December 14, 2017
Impersonation Attacks . . . an Oldie but a Baddie – WST
With the Holidays right around the corner, it is a good time to up the alert level, and reiterate proper email security with users. We have had numerous WSTs on ways to spot phishing messages so we won’t go into the basics here (feel free to ask your sales rep if you would like to receive one to send to your users again). An old tactic has been making a comeback, so in addition to the usual, remember to train your employees on how to spot impersonation attacks.
Email impersonation is just like what it sounds, the bad guy sends an email claiming to be from someone the recipient would know and trust. This could be a colleague, a supervisor, a big customer, or the CEO. There are many ways to do this, including:
- Old-fashioned email spoofing, i.e. just forging the From address so the message appears to come from your own domain
- Using a look-alike email domain, one that differs from the real one by a swapped or dropped letter, a homoglyph (rn for m, 0 for o) or just a different top-level domain, like firstname.lastname@example.org standing in for the real example.com address
- Using a free webmail account (Gmail and the like) registered under the proper name, like firstname.lastname@ the free provider, so the address itself reads as legitimate
- Or just forging the display name and using a random email address, like Big Boss <email@example.com>. This may not seem like it would work, but many mail clients, phones especially, show only the display name, and many users never look at the address behind it
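The four tactics above can be picked apart mechanically by looking at nothing more than the From: header. What follows is an added example, not code from the original tip or from any product: a small Python triage routine that takes a raw From: value and reports which impersonation indicators it carries. The corporate domain (example.com), the list of protected executive names and the free-mail domains are constructed configuration for the example; a real deployment would feed it the organization's own directory.

```python
import re
from email.utils import parseaddr

# Constructed configuration for this example (not from the original post):
# the organisation's real domain, the people most worth impersonating, and
# the free-mail providers attackers use for "proper name" accounts.
CORP_DOMAIN = "example.com"
PROTECTED_NAMES = {"big boss", "jane doe"}          # hypothetical executives
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalize_name(text):
    """Lower-case, keep letters only, collapse whitespace: 'Big.Boss' -> 'big boss'."""
    return " ".join(re.sub(r"[^a-z]+", " ", text.lower()).split())


def edit_distance(a, b):
    """Levenshtein distance; a domain one edit away from the real one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain):
    """Map common visual substitutions back to the letters they imitate."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(fake, real)
    return domain


def is_lookalike_domain(domain):
    """True for homoglyph, one-edit and different-TLD variants of CORP_DOMAIN."""
    if domain == CORP_DOMAIN:
        return False
    if fold_homoglyphs(domain) == CORP_DOMAIN:
        return True
    # Same registrable name under a different TLD (example.org for example.com).
    if domain.split(".")[0] == CORP_DOMAIN.split(".")[0]:
        return True
    return edit_distance(domain, CORP_DOMAIN) <= 1


def impersonation_indicators(from_header):
    """Return the impersonation indicators found in a raw From: header value."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    indicators = []
    if domain == CORP_DOMAIN:
        # Looks internal. Whether it really came from inside is for the MX
        # (SPF and related checks) to decide, not for a header heuristic.
        return indicators
    if "@" in display:
        # '"ceo@example.com" <x@other>': an address planted in the display name.
        indicators.append("address-in-display-name")
    if is_lookalike_domain(domain):
        indicators.append("lookalike-domain")
    if normalize_name(display) in PROTECTED_NAMES:
        indicators.append("display-name-impersonation")
    if domain in FREEMAIL_DOMAINS and normalize_name(local) in PROTECTED_NAMES:
        indicators.append("freemail-named-account")
    return indicators


if __name__ == "__main__":
    # Constructed sample headers, roughly one per tactic in the list above.
    samples = [
        "Big Boss <big.boss@example.com>",
        "Jane Doe <jane.doe@example.org>",
        "Accounts Payable <ap@exarnple.com>",
        "Big Boss <big.boss@gmail.com>",
        "Big Boss <qwe123@mailer.test>",
        '"big.boss@example.com" <qwe123@mailer.test>',
    ]
    for sample in samples:
        print(f"{sample:45} -> {impersonation_indicators(sample)}")
```

Note what the routine deliberately does not do: a message that already claims to be from example.com gets no verdict here, because the only trustworthy evidence for that case is where the connection came from, which is what the MX-side controls further down are for. The heuristics are also intentionally loose (any display name matching an executive from any outside address is flagged), so treat the output as a reason to tag or quarantine for review, not as a hard block.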
The ease and efficacy of these types of phishing messages are making them one of the tactics of choice when attackers are targeting a specific organization. There have been several high-profile instances where a simple Gmail message from what appears to be a company CEO can initiate the movement of large sums of money (generally to accounts in countries with no extradition treaties) or other Bad Things™. This is why it is important to include this type of attack in your security awareness efforts. In addition, there are technical ways to make this harder for the bad guys to pull off:
- Consider stamping all email originating from outside the network with a prominent message that the email came from the outside. Have the mail gateway decide "outside" from where the connection actually arrived, not from any header the sender controls. This is not infallible, but it reminds users to be cautious, and it makes a spoofed "internal" message stand out.
- Your MX servers should not accept spoofed mail. A message arriving from the internet at large that uses your own domain as the sender should be rejected. Before turning this on, inventory the third-party services (SaaS platforms, mailing-list and marketing tools, forwarders) that legitimately send as your domain from outside, and either route them through an authenticated relay or allow-list their sending addresses, otherwise you will drop real mail.
- Ensure you have a properly formatted Sender Policy Framework (SPF) record for your domain. This DNS TXT record states which servers are authorized to send as you, and receiving systems that check it (including your own MX, for the previous point) can reject forgeries of your domain. End the record with -all, not the permissive +all or the lenient ~all that many receivers treat as a pass. Note the limits: SPF is evaluated against the envelope sender, so it does nothing against look-alike domains, free-mail accounts or forged display names, and it only protects the From address users see when paired with DKIM and a DMARC policy.
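To make the SPF point concrete, here is an added example (not part of the original tip, and not any mail server's real implementation) of how a receiver decides whether a connecting IP is allowed to send as a domain. The three records and the sender addresses are constructed; the strict record sits beside a weak +all record and a ~all record so the difference in outcome for a spoofed message is visible. Only the ip4, ip6 and all mechanisms are handled; include:, a:, mx: and redirect= require DNS lookups and are refused rather than silently ignored.

```python
import ipaddress

# Constructed records for the example. The strict one is what the tip asks for;
# the other two are the common weak variants.
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
WEAK_RECORD = "v=spf1 ip4:192.0.2.0/24 +all"     # +all authorises everyone
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"     # ~all: 'softfail', often delivered anyway

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the connecting IP (the SMTP client that sent MAIL FROM for this
    domain) against an SPF TXT record.

    Supports the ip4, ip6 and all mechanisms with the +, -, ~ and ? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'permerror'; mechanisms
    that need DNS (include, a, mx, redirect) raise NotImplementedError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                         # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]        # 'all' matches every sender
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"              # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                            # no match, try the next term
        raise NotImplementedError(f"mechanism {mech!r} needs a DNS lookup")
    return "neutral"                            # ran off the end without 'all'


def spoof_blocked(record, sender_ip):
    """Would a receiver that rejects on 'fail' stop this sender? Convenience wrapper."""
    return evaluate_spf(record, sender_ip) == "fail"


if __name__ == "__main__":
    # 192.0.2.25 is one of 'our' relays; 203.0.113.9 is an outside host
    # pretending to be us (both from documentation address ranges).
    for name, record in (("strict", STRICT_RECORD), ("weak", WEAK_RECORD), ("soft", SOFT_RECORD)):
        for sender in ("192.0.2.25", "203.0.113.9", "2001:db8::1"):
            print(f"{name:6} {sender:12} -> {evaluate_spf(record, sender)}")
```

The spoofed sender 203.0.113.9 gets a fail only from the strict record; the +all record authorizes it outright and the ~all record leaves the receiver to decide. That is the practical reason to end your record with -all, and to make sure your own MX actually acts on the result for mail claiming to be from your domain.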