Harvard Kennedy School’s Littauer Building. Photo credit: KAKM on en.wikipedia
A Russian phishing attack used a fake Harvard email address in an attempt to get malware into American think tanks and nonprofits, the Harvard Crimson reports.
The attack shows how effective it can be for phishers to use the exact domain name of organizations that are unprotected by email authentication.
According to the Crimson, the attack, launched after the 2016 election, used a PDF of a paper by Kennedy School Professor Pippa Norris. The paper has the title “Why American Elections Are Flawed.” The attackers inserted malware into the PDF, then sent it to recipients using a faked email address that made it appear as if it came from Harvard’s Faculty of Arts and Sciences (whose emails end with fas.harvard.edu).
The attack reveals a few important things about phishing and email authentication.
Phishers do use same-domain phishing attacks.
This appears to have been a same-domain phishing attack, meaning the attackers used the exact same domain name as Harvard’s, rather than a similar one, like fas.hahvard.edu. Phishers could use either type of attack, but in this case, they used Harvard’s exact domain to their advantage.
Using the Harvard domain gave the malware credibility — and wide distribution.
According to a cybersecurity firm contacted by the Crimson, the “email sent from the fake Harvard address had the ‘widest distribution’ compared to phishing attempts sent through other organizations,” including the Clinton Foundation. That makes sense: Harvard has a tremendous brand, and people are inclined to trust emails sent from harvard.edu.
Phishing attacks are a threat to the spoofed brand.
While Harvard itself and the Kennedy School were not directly hacked, they have potentially suffered from brand damage as a result of it. After the attack, Professor Norris expressed concern about damage to the reputation of her research study, the Electoral Integrity Project. If people are reluctant to click on email messages from her or from fas.harvard.edu, that could hinder the project’s ability to do research and to get the word out about election tampering worldwide.
Alert recipients are the last line of defense against phishing.
Harvard discovered the attack only because individual recipients at the Kennedy School (which is part of Harvard) noticed that the email looked suspicious.
“We were aware of this most recent phishing attempt because a few individuals at HKS received the email (without clicking on the link) and quickly alerted our IT team,” according to a Kennedy School spokesperson quoted in the story.
So training your users is important. However, it’s not as effective as stopping the problem at its source, which brings us to our next point.
DMARC stops attacks like this cold.
If Harvard had set up email authentication using DMARC (including its related standards, DKIM and SPF), the hackers would have gotten nowhere. That’s because with authentication turned on, recipient mail servers would have checked to see whether the sender was an authorized user of the fas.harvard.edu domain. If it wasn’t authorized, the email (and its malware-laced attachment) would never have made it through.
(Note: The receiving email server does need to check for DMARC records and, if one exists, verify the sender. But virtually every major email service provider uses DMARC now — if the sending domain has turned it on.)
What’s more, DMARC’s reports would have alerted the Harvard IT administrators that a phishing attack was underway.
All of that would have happened without ever having to expose any users’ inboxes to the threat.
And does Harvard’s Faculty of Arts and Sciences use DMARC? Not at all, according to ValiMail’s domain checker.
In fact, there is no DMARC record and no SPF record at all for fas.harvard.edu yet.
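As an added example (not code from the post or from ValiMail), here is a minimal model of the check a receiving mail server performs under DMARC, with the DNS answers and the attacker's relay domain as constructed assumptions. It also shows the subdomain inheriting the organizational domain's record, and that a look-alike domain such as fas.hahvard.edu is untouched by Harvard's policy, which is why the attackers could have fallen back to one.

```python
# Added example, not code from the original post or from ValiMail: a minimal model
# of the DMARC check a receiving mail server performs on the From: domain.
# DNS answers come from a constructed dict instead of real DNS queries.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}; None if it is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption: no public-suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, spf_domain, dkim_domain, dns):
    """Return 'no-record', 'pass', or the policy to apply ('none', 'quarantine', 'reject').
    spf_domain / dkim_domain: the domain that passed SPF / the d= of a verified DKIM signature, or None."""
    from_domain = from_domain.lower()
    policy_key = "p"
    record = parse_dmarc(dns.get("_dmarc." + from_domain))
    if record is None and org_domain(from_domain) != from_domain:
        # RFC 7489 fallback: a subdomain inherits the organizational domain's record (sp= if present, else p=).
        record = parse_dmarc(dns.get("_dmarc." + org_domain(from_domain)))
        policy_key = "sp" if record and "sp" in record else "p"
    if record is None:
        return "no-record"   # receiver has no policy to apply; the spoof is delivered as normal mail
    if aligned(from_domain, spf_domain, record.get("aspf", "r")) or aligned(from_domain, dkim_domain, record.get("adkim", "r")):
        return "pass"
    return record.get(policy_key, "none")

def spoof_verdict(dns):
    """The attack in the post: From: fas.harvard.edu, but only the attacker's relay authenticates (constructed name)."""
    return evaluate_dmarc("fas.harvard.edu", "attacker-relay.example", None, dns)

# Constructed zones: the current state (no DMARC or SPF record) and an enforcing record (values invented).
DNS_UNPROTECTED = {}
DNS_ENFORCING = {"_dmarc.fas.harvard.edu": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"}
```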
Finally, this brings us to our last point.
Even Ivy League colleges struggle with email authentication.
Professor Norris got a somewhat confusing response from the Harvard IT team:
“When I asked our security guys, they said, ‘Well, there’s nothing we can actually do about it,’ in the sense that people can obviously download PDFs from wherever they find them and send off false malware. But in some ways it’s not actually a security issue at the Kennedy School.”
Given that email authentication is relatively new, even many security experts are not aware of how it works. Obviously, yes, people can download PDFs from wherever they find them. But the phishing attack would not have been able to use a harvard.edu address to lead people to that PDF if the university had set up email authentication.
Sure, the attackers could have tried to bait think tanks and nonprofits with emails sent from a completely bogus domain that they controlled, like hahvard.edu or something similar, but that would look much more suspicious.
We’re not singling out Harvard’s IT team here. As our recent study has shown, around 70 percent of all organizations that have tried to set up email authentication fail to configure DMARC correctly and completely. That applies no matter what their size or pedigree. It’s just that DMARC, for all its massive benefits, is difficult to implement correctly.