I heard about a phishing email attack on American Express that spoofed top-level domains (TLDs), including the...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
.gov domain; apparently, the attackers exploited a loophole in SPF verification. How did this attack work? Are there specific filters or techniques that can help antispam or antimalware products detect TLDs?
Phishing attackers will continue to try new attack ideas to see what improves their success rates in getting victims to click malicious links or to open malicious attachments in phishing emails. A few victims is all it takes for a phishing email attack to be profitable.
The specific attack you're asking about was created to look like an American Express notification telling a victim that a message is waiting for him at the American Express website. The phishing email is practically identical to a legitimate Amex notification, except it has a link to a compromised website. The email was created to look like it came from a legitimate Amex email addresses, but because Amex implemented DKIM/SPF, the email messages were blocked. However, one of the addresses used looked like it came from a .gov email address, which was not blocked.
Domain Keys Identified Mail (DKIM) is an email validation system that allows a domain administrator to check if incoming email from a domain -- such as americanexpress.com -- actually came from that domain and wasn't modified in transport. Sender Policy Framework (SPF) is another method for a domain administrator to verify an incoming email is from an approved email server. Both approaches use DNS for publishing authorized email servers and can be set up for pretty much any domain name.
However, things are a little different when it comes to .gov top-level domain names. Companies can register most TLDs -- including .com and .org -- to ensure their organization is not spoofed in phishing email attacks. For example, American Express registered TLDs, including americanexpress.com and welcome.aexp.com. Since the SPF and DKIM records are published for these domains, they would fail an antispam check and be quarantined. However, when an antispam system checked an email stating it came from americanexpress.gov, it would return "none" and not fail the check since Amex cannot register .gov domains, only government agencies can. The phishing email could then be delivered to the victim.
There are specific steps that enterprises can use to fight spam and malware. While implementing DKIM and SPF in your enterprise domains is useful, using an email reputation tool like Proofpoint, Barracuda Email Security Service, Cisco Cloud Email Security, and many others can also help identify spam and phishing emails that get past the DKIM and SPF setups.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get advice on addressing gTLD security as domain space expands
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)
Related Q&A from Nick Lewis
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
An Instagram application can be turned into C&C infrastructure with the help of image steganography malware attacks. Expert Nick Lewis explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.