Posted November 1, 2016
Guest Blogger: Markus Jakobsson, Chief Scientist, Agari
In the late 2000s, email phishing rose from obscurity to front-page news in a matter of months, alongside password guessing and viruses, as a main security concern for organizations and individuals alike. Phishing relied on social engineering and the absence of an authentication method for email, the latter allowing criminals to claim any identity they wanted and send emails appearing to come from their selected identity.
In the early days of phishing, most computer security specialists expressing an opinion about these attacks either argued that phishing would go away once a few newspaper articles made users aware of the problem, or that it would be impossible to teach end users to be careful. Neither view turned out to be true, but unfortunately, the latter is much closer to reality. It is possible to raise awareness — and people are much less likely these days to fall for phishing attempts in which emails appearing to come from their financial institution urge them to log in within 24 hours — but efforts to make users aware of a wider array of pitches have not been successful. Criminals get around awareness efforts simply by devising new stories — whether surveys, limited email quotas, or pending messages requiring log-ins to read. For example, when hackers attacked the Democratic National Committee (DNC), they used phishing emails claiming to be from Google, warning the recipients that their passwords had been compromised and asking that they be updated.
While phishing has largely changed from primarily being a tool used to steal financial credentials of consumers to being a tool used to infiltrate organizations (after which more powerful attacks can be mounted), it has not gone away. If anything, it has become more troublesome and more common, as has online crime in general. Verizon found that 30 percent of targeted recipients open phishing messages and 12 percent click on malicious email attachments.
The technical community has not been idly observing the rise of phishing or other forms of Internet crime, but has developed a wealth of countermeasures. One of the most basic methods addresses the spoofing of emails. Email spoofing is much like using fake return addresses for physical mail in that it is straightforward to send a message with a fake return address. Spoofing can be detected using cryptographic methods. By requiring that each sender digitally sign each outgoing message, recipients can identify spoofs by verifying that these unforgeable signatures are valid. The Domain-based Message Authentication, Reporting & Conformance (DMARC) email authentication standard is a framework for senders to use such cryptographic methods, and for recipients to stop being victims of spoofing.
Which raises the question: why does phishing still exist?
One reason is that not all organizations use DMARC — in spite of it being an open standard and the fact that digital signatures are free for anybody wishing to use them. This, in my view, is very much like not using seat belts.
Another reason is that phishers — as well as other criminals attempting to impersonate trusted entities — are also increasingly attempting to trick intended victims by using deceptive display names. For example, they may register a free webmail account, such as firstname.lastname@example.org, and then set the display name to “PayPal”, to the name of a large and trusted bank, or to the name of the CEO of a company they want to target with an attack. This is not addressed by DMARC, since the email is not spoofed and it truly comes from the email address it claims to come from. The problem is that the display name conveys another identity.
This, of course, is no reason not to use DMARC, but it is a reminder that as long as there is a financial opportunity, criminals will grab it. Security companies understand this, and lots of promising security technologies are being built and rolled out — whether to defend against spoofing or other forms of deceit.
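The display-name gap described above can be checked separately from DMARC. The following is an added example, not code from the original post or from Agari; the `PROTECTED` table, the `freemail.example` and `corp.example` domains, and the assumption that the first `Authentication-Results` header was stamped by the recipient's own gateway are all illustrative.

```python
import email
import unicodedata
from email.utils import parseaddr

# Assumed policy table: protected display names -> domains allowed to use them.
PROTECTED = {
    "paypal": {"paypal.com"},
    "jane doe": {"corp.example"},  # hypothetical CEO of a hypothetical company
}

def normalize(name):
    """Case-fold and reduce punctuation to spaces so 'PayPal, Inc.' becomes 'paypal inc'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join("".join(c if c.isalnum() else " " for c in folded).split())

def dmarc_result(msg):
    """Return the dmarc= verdict from the first Authentication-Results header,
    assumed here to be the one stamped by the recipient's own gateway."""
    for part in msg.get("Authentication-Results", "").split(";"):
        part = part.strip().lower()
        if part.startswith("dmarc="):
            return (part[len("dmarc="):].split() or ["none"])[0]
    return "none"

def check_from(raw):
    """Classify a raw message as 'ok', 'unauthenticated' or 'display-name-deception'."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    name = f" {normalize(display)} "
    for protected, domains in PROTECTED.items():
        if f" {protected} " not in name:
            continue
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            # The address is genuine, so DMARC can pass; only the name lies.
            return "display-name-deception"
        if dmarc_result(msg) != "pass":
            return "unauthenticated"
    return "ok"

# Constructed sample messages (not real mail).
AUTH = "Authentication-Results: mx.corp.example; dmarc={} header.from={}\n"
DECEPTIVE = (AUTH.format("pass", "freemail.example")
             + 'From: "PayPal" <firstname.lastname@freemail.example>\n\nhi\n')
GENUINE = AUTH.format("pass", "paypal.com") + 'From: "PayPal" <service@paypal.com>\n\nhi\n'
SPOOFED = AUTH.format("fail", "paypal.com") + 'From: "PayPal" <service@paypal.com>\n\nhi\n'

if __name__ == "__main__":
    for label, raw in [("deceptive", DECEPTIVE), ("genuine", GENUINE), ("spoofed", SPOOFED)]:
        print(label, "->", check_from(raw))
```

The deceptive sample carries `dmarc=pass` and is still flagged, which is the case DMARC alone cannot catch. NFKC folding does not map cross-script lookalike characters, so a production check would add confusable-character handling.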
At the end of the day, the question that still remains is: Are enterprises and government organizations aware of what is at stake, of where they have vulnerabilities, and of what can be done to address them? Often they are not — until it is too late. This is another awareness issue — entirely different from the awareness of end users — but one that is equally worrisome. And it is one that both Agari and LookingGlass are committed to addressing.