Email scammer's plan to defraud 200,000 airport customers is foiled

The NCSC's Active Cyber Defence report outlines how the scheme has helped defend the UK from hackers and sets out plans for continuing to do so in future.
Written by Danny Palmer, Senior Writer

A phishing scam targeting hundreds of thousands of airline customers was one of a number of cyberattacks UK intelligence services have helped prevent over the last year as part of the National Cyber Security Centre's Active Cyber Defence (ACD) programme.

Launched in 2016, the scheme sees the NCSC – the cyber arm of GCHQ – deploying automated processes such as Web Check and DMARC, as well as working with ISPs and cybersecurity firms to protect the UK public from hacking and cyberattacks. New examples of how it has operated have been detailed in the Active Cyber Defence – The Second Year report.


DMARC – short for "Domain-based Message Authentication, Reporting & Conformance" – is an email authentication protocol that allows domain owners to protect their domain from email spoofing and other unauthorised use.

Web Check is a service for public sector organisations to check and maintain the security of their web infrastructure. It scans websites for common vulnerabilities and provides information about what's found – as well as advice on how to mitigate security holes.

Using the strategy helped stop 140,000 separate phishing attacks and aided in the takedown of 190,000 fraudulent and malicious websites in 2018 – often within 24 hours of being discovered.

One of the major incidents the NCSC helped disrupt involved cybercriminals attempting to defraud over 200,000 people by sending phishing emails that claimed to be from an airport offering refunds, in a scheme designed to steal financial information from victims.

The scam emails purported to come from a .gov.uk government domain claiming to belong to an organisation in the aviation sector – but no such domain exists, and neither an airport nor an airline qualifies for a .gov subdomain.

Because this domain was highly suspicious, the NCSC's ACD system automatically detected the emails as fraudulent and never delivered them, so they never reached the inboxes of the intended targets. Defending against the attack also saw the email address the criminals set up to communicate with victims taken down.

The NCSC hasn't revealed which airport the attackers were looking to impersonate in their unsuccessful phishing scam.

One regular trick used by cybercriminals is to send emails that claim to be from tax bodies, which saw HMRC ranked as the 16th most-phished brand throughout the world when the ACD scheme started in 2016.

Now, via the use of automated defence and takedowns, HMRC has become far less attractive for cybercriminals, having dropped to the 146th most-phished global brand as of December 2018.

"These are just two examples of the value of ACD – they protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens," said Ian Levy, NCSC technical director and author of the ACD report.

However, he warned that the battle is far from over.

"While this and other successes are encouraging, we know there is more to do, and we would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens," he said.

The report also lists future plans for bolstering cybersecurity. They include new iterations of 'Exercise in a Box', an NCSC tool launched earlier this year, which is designed to let organisations test their ability to deter hackers and cyberattacks.

Another upcoming scheme dubbed 'Logging Made Easy' is attempting to create a basic logging and analysis solution that's free, easy to understand and use in most small networks.

The report also details plans for the 'Internet Weather Centre' – an advice and guidance portal on securing some of the most common and popular software and infrastructure deployed in the UK. The idea is for it to be dynamic, providing new advice as new services grow in popularity. A prototype IWC is currently under construction.

The release of the report comes as part of GCHQ's effort to help protect the UK public from cyberattacks, while also attempting to step out of the shadows.

In a recent speech, GCHQ director Jeremy Fleming said traditionally secretive government intelligence services must be more transparent if they're to continue to function in the modern digital world and protect against cyber threats with the trust of citizens.

