Fraud and DMARC Adoption Trends Second Half 2017

Transcription

1 Fraud and DMARC Adoption Trends Second Half 2017 POWERED BY DATA CONTRIBUTED BY THREAT CENTER

2 Despite the rise of social networks and other messaging platforms, customers still prefer that businesses communicate with them via . With the number of consumer s increasing at a rate of 4% per year, is still the most common communications channel with customers 1. , however, has an inherent flaw anyone can send using someone else s identity. This lack of built-in authentication has put the power of the world s most admired brands in criminal hands. With , criminals can use almost any brand to send spam, phishing, and otherwise fraudulent s, inflicting direct losses to customers and eroding the brand equity companies have spent years building up. Mailbox providers accordingly seek to protect their users to provide the best possible inbox experience, free of abuse and unwanted content. Enter DMARC, the open standard with which companies gain unprecedented visibility into legitimate and fraudulent mail sent using their domain names. The magic of DMARC is the ability to understand all the different mail streams being sent claiming to be from your organization - third parties, business units, threat actors. The overall impact to companies that have adopted DMARC is preservation of brand equity, elimination of customer support costs related to fraud, and renewed trust and engagement in the company s channel. In this inaugural report, we take a look at the state of DMARC, leveraging Agari s Threat Center, and its unique global and sector view into our customers DMARC traffic over the last 6 months of We also explore publicly available statistics and trends on DMARC usage. Finally, for a global view on domains not visible to the Threat Center, we incorporate intelligence from Farsight Security, the world s largest provider of historical and real-time passive DNS data. Farsight DNSDB provides an unmatched view into the diverse and often volatile DMARC policies located in global DNS records. DATA CONTRIBUTED BY 1 Statistics Report, , THE RADICATI GROUP, INC. 2

3 Executive Summary Key findings and takeaways from the most recent six-month analysis and data snapshot include: The Global View: Low DMARC Adoption According to data provided by Farsight Security, there was a very low observance of domains using DMARC policies. 1 At the peak, Farsight DNSDB showed just over 119,682 domains carrying DMARC policies. Even though Farsight s DNSDB doesn t see every single domain, this is still a minuscule percentage when compared to the total number of domains in existence. 2 90% of Leading Brand Domains Targeted by Malicious Within the Agari Threat Center view, almost every domain and brand is being targeted by malicious and unauthorized , with DMARC policies revealing that 9 out of 10 domains are under attack. All domains and brands should adopt DMARC as quickly as possible to protect their customers, clients, patients and business partners from this malicious and unauthorized stream of . Healthcare is Widely Targeted and Unprotected Healthcare is the most targeted industry in the Agari Threat Center, with three out of five messages being malicious or unauthorized. However, only 13% of healthcare domains are protected with reject or quarantine policies, which is the lowest rate among Threat Center verticals. From Farsight and Agari: Divergent Protection Trends In Government When domains tracked by Farsight DNSDB were mapped into the same categories used by the Threat Center, government domains had the highest level of enforcement rates among the 6 tracked vertical categories. Agari s government customers, by contrast, while highly targeted (86% of agency domains experiencing unauthenticated traffic), ranked 4th for protection overall during the 6-month period. In October, Agari US government customers protection rate rose to 90% after the the Department of Homeland Security s (DHS) issuance of a Binding Operational Directive (BOD 18-01), which included a requirement that all federal agencies adopt a DMARC policy by January % Fortune 500 Don t Use DMARC While early adopters of DMARC are moving to protect their clients and partners from malicious and unauthorized , the vast majority of organizations have not yet embraced DMARC. For example, 92% of the Fortune 500 do not yet use DMARC, and around 98% of domains aren t yet protected. Notes on DMARC Policies: DMARC is designed to be deployed in stages. The initial policy, p=none, monitors unauthenticated messages, but still allows them to be delivered to the inbox. Adjustments can be made to the policy based on feedback from a p=none configuration. A p=quarantine policy sends unauthenticated s to the recipient s spam folder, while p=reject blocks unauthenticated messages completely. When referring to domains with p=quarantine and p=reject DMARC policy states, this report uses the terms enforcement or protection (as opposed to monitoring or unprotected with the p=none policy). 1 Domains analyzed were effective 2nd level domains. 2 Verisign reported million domain names across all top-level domains (TLDs) in the 1st quarter of

