The season to file your tax return has come once again, and as usual email scammers are jumping on the bandwagon hoping to catch an easily-snared victim.
Numerous efforts have been made by the UK Government to better educate and inform the public of what they should do if they spot such an email, and what a scam typically looks like. Also, standards like the email authentication protocol DMARC were launched around five years ago, and both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) remain in use.
These options work well, providing you know where your domains are. The Dutch Tax and Customs Administration has presented at recent conferences with the claim that it was able to roll out DMARC to 550 domains to better prevent email impersonation attempts.
Speaking at last summer’s Black Hat USA conference, Karl Lovink, technical lead for the Dutch Tax and Customs administration, and consultant Arnold Holzel from SMT, said the incentive was to find phishing campaigns as fast as possible, avoid disrupting business operations and to use existing standards.
The two men were in London recently to present at a SANS conference to repeat the talk, and Infosecurity met with Lovink to discuss the concept further. He explained that its technique is universally applicable, but a precondition is access to DNS logging and adding SPF, DKIM and DMARC DNS records, so you have better insight into where the phishing emails are sent from, and to whom they are sent.
“What we don’t understand is why companies don’t have SPF, DKIM and DMARC records. It is so simple to implement, and we still get phishing emails with their logo and with those implementations it would be gone,” he said. “It should be an obligation to do this, but you need to know where your mail servers are.”
As the Dutch Tax and Customs administration was able to fully implement the standards in a month, is there a trick to doing this efficiently? He said that the administration started with a lot of research before the implementation, but the main issue was knowing where the mail servers were. “You can reject everything that you do not know” he advised, saying that another option is to have a test period where you do not reject everything unknown, but determine where all your legitimate mail servers are located."
Lovink admitted that there is a grey area between total rejection and filtering, but a main problem is in additional mail servers used for contractors, which are often forgotten. However, he said that this can be overcome by adding a sub domain so that you can publish specific DNS records for their mail servers. "If you do it like this then you can lock down your own domain," Lovink said.
Is this the same issue as with forgotten or orphaned email servers? Lovink said that if you do not know where your mail servers are, you cannot add DNS records for them, and this needs to be the first step before you can add the SPF, DKIM and DMARC standards.
"In 10 years we have still got the same situation"
These standards were implemented, Lovink said, “otherwise in 10 years time we will still have the same situation.” This type of financial fraud is left to the likes of the tax authorities to educate. “We publish and implement these standards, but the recipient has to check these standards and check against those standards, and we urge you to ask your service provider to implement these,” he added.
Lovink said that Google and Microsoft are doing a really good job in checking and taking additional measures, but smaller ISPs need to implement this and then phishing emails will be reduced.
This form of financial fraud is a symptom of the growth of online activity, and security trying to keep up. Lovink said that all of the protocols have been invented and extra features have been included to make us more secure, and there was a belief that if we added SPF - and especially SPF with macros - we would be secure, and then we added DKIM to sign email, but there was no relationship between the two standards.
This led to DMARC being added to check that the other standards are OK, but Lovink warned the next issue is with forwarding and mailing lists, so a new standard called Authenticated Received Chain (ARC) was created to keep the authentication chain in place “so you can see that the email was sent from an authorized server.”
What did that period of research look like? He explained that a lot of work was done in production, and telling the company what you are doing and why you are doing it.
Ultimately, this leads to the ability to know who is doing what with your domain name. For that you need to implement SPF wih macros.
A response blog to the initial talk by Ironscales said: “protocols and standards do not prevent against phishing attacks when attackers purchase a domain” and they are not built to stop exact sender name and similar sender name impersonations; or lookalike (aka cousin domain spoofing) attacks, which impersonate not just an email but the actual domain itself.
Lovink did address the issue of typosquatting, saying that this is not overcome using protocols as this only works for domains you know. He admitted that further research is needed to gain visibility on typosquatting and punycode domains.
Ultimately, phishing and this type of financial fraud are almost as old as the internet, but it is positive that this experience was so positive for the Dutch Tax and Customs Administration. Lovink also explained that there was a financial incentive from the SIDN to implement these standards which givens you a discount on a .nl domain. “If you are a large provider with a lot of domains it can be a large amount of money,” he concluded.