DMARC: Taking a Bite Out of PhishingPhishing Expert Says E-Mail Authentication Will Help
Phishing attacks are on the rise, and cybercriminals' methods are changing. How can the DMARC initiative help to reduce phishing incidents? Paul Ferguson, vice president of threat intelligence for online security company IID, a member of the Anti-Phishing Working Group, explains.
DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, standardizes how e-mail receivers perform e-mail authentication by providing a uniform reporting practice (see Can DMARC Hook Online Phishers?).
"It's a very good feedback mechanism," says Ferguson, vice president of threat intelligence for online security company IID (Internet Identity), in an interview with Information Security Media Group [transcript below].
DMARC uses identifiers, such as DKIM and SPF, which are used to measure certain criteria within an e-mail. "If certain criteria are not met, [it's] going to reject the message," he says.
Ferguson says phishing attacks are increasing against PCs, Macs and mobile devices. During the first half of 2012, phishing attacks throughout the world were up 12 percent from the first half of 2011, according to the APWG's Global Phishing Survey.
DMARC can sufficiently mitigate phishing risks, Ferguson says. "But for it to have more impact on the whole spam and phishing problem, it needs more wide-scale adoption," he says.
During this interview, Ferguson discusses:
- Challenges organizations and security firms face when it comes to mitigating spear-phishing risks;
- How initiatives such as Domain-based Message Authentication, Reporting and Conformance can reduce phishing;
- Why the growth of social networking has fueled phishing's success.
At IID, Ferguson monitors online traffic patterns and advises client companies about phishing trends and other threats. As a member organization of the APWG, IID works to spread the message about the need for stronger online security to global organizations.
Phishing Attacks Increase
TRACY KITTEN: Back in October, the APWG issued a report about international phishing trends, noting that phishing attacks jumped 12 percent during the first half of 2012, relative to the same period in 2011. Do you expect those comparisons for the second half of 2012, which are still being calculated, to yield similar results?
PAUL FERGUSON: I do expect them to reveal similar results. The threat window - which is the time when the phish are actually active and harvesting credentials from victims that they're targeting - is actually shrinking. That means the time that the phish are actually active is shrinking, and, overall, the volume of phish seems to be shrinking. But it seems like the victimization is actually growing, and I know that's kind of counterintuitive. But it just means that - exactly what you referenced - the phishers and the criminals themselves that are perpetrating these schemes are fine-tuning their methodologies. This is primarily low-hanging fruit for them. They're fine-tuning their methodologies to grow their victim base without using as many resources on their end.
KITTEN: What are phishers doing to enhance their techniques?
FERGUSON: It's not necessarily websites themselves, but actually victim PCs, Macs and things that are being used for botnets, called spambots. They're actually generating the spam. Every day there's a new campaign using a brand impersonation, like sending spam under the guise of the Better Business Bureau, the IRS, a law enforcement agency, UPS or FedEx; and they happen to find the right times of the year when people are more susceptible to falling for those ruses.
Another part of it is websites. There are some websites that are low-hanging fruit with outdated versions of software that are easily compromised by even the least-sophisticated hackers, and they use those sites to perpetrate other crimes, including spamming and phishing.
Compromising Apple Computers
KITTEN: Are we beginning to see more compromises of Apple computers and i-devices? Aren't these systems more secure, or is that just a long-standing misnomer?
FERGUSON: It's absolutely a misnomer. It may have been true at one point in time, but it wasn't because of any technical factor. Criminals are not stupid, and they're going to go after the largest installed base. But what we've been seeing lately is cross-platform software that's operating-system agnostic - things like Java and Flash. We're coming into the HTML 5 era. These are cross-platform technologies that don't really care what the operating system is; they only care what the plug-ins are, the browsers, and things like that. It could be on an Android system; it can be on Linux or Apple/Mac OSX; it could be Windows. These are cross-platform technologies that, while also suffering what I would call the tragedy of the masses, can be used cross-platform, and so the criminals are taking advantage of that to compromise mobile platforms and other operating systems as well.