4 Global Trends from Agari and Farsight The Agari Threat Center provides real-time aggregate DMARC statistics from Agari customer data, which is the largest set of detailed DMARC data in the world based both on volume and domains. In effect, the Agari Threat Center analyzes all DMARC statistics from the domains of top U.S. banks, social networks, healthcare providers, major government agencies and hundreds of other organizations. It analyzed more than 1 trillion s in the second half of This section also incorporates DMARC adoption findings based on DNS intelligence from Farsight Security, the world s largest provider of real-time and historical DNS records. Farsight DNSDB provides DMARC-specific intelligence that enables us to observe DMARC adoption and enforcement trends outside of Agari s protected customer base. 4

5 Key Findings Global Sector and Marketshare Analysis DATA CONTRIBUTED BY While the Agari Threat Center is the largest single collection of DMARC data, its dataset represents only Agari customers--some of the largest organizations in the world. To view a wider dataset of global DMARC data, we turned to Farsight Security and its Passive DNS database. Farsight DNSDB is the world s largest real-time and historical database of DNS records. Farsight DNSDB, which has over 100 billion DNS records dating back to 2010, automatically collects information observed from DNS queries and responses, providing unique insight on DMARC data. Based on data Farsight Security captured over the last half of 2017, the accompanying chart depicts domains that had DMARC policies of either p=none, p=reject, or p=quarantine. To arrive at the values shown, we took Farsight DNSDB records containing DMARC, removed duplicate occurrences of domain names, and then reduced the fully qualified domain names to effective-2nd-level domains. On average, Farsight DNSDB identified 83,635 such domains each month. Volatility was the striking theme when considering this global view of DMARC usage over this period. For example, in July, Farsight DNSDB identified 47,120 effective-2nd-level domains as having a DMARC record at a given policy. The rate of DMARC policy observances rose steadily in September, October, and November, where they reached a peak, more than doubling the number for July, with 119,682 such domains. December, notably, featured a sharp overall drop off in DMARC records observed in the DNS data captured by Farsight DNSDB. The bulk of the change was observed in the first policy stage, p=none (or monitoring) depicted by the gray bar. DMARC, in contrast to more broadly deployed technologies, tends to be sensitive to sending patterns of specific groups of senders. This small denominator effect is likely amplified with the variety of organization domains tracked by Farsight DNSDB. In the Agari Threat Center, there was also a pronounced spike in DMARC volume during November and a subsequent decrease in December. After some research, this fluctuation was attributed to an increase in government and healthcare volume during open enrollment and flu season. Another notable observation was that the overall enforcement rate (measuring domains configured with a policy to quarantine or reject unauthenticated domains) saw its highest level in the month of December, with 27% of the domains at enforcement policies. In the final analysis, Farsight DNSDB s accounting of domains using DMARC demonstrates extremely low overall adoption when compared to the total number of domains in existence. During the period of this analysis, Verisign released its Domain Name Industry Brief, which indicated that the first quarter of 2017 closed with a base of million domain names across all top-level domains (TLDs). This would imply that, even in November, where Farsight DNSDB observed the largest number of DMARC-using domains, this peak represented only 0.036% of all domains. 5

6 Key Findings Global Sector and Marketshare Analysis DATA CONTRIBUTED BY The DMARC trends and policies inherent in Farsight DNSDB diverged significantly from the results in Agari s Threat Center, which comprises a subset of the domains included in Farsight s database. After using a third-party categorization service to map domains with DMARC records in Farsight s DNSDB database to those tracked in Threat Center (Retail, Technology, Finance, Government, Healthcare, and Other, ) we compared the respective enforcement levels for each vertical category. 1 While within the Threat Center rankings, retail was the top-ranked vertical for the percentage of domains at enforcement. From querying Farsight DNSDB, that distinction belongs to the sites categorized as government. Healthcare, however, has the lowest enforcement rate in both systems (setting aside the Other category). A key factor accounting for the difference in per-vertical adoption is the sheer size and scale of the domains/organizations ingested by the sensor array for Farsight DNSDB. The vast majority of these domains are not directly reporting aggregate DMARC data back to a recognized DMARC service vendor, such as Agari. These vendors can help organizations drive their -sending domains to the enforcement phase of the DMARC journey, particularly in the complex stage of aligning and authorizing third party senders. [1] For information on the categories we assigned based on the domain name, see the table in the Methodology section. 6

