Protecting Your Brand Against Threats
Your brand has a reputation and beware, because criminals want to ruin it through email. Yes, unfortunately, there are a lot of bad people sending email out there. We like to classify them into three categories: spammers, phishers (or scammers) and spoofers.
You’re already familiar with spammers, they send you unsolicited email. Phishers try to get you to divulge your personal information. Lastly, Spoofers impersonate your brand and send email as you to your customers in hopes of phishing, scamming or worse, bringing your business to its knees. Yikes! Sounds like a security nightmare, and it is.
When your email is spoofed, your reputation gets tarnished among ESPs, which means sending even legitimate email will be hard. This can be worse than having your company’s servers hacked.
Don’t fret because there are things you can do to prevent these types of security breaches from happening to your brand and they’re incredibly easy to set up.
In our upcoming webinar on February 7th, Bulletproof Your Email in 2017, join SparkPost CISO Steven Murray and ValiMail’s CEO and co-founder, Alex Garcia-Tobar, as they talk about the importance of email authentication, how impersonation attacks can slip through conventional defenses, and how to protect your brand against various security threats in 2017.
So, in this upcoming webinar we’ll review:
- Different types of security threats we’re seeing
- How this impacts your brand’s reputation
- How to combat these criminals and protect your email and your brand
You won’t want to miss this! Register today for the Bulletproof Your Email in 2017 Webinar on February 7, 2017 at 10am PT/1pm ET.
Bonus: Be one of the first 500 people to sign-up and have a virtual coffee on us!
In the meantime, you can keep yourself busy with Steve’s blog on Debunking the Myths of Moving Your Email to the Cloud or Alex’s post on Three DKIM Challenges You Might Not Know About. See you soon!
2017 State of Email: What we Can Expect in the New Year
Entering 2017, email continues to thrive while sustaining a long transformation that it has been undergoing for quite some times – literally decades. Throughout 2016, email solidified its place in a world where users use many communications app simultaneously. Email is and continues to be the record of identity for transactions. Apps use email to reset accounts and services send the most important notifications through email. Furthermore, email is the only widely used cross-platform communication protocol that is free from proprietary control. This open nature is why email continues to thrive. With 2017, we’ll likely see these major trends around email continue:
Move to Transactional.
Email has had a long life – 45 years and counting – and during that time, the nature of its primary role has changed. For a time, email was the dominant form of personal communication over the internet. As other messaging platforms have become more predominant in personal communications, email has transformed to being the system of record. Indeed it is an email address that often underlies the user’s authentication & account recovery methods of the newer communication mediums.
With email standing behind most new internet services & account types, email continues to be one of the best ways that apps and services can reach out to users to engage and activate them. With this, email continues to be the foundation of many growth programs.
Becoming Phishing Proof.
Since email is how apps and services authenticate users around account changes, it is absolutely important that email continue its development to becoming phishing proof. Public cases in 2017 have shown how sophisticated attackers have gotten using email and the damage they can do. Email providers like Google and Microsoft achieved major milestones around DMARC during 2016. When “DMARC reject policies” are finally deployed by these and other providers, email will have gone a long way from taking the onus off the user to know when to trust a message.
Today’s users have many communications apps or services. While email has a well earned place here, it is not the only way that apps and services communicate with users. Apps continue to experiment with and see what is the best mix of notification types. In 2017, we’ll see apps get even smarter about notifications, where beyond sending the right message at the right time, they’ll also send on the right medium at that time.
If 2017 is like the years before it, users will receive & send many more messages than they did in 2016. When these messages are done smartly, they provide users with options and control of their communications.
– Josh Aberant
Thoughts on the 2017 State of Email? Drop us a line below.
Do not go gentle into that new normal
At SparkPost’s recent Insight user conference, Steve Jones, executive director of DMARC.org, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front-lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.
Steve noted that 28 billion spam messages are sent every day. By some estimates, phishing is a $3.7-million annual cost for the average enterprise. And for publicly-traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”
So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.
And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.
ISPs are moving to an authentication-only world. So should you.
The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate. In 2015, Yahoo took the plunge and published a “p=Reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.
There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But, I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders long have been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that everyone hasn’t yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!
It’s time to splice email authentication into corporate DNA.
The watch guards of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.
But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.
The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.
Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.
Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.
