Phishing vulnerability is even worse than Gizmodo story shows
It’s remarkably easy to trick people by sending them phish emails, even at the highest levels, as a Gizmodo story this week demonstrated.
The blog’s investigative team set up what could only be described as a very lightweight phishing campaign aimed at members of the Trump administration and people associated with it:
We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs. The emails came from the address firstname.lastname@example.org, but the sender name each one displayed was that of someone who might plausibly email the recipient, such as a colleague, friend, or family member.
Compared to actual phish emails, this is a pretty low-key level of deception. The reporters used the fact that you can put whatever you want in the “display name” or “friendly name” of an email message, so the address looked something like “Donald Trump <email@example.com>”. (If viewed in a desktop Gmail client, that is — on mobile, only the “friendly name” is visible.)
Using this half-fake email address, they crafted an email that imitated a Google Docs invitation, but actually linked to the Gizmodo website. If recipients clicked on the links, the site appeared to request their Google login credentials, but didn’t actually do so: It just delivered a warning instead. There was no attempt to download malware onto their computers, get them to authorize a malicious app, attempt to steal their Google password, or anything else nefarious.
The results were predictable: According to the blog post, many opened the email and more than half the recipients clicked the included link; one of the devices visiting the site went there multiple times.
Nobody actually appeared ready to turn over their passwords, and a couple of the targets replied with messages asking for clarification. (“Don’t want to open without care. What is it?” then-FBI director James Comey wrote in a reply to what he thought was Benjamin Wittes, the editor of LawFareBlog.com.)
Upshot: This campaign wouldn’t have compromised anyone in the administration.
However, it’s easy to imagine a slightly more sophisticated phishing campaign, in which the senders spoofed not just the “friendly name” of the sender, but also spoofed their actual email address which, by the way is really, really easy. According to a recently published report, 56% of phish sent in Q1 of 2017 used domain spoofing.
LawFareBlog, as you can see, does not enforce email authentication. In fact, no attempt has been made to protect this domain from spoofing, as it has neither DMARC nor SPF records configured. If a sender put “Ben Wittes <firstname.lastname@example.org>” in the From field of their email, it would get through to most recipients’ inboxes without a hitch.
Incidentally, the same trick would work for email messages sent with “Donald J. Trump <email@example.com>”, because Whitehouse.gov is similarly unprotected. It has an SPF record, and it’s correctly configured (in contrast to many organizations), but there’s no DMARC record. As a result, receiving email servers will only validate whitehouse.gov if it appears in the Return-Path field of incoming messages, not if it appears in the From field.
Yes, people are sadly all too willing to click on links in inbound email. That’s just human nature.
Most phishing campaigns are more sophisticated than the Gizmodo test, and rely on the weaknesses of un-authenticated email domains like LawFareBlog.com and Whitehouse.gov. Nothing was compromised in the Gizmodo test, but sometimes merely clicking a link is enough for the phishers to deliver a payload to the target’s computer, as Clinton campaign chairman John Podesta learned last year, to his chagrin. So the human willingness to click on links is definitely something to worry about.
Regular training and testing for phishing awareness can help. But an essential component needs to be blocking unauthenticated messages before they reach the inbox through the use of email authentication. That would eliminate more than half of phishing attacks (the 56% using domain spoofing), so the burden on recipients to spot fakes is lower. Since domain spoofs are the hardest type of attacks for end-users to spot, eliminating them enables training programs to be more focused and effective.
In short, it would be essentially impossible for attackers to fake a message from Donald Trump or Benjamin Wittes if their domains implemented and enforced DMARC authentication. And the same goes for your domain.
To find out if your domain is protected by email authentication, click here.