own efforts in massively reducing the attempted criminal use of its brand. HMRC was the 16th most phished brand globally in 2016, but by the end of 2018 it was 146th in the world.

Dr Ian Levy, the NCSC’s technical director and author of the ACD report, said: “These are just two examples of the value of ACD that protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens. While this and other successes are encouraging, we know there’s more to do. We would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that, together, we can further protect UK citizens. This second comprehensive analysis we’ve undertaken of the programme shows that this bold approach towards preventing cyber attacks is continuing to deliver for the British public.”

Bold and interventionist approach

Introduced by the NCSC back in 2016, ACD is a bold and interventionist approach that stops millions of cyber attacks from ever happening. It includes the pioneering programmes Web Check, DMARC, Public Sector DNS and a takedown service.

The ACD technology, which is free at the point of use, is intended to protect the majority of the UK from the majority of the harm from the majority of the attacks the majority of the time.

Other key findings for 2018 detailed in the second ACD report include the following:

* In 2018, the NCSC took down 22,133 phishing campaigns hosted in UK delegated IP space totalling 142,203 individual attacks

* 14,124 UK Government-related phishing sites were removed

* Thanks to ACD, the number of phishing campaigns against HMRC continues to fall dramatically with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018. These figures relate to 16,064 spoof sites in 2017 and 6,752 sites in 2018

* The total number of takedowns of fraudulent websites was 192,256, with 64% of them down in 24 hours

* The number of individual web checks run has increased almost 100-fold, with the NCSC issuing a total of 111,853 advisories direct to users last year

Key findings from the report include the threat from domain fraud actors. Adenike Cosgrove, cyber security strategist at Proofpoint, observed: “Knowing how vital it is for citizens to trust Government websites and portals, it’s promising to see from the NCSC’s report that the number of public sector organisations taking action to protect their customers and employees from e-mail fraud by implementing an e-mail authentication policy in the form of DMARC has tripled from December 2017 to December 2018. HMRC’s efforts in significantly reducing phishing from its domains are a great example, given the effectiveness of tax-themed phishing e-mails in recent months. In fact, HMRC has led the charge in the UK for public sector websites, as back in 2017 it implemented DMARC and achieved a 99% success rate in terms of blocking malicious spam.”

In addition, Cosgrove outlined: “Although progress is being made, e-mail fraud from domain spoofing is still an issue and both businesses and consumers are not safe from this increasing threat. In fact, recent Proofpoint research shows that fraudulent domains grew by 11% globally over the past year, with more than 90% of these domains currently live and active. The NCSC has made a good start at looking at Government-owned domains, but cyber criminals will continue to pivot to using malicious lookalike domains in order to send more fraudulent e-mails to organisations’ customers and employees. To protect their customers from phishing e-mails and other spoofed correspondence as well as their reputation, organisations have a duty to follow the example set by the public sector to deploy authentication protocols such as DMARC and lookalike domain defences.”

Revolutionising the fight

David Lidington, Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, said: “The UK is safer since the launch of our cyber strategy in 2016. Over the last three years, and backed by a £1.9 billion investment, we have revolutionised the UK’s fight against cyber threats as part of an ambitious programme of action. The statistics and examples in this report speak for themselves. They outline the tangible impact that Active Cyber Defence is having, and how it’s a key building block in improving cyber security in the UK both now and into the future.”

The new report also looks to the future of ACD, highlighting a number of areas in development. These include:

* The work between the NCSC and Action Fraud to design and build a new automated system which allows the public to report suspicious e-mails easily. The NCSC aims to launch this system to the public later in 2019

* The development of the NCSC Internet Weather Centre, which will aim to draw on multiple data sources to allow us to really understand the digital landscape of the UK

* Exploring the development of an ‘Infrastructure Check’ service: a web-based tool to help public sector and Critical National Infrastructure providers scan their Internet-connected infrastructures for vulnerabilities

* NCSC researchers have begun exploring additional ways in which to use the data created as part of the normal operation of the public sector protective DNS service to help our users better understand and protect the technologies in use on their networks.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