Ready to learn more about DMARC and email authentication? Here are a few resources to get going.
- How DMARC Is Saving Email, a great ebook written by our deliverability team
- The Validator, the free, all-in-one DKIM validation, SPF checker, and DMARC validator app from SparkPost
- Understanding SPF and DKIM In Sixth Grade English
- Twitter’s Email Privacy Report, powered by SparkPost
Much thanks to Franck Martin at LinkedIn and Josh Aberant at Twitter for providing technical guidance on this post.
Most countries require visitors to have a passport and valid visa at the point of entry – whether at the border or airport. These requirements, however, do not always prevent people from entering illegally. Malicious individuals may impersonate someone by stealing their passport and claiming their identity in order to gain access at checkpoints and deceive the border police. As a result, immigration officers now implement more advanced security and background checks to secure the borders.
Unfortunately, the Internet and the global email system have a lot in common with immigration and border security. While the main purpose of inventing the Internet in 1960s was open communication between universities, colleges and government agencies, cybercriminals have undermined that openness for the rest of us. Just like identity thieves, they subverted the system by using techniques like email spoofing and phishing, and as a result, the major Internet services providers (ISPs) have had to establish anti-abuse departments.
From botnets to malware, phishers to 419 scammers, malicious mail accounted for 85% of Internet traffic by 2012. In order to protect their members from these cybercriminals, major ISPs began to require stricter email security measures such as SPF and DKIM. Finally, DMARC was conceived in 2012.
DMARC or Domain-based Message Authentication, Reporting and Conformance is a security technique that fights cybercrime, including domain spoofing, phishing and spear phishing, that relies on SPF and DKIM authentication in order to guarantee message integrity. It’s a mutual reporting protocol whereby domain owners – email senders – can indicate to ISPs that their emails are protected by SPF and/or DKIM, and tell the receiver (the ISP) what to do if neither of those authentication methods passes. Through their DMARC policy, senders can request ISPs to reject non-compliant email outright, or to quarantine it for further review. In fact, there are three “report modes” for DMARC: report mode (p=none), reject (p=reject), and quarantine (p=quarantine) – more on this below.
DMARC is specifically designed to combat one of the most common types of phishing attacks, where the “from address” in an email is forged. We see this when cybercriminals create emails that appear to be from prominent Internet brands or financial services companies, and usually contain links to malicious websites. We also see this in spear phishing attacks where criminals impersonate close contacts of their intended victims. Email recipients who fall for these kinds of scams can inadvertently download and install malware, or hand over sensitive account login information or passwords, or become a victim of identity theft. Of course, the damage is most severe for the individual, but service providers and brands suffer as well.
DMARC is a powerful tool to combat this kind of activity, and the major ISPs have been steadily implementing it over the past two years. It should be pointed out that DMARC does two things, really, both a) protecting mailboxes from receiving phish and forgeries, and b) stopping criminals from using your domains. Because 85% of mailboxes in the USA are now protected by DMARC (60% worldwide), applying a DMARC policy on your domain is a very effective way to project your brand and make the email a more difficult channel for criminals to exploit.
Earlier this month, Yahoo took the bold step of changing their DMARC policy from report mode (p=none) to reject (p=reject). Yahoo’s SVP of Communications Products Jeff Bonforte explained the change in a Tumblr post:
“On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
This policy now rejects and blocks traffic coming from yahoo.com email users who are on other networks, and not on Yahoo servers. The change will only affect traffic coming from Yahoo.com (not Yahoo hosted domains, it is up to each customer to decide whether or not to apply a DMARC policy on their hosted domain) based on the “From Address” that is not signed by Yahoo. This new policy has stopped millions of phishers already. This was a necessary move and no doubt there will be some education needed in the field to encourage small businesses to register and use their own domain if they haven’t already. But at the end of the day, these little challenges are a necessity, because email phishing has become one of the major channels for initiating cybercrime. After all, this was the reason DMARC was created, to give senders and receivers the power to define policies and protect the Internet from the criminals.