KITTEN: What would you say is the core vulnerability that this online environment needs to address?
FERGUSON: Poor Internet hygiene - that's what I call it. It's the case of people putting up a website, whatever it is - your own blog in WordPress or a small business putting up a website. It really doesn't matter what it is. It's the core set of technologies, vulnerable extensions and plug-ins to Joomla and WordPress. The people who are using these platforms are not taking proper care to ensure the software versions are current. There's constant background noise on the Internet of people, with bad intentions who are constantly scanning for these vulnerabilities. When they find them, they can use them to inject code, give themselves administrative privileges on these websites, and then use those privileges to perpetrate other crimes, whether it's spamming, phishing, launching denial-of-service attacks or injecting code that redirects people's browsers to other exploit kits. That's really become a huge, huge problem these days, and it's going to take a very large community effort to get the awareness level up to the point where people are not facilitating these crimes unwittingly any further. We have a big task ahead of us.
KITTEN: Would you say that outdated versions of WordPress and Joomla, for instance, are most often to blame for these types of website compromises?
FERGUSON: It varies. It's not necessarily the core software itself. There's a whole laundry list of vulnerable Joomla extensions. It may not necessarily be Joomla, but the plug-ins to Joomla that people use. And there are plug-ins and add-ons to WordPress. A lot of people think about their laptop, their browser or their operating system every "Patch Tuesday," when they have to install updates. But they need to apply that same kind of vigilance, where updates are concerned, to their Web-based software platforms as well, because those are now becoming the compromised vectors of choice. You have to remember a lot of these websites are sitting in data centers with access to a lot of bandwidth. The damage they can inflict on their targets is much larger than some residential broadband user sitting on a cable modem.
Shared Hosting Compromises
KITTEN: Once a legitimate site is overtaken by phishers, exactly how is it used in attacks to compromise shared hosting?
FERGUSON: In any number of ways. In the case of phishing, they can create a phish in a directory somewhere, and once the spam goes out, [it] says, "You have reached the limit on your e-mail box storage. Please click here to enter your password and ID so that we can increase your disk allowance." And then it will redirect them to this template they created on a compromised website somewhere.
The problem that causes is that you have to do much more surgical mitigation. Instead of saying, "I want this domain taken down," you really can't take down the domain or the IP because a lot of this touches shared-hosting environments. You may have one IP address hosting 10,000 domains, and they've gotten access to one or two installations of software and one or two domains in these shared hosting environments. It makes it much more difficult on the mitigation side to make that stuff go away. To get the attention of people responsible for the site, and those who are responsible for the domain, usually requires a little bit more effort.
The people who are perpetrating these crimes understand this, because it maximizes their window of opportunity. It takes longer to respond and it takes longer to mitigate. The criminals know how to maximize a window of opportunity here.
KITTEN: How are social-networking vulnerabilities playing a role in some of these phishing upticks?
FERGUSON: The biggest vulnerability in social networking is the human being. People get used to getting Facebook messages from their friends. Social networking has pretty much trained people to expect messages from people they're following, topics they're interested in, celebrity events, natural disasters. People become accustomed to clicking on shortened links in Twitter and links in Facebook, which may impersonate a friend, topic or things that they may be interested in. That's why we call it social engineering. People get trained into the social-engineering aspect of clicking on things they probably shouldn't, and that's where the whole "Stop.Think.Connect." campaign came into play. We're trying to get people to think before they click. Is this really from my friend? Is this really what I think it is? [Think] instead of just mindlessly clicking on things and having some criminal takeover your PC, your Web server. It's a serious problem and we need to do a better educational campaign overall.
KITTEN: Spear-phishing campaigns continue to be an issue, and banking institutions are often the most targeted, or at least they have been. Is this a trend that you see growing?
