Stop the New Messaging Threats
Large-scale phishing email blasts still make the news, but today’s most dangerous digital attacks use spearphishing messages aimed directly at particular individuals or organizations. Both the Online Trust Alliance and Symantec accorded 2013 the dubious honor of being the year of data breaches. According to Symantec’s 2014 Internet Security Threat Report, the total number of breaches in 2013 was 62 percent greater than in 2012 with 253 total breaches. Eight of the breaches in 2013 exposed more than 10 million identities each. In 2012 only one breach exposed over 10 million identities.
Spearphishing attacks begin with targeted, personalized messages that appear legitimate yet lure recipients into opening malware or handing over passwords and other login credentials. Such attacks have an alarming success rate. When they succeed, the result is not only the loss of critical data but also the unauthorized use of email deployment systems or other critical infrastructure. Moreover, these attacks can jeopardize your sender reputation and your brand.
Target’s well-publicized data breach earlier this year cost the company deeply in terms of brand reputation and revenue and was traced back to a single phishing email. This is why all enterprises — and the email service providers (ESPs) that work with them — must safeguard not just inbound message streams, but outbound streams as well.
A More Intelligent Approach to Message Security
In a recent report released by the Online Trust Alliance scoring the email integrity of businesses, it was noted that:
“Unfortunately, in many enterprises the email infrastructure does not natively support outbound signing or inbound checking for SPF, DKIM or DMARC. Equally as concerning is the lack of support for inbound authentication from leading MTAs (Mail Transfer Agents), the hosting community and email technology providers.”
– 2014 Email Integrity Audit report
Out of the 800 companies and brands that were audited, Message Systems was among the 12% of companies that measured up to the stringent security standards of OTA. Unlike commodity MTAs, Message Systems takes the issue of email security very seriously. Our email infrastructure platform, Momentum, (available in on-premise and managed cloud versions) is designed to support both inbound and outbound email authentication. A two-way approach is critical because threats change constantly, points of vulnerability are too numerous to list conclusively, and realistically not all messaging attacks can be prevented. You may think your security systems are functioning correctly, only to see a sudden spike in complaints, bounces or blocks in your outbound stream, exposing an attack in progress and a compromised email deployment system.
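The outbound-stream check described above, as an added example written for this post (it is not Momentum code, and the log line format, thresholds and sample log are all assumptions for the illustration): it groups constructed delivery events per hour, computes the share of bounces, blocks and complaints, and flags an hour whose rate jumps well above the median of the quiet hours before it, which is exactly the signal that exposes a compromised deployment system.

```python
# Added example: spike detection on an outbound delivery stream. The log format
# (<ISO 8601 time> <event> <sending-domain>) and the thresholds are assumptions
# made for this illustration, not Momentum's own logging or defaults.
from collections import defaultdict
from statistics import median

BAD_EVENTS = ("bounce", "blocked", "complaint")


def build_sample_log():
    """Constructed log: three quiet hours, then an hour in which the stream
    suddenly turns bad, as it would if the deployment system were compromised
    and used to pump out phishing mail."""
    plan = {  # hour -> (delivered, bounce, blocked, complaint)
        "08": (98, 2, 0, 0),
        "09": (97, 3, 0, 0),
        "10": (98, 2, 0, 0),
        "11": (45, 40, 10, 5),
    }
    lines = []
    for hour, counts in plan.items():
        for event, n in zip(("delivered",) + BAD_EVENTS, counts):
            for i in range(n):
                lines.append(f"2014-04-15T{hour}:{i % 60:02d}:00Z {event} mail.example.com")
    return lines


def hourly_rates(lines):
    """Per hour ('YYYY-MM-DDTHH'): share of events that were bounces, blocks or complaints."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        timestamp, event, _domain = line.split()
        counts[timestamp[:13]][event] += 1
    rates = {}
    for hour in sorted(counts):
        total = sum(counts[hour].values())
        bad = sum(counts[hour][e] for e in BAD_EVENTS)
        rates[hour] = round(bad / total, 4)
    return rates


def detect_spikes(lines, factor=3.0, min_rate=0.05, min_history=2):
    """Flag hours whose bad-event rate exceeds both an absolute floor and
    `factor` times the median of earlier, unflagged hours. Flagged hours are
    kept out of the baseline so an ongoing incident cannot mask itself."""
    flagged, history = [], []
    for hour, rate in hourly_rates(lines).items():
        if len(history) >= min_history:
            baseline = median(history)
            if rate > max(factor * baseline, min_rate):
                flagged.append((hour, rate, baseline))
                continue
        history.append(rate)
    return flagged


if __name__ == "__main__":
    for hour, rate, baseline in detect_spikes(build_sample_log()):
        print(f"{hour}: bad-event rate {rate:.0%} vs baseline {baseline:.0%}; investigate the outbound stream")
```

The median baseline rather than a mean keeps one noisy hour from raising the bar, and the absolute floor (`min_rate`) stops a near-zero baseline from flagging ordinary bounce noise; in practice the same split would be run per sending domain or per campaign rather than across the whole stream.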
Respond Immediately and Prevent Recurrence
With Message Systems solutions, prevention and mitigation processes are inter-connected. Our customers gain the ability to apply a full range of default and custom policies for screening out abusive mail at the network and protocol layers. And they can integrate best-of-breed third-party solutions for optimal scanning at the content layer. With this approach, organizations can instantly take user feedback into account, pinpoint suspicious activity and take action before damage is done. Additionally, by facilitating responsive action and self-learning, Message Systems helps companies not only stop malicious activity as quickly as possible but prevent it from happening again. In fact, Message Systems’ commitment to ensuring that our customers’ email is safe from phishing attacks is one of the many reasons why the world’s largest senders choose us to send 20% of global legitimate email.
Learn more about how DMARC is helping to save the world’s email in the How DMARC Is Saving Email eBook today!
Much thanks to Franck Martin at LinkedIn and Josh Aberant at Twitter for providing technical guidance on this post.
Most countries require visitors to have a passport and valid visa at the point of entry – whether at the border or airport. These requirements, however, do not always prevent people from entering illegally. Malicious individuals may impersonate someone by stealing their passport and claiming their identity in order to gain access at checkpoints and deceive the border police. As a result, immigration officers now implement more advanced security and background checks to secure the borders.
Unfortunately, the Internet and the global email system have a lot in common with immigration and border security. While the main purpose of inventing the Internet in 1960s was open communication between universities, colleges and government agencies, cybercriminals have undermined that openness for the rest of us. Just like identity thieves, they subverted the system by using techniques like email spoofing and phishing, and as a result, the major Internet services providers (ISPs) have had to establish anti-abuse departments.
From botnets to malware, phishers to 419 scammers, malicious mail reportedly accounted for 85% of email traffic by 2012. To protect their members from these cybercriminals, major ISPs began to require stricter email authentication measures such as SPF and DKIM, and in 2012 the DMARC specification was published to build on both.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a security technique that fights domain spoofing, phishing and spear phishing. It performs no authentication of its own; it builds on SPF and DKIM and adds the one check those two lack: the domain that passed SPF or DKIM must align with the domain in the visible From: header, the address the recipient actually sees. It is also a reporting protocol. Through a TXT record published at _dmarc.<domain>, domain owners (email senders) tell receivers (the ISPs) that their mail is authenticated with SPF and/or DKIM, where to send aggregate reports, and what to do with mail that passes neither check in alignment: reject it outright, quarantine it for further review, or accept it and only report. Those are the three policy modes: monitor (p=none), quarantine (p=quarantine) and reject (p=reject); more on this below.
DMARC is specifically designed to combat one of the most common types of phishing attacks, where the “from address” in an email is forged. We see this when cybercriminals create emails that appear to be from prominent Internet brands or financial services companies, and usually contain links to malicious websites. We also see this in spear phishing attacks where criminals impersonate close contacts of their intended victims. Email recipients who fall for these kinds of scams can inadvertently download and install malware, or hand over sensitive account login information or passwords, or become a victim of identity theft. Of course, the damage is most severe for the individual, but service providers and brands suffer as well.
DMARC is a powerful tool against this kind of activity, and the major ISPs have been steadily implementing it over the past two years. It should be pointed out that DMARC really does two things: a) it protects mailboxes from receiving phish and forgeries, and b) it stops criminals from using your domains. Because 85% of mailboxes in the USA are now protected by DMARC (60% worldwide), publishing a DMARC policy on your domain is a very effective way to protect your brand and make email a more difficult channel for criminals to exploit.
Earlier this month, Yahoo took the bold step of changing their DMARC policy from report mode (p=none) to reject (p=reject). Yahoo’s SVP of Communications Products Jeff Bonforte explained the change in a Tumblr post:
“On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
Receivers that honour the policy now reject mail that carries a yahoo.com From: address but did not come from Yahoo’s servers and so is not signed by Yahoo. The change applies only to yahoo.com itself, not to domains hosted at Yahoo; each hosting customer decides whether to publish a DMARC policy for their own domain. This new policy has already stopped millions of phishing attempts. It was a necessary move, and no doubt some education will be needed in the field to encourage small businesses to register and use their own domain if they have not already. But at the end of the day these little challenges are a necessity, because email phishing has become one of the major channels for initiating cybercrime. After all, this is the reason DMARC was created: to give senders and receivers the power to define policies and protect the Internet from criminals.
No doubt, Yahoo’s new policy is a disruption for small business owners and mailing list owners who send email on behalf of individuals. Yet DMARC has been embraced by many of the major Internet brands, and the effort to create a more secure messaging environment is likely to keep progressing. This is good for everyone who enjoys email and surfing the web. We encourage our ESP clients to only allow traffic from the domains they control to leave their network. We at Message Systems fully support Yahoo’s new DMARC policy and any effort to make the Internet a better and safer place. Our in-house expertise is available to assist any of our clients who use our core engine, Momentum, which provides for email authentication and is fully equipped to face any challenges in complying with Yahoo DMARC acceptance policies.
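How a receiver turns all of this into a decision, as an added illustration written for this post (not code from Message Systems or Momentum, and not a complete RFC 7489 implementation): the Python below looks up the From: domain’s DMARC record, checks whether the SPF or DKIM result aligns with that domain, and applies p=none, p=quarantine or p=reject. The DNS records and messages are constructed for the example, and the organizational-domain logic is simplified (real receivers use the Public Suffix List). It walks through the cases discussed above: a genuine Yahoo message, a spoofed one, and the mailing-list case that Yahoo’s p=reject disrupts, and, going one step beyond the post, a strict-alignment quarantine case and a monitor-only domain.

```python
# Added example: a minimal DMARC policy evaluation written for this post.
# It is not Momentum code and not a complete RFC 7489 implementation.

# Constructed TXT records standing in for the DNS lookups a receiver makes at
# _dmarc.<domain>. They are illustrative, not the domains' real records.
DMARC_TXT = {
    "_dmarc.yahoo.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-agg@yahoo.com;",
    "_dmarc.bank.example": "v=DMARC1; p=quarantine; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
    "_dmarc.newbrand.example": "v=DMARC1; p=none; rua=mailto:dmarc@newbrand.example",
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict, filling RFC 7489 defaults.
    Returns None for anything that is not a usable DMARC record (wrong version
    tag or no valid policy), which a receiver treats as 'no policy published'."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    a real receiver consults the Public Suffix List so that e.g. co.uk works)."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain):
    """Try the exact From: domain first, then its organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        txt = DMARC_TXT.get("_dmarc." + name.lower())
        if txt:
            record = parse_dmarc(txt)
            if record:
                return record
    return None


def dmarc_disposition(msg):
    """Return (dmarc_result, action) for a message described as a dict:
    from_domain; spf ('pass'/'fail') with spf_domain (the MAIL FROM domain that
    was checked); dkim, a list of (d= domain, result) per verified signature."""
    from_domain = msg["from_domain"]
    record = lookup_policy(from_domain)
    if record is None:
        return ("none", "accept")  # no policy published: DMARC does not apply

    spf_aligned = msg.get("spf") == "pass" and is_aligned(
        from_domain, msg.get("spf_domain", ""), record["aspf"])
    dkim_aligned = any(
        result == "pass" and is_aligned(from_domain, d, record["adkim"])
        for d, result in msg.get("dkim", []))

    if spf_aligned or dkim_aligned:
        return ("pass", "accept")
    # Failure: apply the domain owner's requested handling. p=none only reports.
    return ("fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[record["p"]])


# Constructed messages covering the cases discussed in the post.
GENUINE_YAHOO = {"from_domain": "yahoo.com", "spf": "pass", "spf_domain": "yahoo.com",
                 "dkim": [("yahoo.com", "pass")]}
SPOOFED_YAHOO = {"from_domain": "yahoo.com", "spf": "pass", "spf_domain": "attacker.example",
                 "dkim": []}
# A Yahoo user posting to a mailing list: the list re-sends the mail from its own
# servers and signs with its own domain, so nothing aligns with yahoo.com.
VIA_MAILING_LIST = {"from_domain": "yahoo.com", "spf": "pass", "spf_domain": "lists.example.org",
                    "dkim": [("lists.example.org", "pass")]}
# Strict alignment: a bank subdomain signed with the parent domain does not align.
BANK_SUBDOMAIN = {"from_domain": "alerts.bank.example", "spf": "fail", "spf_domain": "",
                  "dkim": [("bank.example", "pass")]}
MONITOR_ONLY_SPOOF = {"from_domain": "newbrand.example", "spf": "fail", "spf_domain": "",
                      "dkim": []}

if __name__ == "__main__":
    for name, msg in [("genuine Yahoo", GENUINE_YAHOO), ("spoofed Yahoo", SPOOFED_YAHOO),
                      ("via mailing list", VIA_MAILING_LIST), ("bank subdomain", BANK_SUBDOMAIN),
                      ("monitor-only spoof", MONITOR_ONLY_SPOOF)]:
        print(f"{name:20s} -> {dmarc_disposition(msg)}")
```

The mailing-list case is the one behind the disruption mentioned above: the list’s own SPF and DKIM both pass, yet neither aligns with yahoo.com, so a p=reject policy makes receivers bounce it. The fix on the list side is to rewrite the From: header to the list’s own domain (or for the sender to use a domain they control), not to weaken the receiver’s check.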
Find out more about DMARC email authentication in The Benefits of Adopting DMARC Email Authentication, a joint webinar by Return Path, Groupon and Message Systems.
Weekly Email Marketing News Digest
Increasingly sophisticated scams have found their way into our inboxes in recent months. With scammers upping the ante when it comes to cybercrime, it’s important to stay vigilant and implement the latest tactics in email security, including DMARC, DKIM and SPF. Don’t let scammers feast on your profits or whittle away the reputation of your brand.
Not quite an article but here’s an interesting find. Want to know if that email you got from your bank is genuine? FraudWatch, a privately owned internet security company, publishes a frequently updated list on phishing activity complete with fraudulent email examples.
If you work in the email industry, you’re no stranger to the terms phishing and spearphishing. But have you heard of the term “longlining”? Perhaps, if you’re an angler, you’ve heard of it being used in fishing, where lines that are miles long are embedded with thousands of individual hooks to catch fish.
Here’s an excerpt from the article on longlining phishing in the context of email scams:
“During a longlining phishing campaign, the attacker sends out email messages, or hooks, that are highly variable, in terms of content. These messages are individualized and appear to come from various IP addresses. They include a variety of subject lines and body content and dozens of unique URLs– all making it hard to track.
As with spear phishing, the malware is loaded by fooling the users into clicking on a URL embedded within these messages. To avoid user suspicion and web-security detection, these links don’t point directly to malicious sites but instead they point to trusted, legitimate websites that have been compromised by the attackers to host the malware. A single attack can employ dozens or even hundreds of compromised sites as malware hosts.”
In short? Longlining is a scam in which emails with highly variable content are sent containing links to legitimate websites that have been compromised to host malware.
Stephanie Colleton from Return Path points out examples of how some legitimate emails from brands can raise phishing alarms. Here’s one from Facebook whose from address looks suspicious: invite+Ac3RlcGhhbmllLmNvbGxldG9uQHJldHVybnBhdGgubmV0@facebookmail.com.
Stephanie also listed an example on how brands can sometimes send conflicting advice on phishing.
What are some other examples of confusing emails you have seen?
Al Iverson adds on to Stephanie’s article with four additional tips:
- Use DKIM authentication
- Utilize DMARC
- Think about from address and link domains
- Think about email content
Websense is a company that specializes in protecting organizations from the latest cyberattacks and data theft. They have a great article on spear phishing and a cool infographic on Top Phishing Findings.
In light of the recent security breaches making the headlines, our own CMO Dave Lewis has posed eight points for consideration for CMOs, and what the possibility of a breach could mean for them and their own marketing activities.
Says Lewis: “This isn’t a pretty picture relative to the preservation of trust, but uglier still are the potential consequences—customers being unwilling to share the data that makes digital communication and commerce work because they no longer trust companies to keep it safe. Equally devastating would be a breakdown in the trust relationships we have with each other and an inability to effectively work together as partners in this ecosystem. These are the things that worry me if the breaches continue. They jeopardize our ability to generate revenue and build customer relationships as CMOs, putting our individual and collective success at serious risk.
So what can we do about it?”
Read the whole thing here at the CMO Council’s Marketing Magnified.