7 Key Findings Global Sector and Marketshare Analysis DATA CONTRIBUTED BY The extensive dataset from Farsight Security provides a unique view into the prevalence of DMARC implementation service vendors. As a shorthand to determining a market share figure, we tabulated the number of times a specific vendor appeared as a recipient of reporting feedback via DMARC. The rua field that accepts an address to receive aggregate DMARC data reports is a good proxy for this calculation. With this address, the DMARC implementation services vendor typically accepts, parses, and visualizes the data on behalf of the customer. The following table shows the basic ranking, corresponding to the number of domains that specify DMARC implementation services vendors in the RUA field. This next chart indicates the percentage of domains at enforcement (with the p=reject policy) for the corresponding vendor note in the previous chart. 7

8 Agari Threat Center Key Findings Volumes and Attack Rate Over 1 Trillion Volume The total global volume protected by Agari was almost 1.1 trillion messages over the past six months High Protection Rates Lead to Low Threat Rates For Agari customers, the overall threat rate was low at 3% on an volume basis since the protection rate (p=reject) was high at 92%. When phishing s don t reach their targets, attackers quickly move on to other domains. Volume Threats Over 6 months Source: Agari Threat Center 90 Percent of Leading Brand Domains Targeted by Malicious From the vantage point of the Agari Threat Center, almost every domain is being used for unauthorized . Almost 90% of domains associated with leading brands were implicated in DMARC authentication failures, meaning that almost every brand being associated with a malicious or unauthorized stream of messages, undermining brand trust and brand value. Much less data is captured for domains and brands in EMEA and APAC, but one fact remains essentially the same across each of the three regions of the world: almost 9 out of 10 domains are being used in unauthorized ways for sending messages, undermining brand trust and value. 8

9 Agari Threat Center Key Findings Leaders and Laggards Retails Leads the Way with DMARC Enforcement The retail industry could be the poster child for DMARC implementation. When looking at volume, the retail industry ranks highest with a 99% reject rate over the last six months, offering a strong security that customers and business partners can rely on. Given the personal and sensitive information on customers held by organizations in these sectors that could be used for identity theft and direct fraud as a consequence of a successful malicious campaign, it makes good business sense to ensure only valid messages get delivered. However, targeted domains ranked at almost 90%, which is similar to the global average across all industries. Top Attack Target is Healthcare Healthcare is the most highly attacked industry with malicious and unauthorized s making up over 58% of traffic over the last six months. This means that healthcare customers are more likely to receive a fraudulent from their provider than a valid one. Recent research by Agari found that 77% of healthcare organizations don t use DMARC at all and of the remaining 23% only 2% have implemented a policy of quarantine or reject. As a comparison to other sectors visible to the Threat Center, healthcare is suffering four times the rate of attack compared to the government sector. Finance: A Dominant Target But Well Protected The finance industry continues to be a dominant target for phishing attacks. When Agari analyzed over 21 billion finance industry s and over 6,700 finance industry domains, it was discovered that 3.6% of s sent on finance domains were unauthenticated, with 87% of domains being the target of at least one spoofing attempt. However, along with retail and technology, the finance industry is also one of the leading adopters of DMARC. Agari data shows that 89% of finance industry institutions have achieved a DMARC policy of Reject consistently protecting their customers experience. 9

