DMARC Goes Live

January 31, 2012

Yesterday, dmarc.org released the new DMARC standard for email.  Contributors to the DMARC standard include Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, LinkedIn, Microsoft, PayPal, Return Path, TDP, and Yahoo!.

DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.”  DMARC provides important extensions to the existing email authentication standards by providing automated and standardized methods to process messages that fail email authentication. DMARC explains the significance of this enhancement:

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

Let’s look at an example. If a phisher spoofs “paypal.com”, the real email domain of PayPal, the bad guy cannot send email from PayPal’s email servers. Because the bad guy can’t use the real email servers, the fake paypal.com email will fail authentication. Before DMARC, webmail services such as Hotmail, Yahoo! Mail, AOL Mail and Gmail lacked a systematic way for senders to tell them what to do with emails that failed authentication. This is where DMARC comes into play. If PayPal is using DMARC, webmail providers will know that PayPal wants them to reject the fake “paypal.com” email.

Let’s look at another example. What does DMARC do if a phisher uses a deceptive email address instead of “paypal.com”? Consider the example of paypa1.com, where the last letter is really the number one instead of the letter el. Because the deceptive domain is not paypal.com, it is not governed by the authentication records of paypal.com or the DMARC instructions for paypal.com. The authentication records and DMARC instructions for paypal.com govern only paypal.com and not the other hundreds of millions of domains that exist and will be created. DMARC will have no impact on paypa1.com emails.
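The two examples above can be run side by side. This is an added illustration, not code from dmarc.org or Iconix: the DMARC record is constructed, the DNS lookup is replaced by an in-memory table, and the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
# Added example: simplified DMARC evaluation (not a full implementation).
# CONSTRUCTED stand-in for DNS TXT lookups at _dmarc.<domain>; values are illustrative.
DMARC_TXT = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; rua=mailto:reports@paypal.example",
}

def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; return None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return the handling requested by the owner of the From: domain.

    spf_pass_domain / dkim_pass_domain: the domain that passed SPF / DKIM, or None.
    """
    txt = DMARC_TXT.get("_dmarc." + org_domain(from_domain))
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        return "no-policy"  # DMARC has nothing to say about this domain
    aligned = any(
        d is not None and org_domain(d) == org_domain(from_domain)
        for d in (spf_pass_domain, dkim_pass_domain)
    )
    return "pass" if aligned else policy["p"].lower()  # none / quarantine / reject

def demo():
    return {
        # Genuine mail: DKIM passes for the From: domain.
        "real paypal.com": evaluate("paypal.com", dkim_pass_domain="paypal.com"),
        # Spoof sent from another server: SPF passes only for that server's own domain.
        "spoofed paypal.com": evaluate("paypal.com", spf_pass_domain="mailer.example"),
        # Lookalike with its own valid SPF/DKIM: paypal.com's policy is never consulted.
        "lookalike paypa1.com": evaluate("paypa1.com", spf_pass_domain="paypa1.com",
                                         dkim_pass_domain="paypa1.com"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The lookalike case returns `no-policy` even though its own authentication passes, which is why receivers need a separate control for deceptive domains.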

While DMARC can deny bad guys the use of the actual domains of trusted senders, DMARC cannot stop bad guys from using domains that are not the actual domains of trusted senders. DMARC will not stop pay-pal.com, fasebook.com, or the myriad of other deceptive domains that bad guys will dream up. DMARC is useful because it:

  • allows senders to specify handling policies about messages that fail authentication, and
  • provides feedback that can help senders improve their authentication accuracy,

but it only addresses one of many doors that phishers use to get into the inbox.

To deal with all the doors leading to your inbox, you need more. You need a service that can distinguish real from fake for leading consumer brands, regardless of the methods that phishers use. You need eMail ID from Iconix.

Know Who. No Doubt. Use eMail ID.


Hackers For Hire

January 26, 2012

When we think of hacking passwords, the image that comes to mind is that of technically savvy geniuses who use super high-tech tools, fancy computers, and whiz-bang software to crack the password.  Like Tim and Abby from the popular CBS television show NCIS:

How do real hackers crack passwords? In “Hackers for Hire Are Easy to Find”, The Wall Street Journal reports:

[T]he IHG  [hacking] service worked like this: It requested the target person’s email address, the names of friends or colleagues, and examples of topics that interest them. The hackers would then send an email to the target that sounded as if it came from an acquaintance, but which actually installed malicious software on the target’s computer. The software would let the hackers capture the target’s email password.

Real hackers don’t use super smart technology to crack the code. They use social engineering to create highly relevant emails from apparently trusted sources — spearphishing.  Attacking systems is hard.  Attacking people is easy. That is why bad guys Target the Human.

How long does it take to hack passwords using this method? How much does it cost?  Who does this work?  The Wall Street Journal reports:

One such site, hiretohack.net, advertises online services including being able to “crack” passwords for major email services in less than 48 hours. It says it charges a minimum of $150, depending on the email provider, the password’s complexity and the urgency of the job. The site describes itself as a group of technology students based in Europe, U.S. and Asia.

Apparently there is a lot of demand for hacking-for-hire services. New York magazine reports that the IHG hackers cited by The Wall Street Journal made more than $200,000 in thirteen months.


Zappos Hacked: Customers Beware Phishing Scams

January 16, 2012

It is being widely reported in the press that an estimated 24 million Zappos user accounts have been compromised.

Mashable reports:

Robert Siciliano, a McAfee consultant and identity theft expert, says he expects whoever hacked Zappos’s site will now sell the data to people who run phishing scams. “They’ll sell it 10,000 accounts at a time, short money, like $100,” he says. While hackers don’t have complete credit card numbers, Siciliano says there’s enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well.

The bad guys now have very useful information with which to craft very convincing fake email. What they cannot do is use the real Zappos’s email servers. You can easily identify real email really coming from Zappos by using a tool to identify real email. You need eMail ID from Iconix.

Know Who.  No Doubt.  Use eMail ID.


U.S. Government Agencies Targeted By Malware

January 16, 2012

Mashable has posted a video describing the latest twist on the Sykipot targeted attack.

As an added layer of IT defense, the U.S. Government has adopted smart cards to control access to data systems. In this attack, the hackers attack the users by sending spearphishing emails that install malware which hijacks the smart cards. Once activated, the malware bypasses the smart card protection.

The technical details are reported by AlienVault.  AlienVault concludes:

As defenses get better, attackers will continue to change their tactics to adapt, and as seen here, will hijack the very systems designed to provide more security, if necessary. An interesting by-product of this malware’s necessity of having the card physically present is that attackers can only leverage it for secure authentication to target systems, during times that the user is physically present at the workstation, making unauthorized activity that much more difficult to discern from legitimate usage. Although smart cards are designed to provide a two factor system of ‘chip and pin’, again we see that true two-factor authentication is not possible without a physical component that is not accessible digitally.

Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human  is available now from Iconix. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix.  For further information, contact us at 408-727-6342, ext 3 or use our online form.


IRS Email Warns Of Phishing — Is the Warning Phishing?

January 12, 2012

Today the IRS issued its Tax Tip 2012-08 warning about phishing scams aimed at US taxpayers.   Subscribers to IRS information services received an email about the warning.

This is a screen shot of the email:

Is this a real IRS email?  Did you notice these odd things about it?

Why would I open such an obviously fake email?  Because it isn’t fake — it is real.  I know it is real because I use the products of Iconix.  This is what my display looks like with SP Guard turned on:

The IRS really made spelling errors and the IRS really sends emails from the domain govdelivery.com.

Know Who.  No Doubt.   Use Email ID and SP Guard.


IRS Issues Phishing Warning

January 12, 2012

Today the IRS issued Tax Tip 2012-08 warning about phishing attacks.  We reproduce it here as a public service.

Don’t be Scammed by Cyber Criminals

IRS TAX TIP 2012-08, January 12, 2012

The Internal Revenue Service receives thousands of reports each year from taxpayers who receive suspicious emails, phone calls, faxes or notices claiming to be from the IRS. Many of these scams fraudulently use the IRS name or logo as a lure to make the communication appear more authentic and enticing. The goal of these scams – known as phishing – is to trick you into revealing your personal and financial information. The scammers can then use your information – like your Social Security number, bank account or credit card numbers – to commit identity theft or steal your money.

Here are five things the IRS wants you to know about phishing scams.

  1. The IRS never asks for detailed personal and financial information like PIN numbers, passwords or similar secret access information for credit card, bank or other financial accounts.
  2. The IRS does not initiate contact with taxpayers by email to request personal or financial information. If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site:
    • Do not reply to the message.
    • Do not open any attachments. Attachments may contain malicious code that will infect your computer.
    • Do not click on any links. If you clicked on links in a suspicious e-mail or phishing website and entered confidential information, visit the IRS website and enter the search term ‘identity theft’ for more information and resources to help.
  3. The address of the official IRS website is www.irs.gov. Do not be confused or misled by sites claiming to be the IRS but ending in .com, .net, .org or other designations instead of .gov. If you discover a website that claims to be the IRS but you suspect it is bogus, do not provide any personal information on the suspicious site and report it to the IRS.
  4. If you receive a phone call, fax or letter in the mail from an individual claiming to be from the IRS but you suspect they are not an IRS employee, contact the IRS at 1-800-829-1040 to determine if the IRS has a legitimate need to contact you. Report any bogus correspondence.  You can forward a suspicious email to phishing@irs.gov.
  5. You can help shut down these schemes and prevent others from being victimized. Details on how to report specific types of scams and what to do if you’ve been victimized are available at www.irs.gov. Click on “phishing” on the home page.



Targeted Attacks – Harden the Human Target

January 11, 2012

In order to compromise data networks, a point of entry is required. An effective point of entry is the people who use the systems. The Wall Street Journal’s recent article, You Are A Security Risk, provides a nice discussion of this topic. Ironically, the criminals use publicity about cyber intrusions to dupe careful people into their trap. For example, there is a fake security alert purporting to be from CERT. There is another current targeted attack using emails allegedly from Stratfor’s CEO George Friedman, urging recipients to provide personal information in response to the recent compromise of Stratfor by cyberattackers.

Equally frightening is how effectively the malware that is installed evades detection by security software. We saw this in the recent compromise of the U.S. Chamber of Commerce, in which the FBI, and not internal security measures, alerted the Chamber to the problem. The Chamber is not alone in being unable to detect compromised systems. Kevin Mandia, CEO of Mandiant Corporation, recently testified as follows before the U.S. Congress:

we routinely witness attackers circumvent conventional safeguards deployed to prevent and detect security breaches.  Virtually all of these intrusions belong to the growing subset of advanced threats that usually evade off-the-shelf technologies that American corporations rely upon – often times exclusively – for their defense.  In fact, in over 90% of the cases we have responded to, Government notification was required to alert the company that a security breach was underway.  In our last 50 incidents, 48 of the victim companies learned they were breached from the Federal Bureau of Investigation, the Department of Defense or some other third party.

Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human  is available now from Iconix. That tool is SP Guard from Iconix.

SP Guard Inbox

SP Guard provides the recipient with three confirmations that a message is real:

  1. List View. There is an integrity indicator in the list view of the email client.
  2. Message. The open message has a further indicator of authenticity.
  3. Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.

SP Guard now offers a fraud filtering enhancement.  This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails which are so well crafted that users cannot tell real from fake.

SP Guard is available now from Iconix. For further information, contact us at  408-727-6342, ext 3 or use our online form.