No doubt, Yahoo’s new policy is a disruption for small business owners and mailing list owners who send email on behalf of individuals. Yet DMARC has been embraced by many of the major Internet brands, and the effort to create a more secure messaging environment is likely to keep progressing. This is good for everyone who enjoys email and surfing the web. We encourage our ESP clients to only allow traffic from the domains they control to leave their network. We at Message Systems fully support Yahoo’s new DMARC policy and any effort to make the Internet a better and safer place. Our in-house expertise is available to assist any of our clients who use our core engine, Momentum, which provides for email authentication and is fully equipped to face any challenges in complying with Yahoo DMARC acceptance policies.
Find out more about DMARC email authentication in the The Benefits of Adopting DMARC Email Authentication in the joint webinar by Return Path, Groupon and Message Systems.
The attacks keep getting bigger, and global spam levels, stable in 2012, are back on the rise, according to a McAfee study quoted at ZDNet and other outlets. How big a rise? There was a volume of 1.9 trillion email spams in March 2013 alone – double the number detected in December 2012. Ouch!
The number of websites and URL expressly created for spamming rose, too, though phishing URLs dropped – but only in comparison to their skyrocketing climb in 2012.
Where does it all originate, geographically-speaking? In terms of spam and phishing URL hosting, if you said the USA, you’re a winner – we’re still in the lead, as of Q1! But the powerhouse economies of the Asia-Pacific area – with their high-speed infrastructures – are coming on fast. According to a January report from Akamai, more than half of the world’s attack traffic originated from that region.
But there’s another challenger: the brand-spanking-new king for sheer volume of spam messages is Belarus, according to TechNewsDaily.com. In April, 448 million of these got sent from the U.S., but 559 million came from Belarus.
Their caviar is one thing. Some exports we can do without.
Keep your brand safe from phishing and online fraud. Watch our Don’t Deprioritize DMARC webinar replay to learn how!
The Social Security Administration has implemented online access to accounts via their mySocialSecurity portal. Naturally, the cons came out almost immediately, as phishers began spamming seniors to connive them into “creating mySocial Security accounts” on fraudulent sites.
The phishing isn’t restricted to email – scammers are making cold calls, claiming they need to obtain personal data as a way of updating Medicare accounts. Phishing has become the fourth most prevalent form of consumer fraud as of 2012, according to the Better Business Bureau and reporting sources.
Keep your brand safe from phishing and online fraud. Watch our Don’t Deprioritize DMARC webinar replay to learn how!
Weekly Email Marketing News Digest
Increasingly sophisticated scams have found their way to our inboxes in recent months. With scammers upping the ante when it comes to cybercrime, it’s important to stay vigilante and implement the latest tactics in email security including DMARC, DKIM and SPF. Don’t let scammers feast on your profits or whittle away the reputation of your brand.
Not quite an article but here’s an interesting find. Want to know if that email you got from your bank is genuine? FraudWatch, a privately owned internet security company, publishes a frequently updated list on phishing activity complete with fraudulent email examples.
If you work in the email industry, you’re no stranger to the terms phishing and spearphishing. But have you heard of the term “longlining”? Perhaps, if you’re an angler, you’ve heard of it being used in fishing, where lines that are miles long are embedded with thousands of individual hooks to catch fish.
Here’s an excerpt from the article on longlining phishing in the context of email scams:
“During a longlining phishing campaign, the attacker sends out email messages, or hooks, that are highly variable, in terms of content. These messages are individualized and appear to come from various IP addresses. They include a variety of subject lines and body content and dozens of unique URLs– all making it hard to track.
As with spear phishing, the malware is loaded by fooling the users into clicking on a URL embedded within these messages. To avoid user suspicion and web-security detection, these links don’t point directly to malicious sites but instead they point to trusted, legitimate websites that have been compromised by the attackers to host the malware. A single attack can employ dozens or even hundreds of compromised sites as malware hosts.”
In short? Longlining is a scam where emails with highly variable content are sent containing links to legitimate websites that have been compromised [Tweet This!].
Stephanie Colleton from Return Path points out examples of how some legitimate emails from brands can raise phishing alarms [Tweet This!]. Here’s one from Facebook that has a from address which looks suspicious: invite+Ac3RlcGhhbmllLmNvbGxldG9uQHJldHVybnBhdGgubmV0@facebookmail.com.
Stephanie also listed an example on how brands can sometimes send conflicting advice on phishing.
What are some other examples of confusing emails you have seen?