10 Key Findings Adoption Trends for Large Organizations As we kicked off the analysis period for this report, we looked at publicly available adoption data for large global organizations, including those outside the purview of the Agari Threat Center. Based on this additional research, we have confirmed that the largest corporations around the world have by-and-large not implemented the DMARC standard, leaving their customers, business partners and brand vulnerable to digital deception and the losses associated with fraud. Fortune 500 DMARC adoption Two-thirds (67 percent) of the Fortune 500 have not published any DMARC policy. Only four Fortune 500 industry sectors have a majority DMARC adoption rate: business services (60 percent), financials (57 percent), technology (55 percent) and transportation (53 percent). Quarantine Policy Only three percent have implemented a Quarantine policy (Spam folder) Reject Policy Only five percent have implemented a Reject policy (Blocked). FTSE 100 DMARC adoption Two-thirds (67 percent) of the Financial Times Stock Exchange 100 have not published any DMARC policy. Quarantine Policy Only one percent have implemented a Quarantine policy (Spam folder) Reject Policy Only six percent have implemented a Reject policy (Blocked). ASX 100 DMARC adoption Almost three-quarters (73 percent) of the Australian Securities Exchange (ASX 100) have not published any DMARC policy. Quarantine Policy Only one percent have implemented a Quarantine policy (Spam folder) Reject Policy Only three percent have implemented a Reject policy (Blocked). The Radicati Group estimates 269 billion s messages are sent every day around the world. This means only 2.2% of messages are protected by a DMARC policy, or that 98% of domains and brands have not taken appropriate steps to reduce or eliminate malicious and unauthorized messages by implementing DMARC. 10

11 Threat Center Spotlight: Government The government sector is the second most attacked industry, and agencies within the government sector usually have the ability to require data from citizens aligned with agency mandates. This ability to force data collection from citizens - and often payments too - makes it essential that government agencies protect the citizens they serve through strong security. 11

12 Key Findings US Government Examining the Agari Threat Center data for our US government customers over the past six months, we note: 12% Threat Rate A threat rate of 12%, meaning that one out of every 8 messages are malicious or unauthorized. This is significantly higher than the global rate of 3% (or one out of every 33 messages). Given this high threat rate, government agencies should do all in their power to eliminate these malicious and unauthorized message streams. 87% Domains Targeted A domain targeted rate of 87%, which is essentially consistent with the global finding that around 9 out of 10 domains are being used in unauthorized ways for sending messages. Interestingly, the government rate of domain targeting is the lowest overall out of all tracked industries. One reason for this could be that while government agencies hold data on citizens, agencies are not normally active in contacting citizens frequently by , and when they do so, it is for very specific agency-aligned tasks. Clearly some government domains have frequent interaction with citizens (e.g., IRS.gov), while others are largely hidden or invisible to the general public and are thus unattractive to bad actors. DMARC Adoption Nears 50% US government DMARC adoption over the last half of 2017 increased dramatically, particularly those domains subject to the Department of Homeland Security Binding Operational Directive (BOD) 18-01, which included mandates for DMARC adoption. Initial Agari research in October showed that only 18 percent of federal domains subject to the mandate had implemented DMARC. By mid-december, the adoption level increased to 47%. Significant Protection Rate Improvements Government ranks fourth on the list of best protected industries, with 60% of the volume that is visible to the Agari Threat Network being protected by a DMARC policy of quarantine or reject. However, towards the end of December, there was an unprecedented rate of protection increase for Agari government customers as a whole, with the sector achieving a 96% protection rate. 12

13 Attack Trends for US Government The general trend within the government sector over the past six months has been a reduction in the percentage of malicious and unauthorized messages, from just under 30% of volume in early June to around 2-3% of volume in early December. While there has been some variation week by week, the trend line is fairly clear. Attack Trends for Federal Government September 11 November 13 Threat Snapshot Week of September 11 The level of malicious spiked the week of September 11 to 50%, the highest level seen in the sixmonth reporting period for the government sector. That means half of all sent using government domains was malicious or unauthorized. The week before it was 16%, and the week after it dropped again to 12%; this was an abnormal event. The root cause of this spike was a massive attack on a government agency, with over 8 million messages failing the DMARC authenticity test. Thankfully, the government agency in question had DMARC set up properly, thereby preventing the 8 million messages from getting delivered to clients, customers, and business partners. Week of November 13 The attack rate for government jumped from 3% the week of November 6 to 13.6% the week of November 13, and then fell again to 3% the week of November 20. This spike was caused by a massive attack against a large federal agency, where 9 million malicious s were sent using one of the agency s domains, but all were rejected due to the DMARC reject policy being in place. Of the total 10.7 million malicious s across all industries and the world for that week, 84% were due to this single attack. The agency s use of DMARC with a reject policy protected millions of citizens from receiving malicious messages. 13

