The National Portrait Gallery in London Received 350k Spam Emails in Q4 2019

• The London Portrait Gallery published data about the volume of spam they received last year.
• In three months alone, they were targeted 347602 times by phishing, malware, and spamming actors.
• In half of the cases, the purpose of the senders was to perform Directory Harvest Attacks (DHA).

From October 1 to December 31, 2019, the National Portrait Gallery in London has received 347,602 malicious email messages. The number came as an answer to a relevant request by the “Freedom of Information” (FOI) and is indicative of the size of the problem that entities like the gallery have to face and deal with. The number corresponds to approximately 3862 spam emails arriving in the inbox of the gallery every single day, with many of them being phishing attempts, or carrying spyware and ransomware-fetching attachments.

Over half of these emails were identified as DHA (Directory Harvest Attacks). This is a method that wants hackers sending a large number of emails to randomly generated addresses, with the purpose being to discover if any of these exist in the target domain. It’s practically a “brute force” spamming attack, and that’s why it always involves large numbers of messages. Once the attackers have a list with existing addresses, they’ll only need to find the matching password for it, through social engineering, or via dictionary attacks or by brute-forcing it too.

The gallery says that they managed to block 61710 of these emails by setting up filters that work by consulting a “threat intelligence blacklist”. Another 85793 email messages were successfully identified as “spam”, and they were blocked too. Finally, they can confirm that 418 messages contained malware or virus files, which is the worst-case scenario. The gallery is trying to implement a “zero-trust” approach, even scrutinizing the contents of internal communication and ensuring that everything passes through vigorous tests and multiple checking layers. Neither the management nor the lower-end employees can be trusted, as the email address of anyone could have been compromised.

The reason why crooks are targeting art galleries is to trick clients into paying them for the acquisition of works of art that are for sale. They send an email sharing a bank account that supposedly belongs to the gallery, but it’s actually theirs. The buyer sends the money to the actor's pocket, thinking they're buying a piece of art from the gallery. Of course, they monitor the relevant correspondence between the galleries and their clients and wait for the right time to strike. According to the latest stats from Google’s Password Checkup platform, about 1.5% of all sign-in attempts are using stolen user credentials that are already known from published data breaches.