Why Email Authentication Can’t Stop Phish

Jane Wasson |@Area1Security| Area 1 Security

The headlines are full of bad news about data breaches and financial losses that start with phishing emails. For example, a recent phishing attack at MacEwan University in Canada involved a series of fraudulent emails that convinced staff to change electronic banking information for one of the institution’s vendors. This fraud resulted in the transfer of $9.5 million into an account that staff believed belonged to the vendor.

In another case last year, Google and Facebook fell for a targeted phishing attack that collected $100M over a two-year period. This particular campaign involved forged email addresses, invoices, and corporate stamps. The scam tricked employees into believing that they were receiving payment requests from a supplier — when in reality, the payment requests were from a cyber attacker.

The common thread here is fake email. A hacker sends a phishing email that the victim believes to be from a trusted party but in reality came from the criminal.

The unfortunate truth is that email technology was not initially designed to be secure. Hackers use many techniques to send imposter email and trick end users. In response, email security technology has evolved over the years to add sender authentication features meant to protect recipients from fake email. While this helps, it’s clear from the headlines that fake email continues to bypass email authentication defenses and in fact, the entire security infrastructure.

How does this happen, and what can be done to better protect organizations and individuals from phishing attacks that start with fake email?

Fake Email: Techniques Hackers Use

Hackers use several techniques to craft fake email phishing attacks.

• Display name spoofs: Hackers can easily spoof the display name or “From” email field to make it appear that an email comes from an executive or other trusted party.
• Domain spoofs: Hackers can also easily spoof a sender email domain to make it appear that a trusted organization or partner sent an email.
• Look-alike domains: In some cases, hackers establish a domain with a name similar to a trusted organization or a trusted partner’s domain name. This fools recipients into believing that an email comes from a trusted source.

Although the industry is aware of these techniques to deceive recipients, traditional email security technologies still aren’t effective at detecting fake email phish and preventing them from landing in end-user inboxes.

Can Email Authentication Stop Spoofing?

Email security technologies rely on sender authentication techniques to validate an email sender and ensure that sender is who they claim to be. Key authentication techniques include:

• Sender policy framework (SPF): SPF helps identify spoofed email. SPF records indicate which server IP addresses are authorized to send email on a domain’s behalf. When a recipient email server receives an email, it can check the SPF record for the sending domain. This is to verify that the received message sender’s IP address (listed in the message header on most email) is authorized to send email on behalf of the sending domain. The SPF check passes if the domain’s SPF record indicates that the message’s sender IP address is authorized; if not, the check fails.
• DomainKeys Identified Mail (DKIM): DKIM is another email authentication technique that helps prevent spoofing. With DKIM enabled, the sending email server adds a digital signature to outbound message headers. The recipient email server uses the signature and the domain’s public DKIM key to validate the sending domain.
• Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC is another email authentication technique that helps prevent spoofing. The sending domain’s DMARC policy is used by receiving email servers, along with SPF and DKIM check results, to decide if an email should be quarantined, blocked or allowed. By implementing DMARC for your domain, receiving email servers can authenticate email from your domain. They can also recognize and block imposter email pretending to be from your domain. Implementing only SPF or DKIM for a domain is less effective for sender authentication. Without a DMARC policy, if an SPF or DKIM check of an incoming email message fails, it can indicate either that the email: 1) was sent by an imposter; 2) that the sender’s domain record isn’t effectively configured for SPF or DKIM; or 3) that the sender hasn’t kept the configurations up-to-date. In the latter cases, the email may be valid, even though the checks fail. Without a DMARC policy, the receiving server can’t reliably determine from SPF or DKIM checks whether the email is fake or not.

Most email services and security technologies support these email authentication techniques, and security experts strongly recommend implementing DMARC. For sending domains, implementing DMARC is a best practice for organizations that want to protect their brand and ensure that destination email servers trust messages sent from their domain. However, sender authentication alone is not sufficient to protect from inbound fake email phish. These fake email phish still frequently bypass authentication checks. For example:

• Look-alike domains: With look-alike domains, hackers establish a domain with a name similar to a trusted organization’s or trusted partner’s domain. The hacker sets up the domain with SPF, DKIM, and DMARC configured, so that emails sent from the hacker’s domain will pass authentication checks and land in end users’ inboxes undetected. This fools recipients into believing the email is from a trusted source. Hackers often launch and shut down these domains quickly, before reputation databases mark them as malicious.
• Spoofed accounts: Another hacker trick is to establish spoofed accounts with free email services such as Gmail or Yahoo, using a name similar to that of a trusted party. Because many free email service providers implement DMARC, SPF, and DKIM, these spoofed accounts will pass email authentication checks and can land in end-user inboxes and cause harm.
• DMARC adoption: Although DMARC email authentication has been available for several years, adoption is limited. Industry leaders estimate that DMARC policies are implemented in only five percent of domains and only 30 percent of email traffic. Therefore, for 70 percent of inbound email traffic, using DMARC to validate senders and detect fake email phish isn’t possible. This situation leaves a significant security gap.

Email authentication alone, including DMARC, is not sufficient to detect and protect against incoming fake email phish. Not all techniques hackers use to send imposter email, as noted above, are detectable by email authentication technologies. More protection is necessary to defend organizations and users from fake email phish. Specifically, the need is for security technology that is aware of hackers campaigns and infrastructure before a phishing attack launches. With early visibility of compromised or malicious websites and servers, fake email phish originating from hackers can be detected and blocked before they hit user inboxes and impact organizations.

How to Stop Phishing Attacks

Area 1 Security is a pioneer in hunting for, and disabling phishing campaigns before they go live. The Area 1 Horizon™ anti-phishing service stops phishing attacks that other security technologies miss. This service is cloud-based, adds a layer of security that deploys in minutes, and, with our $10 pay-per-phish program, charges no upfront cost. You pay only if we catch malicious phish. Customers confirm that the Area 1 Horizon service protects them from phishing attacks that traditional defenses miss. In the first couple of months after deployment, a Fortune 500 consumer products company found that Area 1 Horizon stopped over 150,000 phishing attempts missed by its traditional security defenses.

Learn more about email authentication and how to effectively shut down fake email phish, including:

• Techniques Hackers Use to Spoof Email
• The Role of Email Authentication
• How to Fortify Your Security Infrastructure to Stop Phish
• How customers in case studies stopped fake emails

Watch the webinar “Why Email Authentication Can’t Stop Phish.”