According to the Verizon 2012 Data Breach Investigations Report, more than 95% of the breaches Verizon investigated in recent years started with a phishing email. You know how it goes. A worker receives an email that looks perfectly legitimate. Maybe it appears to come from his bank, or from a shipping company he does business with. There’s a link in the email. He clicks on it and goes to a website that promptly delivers malware that gives a cyber criminal a pathway into the company’s network. From there it’s just a matter of the thief finding the desired intellectual property or sensitive data and commencing the exfiltration.
Phishing is a huge problem and it’s growing worse each year. The Anti-Phishing Working Group reports that a new high was reached in November 2012 when 430 brands (businesses) were the targets of phishers in that month alone. That means that these businesses’ brands were abused or spoofed to make email recipients believe the messages came from these legitimate companies. Payment services and financial services are the top two most targeted industries.
A monthly average of almost 25,000 unique phishing campaigns (messages) were reported to the APWG by consumers in the second quarter of 2013. And that’s just what was reported; imagine how many campaigns are never reported to APWG.
The APWG also reports that a monthly average of almost 40,000 unique phishing sites (attack destinations) were detected in Q2 of 2013. The U.S. holds the dubious distinction of leading the world (by a large margin) for hosting phishing sites.
It’s sad but true; sophisticated, targeted content continues to make email a highly effective vector for phishing, malware and spam.
The weapons exist to fight back
The good news is that there are now some pretty good technology-based weapons that can help legitimate senders of email take back their domains and virtually eliminate phishing mail that spoofs those domains, but it’s going to take a three-pronged approach to get there. I’ll talk about each of those points in a minute. First, let me outline the weapons.
I’ve written before about DMARC, the Domain-based Message Authentication, Reporting and Conformance global standard. See these previous posts for details:
- On Your DMARC, Get Set, Go! Putting Integrity into Your Email Security Policy, Part 1
- On Your DMARC, Get Set, Go! Putting Integrity into Your Email Security Policy, Part 2
If you don’t have time for all that reading right now, allow me to summarize DMARC and its related standards SPF and DKIM very quickly.
The fundamental challenge that the messaging industry wants to solve is authenticating email messages in some way. The recipient of a digital message must have the confidence to say, “This message purports to be from MyBank.com, and because of the fact that the message is authenticated, I can have confidence that it is legitimate and not a phish.”
There are two email authentication standards that have existed for quite some time. One is Sender Policy Framework (SPF), which is a path-based, IP-based check. The domain owner publishes a DNS TXT record listing the IP addresses (and the third-party senders) allowed to send mail for the domain, and the receiver compares the IP address of the connecting mail server against that list. In effect, MyBank.com says to receivers such as Microsoft, Gmail and Yahoo!, “These are the IP addresses, and the third parties, that are allowed to send mail on my behalf. If you see something that is not coming from any of these addresses, it doesn’t pass SPF and you can reject it.” Two caveats a practitioner should keep in mind: SPF checks the domain in the SMTP envelope sender (the bounce or Return-Path address), not the From: header the recipient actually sees, and whether a failure means “reject” depends on the record ending in -all (hard fail) rather than ~all (soft fail).
The second authentication method is DomainKeys Identified Mail (DKIM), which is signature-based. The sending mail server signs selected headers and a hash of the body with a private key and adds the result in a DKIM-Signature header; the matching public key is published in DNS under the signing domain (the d= tag), so the receiving ISP can verify that the signed parts did not change in transit. This means the recipient can be sure that the signed content of the email is exactly as it was when it was signed, and that the signing domain took responsibility for it. On its own, though, DKIM says nothing about whether the signing domain has anything to do with the domain in the From: header.
As a relatively new standard, DMARC builds on SPF and DKIM together. It adds identifier alignment: the domain that passed SPF (the envelope sender) or DKIM (the d= domain) must match the domain in the From: header, either exactly (strict) or at the organizational-domain level (relaxed). It also gives brands like MyBank.com the ability to publish a definitive policy (p=none, quarantine or reject) in a _dmarc TXT record that tells all ISPs, “All of my email is authenticating properly. If you see something that appears to be from my domain that is not authenticated, it is not from me, and I want you to quarantine or reject that mail going forward.” Receivers that honor the record also send aggregate reports back to the domain owner, which is how the owner finds out who is sending as the domain. This gives ISPs a definitive mechanism for rejecting mail that spoofs a domain with a reject policy. Note what it does not cover: lookalike domains and display-name tricks never use the protected domain at all, so DMARC has nothing to say about them.
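To make the interplay concrete, here is an added example (my own illustration, not code from the original post or from Agari) that evaluates the three checks the way a receiving ISP would. It assumes DNS answers supplied inline for the hypothetical domains mybank.example and attacker.example, an SPF evaluator that handles only ip4/ip6/all terms, DKIM signature verification done elsewhere (the caller passes each signature’s d= domain and result), and a two-label organizational-domain heuristic in place of the Public Suffix List. The three constructed cases show a legitimate message, a spoofed From: header whose envelope sender passes the phisher’s own SPF but fails alignment, and a valid DKIM signature from a subdomain that fails strict alignment.

```python
"""Simplified SPF check plus DMARC alignment and policy evaluation.

Added example, not code from the original post. Assumptions:
- DNS TXT answers are supplied inline (CONSTRUCTED_DNS) instead of queried;
- SPF supports only ip4:/ip6:/all terms (no include, a, mx, redirect);
- DKIM signature verification happens elsewhere; the caller passes each
  signature's d= domain and its pass/fail result;
- organizational domain = last two labels (real receivers use the PSL).
All domain names are reserved example names, not real senders.
"""
import ipaddress
from email.utils import parseaddr

# Constructed DNS data: mybank.example is the brand; attacker.example is a
# phisher who publishes a perfectly valid SPF record for his own domain.
CONSTRUCTED_DNS = {
    "mybank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.mybank.example": (
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@mybank.example"
    ),
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain):
    """Toy organizational domain: last two labels (PSL lookup in real code)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_spf(mail_from_domain, client_ip):
    """SPF result for the SMTP envelope sender's domain and connecting IP."""
    record = CONSTRUCTED_DNS.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # ip_network.__contains__ is False for a mismatched IP version.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            raise NotImplementedError("unsupported SPF mechanism: " + term)
        if matched:
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def lookup_dmarc(from_domain):
    """Fetch _dmarc.<From domain>, falling back to the organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        record = CONSTRUCTED_DNS.get("_dmarc." + name.lower(), "")
        if record.startswith("v=DMARC1"):
            tags = dict(kv.strip().split("=", 1)
                        for kv in record.split(";") if "=" in kv)
            tags.setdefault("adkim", "r")  # relaxed alignment is the default
            tags.setdefault("aspf", "r")
            return tags
    return None


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') = exact match; relaxed ('r') = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_header, client_ip, mail_from, dkim_results):
    """Return (disposition, reason); dkim_results is [(d= domain, result), ...]."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    policy = lookup_dmarc(from_domain)
    if policy is None:
        return "none", "no DMARC record published for " + from_domain
    mail_from_domain = mail_from.rsplit("@", 1)[-1]
    spf_result = check_spf(mail_from_domain, client_ip)
    if spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"]):
        return "pass", "SPF pass for " + mail_from_domain + " aligned with From"
    for d, result in dkim_results:
        if result == "pass" and aligned(d, from_domain, policy["adkim"]):
            return "pass", "DKIM pass for d=" + d + " aligned with From"
    return policy["p"], "no aligned SPF/DKIM pass (spf=%s); applying p=%s" % (
        spf_result, policy["p"])


if __name__ == "__main__":
    cases = [
        ("legitimate", "MyBank <alerts@mybank.example>", "192.0.2.10",
         "bounce@mybank.example", [("mybank.example", "pass")]),
        # Phisher's own SPF passes, but attacker.example is not aligned with From.
        ("spoofed From", "MyBank <alerts@mybank.example>", "198.51.100.7",
         "bounce@attacker.example", []),
        # Valid DKIM from a subdomain fails strict alignment (adkim=s).
        ("subdomain DKIM", "alerts@mybank.example", "203.0.113.5",
         "x@other.example", [("mail.mybank.example", "pass")]),
    ]
    for label, hdr, ip, mf, dkim in cases:
        print("%-15s -> %s (%s)" % ((label,) + dmarc_disposition(hdr, ip, mf, dkim)))
```

The second case is the one worth remembering: an SPF “pass” by itself proves nothing about the From: header, because the phisher controls the envelope sender and its SPF record. DMARC’s alignment rule is what turns the two older checks into a statement about the domain the recipient actually sees.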
Everybody has a job to do
That said, the three prongs in the approach to combating illegitimate email messages are:
- Email service providers (e.g., Microsoft, Google, etc.), who check each incoming message against the DMARC policy published by the domain in its From: header and quarantine or reject mail that fails authentication.
- Any organization where email messages legitimately originate.
- Takedown vendors who can have malicious websites legally shut down.
The email service provider industry has already made great strides in following the DMARC standard. According to Bob Pratt, vice president of product management at the email security company Agari, the implementation statistics are now at about 85% to 88% and growing, but there will always be companies in the long tail of deployment. “There will be Fred’s ISP that has 50 email inboxes and is running NetWare 3.11 and doesn’t know DMARC from a hole in the ground,” says Pratt.
Fred’s ISP aside, the larger ESPs that handle the vast majority of consumer email have implemented DMARC, and this greatly reduces the amount of known spoofed messages that get through to recipients. But these email handlers can only reject spoofed mail if they are told to do so, and this is where the second prong of the approach comes in.