14 Protection Trends for US Government Government, which ranks as the fourth most protected industry based on DMARC authentication, had an tumultuous protection rate trend over the past six months. For the first four months of that period, government posted fairly steady protection rates, hovering between 30% and 40%. However, in the last two months of the year, the government domains visible to the Threat Center soared from 22% to 96%. This marked the first since Agari has been tracking and ranking customer sectors by their authentication status that the government sector surpassed 90% of its domains protected with an enforcement policy. In fact, towards the end the measurement period, the government sector was riding the heels of the Retail and Technology sectors, the perennial authentication champ, as determined by the Agari Threat Center. The rise was coincident with the general timeframe of the US Department of Homeland Security s binding operational directive (BOD 18-01) that mandates the implementation of DMARC for federal agencies. Other contributing factors the start of the Open Enrollment season for health insurance coverage in the United States, with huge volumes of DMARC-protected being sent to citizens. Protection Trends for Federal Government 14

15 What s Coming for next for US Government As mentioned elsewhere in this report, the US Department of Homeland Security s BOD was a promising initiative to improve hygiene through the use DMARC. The first milestone for BOD passed on January 14th, which was the deadline for agencies to deploy the basic DMARC monitoring policy of p=none. According to a domain snapshot taken by Agari on January 14th, 63% of federal agencies had deployed DMARC. The next key date is October 14, one year from the initial mandate--when federal domains are also required to publish a p=reject policy. As of January 14, 2018, 18% of the required domains had a p=reject policy. As this report and other research by Agari shows, there is still a lot of work to be done to meet this deadline is going to be a big year for DMARC adoption, so Agari will continue to monitor these trends. 15

16 Threat Center Spotlight: Healthcare The healthcare industry is the most highly attacked industry with malicious and unauthorized s making up almost 60% of traffic over the past six months. This high proportion of fraudulent or otherwise unauthenticated threatens to overwhelm the healthcare industry, undermining any remaining trust in messages to patients, insurance companies, and partner medical providers. 16

17 Key Findings Healthcare Examining the date of healthcare customers monitored by Threat Center as well as in global DNS records, we note: 58% Threat Rate A threat rate of 58%, which means that 3 out of every 5 messages are malicious or unauthorized; there are more malicious or unauthorized s than authorized and valid ones. With the global average currently sitting at 3% (1 in every 33 messages), the healthcare industry needs to improve its security posture in line with other industries. This relentless and overwhelming flood of parasite is extremely dangerous for all participants in the healthcare industry, and all healthcare organizations need to undergo immediate corrective surgery to reduce the threats being foisted upon unsuspecting and vulnerable patients. 92% Domains Targeted 92% of healthcare domain names are being used to send parasite , which is slightly above the global average for all industries and regions of 90%. This is, however, the second highest domain targeting rate of any industry, with only the technology industry sitting slightly ahead at 92.2%. With the healthcare industry being the worst protected industry, it is no surprise that attackers view healthcare as an easy target. 77% No DMARC Record Recent research by Agari found that 77% of healthcare organizations don t use DMARC at all, which is one of the worst health indicators of in any industry. Of the remaining 23% of healthcare organizations, only 2% use DMARC with a policy of quarantine or reject. There are, however, promising development from a DMARC adoption perspective for the healthcare sector, based on activities spearheaded by the National Health Information Sharing and Analysis Center (NH-ISAC). Following the US Department of Homeland Security (DHS) issuance of BOD 18-01, the NH-ISAC responded by asking its members to pledge to adopt DMARC. By December 2018, more than 57 percent of NH-ISAC members had pledged to implement DMARC or to research DMARC for implementation. 17

