NCSC claims big drop in government email scams

Report on Active Cyber Defence programme in 2017 shows results of protective measures – and points to HMRC as largest target of spoof websites

The National Cyber Security Centre (NCSC) has claimed a big drop in the number of scam emails using government addresses thanks to its DMARC (domain based message authentication, reporting and conformance) anti-spoofing service.

It has highlighted the results in a report on its findings from the first year of its Active Cyber Defence (ACD) programme - part of the National Cyber Security Strategy - also pointing to HM Revenue & Customs (HMRC) as the subject of the most spoof websites and attack groups of cyber criminals.

The report says that DMARC, which helps email domain owners control how their email is processed, produced a consistent fall during 2017 in the number of messages spoofed from a @gov.uk address.

An average of 44.1 million messages per month have failed verification – the highest number being 78.8 million in June – and an average of 4.5 million have not been delivered to end users. The peak of the latter was also in June at 30.3 million.

This suggests that criminals are moving away from using @gov.uk address as fewer of them are delivered to end users, the report says.

By the end of last year 555 government domains – about 10% of the total – were reporting to the NCSC Mail Check platform, which assesses the security of email.

Public sector push

Over the coming months there will be a push for more public sector bodies to set their domain policies to ensure spoofed emails are rejected by receivers.

The report also outlines results from its three other main services for the public sector:

  • The Takedown Service, which involves asking hosting providers to remove malicious content pretending to be related to UK government, was used for the removal of 18,067 unique phishing sites across 2,929 attack groups around the world. This cut the average time they were available from 42 to 10 hours. It also led to the NCSC working with the owners of 1,719 compromised websites used to host 5,111 attacks.
  • Web Check, that takes in simple tests to identify security issues, covered 7.2 million individual tests and produced 4,108 advisories for customers covering 6,218 different issues. Most of these were fixed by the service owner within two days of being reported.
  • Public Sector DNS, which blocks bad domains for public sector subscribers, reached a peak of 1.23 billion requests per week in December. One in six organisations using the service identified some security issue that needed remediation.

Ian LevyDr Ian Levy (pictured), technical director of NCSC and author of the report, said: “This report shows that simple things, done at scale, can have a positive and measurable effect and the UK public should be safer as a result of these measures.

“As these measures are scaled up, people should be asked less often to do impossible things, like judge whether an email or website is good or bad, less often.

“The NCSC has committed to being transparent and publishing data. We think the results here show that the first year of our Active Cyber Defence programme have been successful – and the following years will be really interesting.”

Among the other main points to emerge was that HM Revenue & Customs (HMRC) was the brand most widely used for criminals in attacks, accounting for a staggering 16,064 spoof websites and 2,466 attack groups detected under ACD.

The figures were more than 10 times those for the second biggest target, gov.uk with 1,541 spoof sites and 241 attack groups.  Other organisations which were targeted for spoof sites in large numbers included the TV Licensing Authority (172), the Driver and Vehicle Licensing Agency (107), Government Gateway (46) and the Crown Prosecution Service (43).

Council achievements

Some local authorities proved adept at defending themselves from spoofs by implementing ACD. They include Northumberland County Council, which fought off (59,405 attacks in August), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).

Included in the broader findings of the report is that the UK share of visible global phishing attacks dropped from 5.3% in June 2016 to 3.1% in November 2017.

Levy added: “The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt.

“Our measures seem to already be having a great security benefit - we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way.”

Image from NCSC, Open Government Licence v3.0