Did you know that phishing attacks are by far the most popular way for attackers to steal information from and defraud small- and medium-sized businesses? Many of the most damaging attacks start with unsolicited emails. Knowing what kinds of scams are currently circulating makes it easier to tell a legitimate message from a fraudulent one and to stay one step ahead. Of course, reaching out to your IT team is also a good idea whenever you’re in doubt. Users have some control over the messages in their quarantine, but messages that don’t pass the DMARC tests have to be released by an administrator. Looking at a few current examples of spam can show you what to look for, and that might save your company from becoming a statistic. Today, we’ll take a look at the anti-spoofing measures used to block fraud and phishing emails, and then at a couple of recent examples of messages that get through them.
Security at Scale
Behind the scenes, there are just a whole lot of bad emails (and text messages) out there. The openness and decentralization of email make it easy to use as a nefarious marketing tool or to defraud users who might be a little too trusting. Luckily, security defenders see a whole lot of email, which gives them insight into the patterns that show an email may be fraudulent.
Our clients often notice and alert us to emails that mention security or authentication but are fraudulent. Here’s a screenshot from a recent phishing email that was making the rounds. Since they are (after all) bad guys, they unscrupulously use trusted companies’ branding to convince you that you need to log in to the product:
This type of message is designed to make you think that you’ve already been hacked, trying to get you to act instinctively to remedy the problem. The main part of this message is a giant QR code that looks like it’s for use with an authenticator app, but could be a link to any malicious server.
Another very common tactic is the recent campaign telling recipients that their account is about to run out of storage and that they need to request an increase. That campaign is just a numbers game, betting that a lot of people have full inboxes and are close to their storage limit (which is true).
As your security partners, we see a lot of email scams and can draw on what we see across our clients to help us understand the threats. Of course, an email security platform like Proofpoint has far more email to scan and analyze, so they’re able to understand the patterns behind the threats in a more quantitative fashion—through the use of algorithms and security protocols.
A Brief Look at DMARC and Anti-Spoofing
DMARC is the latest standard for stopping spoofing, a tactic used by fraudsters to send mail that looks like it comes from someone else’s address. It combines two checks on the sending domain, both trying to verify that the email really came from the domain it claims to come from. It can do this either by a) showing that the message was sent from a server the domain lists as one of its own authorized senders (SPF), or b) showing that the message carries a cryptographic signature placed on it by that domain’s server (DKIM).
Without going deep into the details: if the message passes at least one of the two tests (SPF or DKIM), the spam filter will let it through, but if it fails both, the spam filter will block or quarantine the message according to the domain’s published policy. If these checks aren’t in place, the receiver of the email basically trusts that the email came from where it says it came from.
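To make the "pass one or the other" rule concrete, here is an added example of how a receiving server turns its SPF and DKIM results into a DMARC verdict and a disposition. This is illustrative code written for this post, not the blog’s or any vendor’s filter; it assumes the `Authentication-Results` header format from RFC 8601, that the domain’s DMARC record (the `_dmarc.<domain>` TXT record) has already been fetched from DNS, and it approximates the organizational domain by the last two labels rather than using the Public Suffix List. All domains and header values are constructed.

```python
"""Added example (not the blog's code): SPF + DKIM results -> DMARC verdict.

Assumptions: RFC 8601 Authentication-Results syntax, a DMARC record already
fetched from DNS, and organizational domain ~= last two labels.
"""
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (real DMARC uses the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(record: str) -> dict:
    """Turn 'v=DMARC1; p=quarantine; aspf=s' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header: str) -> dict:
    """Extract the SPF and DKIM outcomes and the domain each was checked against."""
    results = {}
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([^\s;]+)", header, re.I)
    if spf:
        results["spf"] = (spf.group(1).lower(), spf.group(2).split("@")[-1])
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([^\s;]+)", header, re.I)
    if dkim:
        results["dkim"] = (dkim.group(1).lower(), dkim.group(2))
    return results


def dmarc_evaluate(from_header: str, auth_results: str, dmarc_record: str) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    A test only counts if it passed AND its domain aligns with the visible
    From: domain; that alignment is what stops 'SPF passes for the attacker's
    own domain' from authenticating a spoofed From: address.
    """
    _, address = parseaddr(from_header)
    from_domain = address.split("@")[-1].lower()
    tags = parse_dmarc_record(dmarc_record)
    results = parse_auth_results(auth_results)

    def aligned(domain: str, mode: str) -> bool:
        # strict ("s"): exact match; relaxed ("r", the default): same organizational domain
        if mode == "s":
            return domain.lower() == from_domain
        return org_domain(domain) == org_domain(from_domain)

    spf_pass = ("spf" in results and results["spf"][0] == "pass"
                and aligned(results["spf"][1], tags.get("aspf", "r")))
    dkim_pass = ("dkim" in results and results["dkim"][0] == "pass"
                 and aligned(results["dkim"][1], tags.get("adkim", "r")))

    if spf_pass or dkim_pass:
        return "pass", "deliver"
    policy = tags.get("p", "none").lower()
    return "fail", {"none": "deliver", "quarantine": "quarantine",
                    "reject": "reject"}.get(policy, "deliver")


if __name__ == "__main__":
    # Constructed: a spoofed From: whose SPF passes only for the attacker's own domain.
    print(dmarc_evaluate(
        "Account Security <security@example.org>",
        "mx.example.net; spf=pass smtp.mailfrom=bounce@attacker-example.test; "
        "dkim=fail (bad signature) header.d=example.org",
        "v=DMARC1; p=quarantine"))
    # Constructed: mail from a compromised but genuine account passes both tests.
    print(dmarc_evaluate(
        "Jane Doe <jane@example.org>",
        "mx.example.net; spf=pass smtp.mailfrom=jane@example.org; dkim=pass header.d=example.org",
        "v=DMARC1; p=quarantine"))
```

The second case in the `__main__` block is the one the rest of the post is about: a message sent from a real, compromised mailbox passes both SPF and DKIM with perfect alignment, so DMARC has nothing to object to.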
Then How Does Spam Still Get Through?
Despite these advances in authentication, attackers always find a way to exploit an unmoderated platform. Checking with the sending domain whether it really sent the email, or confirming that the person who sent it really is with the company, is a pretty solid way of verifying that the email isn’t impersonating a sender. Of course, there are other ways to impersonate someone, like compromising a typical user’s account.
In the case of the Microsoft-branded phishing email above, there’s something more problematic going on, because the sender was just a normal user at a property management company. Presumably, the account owner isn’t secretly a phisher or criminal; their account has already been compromised. Chaining these attacks together is one way the bad guys evade detection because, as a normal, everyday user, that email account does not (yet) have a bad reputation and is more likely to make it through spam filters. This means that it will pass DMARC’s tests, and it will get past content scanning because most of the text is part of an image file instead of plain text. While there are other security measures in place, every measure taken will have some kind of flaw that lets some bad ones through.
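Because a message from a compromised account passes DMARC cleanly, the remaining signal is the shape of the content itself: almost no readable text and one inline image doing all the work. The following is an added example of that check, written for this post rather than taken from the blog or from any mail-security product. It uses only Python’s standard library, builds its sample messages inline (the sender addresses and the "image" bytes are constructed, not a real PNG), and the `MIN_VISIBLE_CHARS` threshold is an assumed value that a real filter would tune against its own traffic.

```python
"""Added example (not the blog's code): flag image-led messages with little
visible text, the shape of the QR-code phish described above.

Assumptions: standard-library email parsing only, constructed sample
messages, and an arbitrary MIN_VISIBLE_CHARS threshold.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MIN_VISIBLE_CHARS = 80  # assumed threshold: less visible text than this is "image-led"


def visible_text(part) -> str:
    """Return the text a recipient would actually read from a text/* part."""
    body = part.get_content()
    if part.get_content_subtype() == "html":
        # drop script/style blocks, then every remaining tag
        body = re.sub(r"<(script|style)\b[^>]*>.*?</\1\s*>", " ", body, flags=re.S | re.I)
        body = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", body).strip()


def analyze(raw: bytes) -> dict:
    """Walk the MIME tree and report whether the message is image-led."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_chars, image_parts, image_bytes = 0, 0, 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        if part.get_content_maintype() == "text":
            text_chars += len(visible_text(part))
        elif part.get_content_maintype() == "image":
            image_parts += 1
            image_bytes += len(part.get_payload(decode=True) or b"")
    return {
        "text_chars": text_chars,
        "image_parts": image_parts,
        "image_bytes": image_bytes,
        # Authentication says nothing here: a compromised but genuine account
        # passes SPF/DKIM/DMARC, so content shape is what is left to look at.
        "suspicious": image_parts > 0 and text_chars < MIN_VISIBLE_CHARS,
    }


def sample_image_only_phish() -> bytes:
    """Constructed message: an HTML body that is nothing but one inline image."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane@property-example.test>"  # constructed sender
    msg["To"] = "you@example.test"
    msg["Subject"] = "Unusual sign-in activity on your account"
    msg.set_content('<html><body><img src="cid:qr@example"></body></html>', subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 4096  # constructed bytes, not a real image
    msg.add_related(fake_png, maintype="image", subtype="png", cid="<qr@example>")
    return bytes(msg)


def sample_plain_notice() -> bytes:
    """Constructed message: ordinary plain-text notice with no images."""
    msg = EmailMessage()
    msg["From"] = "IT Team <it@example.test>"
    msg["To"] = "you@example.test"
    msg["Subject"] = "Maintenance window this weekend"
    msg.set_content("The mail server will be patched on Saturday between 08:00 and 10:00. "
                    "You do not need to do anything; messages will queue and deliver afterwards.")
    return bytes(msg)


if __name__ == "__main__":
    print(analyze(sample_image_only_phish()))
    print(analyze(sample_plain_notice()))
```

In practice this heuristic is one input among several (sender reputation, link and attachment analysis, user reports), not a verdict on its own; legitimate marketing mail is also often image-heavy, which is exactly why a filter tunes the threshold rather than hard-coding it.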
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team