FERGUSON: Actually, it's growing, but it's really hard to get visibility into these attacks because they're targeted. They're not just wide-cast nets to get as many victims as possible. And a lot of the targeted campaigns are not necessarily against financial institutions, believe it or not. A lot of them now are business-on-business or nation state-on-business, for intellectual property theft, defense contract [compromise], dissidence and things of that nature, to gain intelligence, competitive advantage or exfiltrate data that may assist them in furthering their own cause, whether it be nationalistic or hacktivist, or for competitive advantage or for blueprints for some new weapon. There's been a really large uptick in those types of spear-phishing attacks in the past couple of years.
Steps to Mitigate Risks
KITTEN: What steps are organizations taking, to mitigate some of these spear-phishing risks?
FERGUSON: One of the messages that we're trying to explain to people is that, from an organizational perspective, you have to know what "normal" looks like in your traffic patterns before you can ever pick out the abnormal. If people are looking at their traffic, analyzing their logs on a daily basis and setting up the proper alarms to flag the abnormal, like authentication failures and traffic going to places or coming from places that is not normal, then they could probably catch some of this stuff a lot faster than they're catching it now.
A lot of these people have been compromised for anywhere from three to nine months before they even find out about it, primarily because they're not looking at their traffic. To understand what abnormal is, you have to know what normal looks like. A lot of folks in the IT space for these organizations will need to put the technology in place that monitors the traffic patterns and monitors their logins in order to understand what normal looks like first, so they then can flag the abnormal occurrences.
KITTEN: How are these attacks varying, and are the targeted organizations different, depending on the country?
FERGUSON: It's not necessarily so much country, per se, as it is culture. For instance, the phishing and malicious attacks that come out of Portuguese-speaking countries are different from those coming out of Chinese-speaking countries, which are different from those coming out of Russian-speaking countries. And those are all different from the attacks we see coming out of Dutch, German, French or English-speaking country. Generally, it's cultural, and their motivations are usually different based on culture. A lot of the Russian/Eastern European propagated crimes are financially motivated. A lot of the ones we're seeing coming out of Chinese-speaking countries are primarily after intellectual property; and the ones seen coming out of other places have their own motivations. Usually you can break that down on language and cultural lines.
KITTEN: Have you found that phishing attacks actually are remaining active longer?
FERGUSON: There's a cyclical deviance here. It comes and it goes, and it comes and it goes. Here at Internet Identity, we've done a lot better on our mitigation times. That means that from the time that a customer alerts us of something that they would like for us to go mitigate, our times have come down on getting them mitigated. But, overall, the lifetime of these attacks is generally fairly short, somewhere between 24 and 72 hours. And, of course, there are always exceptions to the rule. There's always this small group of what we call "immortals," and they're usually in bullet-proof hosting facilities, primarily in Eastern Europe or in places where we don't have a very good country-to-country geopolitical relationship.
KITTEN: Talking about things for the future or ways that we could address some of these vulnerabilities, how would you say that DMARC and the new domain-naming system could help diffuse these types of attacks?
FERGUSON: DMARC is a really good tool, actually. DMARC at least provides a feedback mechanism to the sender domain on a rejection, based on some certain criteria. There are other identifiers in there, such as DKIM and SPF, that are used to say, "If certain criteria are not met, I'm going to reject the message." It then sends a feedback loop back to the sender domain, whether it's been spoofed or not. It's a very good feedback mechanism. But for it to have more impact on the whole spam and phishing problem, it needs more wide-scale adoption. But I'm not sure exactly how that ties into the expansion of the generic top-level domain space, because actually I'm of the opinion that growing the breadth of the top-level domain space is only going to increase the problem.
Trends in 2013
KITTEN: What other trends has the APWG noted in recent months, or at least since the beginning of 2013, that would be of interest here?
FERGUSON: There's a lot of Internet hygiene that needs to go on. I mentioned that earlier, and that's a message that we're really trying to push right now to various constituencies around the world.
Getting out there and doing the awareness will be critical, because the criminals are getting smarter and we need to get smarter, too, and help people understand how they can help not facilitate this type of crime. People don't really understand that if they're not doing proper hygiene at the organizational level on their websites and the infrastructure, then they may actually be facilitating this crime without even knowing it.