
More than 3 billion fake emails sent daily as phishing attacks continue to persist

Some 140,000 more domains are using DMARC records since the start of 2019, though DMARC-based enforcement remains complex to implement.

Phishing is as much a technical attack as it is a social engineering method—for any phishing attempt to be successful, a phishing email must pass through software filters, and be acted upon by the recipient, exposing sensitive data. That may sound like slim odds for success, though the Valimail Spring 2019 Email Fraud Landscape report released Tuesday indicates at least 3.4 billion fake emails are sent each day—making phishing attacks resemble something of a “spray and pray” strategy.

The original specifications for email were written without particular regard to security. While that may have been an acceptable course of action decades ago—when internet use was restricted to government and academic users—deploying a mail server in 2019 without any security protection at all is inadvisable.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an open standard (published as RFC 7489) that can be used to prevent inauthentic email from reaching the inboxes of end users. DMARC is gaining widespread adoption, with Valimail reporting that DMARC is used on “almost 80% of all the inboxes in the world.” A survey of public DNS records revealed nearly 740,000 domains with DMARC records as of May 2019, an increase of 140,000 since the beginning of the year.

DMARC is complex to implement, however, and partial implementations—namely, DMARC records versus DMARC enforcement—can limit the efficacy of these deployments. “For domains that are actually used to send email, it takes a lot of tedious work to figure out which sending services need to be whitelisted. The fear of blocking good (legitimate) email keeps a lot of domains from switching to enforcement, and thus they remain vulnerable to bad (fake) email,” the report states.
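The distinction the report draws between merely publishing a DMARC record and actually enforcing one is visible in the record's tags. The following example, added here and not part of the Valimail report, parses constructed sample DMARC TXT records and classifies each as monitoring only, partially enforced, or fully enforced; the sample domains and records are assumptions for illustration.

```python
from collections import Counter

# Constructed sample DMARC TXT records (not taken from the report).
SAMPLE_RECORDS = {
    "monitor-only":   "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial-pct":    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "enforced":       "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "weak-subdomain": "v=DMARC1; p=reject; sp=none",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, or return None if the
    text is not a DMARC record (RFC 7489 requires 'v=DMARC1' first)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if not txt.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    # RFC 7489 defaults: pct is 100 and the subdomain policy inherits p.
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags.get("p", "none"))
    return tags

def classify(txt):
    """Return 'none', 'monitor', 'partial' or 'enforced' for a TXT record.
    'partial' covers pct below 100 and a subdomain policy weaker than p."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "none"
    if "p" not in tags:
        # RFC 7489 6.6.3: no valid p tag is treated as p=none when rua is
        # present, otherwise no DMARC processing applies at all.
        return "monitor" if "rua" in tags else "none"
    if tags["p"] == "none":
        return "monitor"
    if tags["p"] not in ("quarantine", "reject"):
        return "none"
    try:
        pct = int(tags["pct"])
    except ValueError:
        pct = 100
    if pct < 100 or tags["sp"] == "none":
        return "partial"
    return "enforced"

def enforcement_summary(records):
    """Count how many records fall into each enforcement class."""
    return Counter(classify(r) for r in records)
```

The summary mirrors the report's "records versus enforcement" gap: only records classified as `enforced` reject or quarantine every unauthenticated message.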

A few industries are rising above 20% enforcement rates, with the US federal government leading the way, due largely to mandates requiring the protection. Conversely, the least-protected industry is media organizations.

“It remains clear that fake emails from hackers, phishers and other cybercriminals constitute the major source of cyberattacks,” Alexander García-Tobar, CEO and co-founder of Valimail, said in a press release. “As more companies recognize and respond to email vulnerabilities, we expect to see organizations continue to deploy authentication technologies to protect against untrusted and fraudulent senders. The fact is that too many attackers are using impersonation to get through existing email defenses. A robust approach to sender identification and authentication is needed to make email more trustworthy, once and for all.”

For more, check out “Oh Canada: Why half of phishing attacks target the Great White North,” and “Your data, stolen twice: Pirated phishing kit contains hidden backdoor.”


Henry Sapiecha

Losses from reported Australian hacking victims quadrupled in 2016: ACCC


The Australian Competition and Consumer Commission (ACCC) has reported a four-fold increase in hacking scams, with AU$2.9 million lost to such activity in 2016, up from AU$700,000 in 2015.

According to Targeting scams: Report of the ACCC on scams activity 2016, businesses bore the brunt of these scams, with over half — AU$1.7 million — being attributed to businesses.

“While the digital economy presents many opportunities and efficiencies for businesses, it also presents significant risks,” ACCC deputy chair Delia Rickard says in the report’s foreword.

“Scams targeting businesses are becoming increasingly sophisticated using modern technology to make fake emails, invoices and websites appear legitimate to even the astute business person.”

While the digital age is hitting businesses in Australia, the report [PDF] highlights that consumers are also being affected by scammers, with digitisation providing the opportunity for scammers to try new tricks.

Online scams — those executed via the internet, email, social networks, and mobile apps — outnumbered phone-based scams in 2016, with an increase of 130 percent over 2015.

Elsewhere in the report, losses to online scams accounted for 58 percent — AU$48.4 million — of total losses, while social media was a particularly busy platform used by scammers to lure victims, netting losses of AU$9.5 million in 2016 compared with AU$3.8 million in 2015.

Of the social media scams, the most prevalent were related to online dating and sextortion, a form of blackmail in which compromising images of the victim are used to extort money.

Tougher action needed in the fight against scientific fraud


What is there to stop someone publishing scientific research that is based on no actual research or uses fake evidence to support their claims?

If the risk to reputation and all that follows isn’t enough to deter someone from such scientific fraud, then what other steps can science take to maintain the integrity of any published research?

The criminal prosecution of Dr Caroline Barwood should serve as a warning to researchers who might be tempted to engage in such actions. She was convicted last month of fraudulently applying for research grants.

The criminal charges for fraud and attempted fraud that were brought against Barwood were based mainly on her attempts to obtain funding for research investigating a treatment for Parkinson’s disease.

The research was allegedly conducted with Professor Bruce Murdoch through the Centre for Neurogenic Communication Disorders Research at the University of Queensland.

Whistleblower prompts investigation

In 2012, an unidentified whistleblower contacted the University of Queensland about Murdoch and Barwood’s Parkinson’s study. After an internal investigation the university discovered multiple irregularities, no primary data from the research and no evidence that the research had actually been conducted.

Publications based on the research had appeared in several prominent journals. The university informed the journals and four papers have now been retracted.

Both Barwood and Murdoch resigned from the university. But the university referred the matter to Queensland’s Crime and Corruption Commission. After a lengthy investigation, the Commission recommended that criminal charges be laid against both researchers.

In March 2016 Murdoch pleaded guilty to 17 fraud-related charges. He was given a two-year suspended sentence. The sentencing magistrate found that there was no evidence Murdoch had conducted the clinical trials on which his findings, and some of his publications, were allegedly based.

A critical feature of the prosecution was that both public and private research money had funded the research.

Barwood’s conviction followed later in 2016. She was convicted of five charges and sentenced to two years imprisonment, also suspended. She may face a further trial because the jury couldn’t reach agreement on another two charges.

These cases may be rare but mark a willingness to use criminal prosecutions to deal with researchers who engage in fraud.

Scientific fraud! Call the police

But is hitting researchers for fraud over their applications for funds enough to deter the scientific fraud itself?

In a hard-hitting editorial in 2013, the journal Nature said:

Science likes to shelter its crooks with euphemisms. The prefix ‘research’ softens fraud, and to deliberately obtain public money through deception gets labelled misconduct, among other things. This reflects the fact that the crime is viewed as being against professional standards rather than against the laws of wider society.

Several prominent commentators, including a former editor of the British Medical Journal, have joined the call for scientific fraud to be recognised as a criminal offence.

The re-framing of some forms of scientific misconduct as criminal fraud recognises that scientific fraud involving the fabrication of research and/or results in circumstances where private or public funding has been sought or obtained is similar to other forms of fraud.

It involves dishonesty and deception for the purpose of obtaining money or other financial advantage. It is immaterial that the benefit may not have been for the direct, personal benefit of the researcher.

It also recognises that like other forms of fraud, scientific fraud requires careful, detailed investigation and the obtaining of evidence. Police and other prosecuting authorities (such as the Crime and Corruption Commission) are best able to conduct this sort of investigation and gather this information.

Overseas examples

The first prosecution for scientific fraud appears to have been in the United States in 2006. Eric Poehlman was found guilty of fraud and sentenced to prison for a year and a day after he falsified results from his obesity research. Poehlman had received significant amounts of research funding.

Perhaps the most famous case in recent years involved Dong-Pyou Han, a biomedical scientist at Iowa State University. Han falsified the results of several experiments involving the development of a vaccine for HIV.

He eventually pleaded guilty to making false statements to obtain research grants. He was sentenced to 57 months in prison and ordered to pay back US$7.2 million in grant funds that he had fraudulently obtained.

All these cases involved intentional deception. They were not simply lapses in scientific standards or based on disputes about appropriate methodology or analysis.

A further troubling feature is that many cases involved eminent or promising researchers from leading institutions and universities, including now the University of Queensland.

Run them out of town

Criminal prosecutions for academic fraud are rare. A researcher who is found to have engaged in fraud will more likely lose their job, suffer reputational damage, be de-registered (if they are a registered health care professional), have publications retracted and find it difficult to obtain further research funding.

But these traditional strategies for dealing with scientific fraud have significant limitations.

The potential lack of institutional integrity is foremost. Universities and other institutions are sometimes more concerned with protecting their own reputations rather than properly investigating potential fraud.

That said, the decisive action taken by the University of Queensland demonstrates a commitment to high research standards.

The retraction of published papers based on fraudulent research is fraught with problems. In an editorial published in 2013, the journal Nature Medicine noted that a lack of co-operation by the researcher’s institution in investigating cases of alleged fraud, and threats of legal action by the suspect researcher, made retractions difficult. It said:

[…] our experience on this front has been largely disappointing.

There are now promising alternatives to criminal prosecution and traditional sanctions. They have potentially broader impact because they are not restricted to research which has been funded and they come from within the scientific community itself.

These initiatives include some journals now requiring authors to submit their raw data before publication is considered, and the website Retraction Watch which monitors fraud by identifying scientific articles that have been retracted.

Also, a reproducibility initiative by Science Exchange encourages researchers to submit their experiments and results and have them replicated by independent researchers. This provides another means for ensuring research integrity.

Do criminal prosecutions work?

Criminal prosecutions are certainly an appropriate strategy for dealing with some forms of scientific fraud. But they are not a panacea.

At best, they function as an additional mechanism for pursuing egregious cases where researchers have obtained, or tried to obtain, research funding based on non-existent studies or results that have been altered.

In these cases the scientific fraud clearly constitutes criminal conduct and should be prosecuted as such.

But in many instances the traditional regulatory mechanisms and sanctions, in conjunction with newer initiatives to more closely monitor research, will still be the primary mechanisms for ensuring the integrity of scientific research.

This article was edited at the request of the author to correct the institution of Dong-Pyou Han to Iowa State University, and not the University of Iowa as previously stated.
