A little late to the game, I recently binge-watched season 7 of Game of Thrones. One thing I noticed is that for all the thick walls, barred doors, and armed guards, most of the castles in the show were not taken through a direct attack on their outer defenses, but rather through infiltration. Invaders circumvented the castle’s defenses using backdoors and hidden tunnels. They even walked through the castle gate while impersonating a resident.
SaaS applications that send email—which is all SaaS applications—are similarly vulnerable. As an engineering leader, you may have followed security best practices: training, code reviews, third-party penetration testing, hardened infrastructure, and more. And yet all your efforts could come to naught if a bad actor simply steals a user’s credentials.
A common approach bad guys take to stealing user credentials is to impersonate your email: a phishing attack. A malicious third party sends your users an email that looks like it came from your application. A link in the email takes users to a website resembling your own and requests their username and password to log in. The attackers now have access to your application, allowing them to walk right through your castle gate.
An attack like this—impersonating your application—could result in customers losing trust in your service and present an existential threat to your business.
You may believe that you’re not liable for a customer’s internal security training and that there’s not much you can do to stop attacks like this. And you’re right in thinking you can’t easily stop these emails being sent. You can, however, strongly influence whether your users receive these emails.
Phishing is possible because, in the early days of email, the small group of organizations using it trusted one another. The Simple Mail Transfer Protocol (SMTP) lives up to the “simple” part of its name. A client sends a message by connecting to a Mail Transfer Agent (MTA), stating an envelope sender (MAIL FROM) and recipient (RCPT TO), and then transmitting the message itself, including the From header the recipient will see. Neither the envelope sender nor the From header is checked against the connecting host: SMTP specifies no way to verify that the party sending the message has the right to use a given address, so a sender can claim to be sending on behalf of anyone.
Fortunately, new standards are making it easier for companies to protect themselves and their users from phishing. These standards add the ability to authenticate the identity of a message sender. They allow mailbox providers such as Gmail and Microsoft, along with corporate email administrators and others, to filter messages that don’t pass validation and alert the company targeted by phishing to the impersonation attempt.
The first of these technologies is Sender Policy Framework, or SPF. SPF lets your domain administrators publish, as a TXT record in the existing Domain Name System (DNS), the list of hosts and networks allowed to send mail using your domain as the envelope sender (the SMTP MAIL FROM address). A receiving mail server looks up that record and checks whether the IP address it is talking to is on the list. Two caveats matter in practice: SPF checks the envelope sender, not the From header a user sees, and it fails when mail is forwarded, because the forwarding host’s address is not in the original domain’s record.
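To make that lookup concrete, here is an added example (not code from the original post) of how a receiver evaluates an SPF record. It is a simplified evaluator written for this page: it handles the ip4, ip6, a, mx, include and all mechanisms, the redirect= modifier and the ten-lookup limit, but not exists, ptr or macros, and it reads from a constructed in-memory DNS table rather than real DNS. The domains and addresses in the table are made up for the example.

```python
"""Simplified SPF (RFC 7208) check_host() against a constructed, offline DNS table.

Added example: supports ip4, ip6, a, mx, include, all, the redirect= modifier
and the 10-lookup limit; exists, ptr and macros are left out.
"""
import ipaddress

# Constructed DNS data for this example (the domains and addresses are made up).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailprovider.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailprovider.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/25 ip6:2001:db8:f00::/48 ~all"],
    },
    # A self-referencing include: evaluation must stop at the lookup limit, not loop forever.
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record; zero or several records mean no usable policy."""
    found = [t for t in DNS.get(domain, {}).get("TXT", [])
             if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def hosts_for(name, mechanism):
    """IP addresses behind an 'a' or 'mx' mechanism, resolved from the table."""
    names = [name] if mechanism == "a" else DNS.get(name, {}).get("MX", [])
    return [ipaddress.ip_address(h) for n in names for h in DNS.get(n, {}).get("A", [])]


def check_host(ip, domain, _lookups=None):
    """Evaluate the domain's SPF policy for the connecting IP.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]  # counter shared across includes/redirects
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only used if no mechanism matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
        elif name in ("include", "a", "mx"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying terms
            target = arg or domain
            if name == "include":
                sub = check_host(ip, target, lookups)
                if sub == "permerror":
                    return "permerror"
                matched = sub == "pass"  # include matches only on pass, never on fail/softfail
            else:
                matched = addr in hosts_for(target, name)
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, lookups)
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("203.0.113.5", "example.com"),
                       ("203.0.113.200", "example.com"), ("1.2.3.4", "loop.example")]:
        print(ip, domain, check_host(ip, domain))
```

Note the two results a practitioner most often trips over: an include only contributes a match when the included record passes, so the provider's `~all` does not soften the parent's `-all`, and a record that needs more than ten DNS-querying terms yields permerror, which most receivers treat as a failure.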
While SPF can define which servers are allowed to send messages on behalf of your domain, it doesn’t offer a mechanism to verify whether the message headers or body have been altered or forged. This is handled by DomainKeys Identified Mail, or DKIM. The sending server uses a private key to create a digital signature over selected headers (including From) and a hash of the body, and adds it to the message in a DKIM-Signature header. Receivers validate the signature against a public key published in your DNS at <selector>._domainkey.<domain>. Because the signature travels with the message, it survives forwarding, but it breaks if anything it covers is modified in transit, for example when a mailing list appends a footer to the body.
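As an added illustration (not from the original post), the following example shows the part of DKIM verification that does not need the public key: the simple and relaxed body canonicalizations and the bh= body-hash check from RFC 6376. The message and DKIM-Signature header are constructed for the example, the b= value is a placeholder rather than a real signature, and the RSA check of b= is omitted because it needs the public key from DNS and a crypto library. The point is to show why a mailing-list footer breaks the signature.

```python
"""DKIM (RFC 6376) body canonicalization and bh= body-hash check.

Added example: verifies the body hash carried in a DKIM-Signature header. The
b= signature check (RSA over the canonicalized headers) is left out; it needs
the public key from <selector>._domainkey.<domain> and a crypto library.
"""
import base64
import hashlib
import re


def simple_body(body):
    """simple canonicalization: drop trailing empty lines, end with CRLF (empty body -> CRLF)."""
    lines = body.split("\r\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) or "\r\n"


def relaxed_body(body):
    """relaxed canonicalization: collapse runs of WSP, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, body_canon="simple", algorithm="rsa-sha256"):
    """Base64 of the hash of the canonicalized body, as carried in the bh= tag."""
    canonical = relaxed_body(body) if body_canon == "relaxed" else simple_body(body)
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonical.encode("utf-8")).digest()).decode("ascii")


def parse_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace inside values is ignored."""
    tags = {}
    for field in header_value.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())
    return tags


def split_message(raw):
    """Split a CRLF-terminated message into unfolded header lines and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\r\n" + line  # continuation of a folded header
        else:
            headers.append(line)
    return headers, body


def dkim_body_check(raw):
    """True if the body matches bh= in the first DKIM-Signature header, False if not, None if unsigned."""
    headers, body = split_message(raw)
    sig = next((h.split(":", 1)[1] for h in headers if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return None
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"  # "c=relaxed" alone means relaxed/simple
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags.get("bh")


# Constructed message for the example; the b= value is a placeholder, not a real signature.
BODY = "Please confirm your  address \r\nat the link below.\r\n\r\n\r\n"
MESSAGE = (
    "From: alerts@example.com\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed") + ";\r\n"
    " b=AAAA\r\n"
    "\r\n" + BODY
)
# A mailing list that appends a footer changes the body, so the bh= check fails.
MODIFIED = MESSAGE + "-- \r\nYou received this via the dev list\r\n"

if __name__ == "__main__":
    print("original:", dkim_body_check(MESSAGE))    # True
    print("with footer:", dkim_body_check(MODIFIED))  # False
```

Relaxed canonicalization tolerates whitespace changes made by intermediate MTAs, which is why it is the usual choice for the body; a footer or a rewritten link is a content change and fails under either mode.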
The third standard, which ties the first two together, is Domain-based Message Authentication, Reporting, and Conformance, or DMARC. DMARC is another DNS-based technology: the domain owner publishes a record at _dmarc.<domain> that tells receivers how to treat messages that fail authentication (p=none to monitor only, p=quarantine, or p=reject) and where to send aggregate reports of what was seen (rua=). The important addition is alignment: a message passes DMARC only if SPF or DKIM passes and the domain that passed matches the domain in the From header the user actually sees. Without that check, an attacker could pass SPF for a domain they control while still displaying your domain in From.
With these combined standards, mailbox providers can identify messages that were legitimately sent from your application and deliver them to your users’ mailboxes. Those that fail may be sent to a spam folder, quarantined, or rejected outright, with your team notified through DMARC reports. The email purportedly sent from your application asking the user to change their password would likely never have reached their inbox.
Your customer’s data may not be pilfered via a frontal assault on your application. Rather, using deception, a bad actor can fool your users into giving away the keys to your castle. There are, however, actions you can take to mitigate this risk and ensure that your customers remain safe.
—Steve Murray, SparkPost CISO
P.S. Want to learn more about preventing phishing and ensuring that your messages reach your users’ inboxes? Our Email Deliverability Guide is a great resource. And if you’re implementing email authentication standards, check out our free tools for inspecting and validating your SPF and DKIM records.
Protecting Your Brand Against Threats
Your brand has a reputation, and beware: criminals want to ruin it through email. Yes, unfortunately, there are a lot of bad people sending email out there. We like to classify them into three categories: spammers, phishers (or scammers) and spoofers.
You’re already familiar with spammers: they send you unsolicited email. Phishers try to get you to divulge your personal information. Lastly, spoofers impersonate your brand and send email as you to your customers in hopes of phishing, scamming or worse, bringing your business to its knees. Yikes! Sounds like a security nightmare, and it is.
When your email is spoofed, your reputation gets tarnished among mailbox providers and ESPs, which means even sending legitimate email will be hard. This can be worse than having your company’s servers hacked.
Don’t fret because there are things you can do to prevent these types of security breaches from happening to your brand and they’re incredibly easy to set up.
In our upcoming webinar on February 7th, Bulletproof Your Email in 2017, join SparkPost CISO Steven Murray and ValiMail’s CEO and co-founder, Alex Garcia-Tobar, as they talk about the importance of email authentication, how impersonation attacks can slip through conventional defenses, and how to protect your brand against various security threats in 2017.
So, in this upcoming webinar we’ll review:
- Different types of security threats we’re seeing
- How this impacts your brand’s reputation
- How to combat these criminals and protect your email and your brand
You won’t want to miss this! Register today for the Bulletproof Your Email in 2017 Webinar on February 7, 2017 at 10am PT/1pm ET.
Bonus: Be one of the first 500 people to sign-up and have a virtual coffee on us!
In the meantime, you can keep yourself busy with Steve’s blog on Debunking the Myths of Moving Your Email to the Cloud or Alex’s post on Three DKIM Challenges You Might Not Know About. See you soon!
2017 State of Email: What we Can Expect in the New Year
Entering 2017, email continues to thrive while sustaining a long transformation that it has been undergoing for quite some time – literally decades. Throughout 2016, email solidified its place in a world where users use many communications apps simultaneously. Email is and continues to be the record of identity for transactions: apps use email to reset accounts, and services send their most important notifications through email. Furthermore, email is the only widely used cross-platform communication protocol that is free from proprietary control. This open nature is why email continues to thrive. In 2017, we’ll likely see these major trends around email continue:
Move to Transactional.
Email has had a long life – 45 years and counting – and during that time, the nature of its primary role has changed. For a time, email was the dominant form of personal communication over the internet. As other messaging platforms have become more predominant in personal communications, email has transformed to being the system of record. Indeed it is an email address that often underlies the user’s authentication & account recovery methods of the newer communication mediums.
With email standing behind most new internet services & account types, email continues to be one of the best ways that apps and services can reach out to users to engage and activate them. With this, email continues to be the foundation of many growth programs.
Becoming Phishing Proof.
Since email is how apps and services authenticate users around account changes, it is essential that email continue its development toward becoming phishing proof. Public cases in 2017 have shown how sophisticated attackers have become using email and the damage they can do. Email providers like Google and Microsoft achieved major milestones around DMARC during 2016. When “DMARC reject policies” are finally deployed by these and other providers, email will have gone a long way toward taking the onus off the user to know when to trust a message.
Today’s users have many communications apps or services. While email has a well-earned place here, it is not the only way that apps and services communicate with users. Apps continue to experiment to find the best mix of notification types. In 2017, we’ll see apps get even smarter about notifications, where beyond sending the right message at the right time, they’ll also send on the right medium at that time.
If 2017 is like the years before it, users will receive & send many more messages than they did in 2016. When these messages are done smartly, they provide users with options and control of their communications.
– Josh Aberant
Thoughts on the 2017 State of Email? Drop us a line below.
Do not go gentle into that new normal
At SparkPost’s recent Insight user conference, Steve Jones, executive director of DMARC.org, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front-lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.
Steve noted that 28 billion spam messages are sent every day. By some estimates, phishing is a $3.7-million annual cost for the average enterprise. And for publicly-traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”
So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.
And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.
ISPs are moving to an authentication-only world. So should you.
The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate. In 2014, Yahoo took the plunge and published a “p=reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.
There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders have long been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that everyone hasn’t yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!
It’s time to splice email authentication into corporate DNA.
The guardians of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.
But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.
The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.
Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.
Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.
Ready to learn more about DMARC and email authentication? Here are a few resources to get going.
- How DMARC Is Saving Email, a great ebook written by our deliverability team
- The Validator, the free, all-in-one DKIM validation, SPF checker, and DMARC validator app from SparkPost
- Understanding SPF and DKIM In Sixth Grade English
- Twitter’s Email Privacy Report, powered by SparkPost
Much thanks to Franck Martin at LinkedIn and Josh Aberant at Twitter for providing technical guidance on this post.
Most countries require visitors to have a passport and valid visa at the point of entry – whether at the border or airport. These requirements, however, do not always prevent people from entering illegally. Malicious individuals may impersonate someone by stealing their passport and claiming their identity in order to gain access at checkpoints and deceive the border police. As a result, immigration officers now implement more advanced security and background checks to secure the borders.
Unfortunately, the Internet and the global email system have a lot in common with immigration and border security. While the main purpose of inventing the Internet in the 1960s was open communication between universities, colleges and government agencies, cybercriminals have undermined that openness for the rest of us. Just like identity thieves, they subverted the system with techniques like email spoofing and phishing, and as a result, the major Internet service providers (ISPs) have had to establish anti-abuse departments.
From botnets to malware, phishers to 419 scammers, malicious mail accounted for 85% of Internet traffic by 2012. In order to protect their members from these cybercriminals, major ISPs began to require stricter email security measures such as SPF and DKIM. Finally, DMARC was conceived in 2012.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a security technique that fights domain spoofing, phishing and spear phishing. It builds on SPF and DKIM: domain owners (email senders) publish a DNS record that tells receivers (the ISPs) that their mail is authenticated with SPF and/or DKIM, what to do when a message fails both checks for an aligned domain, and where to send reports about what was seen. Through their DMARC policy, senders can ask ISPs to reject non-compliant email outright, or to quarantine it for further review. There are three policies: monitoring only (p=none), quarantine (p=quarantine) and reject (p=reject); more on this below.
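The following added example (not from the original posts) implements the DMARC evaluation described both in the three-standard overview of the first post above and in this post: policy discovery at _dmarc.<domain> with fallback to the organizational domain, relaxed and strict identifier alignment, and the resulting disposition for p=none, quarantine and reject. The DNS records and domains are constructed for the example, and the organizational-domain function is a two-label simplification of the Public Suffix List lookup a real receiver performs.

```python
"""DMARC (RFC 7489) policy discovery, identifier alignment and disposition, offline.

Added example. The DNS records and domains are constructed, and org_domain()
is a two-label shortcut for the Public Suffix List lookup a real receiver does.
"""

# Constructed TXT records; a receiver queries _dmarc.<From domain>, then _dmarc.<org domain>.
DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-reports@example.com"),
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def org_domain(domain):
    """Organizational domain. Simplification: last two labels (wrong for e.g. co.uk names)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse a DMARC record into tags; None if it is not a valid v=DMARC1 record with a p= tag."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both identifiers
    tags.setdefault("aspf", "r")
    return tags


def lookup_policy(from_domain):
    """Policy discovery (RFC 7489 section 6.6.3). Returns (tags, applies_as_subdomain)."""
    from_domain = from_domain.lower()
    txt = DNS_TXT.get("_dmarc." + from_domain)
    if txt:
        return parse_dmarc(txt), False
    org = org_domain(from_domain)
    if org != from_domain and DNS_TXT.get("_dmarc." + org):
        return parse_dmarc(DNS_TXT["_dmarc." + org]), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM outcomes with alignment against the From header domain.

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a
    signature that verified (None if no signature verified). Returns
    (dmarc_result, disposition) where disposition is none, quarantine or reject.
    """
    policy, as_subdomain = lookup_policy(from_domain)
    if policy is None:
        return "none", "none"  # no policy published; receiver falls back to local rules
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # sp= governs subdomains when present; otherwise p= applies to them too.
    applied = policy.get("sp", policy["p"]) if as_subdomain else policy["p"]
    return "fail", applied


if __name__ == "__main__":
    # Mail relayed by a third party: SPF passes for the provider's domain, which does not align.
    print(evaluate("example.com", "pass", "bounce.mailprovider.example", "fail", None))  # ('fail', 'reject')
    # Same message, but DKIM-signed with d=example.com: aligned, so it passes.
    print(evaluate("example.com", "pass", "bounce.mailprovider.example", "pass", "example.com"))
```

The first case in the usage block is the one that surprises teams moving to p=reject: mail sent through a provider passes SPF for the provider's bounce domain, so only a DKIM signature with your own d= (or a custom return-path on your domain) makes it align.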
DMARC is specifically designed to combat one of the most common types of phishing attacks, where the “from address” in an email is forged. We see this when cybercriminals create emails that appear to be from prominent Internet brands or financial services companies, and usually contain links to malicious websites. We also see this in spear phishing attacks where criminals impersonate close contacts of their intended victims. Email recipients who fall for these kinds of scams can inadvertently download and install malware, or hand over sensitive account login information or passwords, or become a victim of identity theft. Of course, the damage is most severe for the individual, but service providers and brands suffer as well.
DMARC is a powerful tool to combat this kind of activity, and the major ISPs have been steadily implementing it over the past two years. DMARC really does two things: a) it protects mailboxes from receiving phish and forgeries, and b) it stops criminals from using your domains. Because 85% of mailboxes in the USA are now protected by DMARC (60% worldwide), applying a DMARC policy on your domain is a very effective way to protect your brand and make email a more difficult channel for criminals to exploit.
Earlier this month, Yahoo took the bold step of changing their DMARC policy from report mode (p=none) to reject (p=reject). Yahoo’s SVP of Communications Products Jeff Bonforte explained the change in a Tumblr post:
“On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
In practice this means that a message with a yahoo.com From address that was not sent through Yahoo’s own servers, and so carries no Yahoo DKIM signature and fails SPF, is now rejected by receivers that honor DMARC. The change applies only to yahoo.com itself, not to domains Yahoo hosts for customers; each of those customers decides whether to publish a DMARC policy for their own domain. This new policy has already stopped millions of phishing attempts. This was a necessary move, and no doubt there will be some education needed in the field to encourage small businesses to register and use their own domain if they haven’t already. But at the end of the day, these little challenges are a necessity, because email phishing has become one of the major channels for initiating cybercrime. After all, this was the reason DMARC was created: to give senders and receivers the power to define policies and protect the Internet from the criminals.
No doubt, Yahoo’s new policy is a disruption for small business owners and mailing list owners who send email on behalf of individuals. Yet DMARC has been embraced by many of the major Internet brands, and the effort to create a more secure messaging environment is likely to keep progressing. This is good for everyone who enjoys email and surfing the web. We encourage our ESP clients to only allow traffic from the domains they control to leave their network. We at Message Systems fully support Yahoo’s new DMARC policy and any effort to make the Internet a better and safer place. Our in-house expertise is available to assist any of our clients who use our core engine, Momentum, which provides for email authentication and is fully equipped to face any challenges in complying with Yahoo DMARC acceptance policies.
Find out more about DMARC email authentication in The Benefits of Adopting DMARC Email Authentication, a joint webinar by Return Path, Groupon and Message Systems.
The attacks keep getting bigger, and global spam levels, stable in 2012, are back on the rise, according to a McAfee study quoted at ZDNet and other outlets. How big a rise? There were 1.9 trillion spam emails in March 2013 alone – double the number detected in December 2012. Ouch!
The number of websites and URLs expressly created for spamming rose, too, though phishing URLs dropped – but only in comparison to their skyrocketing climb in 2012.
Where does it all originate, geographically-speaking? In terms of spam and phishing URL hosting, if you said the USA, you’re a winner – we’re still in the lead, as of Q1! But the powerhouse economies of the Asia-Pacific area – with their high-speed infrastructures – are coming on fast. According to a January report from Akamai, more than half of the world’s attack traffic originated from that region.
But there’s another challenger: the brand-spanking-new king for sheer volume of spam messages is Belarus, according to TechNewsDaily.com. In April, 448 million of these got sent from the U.S., but 559 million came from Belarus.
Their caviar is one thing. Some exports we can do without.
Keep your brand safe from phishing and online fraud. Watch our Don’t Deprioritize DMARC webinar replay to learn how!
The Social Security Administration has implemented online access to accounts via their mySocialSecurity portal. Naturally, the cons came out almost immediately, as phishers began spamming seniors to con them into “creating mySocial Security accounts” on fraudulent sites.
The phishing isn’t restricted to email – scammers are making cold calls, claiming they need to obtain personal data as a way of updating Medicare accounts. Phishing has become the fourth most prevalent form of consumer fraud as of 2012, according to the Better Business Bureau and reporting sources.
Weekly Email Marketing News Digest
Increasingly sophisticated scams have found their way to our inboxes in recent months. With scammers upping the ante when it comes to cybercrime, it’s important to stay vigilant and implement the latest tactics in email security, including DMARC, DKIM and SPF. Don’t let scammers feast on your profits or whittle away the reputation of your brand.
Not quite an article but here’s an interesting find. Want to know if that email you got from your bank is genuine? FraudWatch, a privately owned internet security company, publishes a frequently updated list on phishing activity complete with fraudulent email examples.
If you work in the email industry, you’re no stranger to the terms phishing and spearphishing. But have you heard of the term “longlining”? Perhaps, if you’re an angler, you’ve heard of it being used in fishing, where lines that are miles long are embedded with thousands of individual hooks to catch fish.
Here’s an excerpt from the article on longlining phishing in the context of email scams:
“During a longlining phishing campaign, the attacker sends out email messages, or hooks, that are highly variable, in terms of content. These messages are individualized and appear to come from various IP addresses. They include a variety of subject lines and body content and dozens of unique URLs– all making it hard to track.
As with spear phishing, the malware is loaded by fooling the users into clicking on a URL embedded within these messages. To avoid user suspicion and web-security detection, these links don’t point directly to malicious sites but instead they point to trusted, legitimate websites that have been compromised by the attackers to host the malware. A single attack can employ dozens or even hundreds of compromised sites as malware hosts.”
In short? Longlining is a scam where emails with highly variable content are sent containing links to legitimate websites that have been compromised.
Stephanie Colleton from Return Path points out examples of how some legitimate emails from brands can raise phishing alarms. Here’s one from Facebook that has a from address which looks suspicious: invite+Ac3RlcGhhbmllLmNvbGxldG9uQHJldHVybnBhdGgubmV0@facebookmail.com.
Stephanie also listed an example on how brands can sometimes send conflicting advice on phishing.
What are some other examples of confusing emails you have seen?
Al Iverson adds on to Stephanie’s article with four additional tips:
- Use DKIM authentication
- Utilize DMARC
- Think about from address and link domains
- Think about email content
Websense is a company that specializes in protecting organizations from the latest cyberattacks and data theft. They have a great article on spear phishing and a cool infographic on Top Phishing Findings.
We’re incredibly excited to announce our partnership with Return Path in the fight against email phishing in financial services today. Email phishing costs US businesses an estimated $6 billion annually. In a recent webinar, a Groupon security expert spoke of the increasing sophistication of phishing emails masquerading as legitimate brands. We’ve been told over and over again that prevention is better than a cure, and it is to this end that Message Systems and Return Path have renewed a partnership that we originally initiated several years ago.
Our overriding belief, that tackling the widespread problem of phishing begins with prevention, forms the basis of an all new security solution for financial services. The solution combines Momentum, the most powerful email delivery platform in existence with Domain Secure, the market-leading anti-phishing solution. This combined offering provides a two-fold benefit. On one front, Domain Secure combines visibility into potentially fraudulent email activity with email authentication to block phishing before it reaches the customer. On the other front, Momentum will provide best-in-class reliability, deliverability and visibility with unsurpassed sending speeds.
With the industry leader in digital messaging software and the global leader in email intelligence working hand-in-hand, Message Systems and Return Path are set to reduce financial fraud one email at a time.
Find out more about how the DMARC standard is fighting phishing when you watch our Don’t Deprioritize DMARC webinar!
SparkPost © 2017 All Rights Reserved