Spoofing emails: The trickery costing businesses billions(bbc.com)
bbc.com
Spoofing emails: The trickery costing businesses billions
https://www.bbc.com/news/technology-49857948
15 comments
What kind of email are they sending you that involves so much PII? Like, what is their angle?
>It was left to cyber-security experts to break the bad news to the firm: emails are not to be trusted.
Well unsigned emails are not to be trusted...
This is another example of people disparaging email while doing it wrong. This sort of thing was totally solved over 20 years ago.
Perhaps we need to do the same sort of thing that is being done with non-tls websites. Have email clients show a flag for anonymous emails. While we are at it we could show a flag for emails sent in the clear as well.
Well unsigned emails are not to be trusted...
This is another example of people disparaging email while doing it wrong. This sort of thing was totally solved over 20 years ago.
Perhaps we need to do the same sort of thing that is being done with non-tls websites. Have email clients show a flag for anonymous emails. While we are at it we could show a flag for emails sent in the clear as well.
When I was in high school one of my friends showed us this affiliate marketing site with some email function where you could send emails impersonating any email address you want. Pretty much the next day we used it to spoof his crush sending him some email hinting she liked him and he wouldn't stop bugging us whether it was real or whether we were spoofing. He went on about it for a whole semester. If only we got a bit creative.
Also that friend was pretty a weird guy but he went onto go to Stanford and is now a co-founder for a large US tech company now which a lot of people here probably use.
Yup. I'm gonna go back to my dead end job now
Also that friend was pretty a weird guy but he went onto go to Stanford and is now a co-founder for a large US tech company now which a lot of people here probably use.
Yup. I'm gonna go back to my dead end job now
I’m surprised more companies haven’t just deprecated internal email entirely for most employees (who don’t otherwise require a public facing one), as workforces have moved more and more to chat systems.
Doesn't DMARC solve this problem?
In my experience, enterprise email systems are pretty paranoid about email that didn't go through them that claims to, as well.
In my experience, enterprise email systems are pretty paranoid about email that didn't go through them that claims to, as well.
DMARC does a great job at stopping direct domain spoofs. Like [email protected] (where company.com is at dmarc p=reject). But it doesn't address display names attacks "Jane CEO <[email protected]>" or as is increasingly the case: compromises of real accounts, even those otherwise protected with DMARC. But everyone should use dmarc, just like websites should use https for the baseline protection.
DMARC solves part of the problem. There are many attack vectors when it comes to email. For a more sophisticated con it is usually much easier to register a domain that looks like the victim domain.
However, the real problem (as what happened with SPF) is that many email services have really, really poor implementation of the RFCs. Most make it impossible to even reach DMARC alignment. If just one of the mail services you use does not meet DMARC requirements, you can't enable DMARC for your domain. The result is that DMARC implementers (the receivers) still need to take DMARC alignment with a grain of salt, and may still pass email even if it does not align.
The biggest part of internet users don't care about security, they just want their email to reach the destination. As long as large email services don't follow the RFCs (expensive 'enterprise' email software vendors are the worst offenders), the receivers cannot implement any kind of strict checking.
However, the real problem (as what happened with SPF) is that many email services have really, really poor implementation of the RFCs. Most make it impossible to even reach DMARC alignment. If just one of the mail services you use does not meet DMARC requirements, you can't enable DMARC for your domain. The result is that DMARC implementers (the receivers) still need to take DMARC alignment with a grain of salt, and may still pass email even if it does not align.
The biggest part of internet users don't care about security, they just want their email to reach the destination. As long as large email services don't follow the RFCs (expensive 'enterprise' email software vendors are the worst offenders), the receivers cannot implement any kind of strict checking.
tl;dr: use PGP.
>but it's hard
If you're doing multi-billion dollar transactions with email as your sole authorization structure, you can afford for it to be hard.
>but it's hard
If you're doing multi-billion dollar transactions with email as your sole authorization structure, you can afford for it to be hard.
The new attacks I've seen, which happened to me directly as well, seem to use more direct methods. Instead of just a blanket phishing e-mail, the e-mail will come in as just being from an "old friend". The e-mail looks legit and the person doing it even puts in efforts to know where you worked in the past or your past history (my guess is they grab this data from facebook or similar social media). They will talk to you and the story they give you sounds completely legit. A lot of the stories they give you do sound legit and will check out but they only check out due to being somewhat vague (like they know where you worked but don't know exactly what you did there). The reason I was targeted is most likely because I used mtgox (the first bitcoin exchange which eventually got hacked - database stolen which included my e-mail address and full name). My guess is they think I have a large stash of bitcoin or similar cryptocurrencies.
The real shocker is they have a scary amount of personal information about you. Some of this data I can only see it coming from hacked databases from compromised websites - date of birth, phone number, full work history, current address etc. among others.