DMARC doesn't fix Phishing

Not a new thing, but a nice example just popped up in my inbox on my phone.

But FedEx solved their entire phishing problem when they published a strict p=reject DMARC record, right?
This didn’t come from fedex.com. It came from another domain that looks vaguely like fedex.com – what that domain is doesn’t matter, as the domain it’s sent from isn’t displayed to the user on my phone mail client. Nor is it displayed to the user by Mail.app on my desktop, unless you turn off Mail → Preferences … → Viewing → Use Smart Addresses.

That lookalike domain could pass SPF, it could be used as d= in DKIM signing, it could even be set up with DMARC p=reject. And the mail is pixel identical to real mail from fedex.com.
On my desktop client I can hover over the link and notice it looks suspicious – but it’s no more suspicious looking than a typical ESP link-tracking URL. And on mobile I don’t even get to do that.
SPF, DKIM and DMARC can inconvenience phishers to the extent that they have to send from a domain other than yours, but that does nothing for the vulnerability of most of your audience to being phished with your brand: the lookalike domain authenticates perfectly well as itself, and your p=reject policy is never consulted.
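The following is an added example, not code from the original post: it models what a "smart address" mail client shows the user next to what DMARC actually verifies. The brand list, the From: headers and every domain in it are constructed for illustration, and the alignment check is a simplified version of relaxed DMARC alignment (parent/subdomain stands in for the organizational-domain lookup).

```python
"""Added example (not from the original post): what a mail client displays
versus what DMARC actually verifies. The brand list, From: headers and
domains below are constructed for illustration."""
import difflib
from email.utils import parseaddr

BRAND_DOMAINS = {"fedex.com"}  # assumption: the domains whose brand we care about


def aligned(auth_domain, from_domain):
    """Relaxed DMARC identifier alignment, simplified: the authenticated
    domain (DKIM d= or the SPF-checked domain) must be the From: domain or
    share its organisational domain (modelled here as parent/subdomain)."""
    return bool(auth_domain) and (
        auth_domain == from_domain
        or auth_domain.endswith("." + from_domain)
        or from_domain.endswith("." + auth_domain)
    )


def lookalike_of(domain, brands=BRAND_DOMAINS, threshold=0.8):
    """Return the brand a non-brand domain resembles, or None.
    Two cheap heuristics: the brand label appears inside the domain
    (fedex-delivery-notice.com), or the leading label is a close edit
    (fedx.com). A real deployment would add confusable-character checks."""
    if domain in brands:
        return None
    label = domain.split(".")[0]
    for brand in brands:
        brand_label = brand.split(".")[0]
        if brand_label in domain:
            return brand
        if difflib.SequenceMatcher(None, label, brand_label).ratio() >= threshold:
            return brand
    return None


def assess(from_header, dkim_d, spf_domain):
    """Evaluate one message: what the user sees, whether DMARC passes for the
    domain actually used, and whether that domain merely looks like the brand.
    dkim_d is the d= of a verifying DKIM signature ('' if none), spf_domain
    the domain SPF passed for ('' if SPF failed)."""
    display_name, address = parseaddr(from_header)
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    dmarc_pass = aligned(dkim_d, from_domain) or aligned(spf_domain, from_domain)
    return {
        # with "smart addresses" on, only the display name is shown
        "shown_with_smart_addresses": display_name or address,
        "from_domain": from_domain,
        "dmarc_pass": dmarc_pass,
        "lookalike_of": lookalike_of(from_domain),
    }


if __name__ == "__main__":
    # constructed headers: a lookalike domain with its own SPF/DKIM, the real
    # brand domain, and a plain spoof of the real domain that p=reject stops
    for hdr, d, s in [
        ('"FedEx Tracking" <track@fedex-delivery-notice.com>',
         "fedex-delivery-notice.com", "fedex-delivery-notice.com"),
        ('"FedEx" <noreply@fedex.com>', "fedex.com", "fedex.com"),
        ('"FedEx" <noreply@fedex.com>', "", ""),
    ]:
        print(assess(hdr, d, s))
```

The first constructed message is the case the post describes: DMARC passes, because the lookalike domain is authenticated as itself, and the client shows only "FedEx Tracking". The lookalike check is the kind of thing a receiver or a brand-monitoring feed has to do on top of DMARC; DMARC itself has no opinion about domains that are not yours.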

Related Posts

ARC: Authenticated Received Chain

On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline.
What breaks?

DMARC (with p=reject) risks causing problems any time mail with the protected domain in the From: field is either sent from a mailserver that is not under the control of the protected domain, or forwarded by a mailserver not under the control of the protected domain (and modified, however trivially, as it’s forwarded). “Problems” meaning the email is silently discarded.
This table summarizes some of the mail forwarding situations and what they break, but only from the original sender's perspective. (If forwarding mail from a user's mailbox at provider A to their mailbox at provider Y breaks because of a DMARC policy at provider A, that is the user's problem, or perhaps provider A's or provider Y's, but not the original sender's.)
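As an added example (not part of the original post), the following models why a forwarder that edits the message turns a p=reject policy into a discarded message. It implements a simplified RFC 6376 relaxed body canonicalization to compute the DKIM bh= value, then evaluates DMARC for a few forwarding scenarios. The domains, message body and list footer are constructed; the alignment check is the same simplified relaxed alignment as above (parent/subdomain instead of an organizational-domain lookup).

```python
"""Added example (not from the original post): how forwarding interacts with
DKIM body hashes and DMARC alignment. Domains and messages are constructed."""
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization, reduced to the rules that matter
    here: runs of whitespace collapse to one space, trailing whitespace on a
    line is removed, trailing empty lines are dropped, lines end in CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip() for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= value a signer places in DKIM-Signature (sha256, base64)."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_verifies(signed_bh, received_body):
    """True if the body the receiver got still matches the signed hash."""
    return body_hash(received_body) == signed_bh


def aligned(auth_domain, from_domain):
    """Relaxed alignment, simplified: same domain or parent/subdomain."""
    return bool(auth_domain) and (
        auth_domain == from_domain
        or auth_domain.endswith("." + from_domain)
        or from_domain.endswith("." + auth_domain)
    )


def dmarc_result(from_domain, spf_pass_domain, dkim_d, dkim_ok, policy="reject"):
    """Return 'pass', or the policy action the receiver applies on failure.
    spf_pass_domain is the domain SPF passed for, or None if SPF failed."""
    spf_aligned = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain)
    dkim_aligned = dkim_ok and aligned(dkim_d, from_domain)
    return "pass" if spf_aligned or dkim_aligned else policy


def forwarding_scenarios():
    """Constructed message from sender.example, signed with d=sender.example."""
    original = "Hello,\nPlease see the attached report.\n"
    bh = body_hash(original)
    with_footer = original + "\n--\nmembers mailing list\nhttps://lists.example/info\n"
    whitespace_only = "Hello,  \nPlease see   the attached report.\n"
    return {
        # 1. direct delivery: SPF passes for the sender's domain, DKIM intact
        "direct": dmarc_result("sender.example", "sender.example",
                               "sender.example", dkim_verifies(bh, original)),
        # 2. plain forward: SPF fails (sender's domain, forwarder's IP), but the
        # untouched DKIM signature still aligns, so DMARC passes
        "forward_unmodified": dmarc_result("sender.example", None,
                                           "sender.example", dkim_verifies(bh, original)),
        # 3. forwarder only changes whitespace: relaxed canonicalization absorbs it
        "forward_whitespace_only": dmarc_result("sender.example", None,
                                                "sender.example", dkim_verifies(bh, whitespace_only)),
        # 4. mailing list appends a footer and rewrites the envelope sender:
        # DKIM breaks, SPF passes for lists.example which does not align -> reject
        "mailing_list_footer": dmarc_result("sender.example", "lists.example",
                                            "sender.example", dkim_verifies(bh, with_footer)),
        # 5. same list, sender publishes p=none: message is only reported on
        "mailing_list_p_none": dmarc_result("sender.example", "lists.example",
                                            "sender.example", dkim_verifies(bh, with_footer),
                                            policy="none"),
    }


if __name__ == "__main__":
    for name, outcome in forwarding_scenarios().items():
        print(f"{name:26s} {outcome}")
```

Scenario 3 is the practical caveat to "modified, however trivially": relaxed canonicalization tolerates whitespace changes, so it is content changes such as list footers, subject tags and re-encoded bodies that break the signature. Real verifiers also hash the signed header fields and check the signature over them, which this example omits.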


Anatomy of a successful phishing attempt

Earlier this year the Exploratorium was the victim of a phishing attack. They’ve posted an article on what happened and how they discovered and dealt with the issue.
But they didn't just report on the attack, they dissected it. And, as is appropriate for an organization with a mission of education, they mapped out what they discovered during the investigation.

There are a couple of things that stand out to me about this attack. One is that there was a delay between the compromise and the start of the attack. The Exploratorium calls it "the pivot" and describes it as the hacker deciding what to do next. The second is that the phisher actively interacted with the victim's account. All new mail was sent to the trash automatically so she wouldn't see incoming mail. Some mail was actively replied to so more people would click on the message. The phisher took steps to retain access to the account for as long as possible.
One thing that the Exploratorium didn’t see was any actual access to Exploratorium files or information. That may be because the Exploratorium itself wasn’t the target. Once a phisher / hacker has access to the email account, they have access to almost everything in your online life: calendars, bank accounts, credit accounts, the list goes on. Email addresses are our online identity and getting access to the address can open access to so much more.
Quite frankly it can happen to any of us. Earlier this week we received a phishing message that looked very plausible. It came from a law firm, mentioned a subpoena and even had an attachment personalized to our company. The attachment wasn’t opened so we were fine, but I can see how that kind of email might trick someone into getting infected.
We all need to be careful online. Email is a wonderful thing, but it's insecure. It's a great way for criminals to get into our space and wreak havoc on our computers and our lives.

Phishing increasingly sophisticated

Phishing is an online threat that's been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phishing is more dangerous and more sophisticated. Phishing is not just used to send spam. It's used to take over elections; it's used to steal millions of dollars. Experts estimate that globally phishing costs companies over 9 billion dollars a year.
Even in the last two weeks we've seen two major phishing incidents. One targeted Google Docs, one targeted Docusign. Reading the news reports these are different than many of the more common phishing attacks and, to me, represent an evolution in standard phishing techniques.

The Google attack in early May was an evolution in getting access to a Google account. Instead of directing users to a fake Gmail login page, the phish asked users to allow "Google Docs" (actually an app controlled by the phisher) access to their Google account.
I'm sure all of you have used an app or website that lets you log in with Facebook or Gmail or Twitter. This is all done with a protocol called OAuth. OAuth is also how you give access to mailbox management tools like I discussed a few weeks ago. Basically, OAuth lets users grant access and permission to a site or application using a second site without revealing their username and password. (It's more complicated than I want to discuss, but if you're looking for some information check out some of the sites I've found: Wikipedia, the Varonis blog, the Digital Ocean knowledge base, or just search Google for oauth.)
The switch from asking for a password to asking for access is, to my mind, a significant change. Now we have to be aware of what we’re authorizing and make sure that app isn’t malicious.
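As an added example (not from the original post), the following breaks an OAuth 2.0 authorization request down the way a consent screen should, so the reader can see what "access" actually means before approving it. The parameter names (response_type, client_id, redirect_uri, scope, state) are RFC 6749's; the authorization endpoint, the client_id, the scope names and the hosts are constructed, and the set of scopes treated as high-privilege is an assumption.

```python
"""Added example (not from the original post): inspecting an OAuth 2.0
authorization request before consenting. Endpoint, client_id, scope names and
hosts below are constructed; only the parameter names come from RFC 6749."""
from urllib.parse import parse_qs, urlparse

# assumption: scopes that hand over the mailbox, contacts or a long-lived
# refresh token deserve a second look on any consent screen
HIGH_PRIVILEGE = {"mail.readwrite", "mail.send", "contacts.read", "offline_access"}


def inspect_authorization_request(url, expected_app_host=None):
    """Return who is asking (client_id), what they get (scopes), where the
    browser is sent afterwards (redirect host) and a list of findings."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    scopes = set(q.get("scope", "").split())
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname or ""
    findings = []
    if q.get("response_type") != "code":
        findings.append("not the authorization-code flow; tokens would be returned in the URL")
    if "state" not in q:
        findings.append("no state parameter, so the flow has no CSRF protection")
    risky = sorted(scopes & HIGH_PRIVILEGE)
    if risky:
        findings.append("high-privilege scopes requested: " + ", ".join(risky))
    if expected_app_host and redirect_host != expected_app_host:
        findings.append(
            f"redirect_uri host {redirect_host!r} is not the app you expected ({expected_app_host!r})"
        )
    return {
        "client_id": q.get("client_id"),
        "scopes": scopes,
        "redirect_host": redirect_host,
        "findings": findings,
    }


# constructed request in the style of the consent phish described above: the
# app is named after a well-known product, but its client_id, redirect target
# and scope list are the phisher's
CONSENT_PHISH_URL = (
    "https://auth.example/authorize?response_type=code"
    "&client_id=1234-docs-lookalike"
    "&scope=mail.readwrite%20contacts.read%20offline_access"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcb"
    "&state=x9"
)

# constructed benign request from an app the user actually installed
LEGIT_URL = (
    "https://auth.example/authorize?response_type=code&client_id=app-7"
    "&scope=profile.read&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=k2"
)

if __name__ == "__main__":
    for name, url in [("phish", CONSENT_PHISH_URL), ("legit", LEGIT_URL)]:
        report = inspect_authorization_request(url, expected_app_host="app.example")
        print(name, report["client_id"], sorted(report["scopes"]))
        for finding in report["findings"]:
            print("  -", finding)
```

The display name on the consent page is chosen by whoever registered the app; the client_id, redirect_uri and scope list are what the authorization server actually acts on, so those are the fields to read before clicking Allow.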
The Docusign phish is another evolution.  As I was looking at the phish I received yesterday I realized that it was sent to a tagged address. A tagged address only Docusign had. None of my other, heavily phished, addresses received the phish. None of Steve’s addresses received the phish. This wasn’t a widespread spray and pray phishing attack. The phishers targeted Docusign users. Yesterday afternoon, Docusign confirmed that someone stole user addresses.
This is a switch from just randomly looking for victims to targeting users of a specific service.
Phishing attacks look for the weakest links to gain access to computers, information, and money. The weakest links are always humans. Phishers have adapted to security measures for the last 20 years. There is zero reason that they won’t continue to adapt.