Al Iverson adds on to Stephanie’s article with four additional tips:
- Use DKIM authentication
- Utilize DMARC
- Think about from address and link domains
- Think about email content
Websense is a company that specializes in protecting organizations from the latest cyberattacks and data theft. They have a great article on spear phishing and a cool infographic on Top Phishing Findings [Tweet This!].
We’re incredibly excited to announce our partnership with Return Path in the fight against email phishing in financial services today. Each year, email phishing costs an estimated $6 billion annually for US businesses. In a recent webinar, a Groupon security expert spoke of the increasing sophistication of phishing emails masquerading as legitimate brands. We’ve been told over and over again that prevention is better than a cure, and it is to this end that Message Systems and Return Path have renewed a partnership that we originally initiated several years ago.
Our overriding belief, that tackling the widespread problem of phishing begins with prevention, forms the basis of an all new security solution for financial services. The solution combines Momentum, the most powerful email delivery platform in existence with Domain Secure, the market-leading anti-phishing solution. This combined offering provides a two-fold benefit. On one front, Domain Secure combines visibility into potentially fraudulent email activity with email authentication to block phishing before it reaches the customer. On the other front, Momentum will provide best-in-class reliability, deliverability and visibility with unsurpassed sending speeds.
With the industry leader in digital messaging software and the global leader in email intelligence working hand-in-hand, Message Systems and Return Path are set to reduce financial fraud one email at a time.
Find out more about how the DMARC standard is fighting phishing when you watch our Don’t Deprioritize DMARC webinar!
Email systems have grown increasingly complex since they first appeared in the early 1970s. The growth of the Internet (as measured by users of internet-enabled services) is largely responsible for this complexity. Spam, phishing, and forgery attacks have plagued email users across the world in recent years.
The fundamental problem with modern email systems is that, although we ascribe identity to individual email addresses, that identity is generally not enforced. To this day, it is common to find poorly configured email servers and web email forms that allow malicious users to forge emails.
To understand how this is possible and why it is a problem, we need to understand how email works in the first place.
How does email work?
The internet protocol describing email (called SMTP: Simple Mail Transfer Protocol) functions very similarly to what we now know as “snail mail”. (It turns out that this similarity is very unfortunate). In snail mail, we have two major components: the envelope, and the letter.
The envelope contains addressing information: Who is this letter to? Who did the letter come from? The postal service uses the “To” address, printed on the front-center of the envelope, to get the letter to the right place. Sometimes, something is wrong with this address, and the “From” address (usually printed on the top-left or rear of the envelope) allows the postal service to return the letter to the sender.
If neither of these addresses make any sense, the letter will eventually be destroyed as it can neither be delivered or returned.
A letter from a company to a legal office may not mention names of individuals on the envelope. However, the letter will usually have information embedded in it describing who the letter is individually to, and who individually is responsible for the contents of the letter.
What Could Possibly Go Wrong?
The protocol for delivering letters via a postal service requires a large amount of trust. The example letter above is rather inflammatory, and we might have some doubts as to its validity. Consider the following questions:
- Who is B. Baz?
- Does B. Baz exist?
- Did B. Baz write this letter?
- Did Mr. Foo receive the mail, or did someone else?
- Was the letter altered?
We could probably come up with many other questions related to this as well. Fundamentally, these questions boil down to trust. The postal service does not provide us any way to verify that the sender is who they claim to be. It does not provide us with any way to verify that the sender actually wrote the contents of the letter.
For years, people have sought solutions to these problems. We have invented opaque envelopes to prevent people from reading contents. We use better adhesives to prevent tampering (or at least make it obvious if the letter was tampered with).
With hundreds of years of experiencing mail forgery, delivery tampering, and the like, email must have considered these cases, right? Wrong. Email does not solve any of these problems. Why are they problems? Malicious individuals can exploit these issues of trust to send computer viruses or unwanted marketing email (spam). People exploit these issues of trust to send diseases like anthrax, and unwanted marketing mail (coupon books, credit offers, etc.)
Email and snail mail are not so different. But in email, we can do better.
Trusting An Identity Crisis
We have established two problems with email:
- The identity of the sender and recipient of a mail are unknown.
- The contents of the message are not known to be correct.
So, if we are the recipient of a letter (or of an email, for that matter), how do we know who sent it? How do we know what we are reading is what the sender actually wrote?
