Deception is rapidly on the rise on the Internet, and email is the attack vector of choice for a broad array of attacks, including ransomware distribution, enterprise-facing cons, and mass-deployed phishing attacks. It is widely believed that this is due to the ubiquity of email and the limited extent to which relevant email security measures have been rolled out. One of the most troubling types of attack is the targeted attack, in which the attacker poses as somebody the intended victim knows.
There are three common ways used by attackers to masquerade as somebody trusted: spoofing, look-alike domain attacks, and display name attacks (collectively referred to as impersonation attacks). In a spoofing attack, an email is injected into the mail stream (commonly at an open relay controlled by the adversary) with manipulated headers indicating that the email was sent by a party known to the recipient. Look-alike domain attacks (also referred to as cousin-name attacks) involve the attacker registering deceptive domains and sending emails from them. An example look-alike domain is bankofarnerica.com (notice the use of “rn” instead of “m” in the name). In a display name attack, the adversary simply sets the display name of an account he controls (commonly a throw-away webmail account) to match the display name of the party the attacker wishes to impersonate. To make it concrete, a typical email of this type may be sent from “Bank of America <janeroe104@gmail.com>”, where the display name is “Bank of America” and the associated email address is <janeroe104@gmail.com>. Since the display name is commonly the only indication of the sender's identity that is displayed to the recipient (and almost always the only one that the recipient pays attention to), this attack is very effective.
Therefore, there exists a need for effective ways to detect and handle impersonation attacks.
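As an added example that is not part of the original text, the following Python check classifies a From header against the two impersonation techniques that are visible in the header itself: a look-alike domain (detected by folding confusable character sequences such as "rn" into their look-alike "m" and comparing the result against the protected domain) and a display name that claims a protected organisation while the address belongs to an unrelated domain. Spoofing, where the header names a legitimate domain outright, cannot be distinguished from genuine mail by inspecting the From header alone and is not covered here. The PROTECTED table and the CONFUSABLES list are constructed assumptions for the example, not a complete policy.

```python
from email.utils import parseaddr

# Constructed policy: organisations the recipient trusts, mapped to their legitimate domains.
PROTECTED = {
    "Bank of America": {"bankofamerica.com"},
    "Example Corp": {"example.com", "mail.example.com"},
}

# Constructed list of character sequences that look like another character in common fonts.
# Longer sequences come first so "vv" is folded before any single-character rule runs.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]


def registrable(domain: str) -> str:
    """Reduce a host name to its last two labels (good enough for the .com examples here)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def canonical(domain: str) -> str:
    """Fold confusable sequences so bankofarnerica.com and bankofamerica.com compare equal."""
    folded = domain.lower()
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded


def classify_from_header(from_header: str):
    """Return None for a header whose domain belongs to a protected organisation,
    otherwise a (verdict, organisation) pair describing the impersonation found."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ("malformed", None)
    domain = registrable(address.rsplit("@", 1)[1])

    # 1. The address really belongs to a protected domain: nothing to flag from the header alone.
    for org, domains in PROTECTED.items():
        if domain in {registrable(d) for d in domains}:
            return None

    # 2. Look-alike domain: after folding confusables the domain matches a protected one.
    folded = canonical(domain)
    for org, domains in PROTECTED.items():
        if folded in {canonical(registrable(d)) for d in domains}:
            return ("lookalike_domain", org)

    # 3. Display name attack: the name claims a protected organisation from an unrelated domain.
    normalised_name = " ".join(display_name.split()).lower()
    for org in PROTECTED:
        if org.lower() in normalised_name:
            return ("display_name", org)

    return None


if __name__ == "__main__":
    # Constructed sample headers covering each case.
    for header in [
        "Bank of America <janeroe104@gmail.com>",
        "Alerts <alerts@bankofarnerica.com>",
        "Alerts <alerts@secure.bankofamerica.com>",
        "Jane Roe <janeroe@gmail.com>",
    ]:
        print(f"{header!r:50} -> {classify_from_header(header)}")
```

The registrable-domain reduction here is deliberately naive; a production filter would use a public-suffix list so that co.uk-style domains are handled, and would combine this header check with SPF, DKIM and DMARC results to cover the spoofing case the header alone cannot reveal.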