" email fraud Archives - LuxSci

Posts Tagged ‘email fraud’

Preventing Email Forgery Part Three: DMARC

Tuesday, December 19th, 2023

In our previous two posts in this series, we examined how SPF and DKIM help limit forged email: SPF by checking whether the sending server’s IP address is authorized for the domain, and DKIM by verifying a digital signature on the message. We found that while SPF and DKIM can effectively prevent email fraud and forgery, weak implementations leave room for attackers.

That’s where DMARC comes in. When properly implemented, DMARC tells receiving email filters what to do with messages that fail both SPF and DKIM, and gives the domain owner reports on those failures.


DMARC: A Simple Explanation

When only SPF and DKIM are in use, an email filter checks whether a message passes or fails each of them and consults whatever strictness the domain owner published in DNS (for SPF, whether the record ends in -all or ~all) to decide what to do next. What actually happens depends on how each filter is implemented, so results vary from one receiver to the next.

So, what does DMARC do?

A DMARC policy lets a domain owner state that both SPF and DKIM protect its email and tells receivers what to do when neither mechanism passes for the domain in the message’s visible From: header, such as junking or rejecting the message. DMARC removes the guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the domain owner about messages that pass or fail DMARC evaluation.

In practical terms, with a DMARC policy published in DNS:

  1. The message must pass either SPF or DKIM but does not need to pass both. The identifier that passed (the SPF envelope-sender domain or the DKIM d= domain) must also align with the domain in the From: header, so a passing check for some other domain does not count.
  2. This resolves the deficiencies of SPF (forwarding) and DKIM (inadvertent message modification) by allowing compensation via the other mechanism.
  3. Sender policies specify what receivers should do with messages that pass neither check. There are three options: p=none (deliver as usual, but report), p=quarantine, or p=reject. There is no longer any implementation-specific ambiguity about what filters should do and when.
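The evaluation rule described above, as an added example that is not code from the original post. It also illustrates the limitation discussed later in this post (DMARC passes when either aligned mechanism passes, and nothing in the record can require both). The DNS records, domains and mechanism results are constructed for the example; a real implementation would query DNS and use the Public Suffix List for organizational domains.

```python
"""Illustrative DMARC evaluation: pass-if-either, identifier alignment, and the published policy."""

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>. The domains and
# records below are assumptions for the example, not real published policies.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.relaxed.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@relaxed.example",
    "_dmarc.testing.example": "v=DMARC1; p=none; rua=mailto:dmarc@testing.example",
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and apply the defaults this example needs."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real implementations consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DMARC_TXT):
    """Return (dmarc_result, disposition).

    from_domain: domain of the From: header (what the user sees)
    spf_domain:  domain SPF was evaluated against (the envelope sender)
    dkim_domain: the d= tag of the DKIM signature that verified
    """
    txt = dns.get("_dmarc." + from_domain.lower())
    if txt is None:
        return ("none", "none")        # no policy published: the receiver is back to guessing
    policy = parse_dmarc(txt)
    spf_aligned_pass = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned_pass = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    # DMARC passes if EITHER aligned mechanism passes; there is no tag that requires both.
    if spf_aligned_pass or dkim_aligned_pass:
        return ("pass", "none")
    return ("fail", policy["p"])


if __name__ == "__main__":
    # Forwarded mail: SPF fails (the forwarder's IP) but the DKIM signature survived.
    print(evaluate_dmarc("example.com", "fail", "forwarder.example", "pass", "example.com"))
    # Attacker at the same provider: both pass, but neither identifier is example.com.
    print(evaluate_dmarc("example.com", "pass", "bounce.provider.example", "pass", "provider.example"))
```

The second call in the demo is the case worth studying: SPF and DKIM both "pass" from the provider's point of view, yet DMARC fails because neither passing identifier aligns with example.com. Alignment is what stops a co-tenant of a shared provider from borrowing your domain unless the provider signs with your key or lets your envelope-sender domain through.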

Setting up DMARC

The domain owner must properly set up the DNS records to use DMARC (as with all anti-fraud solutions for email). If you cannot access the domain settings, you will be unable to update your DNS settings and will not be able to use DMARC.

DMARC is set up by adding special entries to the published DNS settings for the domain. You can use a tool, such as this DMARC Record Assistant, to create the DMARC DNS record for your domain.

We will not spend time on the details of the configuration or setup here. Instead, we will look at the utility of DMARC and its limitations.

The Benefits of DMARC

Once DMARC is set up, it helps reduce fraudulent emails from a domain. Simple forged spam and basic phishing attacks are curtailed more effectively with DMARC than with SPF and DKIM alone. Using DMARC combines them into a more comprehensive check with a consistent, well-defined failure state (e.g., reject or quarantine).

DMARC shines when implemented by domain owners using weak SPF and DKIM records. It allows email servers to accept that one of these validation schemes may fail while still requiring that the other one passes for the message to be considered legitimate. This is excellent progress.

DMARC is recommended for every domain owner and email filtering system. However, you must have control over all of the sources of messages from your domain name.

An interesting side effect is that, in some aspects, DMARC can make a domain more susceptible to determined forged emails!

The Limitations of DMARC

This is counterintuitive. Combining DKIM and SPF into a unified, complementary policy set that allows each to compensate for the other’s weakness is a fantastic idea and does a great job. However, a side effect of this approach is that it requires only one of DKIM or SPF to pass, NOT BOTH. In fact, there is no way to use DMARC to require that both must pass.

How Can Attackers Bypass DMARC?

An attacker only needs to find a way to pass one validation check to bypass DMARC. Note that this is only worse than separate use of SPF and DKIM if your SPF and DKIM rules are both strict (if it doesn’t pass — “drop it”). In most other cases, it’s the same or better than using both technologies separately.

Looking at our previous analyses of SPF and DKIM, an attacker could generate a forged email that passes DMARC if:

  1. They can send from an IP address allowed under the forged sender domain’s SPF policy, with an envelope-sender domain that aligns with it. This is often possible by using the same email provider as the sender, since providers commonly have all customers publish the same shared SPF record.
  2. They can send through a server that signs with the forged domain’s DKIM key. If that server does not care who initiated the message and signs everything passing through it with the domain’s keys, the message looks legitimate. An attacker who signs up with the same provider as the forged domain, on a platform that does not restrict which customer’s DKIM key is used, can send from the same servers as the legitimate account and have their messages properly signed.
  3. They compromise one of the sender’s workstations, the sender’s email servers, or the servers of a vendor that sends on the domain’s behalf.

So, it requires a determined attacker with some knowledge of the sender’s infrastructure and some ingenuity to get past DMARC.

In addition, there is an easier way past DMARC that needs no trickery at all: even if the sender’s domain publishes DMARC, SPF, and DKIM records, the recipient’s spam filters must actually evaluate them. If they do not, those records are all for naught, and the forged message will still appear legitimate.

A determined attacker will gain knowledge both of the anti-fraud settings of the sender’s domain and of the capabilities of the recipient’s systems. The weaker the filters, the easier the attacker’s job can be.

What Else Can We Do to Prevent Email Forgery and Fraud?

Technologies are getting better and better at preventing email fraud, but none of them are foolproof. SPF and DKIM are implemented inconsistently, and DMARC is not well-supported across email filters. DMARC records are also not published for a majority of domains. Many that do publish them use “do nothing” (p=none) records designed to test the waters and gather telemetry on which of their own messages would fail DMARC.

Beyond using these technologies and being vigilant, some additional techniques can be used to lock down the identities of message senders. In the last article in this series, we shall see what some of these are.

Read next: Stopping Forged Email 4: Your Last Resorts

Preventing Email Forgery Part One: SPF

Tuesday, December 19th, 2023

Some of the most dangerous cybersecurity threats originate with email, costing businesses millions of dollars annually. How can you increase your email security and prevent email fraud?

In this series, we will look at how to use DNS records to prevent email forgery. The first and simplest method is SPF – Sender Policy Framework. Below, we shall look at what it does, how it works, how to set it up, and what some of its deficiencies are. In future articles, we will look at the other techniques. 


Sender Policy Framework: A Simple Explanation

Simply put, SPF is a way for a domain owner to publish information indicating what servers (internet addresses) are authorized to send email from that domain. Recipients can check the email source against this authorization list. If the server is on the list, the message is likely legitimate. If it is not on the list, the message could be forged. 

Setting up SPF

With SPF (as with all anti-fraud solutions for email), it is up to the domain owner to set up the SPF authorization list. Identifying who manages the domain is often the most significant barrier to implementing SPF. Without access to the DNS settings, creating the SPF authorization list is impossible.

To set up SPF, the domain administrator adds a special entry to the published DNS settings. If you want to set up SPF for your domains, use the SPF Wizard. You can also ask your email provider for assistance. 

We will not spend time on the details of the configuration or setup here. Instead, we will look at the actual utility of SPF, where it falls on its face, and how attackers can get around it.

The Benefits of Sender Policy Framework

Once SPF has been set up, it does an excellent job of helping identify forged emails. It verifies that the sending server is authorized to send. The use of SPF is highly recommended for every domain owner. However, as we shall see next, SPF is insufficient to prevent all email fraud.

SPF Limitations

Sender Policy Framework has some significant limitations in stamping out email forgery. Below, we discuss some of the ways it falls short. 

Identifying Authorized Sending Server Addresses

Identifying all your email-sending servers may not be an issue if you are a small or well-controlled organization. However, it can be more difficult for larger organizations because of their size and use of partners and vendors to send emails on their behalf. In that case, making a complete SPF authorization list is practically impossible.

A related issue is that sometimes we cannot specify all the authorized servers in SPF. An SPF check is limited to 10 DNS lookups; each include, a, mx, ptr, exists, and redirect term counts against that limit, and a record that exceeds it produces a permanent error, which many receivers then treat as if no usable SPF record existed. If your SPF record must be more complicated than that because of all the organizations that send email for you, then you must either refrain from using SPF or leave some legitimate sending servers off the list.

In cases where you cannot make a complete list, you can configure the SPF record as “weak” by ending it with ~all (softfail) instead of -all (fail). This means that if SPF matches, the message is legitimate. But if the weak SPF check fails because the message comes from an unauthorized server, it might or might not be legitimate, and receivers typically only treat a softfail as one signal among many rather than rejecting outright.

Forwarded Messages Appear Illegitimate

When a message is forwarded, the from address does not change, but the sending server does. For example, if you receive a message from Bank of America and then forward it to your friend, it is now your email server sending a message that purports to be from bankofamerica.com.

If bankofamerica.com’s SPF records were set as strict, then your friend’s email server would identify the forwarded message as forged and mark it as spam or fraud. In most cases, that is not desirable. While there is a technology that allows forwarding to get around this (SRS – Sender Rewriting Scheme), it has yet to be widely adopted. 

For this reason, most domain owners set up their SPF records as weak (indicating that if the SPF check fails, the message could still be legitimate).
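An SPF check that exercises the points above (the weak ~all versus strict -all qualifier, the 10-lookup limit, the forwarding failure, and a shared provider’s include), as an added example that is not code from the original post. It implements only a subset of RFC 7208 (ip4, ip6, a, include, all); the zone data, domains and addresses are constructed for the example rather than real DNS.

```python
"""Illustrative SPF check (subset of RFC 7208): qualifiers, include/a, and the 10-lookup limit."""
import ipaddress

MAX_DNS_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data standing in for DNS. All domains and addresses are assumptions.
ZONE = {
    "txt": {
        "strict.example": "v=spf1 ip4:192.0.2.0/24 include:mail.provider.example -all",
        "weak.example": "v=spf1 ip4:192.0.2.0/24 include:mail.provider.example ~all",
        "mail.provider.example": "v=spf1 ip4:198.51.100.0/24 a:out.provider.example -all",
        "loop.example": "v=spf1 include:loop.example -all",   # pathological: never terminates
    },
    "a": {
        "out.provider.example": ["203.0.113.5"],
    },
}


class LookupLimitExceeded(Exception):
    pass


def _count_lookup(counter):
    """Every include and a term (plus mx, ptr, exists, redirect in full SPF) counts toward the limit."""
    counter[0] += 1
    if counter[0] > MAX_DNS_LOOKUPS:
        raise LookupLimitExceeded()


def check_spf(zone, domain, client_ip, counter=None):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain."""
    counter = counter if counter is not None else [0]
    ip = ipaddress.ip_address(client_ip)
    record = zone["txt"].get(domain.lower())
    if record is None:
        return "none"                    # nothing published: nothing to check against
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    try:
        for term in terms[1:]:
            qualifier = "+"
            if term[0] in QUALIFIER_RESULT:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower()
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                _count_lookup(counter)
                addresses = zone["a"].get(arg or domain, [])
                matched = any(ip == ipaddress.ip_address(a) for a in addresses)
            elif mech == "include":
                _count_lookup(counter)
                inner = check_spf(zone, arg, client_ip, counter)
                if inner == "permerror":
                    return "permerror"   # an error inside an include propagates outward
                matched = inner == "pass"  # include matches only when the inner check passes
            else:
                return "permerror"       # mx, ptr, exists, redirect are not implemented here
            if matched:
                return QUALIFIER_RESULT[qualifier]
    except LookupLimitExceeded:
        return "permerror"
    return "neutral"                     # ran off the end without an "all" term


if __name__ == "__main__":
    # A message forwarded by a server outside the list: fail for -all, softfail for ~all.
    print(check_spf(ZONE, "strict.example", "10.0.0.1"), check_spf(ZONE, "weak.example", "10.0.0.1"))
    # Any customer of the shared provider passes strict.example's SPF via the include.
    print(check_spf(ZONE, "strict.example", "198.51.100.7"))
```

Two things worth noticing: the include of the provider’s record means every tenant of that provider passes strict.example’s SPF, which is exactly the shared-server forgery problem discussed below, and loop.example returns permerror once the eleventh lookup is attempted rather than recursing forever.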

Intra-Domain Email Forgery

Because SPF checks only the domain name and the server, two different people in the same organization, Fred and Jane, can send emails legitimately from their @domain.com address using the same authorized servers for domain email.

However, if Fred@domain.com uses his account to send a message forged from Jane@domain.com, the SPF will check out as okay, even if the SPF is set as strict. 

SPF does not protect against intra-domain forgery (one user of a domain impersonating another) at all.

Same Email Provider: Shared Email Servers Forgery

If two people using different domain names have the same email provider, they may also have the same SPF records. Email providers usually have their customers use a standard SPF record indicating that messages from any of the provider’s servers are okay. In this case, it may be possible for any user of that email provider to send a forged message purporting to be from another user in an unrelated domain and have the SPF check pass.

One way to avoid this issue is to use dedicated servers to send email from your domain. If your email provider allows it, you can then narrow your SPF list to only the servers assigned to your account. The SPF record would then reflect only your own sending and could not be abused by other customers of the email provider.

Sender Policy Framework does not protect against spam

This is not a limitation of SPF, but it’s worth mentioning in the context of email security. All SPF does is help you identify if a message is forged or not. Most spammers are savvy. They use their own domain names and create valid SPF (and DKIM and DMARC) records so that their email messages look more legitimate.

In truth, this does not make them look less spammy; it just says that the messages are not forged. Of course, if the spammer is trying to evade your filters by forging the sender address so that the sender is you or someone you know, then SPF can absolutely help.

How Attackers Subvert SPF

So, in the war of escalation where an attacker is trying to get a forged email message into your inbox, what tricks do they use to get around sender identity validation by SPF? 

As we have seen, most domains set up SPF weakly so that messages that fail SPF are not automatically flagged as invalid. From an attacker’s perspective, it all comes down to what sender’s email address (and domain) they are forging. Can they pick an address to construct an email that will make it past SPF?

  1. If the sender’s address does not have SPF configured, it’s easy for the attacker to impersonate.
  2. The message will look legitimate if the attacker can send a message from a server authorized by the SPF for the domain. If the attacker signs up with the same email provider used by the forged domain, they may be able to send an email from the authorized servers for the forged domain. This makes the attacker’s email look legitimate even if the forged domain’s SPF records are strict.
  3. If the forged domain’s SPF records are weak and the attacker can’t use an authorized server to make the message look valid, it doesn’t matter, as SPF failure won’t make their message look forged.

If the attacker has a choice of addresses to forge to achieve their ends, then it is likely that they can pick one that meets one of these three options.

How to Fix Sender Policy Framework?

SPF is helpful but not the sole solution for email fraud prevention. What else can you do?

A responsible domain owner who wants to protect their domain from forgeries and identify forged inbound emails takes additional steps, which we shall discuss in future articles. These include DKIM, DMARC, and other message signature and isolation techniques.

Read next: Preventing Email Forgery Part 2: DKIM

How to Avoid Business Email Compromise Attacks

Tuesday, July 5th, 2022

Business email compromise (BEC) attacks are on the rise and are poised to eclipse ransomware as the biggest threat to cybersecurity. Since 2016, $43 billion has been stolen through BEC. Even more concerning, there has been a 65% increase in BEC from 2019 to 2021. This article explores what business email compromise scams are and what steps organizations can take to avoid them.


What are Business Email Compromise Attacks?

In business email compromise scams, attackers infiltrate or impersonate a legitimate corporate email account. They then send phony invoices or initiate contract payments that trick unsuspecting businesses into wiring money to criminals.

These scams rely on humans making the wrong choices. Some examples of business email compromise scams include:

  • A criminal impersonates a vendor and sends a fake invoice to the accounting department.
  • Someone who appears to be the company CEO asks an assistant to make a wire transfer to an unknown account.

Some of the tactics used include:

  • Domain name spoofing: The attacker sets the message’s “From” address to the target organization’s own domain (or a trusted vendor’s domain) so the message appears to come from inside. A variant keeps a legitimate-looking “From” address but adds a “Reply-To” header pointing at an attacker-controlled domain, so any reply goes to the criminal.
  • Display name spoofing: The attacker registers a free email account to impersonate a vendor or employee. The attacker would configure the display name to match the employee’s name and then send phishing messages from this account. This technique is effective because recipients often only look at the display name, not the email address. In fact, many email clients will only show the display name when viewing the message, making it easier to hide the sender’s real identity.
  • Lookalike domain spoofing: The attacker may register fake domain names that contain characters that look similar to those in the actual domain name. For example, replacing the lowercase “l” in luxsci.com with an uppercase “I.” The criminal will send phishing emails from this domain to trick the recipient into thinking the message is legitimate.
  • Email Account Compromise: Another common tactic is taking over legitimate email accounts that have been compromised through malware or social engineering to steal data or funds.
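A header-level check for the first three tactics above, as an added example that is not code from the original post. It uses Python’s standard email module; the protected domain luxsci.com follows the page’s own lookalike example, while the employee directory, the homoglyph table and the sample messages are constructed for the example.

```python
"""Flag common BEC header tricks: display-name spoofing, Reply-To mismatch, lookalike domains."""
import email
from email.utils import parseaddr

ORG_DOMAIN = "luxsci.com"                     # the domain being protected (the page's own example)
KNOWN_PEOPLE = {"jane doe", "fred smith"}     # constructed directory of internal display names

# Character swaps commonly used to build lookalike domains. An assumed, non-exhaustive table;
# applied before lowercasing so the uppercase-I-for-lowercase-l trick is caught.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o"), ("5", "s")]


def fold_homoglyphs(domain):
    folded = domain
    for src, dst in HOMOGLYPHS:
        folded = folded.replace(src, dst)
    return folded.lower()


def domain_of(header_value):
    """Domain part of an address header, with original case preserved for the homoglyph fold."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2]


def is_lookalike(domain):
    """True when domain is not ORG_DOMAIN itself but folds to it (Iuxsci.com -> luxsci.com)."""
    return domain.lower() != ORG_DOMAIN and fold_homoglyphs(domain) == ORG_DOMAIN


def bec_red_flags(raw_message):
    """Return the list of red flags found in the message headers (empty list when clean)."""
    msg = email.message_from_string(raw_message)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    # 1. Display-name spoofing: an internal person's name on an address outside the organization
    if display_name.strip().lower() in KNOWN_PEOPLE and from_domain.lower() != ORG_DOMAIN:
        flags.append("display-name-spoof")
    # 2. Reply-To steering replies to a different domain than the one shown in From
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain.lower() != from_domain.lower():
        flags.append("reply-to-mismatch")
    # 3. A lookalike of the organization's domain in either From or Reply-To
    if any(d and is_lookalike(d) for d in (from_domain, reply_domain)):
        flags.append("lookalike-domain")
    return flags


# Constructed sample messages (not real mail).
SPOOFED_CEO = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
To: assistant@luxsci.com
Subject: Quick favour

Can you process a wire today? I am in meetings all afternoon.
"""

LOOKALIKE_REPLY_TO = """\
From: Accounts Payable <ap@luxsci.com>
Reply-To: ap@Iuxsci.com
To: finance@luxsci.com
Subject: Updated remittance details

Please use the new account on the attached invoice.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@luxsci.com>
To: fred.smith@luxsci.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for sample in (SPOOFED_CEO, LOOKALIKE_REPLY_TO, LEGITIMATE):
        print(bec_red_flags(sample))
```

The check is deliberately cheap and runs on headers alone, which is why it belongs alongside SPF/DKIM/DMARC rather than instead of them: none of these flags proves fraud, and the homoglyph table covers only ASCII swaps, not internationalized (IDN) confusables. Treat a hit as a reason to route the message to the verification procedure described below, not as a verdict.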

How to Prevent Business Email Compromise Attacks

One of the reasons that business email compromise attacks are increasing is because they are often successful. Email filters and content scanning can do little to stop sophisticated social engineering attacks. Nevertheless, there are steps that organizations can take to stop BEC scams.

SPF, DKIM, and DMARC

Implementing technical controls can help prevent BEC scams from succeeding. As discussed above, many attacks use display or domain name spoofing to impersonate company accounts or individuals.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) are anti-spoofing email authentication techniques that use DNS records to validate the sender of an email. Ensure the organization’s domain has valid SPF and DKIM records and an enforcing DMARC policy (p=quarantine or p=reject; a p=none record only reports and blocks nothing). Make sure the email provider evaluates all inbound email traffic against these records.

Viewing the headers of a suspicious message is also an excellent way to detect fraudulent domains. See Gmail, Outlook, Apple Mail, and More: How to View Headers in Email to learn how to see these in the most popular email clients. This can help reveal the actual sender of someone using a spoofed domain or display name.

In addition, implementing email filtering and scanning tools can help flag suspicious links and protect against phishing attacks.

Employee Training

Helping employees recognize business email compromise scams is essential to avoiding them. All employees, not just those with access to sensitive data or financial information, should understand the tactics used by cybercriminals in BEC scams.

Employees should be aware that attackers can use the information they share online via social media against them. Birthdates, pets’ names, nicknames, and information about time off can be used to impersonate others and trick individuals.

Ensure employees use strong passwords and multifactor authentication to prevent account compromise, and so that an attacker who obtains a password still cannot take over the account or change its credentials.

Policy and Procedures

Creating clear policies and procedures can help alleviate confusion and prevent individuals from taking action without thinking. For example, organizations should have clearly defined procedures for how and when vendors will send invoices and be paid. That way, when an unexpected email comes in from a “vendor,” employees will know what to do. It’s also essential to keep up-to-date contact information for vendors and employees. Many BEC schemes ask recipients to call a phone number with account credentials or payment information. If the number differs from the contact information on file, it’s wise to pause and call the contact through established channels to confirm the message’s accuracy before proceeding.

By creating clearly defined and enforced policies and procedures, it will be very obvious when deviations occur. Empowering employees with the tools they need to identify business email compromise scams will help protect your company and keep financial information secure.