{"id":37467,"date":"2020-10-27T16:05:25","date_gmt":"2020-10-27T20:05:25","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=37467"},"modified":"2020-10-27T16:05:25","modified_gmt":"2020-10-27T20:05:25","slug":"phishing-via-esp","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/phishing-via-esp\/37467\/","title":{"rendered":"Phishing through e-mail marketing services"},"content":{"rendered":"<p>Scammers have used <a href=\"https:\/\/www.kaspersky.com\/blog\/delayed-phishing-countermeasures\/37153\/\" target=\"_blank\" rel=\"noopener nofollow\">various tricks over the years<\/a> to bypass antiphishing technologies. Another scheme with a high success rate for delivering phishing links to targets is to use e-mail marketing services, also known as e-mail service providers (ESPs) \u2014 companies that specialize in delivering e-mail newsletters \u2014 to send messages. According to statistics we\u2019ve obtained from our solutions, the method is gaining momentum.<\/p>\n<h2>Why ESP-based phishing works<\/h2>\n<p>Companies that are serious about e-mail threats thoroughly scan all e-mail \u2014 with antivirus, antiphishing, and antispam engines \u2014 before letting messages reach users\u2019 inboxes. The engines not only scan message content, headers, and links, but also check the reputation of the sender and any linked websites. Risk verdicts are based on a combination of those factors. For example, if a mass mailing comes from an unknown sender, it looks suspicious, sending up a red flag for security algorithms.<\/p>\n<p>Attackers have found a workaround, however: sending e-mails in the name of a trusted entity. E-mail marketing services, which provide end-to-end newsletter management, fill that role perfectly. 
They are known; many security solution vendors allow their IP addresses by default; and some even skip checks on letters sent through them.<\/p>\n<h2>How ESPs are exploited<\/h2>\n<p>The main attack vector is obvious: It\u2019s phishing disguised as a legitimate mailing. Essentially, cybercriminals become clients of the target service, usually by purchasing the minimum subscription (anything more wouldn\u2019t make much sense, especially given that they can expect to be identified and blocked quickly).<\/p>\n<p>But there exists a more exotic option: using the ESP as a URL host. Under this scheme, the newsletter is sent out through the attackers\u2019 own infrastructure. For example, the cybercriminals can create a test campaign that contains a phishing URL, and send it to themselves as a preview. The ESP creates a proxy for that URL, and then the cybercriminals simply take the proxy URL for their phishing newsletter. Another option for scammers is to create a phishing site that appears to be a mailing template, and provide a direct link to it. But that happens less frequently.<\/p>\n<p>Either way, the new proxy URL now has a positive reputation, so it won\u2019t be blocked; and the ESP, which doesn\u2019t handle the mailing, sees nothing wrong and doesn\u2019t block its \u201cclient\u201d \u2014 at least, not until they start to receive complaints. Sometimes such schemes even play a role in spear-phishing.<\/p>\n<h2>What do ESPs think?<\/h2>\n<p>Unsurprisingly, ESPs are not jumping for joy about being tools for cybercriminals. Most of them have their own security technologies that scan the message content and links that pass through their servers, and almost all provide guidance for anyone encountering phishing through their website.<\/p>\n<p>Therefore, attackers try to keep ESPs calm, too. 
For example, using a provider for proxies tends to <a href=\"https:\/\/www.kaspersky.com\/blog\/delayed-phishing-countermeasures\/37153\/\" target=\"_blank\" rel=\"noopener nofollow\">delay<\/a> phishing links, so at the time of creation, links in test messages appear legitimate; only later do they become malicious.<\/p>\n<h2>What to do<\/h2>\n<p>In many cases, mass mailings are sent to company employees whose addresses are public \u2014 and even the most vigilant among us miss the occasional suspicious or malicious e-mail and click on something we shouldn\u2019t. To protect employees against potential phishing attacks coming from an e-mail marketing service, we recommend the following:<\/p>\n<ul>\n<li>Instruct staff never to open e-mails marked \u201cmass mailing\u201d unless they subscribed to the specific mailing list in question. Such messages are unlikely to be of urgent importance \u2014 they\u2019re usually intrusive advertising at best.<\/li>\n<li>Use robust security solutions that thoroughly scan all incoming e-mail using heuristic algorithms.<\/li>\n<\/ul>\n<p>Among our solutions are <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/microsoft-office-365-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kso365___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Microsoft Office 365<\/a> and Kaspersky Security for Mail Server, which is a part of <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security for Business<\/a>. 
They reliably protect users against this threat.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>To bypass antiphishing technologies, malefactors can use legitimate e-mail service providers, or ESPs \u2014 but dangerous letters aren\u2019t unstoppable.<\/p>\n","protected":false},"author":2598,"featured_media":37468,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[19,76,240],"class_list":{"0":"post-37467","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-email","11":"tag-phishing","12":"tag-spam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/phishing-via-esp\/37467\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/phishing-via-esp\/22048\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/phishing-via-esp\/17526\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/phishing-via-esp\/23548\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/phishing-via-esp\/21707\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/phishing-via-esp\/20400\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/phishing-via-esp\/24146\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/phishing-via-esp\/23170\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/phishing-via-esp\/29348\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/phishing-via-esp\/8994\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/phishing-via-esp\/15876\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/phishing-via-esp\/16315\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/phishing-via-es
p\/14115\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/phishing-via-esp\/25636\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/phishing-via-esp\/12150\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/phishing-via-esp\/26285\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/phishing-via-esp\/23034\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/phishing-via-esp\/28356\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/phishing-via-esp\/28178\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/","name":"phishing"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/37467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=37467"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/37467\/revisions"}],"predecessor-version":[{"id":37584,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/37467\/revisions\/37584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/37468"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=37467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=37467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=37467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}