18 Attack Trends for Healthcare The general trend within the government sector over the past six months has been a reduction in the percentage of malicious and unauthorized messages, from just under 30% of volume in early June to around 2-3% of volume in early December. While there has been some variation week by week, the trend line is fairly clear. Attack Trends for Healthcare September 4 Threat Snapshot Week of September 4 The level of unauthenticated jumped to 68%, the highest level across the six-month reporting period for the healthcare industry. One contributing factor was a cross-industry malicious attack by a bad actor trying to use the domain and brand of a large healthcare industry participant in the United States to send over half a million messages. Thanks to the use of DMARC by the organization under attack, these messages failed the DMARC authentication test and were not delivered, thus saving up to half a million patients and consumers from receiving malicious messages. A second contributing factor was a series of attacks against multiple healthcare organizations, with messages designed to look like Facebook updates. Hundreds of different IP addresses were used to deliver messages with personalized subject lines, some of which included urgent language to drive a quick response from the recipient. 18

19 Protection Trends for Healthcare Healthcare is consistently in last place for best protected industries. Less than 20% of visible to the Agari Threat Network is protected by a quarantine or reject DMARC policy. Interestingly, while 70% of tracked domains in the healthcare industry have a DMARC policy of quarantine or reject, this covers only 13% of the volume visible to the Agari Threat network. The 30% of tracked domains that have a policy of p=none are being used to create 86% of the industry s volume. Protection Trends for Healthcare While the industry is currently the worst protected industry, its indicators are moving in the right direction. Two promising trends on the adoption of DMARC are: From May to November 2017, an increased number of domains moved to a DMARC policy of quarantine or reject. Based on Agari research, while the actual number of domains at both stages are still low, there was a 200% increase in the number of domains at quarantine, and a 33% increase in the number of domains at reject. More is needed to ensure the health of in the sector, but the trend is promising. The National Health Information Sharing & Analysis Center (NH-ISAC) used the momentum of the BOD security mandate from the Department of Homeland Security to introduce its own pledge asking NH-ISAC members to embrace DMARC during The pledge embraces the same timeline as the DHS mandate, asking all NH-ISAC members to have a DMARC policy in place by January , and all members to have a DMARC reject policy by mid-october

20 Healthcare in the broader Security Context While the healthcare industry is the least protected industry from a DMARC perspective, this is hardly surprising given its poor performance for cybersecurity in general. For example: HIMSS Analytics and Symantec found that 80% of healthcare providers spend less than 6% of their IT budget on security, and more than half spend less than 3%. In comparison, the US Federal Government spends 16% of its IT budget on cybersecurity. The healthcare medical devices and medical systems landscape is complex, with specialist medical devices running older and difficult-to-patch operating systems. The threat vector in healthcare is significant. Many healthcare providers are building systems for electronic healthcare records (EHRs), which decreases the already small pool of qualified IT staff available for cybersecurity initiatives. The WannaCry ransomware attack in May 2017 was particularly damaging to healthcare providers around the world, who could not afford to have life critical systems offline. Hospitals are some of the most commonly cited examples of organizations actually paying the ransom to unlock systems, because patient health depends on it. The IBM X-Force Cyber Security Intelligence Index found that healthcare was the most cyber attacked industry in 2016, with more than 100 million patient records breached globally the year before. is one of the most frequently used threat vectors to attack the healthcare industry. Strong security, including DMARC with a reject policy, will protect both healthcare providers and their patients. 20

