Airport email scam prevented by UK’s cyber defence agency

Web scammers tried to defraud more than 200,000 people by using a fake email address ‘spoofing’ an unnamed UK airport, a report revealed today.

The scam used a fake .gov.uk email address but national cyber experts prevented the messages from reaching the intended targets.

The incident, which occurred in August last year, was one of a range of cyber attacks prevented by the National Cyber Security Centre (NCSC) – the agency set up in 2016 by the UK’s famous monitoring station, GCHQ.

The emails never reached the intended recipients’ inboxes because the NCSC’s automated response was able to identify and prevent the suspicious domain name from carrying out the attack. The real email address used by the criminals was also taken down, according to the Active Cyber Defence – The Second Year report.

Under its ‘Active Cyber Defence’ programme, the NCSC has taken what it describes as an ‘interventionist’ approach, scouring the web to frustrate the efforts of criminals looking to penetrate UK cyber defences.

The agency states in the report that one of its main objectives is to disincentivise cyber criminals by making it prohibitively expensive to carry out online attacks in the UK.

ACD is just one function of NCSC and covers various service areas including a ‘Takedown Service’, Mail Check’, ‘Domain Discovery’, ‘Web Check’ and ‘Protective DNS’, all of which help remove harmful online content – through the likes of phishing email attacks – and equip organisations with the ability to understand their web footprints and vulnerabilities.

Unsurprisingly, many of the cyber attacks carried out against government estates relate to the agencies that deal with money. HMRC – the tax authority – is one of the most commonly attacked organisations, the report reveals.

A combination of ACD services helped HMRC’s own efforts in massively reducing the criminal use of their brand. HMRC was the 16thmost phished brand globally in 2016, but by the end of 2018 it was 146thin the world. Overall, ACD programmes helped HMRC reduce fraudsters spoofing the tax authority with campaigns down 46%, said the report.

In terms of phishing attempts against government IT in 2017, the report showed HMRC was number one in the top 10 most attacked (16,064 attacks), which includes the generic .gov.uk domain at number two (1,541 attacks), TV Licensing at number three (172) and DVLA at four (107).

Last year, the data showed HMRC still at number one but a dramatic reduction to 6,752 attacks, gov.uk at number two with an increase of 3,811 attacks, Government Gateway (previosuly number five on the list) up to three with 1,173 attacks and DVLA remaining at number four but also with an increased number of attacks (1,124).

Dr Ian Levy, the NCSC’s Technical Director and author of the ACD report, said: “These are just two examples of the value of ACD – they protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens.

“While this and other successes are encouraging, we know there is more to do, and we would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens.

“This second comprehensive analysis we have undertaken of the programme shows that this bold approach to preventing cyber attacks is continuing to deliver for the British public.”

The ACD technology, which is free at the point of use, intends to protect the majority of the UK from the majority of the harm from the majority of the attacks the majority of the time.

Other key findings for 2018 from the second ACD report include: 

  • In 2018 the NCSC took down 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks; 
  • 14,124 UK Government-related phishing sites were removed; 
  • Thanks to ACD the number of phishing campaigns against HMRC continues to fall dramatically – with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018. These figures relate to 16,064 spoof sites in 2017 and 6,752 sites in 2018; 
  • The total number of takedowns of fraudulent websites was 192,256, and across 2018, with 64% of them down in 24 hours;
  • The number of individual web checks run has increased almost 100-fold, and we issued a total of 111,853 advisories direct to users in 2018.

In addition to fake websites which look similar to the purported organisations, criminals can install malicious content on genuine sites – termed ‘web injected malware’. This makes it hard for the NCSC to ‘takedown’ the content and relies on the agency contacting the victim to remove it; the data showed in 2018 that 1,362 sites had been compromised with 1,287 (or 94.5%) of sites fixed. However, the agency identified web shells as a ‘new type’ of takedown it is carrying out against increasingly sophisticated actors who are able to reinstall malicious content after it has been removed.

Other new types of approach by cyber criminals have involved the use of cryptocurrencies such as Monero, which has been used as a way to monetise hacked websites – because financial transactions are untraceable and therefore an attractive and lucrative means of cyber crime. The agency is now actively looking for Monero code on UK hosted websites and contacts the webmaster and host to inform them of a ‘possible compromise’. ‘It’s an interesting trend that we should keep an eye on,’ says the report.

Shopping websites that use the ecommerce package Magento were also identified as at risk if they do not patch their software, with scammers able to skim the credit card details of customers via the checkout pages of websites that have not kept up to date with security upgrades.

Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office David Lidington said: “The UK is safer since the launch of our cyber strategy in 2016. Over the last three years, and backed by a £1.9 billion investment, we have revolutionised the UK’s fight against cyber threats as part of an ambitious programme of action.

“The statistics and examples in this report speak for themselves. They outline the tangible impact that Active Cyber Defence is having, and how it is a key building block in improving cyber security in the UK now, and in the future.”

The new report also looks to the future of ACD, highlighting a number of areas in development. These include:

• The work between the NCSC and Action Fraud to design and build a new automated system which allows the public to report suspicious emails easily. The NCSC aims to launch this system to the public later in 2019;
• The development of the NCSC Internet Weather Centre, which will aim to draw on multiple data sources to allow us to really understand the digital landscape of the UK;
• We’ll explore developing an Infrastructure Check service: a web-based tool to help public sector and critical national infrastructure providers scan their internet-connected infrastructure for vulnerabilities;
• NCSC researchers have begun exploring additional ways to use the data created as part of the normal operation of the public sector protective DNS service to help our users better understand and protect the technologies in use on their networks.