My experience spans both sides of the phishing coin. As a Blue Team member, I’ve witnessed schools falling victim to ransomware, businesses disrupted by malware, and confidential data peddled on the dark web – all fallout from successful phishing campaigns that enticed users into clicking malicious links. And in my capacity on Red Teams, I’ve orchestrated phishing simulations to heighten organizational awareness and assess their resilience against these attacks. Alongside, I’ve validated technical defenses, seeking to plug the gaps in the deluge of phishing messages, and demonstrated the very social engineering tactics employed by phishers.
What has continually astonished me is how effortlessly I’ve replicated or sidestepped controls. A simple switch of letters or the use of obscure characters allowed me to dispatch emails appearing to be from legitimate entities. During testing, instances emerged where genuine email domains of prominent organizations were employed, only to realize that these messages went through unimpeded due to a lack of preventive measures against impersonation.
Tragically, this often swayed users into clicking on my meticulously crafted links, invariably leading to some form of compromise. It’s the year 2023, yet we continue to be ensnared by phishing, without grasping the lessons it offers. Why is this?
My pursuit of answers led me to scrutinize authentic emails from established organizations: social media platforms, payment solutions, pensions, and banks. The findings alarmed me. To avoid being blacklisted by third-party email services, these entities frequently use alternative domains for mass emails. The practice generally involves publishing these alternative domains on the corporate website, enabling recipients to verify the legitimacy of emails. However, my recent investigation revealed that among ten corporations, 50% lacked proper policies for dealing with phishing or email identity management. Two companies omitted listing the domains from which I received the emails. Two others redirected me to 404 pages with no domain validation. One company fell short on all counts and possessed a Sender Policy Framework (SPF) DNS record permitting any worldwide IPv4 address to send emails from their domain. Strikingly, the majority of failures were financial institutions.
On one occasion, it took me about 15 minutes to confirm the authenticity of an email. This involved tracing the IP address to its owner, an affiliate agency authorized to send emails on behalf of the organization. In this scenario, how is an everyday user expected to differentiate between genuine and malicious emails?
This issue isn’t merely a technical shortcoming; it’s a systemic failure. The industry at large has struggled to tackle the problem, both technically and in terms of policy and management. There’s no foolproof client-side solution. Many antivirus software companies have attempted, yielding a few commendable results in mitigating blatant phishing emails. Nevertheless, we consistently fall back on end-user education, which comes with inevitable pitfalls.
While technical remedies exist, they hinge on sender responsibility and prove effective only when meticulously implemented in tandem with other controls. These solutions have been available for years, but the adoption rate among large corporations remains disappointingly sluggish.
If you’re inquisitive about your IT messaging teams’ efforts, consider these questions:
- Do we possess a Sender Policy Framework (SPF) for ALL domains, and is it accurate?
- Do we authorize third-party affiliates to send emails on our behalf, and do they have an SPF?
- Have we instituted DKIM for ALL domains from which we send emails?
- Have we enforced DMARC for ALL domains involved in sending emails?
- Do we have an email messaging security policy, and is it effective?
- Have we furnished our user base (external users) with a resource to verify the authenticity of emails, and does it function as intended?
If your response to any of these queries is ‘No,’ then you’re inadvertently contributing to the problem. Fortunately, rectifying this is feasible. Numerous guides and resources are available to assist in designing and implementing SPF, DKIM, and DMARC.
Until corporations adopt these controls, phishing won’t fade into obscurity. Instead, we may witness an escalation in the complexity, frequency, and intensity of attacks and their aftermath. It’s a dilemma of our creation, one we can mitigate by deploying the control mechanisms that already exist. Often, the solution doesn’t necessitate proprietary or licensed products. An all-encompassing remedy centered on AI, machine learning, or blockchain won’t vanquish this issue, regardless of the promises vendors make.
Remember, if you’re uncertain about an email’s origin, leaving the link blue is a wise choice.
Helpful References:
Leave a Reply