21 About this Report Data Collection This report contains metrics from data collected and analyzed by the following sources: Agari Threat Center: The Agari Threat Center continually aggregates anonymized DMARC reporting data that we track over our customer domains in several industry sectors. Over the period of this report, over 1.08 trillion s were visible to the Agari Threat Center, traversing over 18,000 top level and subdomains. Go to agari.com/ -threat-center/ and click the icon on specific chart for more information about how the charts used in this report were generated. To maintain complete confidentiality, the Threat Center database does not store company-specific information of any kind. This report is primarily representative of business to customer (B2C) for the countries and industries in which we have significant market penetration. Farsight DNSDB: For critical insight into traffic beyond Agari s customer base, we turned to our friends at Farsight Security and leveraged Farsight DNSDB, which is a real-time and historical database of DNS records observed worldwide. Farsight DNSDB is a real-time snapshot of the changing Internet dating back to 2010 and contains DNS records in a single indexed database so that security analysts can gain critical information about past and current use of domains and IP addresses used by cybercriminals. The database captures relevant data on DMARC records contained within DNS records. Mapping data from Farsight DNSDB into Agari Threat Center Verticals In order to compare and contrast the DMARC insights provided by Farsight DNSDB with the data tracked by Agari, we grouped (where possible) the Farsight DNSDB data into corresponding vertical categories represented in the Agari Threat Center. Acknowledging that such a translation will not be exact, we ran the dataset of DMARC hits we received from Farsight DNSDB for each month, which consisted of entries such as: example.com.au. IN TXT v=dmarc1; p=none; rua=mailto:admin@example.com.au through a third-party threat intelligence service (the McAfee GTI Protocol API) that categorized web sites based on its content. Below is the process we used to create the chart on page 6: 1 Using McAfee s Global Threat Intelligence website categorizer, Agari first mapped these domain names provided by Farsight into the following six categories: 2 We then mapped the six categories to the following Agari Threat Center verticals: Health, Pharmaceuticals Online Shopping, Shopping, Auctions/Classifieds Computing/Internet, Interactive Web Applications, Technical/Business Forums, Visual Search Engine, Games, Spyware/Adware/Keyloggers, Dating/Social Networking, Information Security New, Web Mail, Portal Sites, Job Search, Information Security, Forum/Bulletin Boards, Search Engines, Personal Network Storage, Mobile Phone, Shareware/Freeware, Internet Radio/TV, Web Ads, Anonymizers, Chat, Media Downloads, Streaming Media, P2P/File Sharing, Instant Messaging, Messaging, Remote Access, Anonymizing Utilities, Web Phone Public Information, Government/Military Business, Finance/Banking, Stock Trading Violence, For Kids, Game/Cartoon Violence, Phishing, Resource Sharing, Text/Spoken Only, Potential Hacking/Computer Crime, Gruesome Content, Discrimination, Spam URLs, Malicious Sites, Education/ Reference, Entertainment, Personal Pages, Travel, General News, Sports, Non-Profit/Advocacy/NGO, Religion/Ideology, Art/Culture/Heritage, Politics/Opinion, Gambling, Alcohol, Weapons, Humor/Comics, Gambling Related, Tobacco, School Cheating Information, Drugs Healthcare Retail Technology Government Finance Other* *Due to the nature of many sites in this category, the overall mapping of the Other vertical is of limited value. On average, the dataset from Farsight DNSDB contained 162,386 domains with associated DMARC records per month. On average, 19% of the domains could not be mapped with the categorizer. We did not include these unclassified domains in our comparison. 21

22 About Us About Agari Agari, a leading cybersecurity company, is trusted by leading Fortune 1000 companies to protect their enterprise, partners and customers from advanced phishing attacks. The Agari Trust Platform is the industry s only solution that understands the true sender of s, leveraging the company s proprietary, global telemetry network and patent-pending, predictive Agari Trust Analytics to identify and stop phishing attacks. The platform powers Agari Enterprise Protect, which help organizations protect themselves from advanced spear phishing attacks, and Agari Customer Protect, which protects consumers from attacks that spoof enterprise brands. Agari, a recipient of the JPMorgan Chase Hall of Innovation Award and recognized as a Gartner Cool Vendor in Security, is backed by Alloy Ventures, Battery Ventures, First Round Capital, Greylock Partners, Norwest Venture Partners and Scale Venture Partners. Learn more at and follow us on About Farsight Security Farsight Security is the world s largest provider of historical and real-time DNS record data. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security DNS solutions at and on DATA CONTRIBUTED BY 22

23 Visit the Threat Center To see up-to-date global and sector-based DMARC trends across the Agari customer base, go to: agari.com/ -threat-center Learn more about DMARC and protecting your brand For case studies, getting started guides, and other resources, go to: agari.com/resources/topic/dmarc Start with an Free Assessment of Your Environment Get a free, personalized audit of your organization s authentication posture including: DMARC authentication trends Identification of phishing using your domains Discovery of services sending on your behalf Recommendations to improve deliverability and security Sign up for a Free DMARC Assessment Go to agari.com/fix Copyright 2018