As Email Security Expert at AnubisNetworks, I see many IT specialists at Security Service Providers, and in companies large and small, who have a difficult job when it comes to cybersecurity, and specifically email security. Spam and phishing techniques have evolved in recent years, and IT security professionals need to be aware of new hacker scams targeting end users through email.
Words like spam, phishing and malware are part of our day-to-day language.
“Spam and phishing techniques have evolved in recent years and users need to be aware of new hacker scams.”
The New Hacker Scams
Spam, phishing and malware are terms well known to the vast majority of end users; dealing with them has become routine in many people's daily lives. However, the evolution of the fight against unwanted email over the last decade has been frenetic, and its maturity is now quite high. Strange as it may seem, the high effectiveness of an anti-spam system ends up acting as your enemy: it makes you forget about the end-user problem. As fewer unwanted emails get through, there is a tendency to stop being suspicious of anything that arrives by email.
By analogy, consider someone who buys a very sophisticated alarm to protect their home. After a few years without a robbery, they replace the alarm with a watchdog, just to save a couple of euros. In the email security space, many solutions on the market can block the vast majority of spam, leaving only one or two unwanted messages per day.
From a financial point of view, it may even seem like good business to save a few euros in exchange for deleting the few messages that reach our inbox. However, the paradigm has changed. In past years we were bombarded by advertisements for different products, and receiving them was merely uncomfortable. Today we are bombarded by emails that install viruses and malware, try to steal data, and infect other PCs, which goes far beyond a little "nuisance."
Spammers are adapting their way of acting very creatively, using many different techniques to get through the various defensive barriers. If we look at a phishing campaign, it looks like we are watching an action movie.
Decoding the Phishing Strike
There are movies in which we watch plans for super complex robberies: each security barrier is dismantled step by step, using various techniques, to reach the final goal. Decomposing the steps of an email campaign, we can observe the following:
Email origin:
- The message originated from an IP address with some previous email traffic, conferring some positive reputation.
- The Domain Name System (DNS) configuration associated with that address was correct and in accordance with good practices.
- The Sender Policy Framework (SPF) record for the sending server's identity is correct.
Relationship with the bank domain:
- The SPF policy published by the bank is neutral, which allows anyone on the internet to send mail in its name.
- The bank in question does not publish any Domain-based Message Authentication, Reporting and Conformance (DMARC) policy.
- There is no clear way to know whether the bank uses DomainKeys Identified Mail (DKIM) as a digital signature.
Message format:
- The message does not display any invalid header and meets all minimum requirements.
- The order of the headers is consistent with some applications that send email.
Message content:
- The message is written with perfect grammar and spelling in the recipient's language.
- It uses a bank-compliant appearance.
- It uses a "click here" button that opens a Google page with the search result for a long and strange word.
- It does not use a website with a bad reputation; it refers only to Google.
Result of "click here":
- It uses content promotion techniques, also used in marketing, to steer the victim to a website with a fake page. The trick is to promote a word on multiple sites, so that the search result for that same word leads to a certain site.
Content of the "particular site":
- It uses a relatively unknown trick to hide the content of the page, making use of a URI of the form data:text/html;http://www.bank.com/users/;base64,77SDADAD...
This last technique gives the user the impression of being on the www.bank.com website when in fact they are not. What is displayed is the content referenced in "77SDADAD...", encoded in base64.
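To show how a mail or web gateway could flag the data: URI trick just described, here is an added Python example (not code from this post or from AnubisNetworks). It parses a data: URI per RFC 2397 and reports a bare URL-looking token in the parameter slot plus a base64-hidden HTML body; the sample URIs, their bodies and the heuristics are constructed assumptions for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample of the lookalike data: URI described in the post. The
# base64 body is a constructed stand-in page, not a real phishing payload.
FAKE_PAGE_HTML = (b"<html><body><form action='https://login.invalid'>"
                  b"<input name='password'></form></body></html>")
SAMPLE_URI = ("data:text/html;http://www.bank.com/users/;base64,"
              + base64.b64encode(FAKE_PAGE_HTML).decode("ascii"))
BENIGN_URI = "data:text/html;charset=utf-8,%3Ch1%3EHello%3C%2Fh1%3E"

# Assumed heuristic: a bare token that looks like a URL or hostname.
URL_LIKE = re.compile(r"^(https?:)?//|^[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def parse_data_uri(uri):
    """Split a data: URI (RFC 2397) into media type, parameters and decoded body."""
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    header, sep, body = uri[5:].partition(",")
    if not sep:
        raise ValueError("malformed data: URI: no comma before the body")
    parts = header.split(";")
    media_type = parts[0].strip() or "text/plain"
    params = [p.strip() for p in parts[1:]]
    is_base64 = bool(params) and params[-1].lower() == "base64"
    if is_base64:
        params = params[:-1]
        decoded = base64.b64decode(body, validate=False)
    else:
        decoded = unquote(body).encode("utf-8")  # percent-encoded plain body
    return {"media_type": media_type, "params": params,
            "base64": is_base64, "body": decoded}


def suspicious_data_uri(uri):
    """Return the reasons a data: URI matches the bank-lookalike trick (empty if none)."""
    info = parse_data_uri(uri)
    reasons = []
    for p in info["params"]:
        # Legitimate parameters are key=value (e.g. charset=utf-8); a bare URL-looking
        # token in that slot only serves to show a trusted hostname to the user.
        if "=" not in p and URL_LIKE.search(p):
            reasons.append("url-like token in parameters: " + p)
    if info["media_type"].lower() == "text/html" and info["base64"]:
        reasons.append("base64-encoded HTML hides the page from plain inspection")
    body = info["body"].lower()
    if b"<form" in body or b"password" in body:
        reasons.append("decoded body contains a form or credential field")
    return reasons
```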
Summing up
Most of the clues we normally use to identify these campaigns, the ones that let us catch 99% of other cases, have been eliminated. It is also clear that the fight against fraud must start with the institutions, mainly financial institutions. Whoever receives a message should have maximum guarantees about the origin of that message. The use of techniques such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) makes this process more transparent, effective and secure.