With regular mail, we rely heavily on context and signatures. Humans are generally pretty good at recognizing visual patterns (and discrepancies in those patterns). If we receive a letter from someone we know, we can make an educated guess as to whether they sent it based on factors like writing style, handwriting, signature, and address information.
Imagine receiving a letter from a friend. This letter is asking you for money. You know your friend is on vacation in the Galapagos Islands, and the signature looks funny. You are probably going to request additional information before you send money to your friend.
Email does not enjoy these same protections. There are no signatures — just addresses. And most people are not technologically inclined. So when King Mubotu emails from Nigeria telling you to send him $50 so he can send you $50,000,000, you do it. I mean, it is King Mubotu, right?! Right!!?
So many people are still unaware of this attack, that it is still successful. Again, the fundamental problem is that identity has not been established, and our normal contextual clues for establishing it are gone. So we fall back to trust. If you follow one rule on the Internet, it should be not to trust anyone unless you have any technical knowledge that would make you think otherwise.
DKIM (pronounced “DEE-kim”) allows organizations to claim responsibility for messages they send and guarantee the contents of the messages they send. Senders may also guarantee the identity of the individual responsible for sending the message (although this is not yet widely used).
How does the guarantee work?
In a word: math. DKIM relies on what is called “asymmetric cryptography” (also known as “public-key cryptography”). After a message is received, and before that message is delivered to its destination, DKIM uses a “private key” to create a signature for both the contents of the message, as well as some key headers of the message. This signature is attached to the message.
When the message is delivered to the destination, the destination server asks the sender for a public key to verify that the signature is correct. If the public key allows the destination server to decrypt the supplied signature to the same value it computes as the signature, it can assume the sender is indeed who they claim to be.
(Note that we can only assume that the sender is not lying about who originated the email. If the malicious party is the sender in the first place, we have to trust that they are not lying to us!)
As an analogy, consider a message sent between two corporate offices. The message includes a reference number and a phone number. The receiving office can call the sending office, provide the reference number, and read the message. The sending office can verify that this is in fact correct.
What if someone else answers the phone?
In the hypothetical scenario of a letter sent between two offices with a reference number and a phone number to verify, it is logical to assume that a malicious person could attack the security of the system. The attacker would have to:
- modify the message,
- hijack the phone line,
- impersonate the sending office, and
- lie about the validity of the message.
This is a difficult attack to pull off. But can we pull off the same attack against a DKIM-signed message? Not really.
When DKIM asks for the public key, it either receives the public key or it receives something that is not the public key. If it receives the wrong key, decryption will fail, and the message will appear invalid. If the message appears invalid, we can assume some aspect of the system has been tampered with, and we can try more strict verification of the message (such as an in-person discussion). This case does not break the guarantee made by the DKIM signature, because it can still be validated with the proper key.
If the attacker responds with the valid public key, all they have done is prove that the message was sent unmodified.
But people have hacked DKIM!
To mount an attack against DKIM, you have to own or reconstruct the private key. This has happened before in, for example, the attack against Google in late 2012. In this case, Google used an insecure key size for their private key and the attacker was able to reconstruct the key. The solution? Use a bigger key! Although this seems like a weak argument, the justification for why this works is outside the scope of this article. I do not wish to attempt to explain the complexity of integer factorization in simple terms. (At least not in this article.)
For the time being, this is a fine solution.
If a key is compromised (either because someone obtains the key by “hacking” the sender or because they were able to reconstruct it by brute force), one can simply change the key. The problem with doing this is that once a key is known to have been compromised, it is impossible to guarantee with certainty that a message has not been tampered with. There are two reasons for this:
- Inherently, once the key is compromised, someone can forge messages that would have validated with the key. With some clever tricks, it might be possible for an attacker to even forge dates to make it look like the message was sent when the key was valid.
- The public key is generally no longer available. Once the private key has changed, the public key must change as well. If both the public and private keys are subsequently lost or forgotten, it is nearly impossible to reconstruct them.
When doing forensics work with DKIM, if the original key was compromised, it is usually not difficult to prove that messages were not forged. Most people lack the skill to forge keys and emails, and the ability to forge dates requires access to both the sending and receiving machines.
Hopefully this is a useful, lucid, and digestable explanation about the security weaknesses inherent to email (and snail mail, for that matter). If you have additional questions, feel free to contact me either via comments or via email.
If you choose email, I hope you are using DKIM!