
How can phishing emails spoofing TLDs be avoided?

Attackers have found a loophole in SPF verification and are using the .gov top-level domain to trick users with phishing emails. Expert Nick Lewis explains how to defend against the threat.

I heard about a phishing email attack on American Express that spoofed top-level domains (TLDs), including the .gov domain; apparently, the attackers exploited a loophole in SPF verification. How did this attack work? Are there specific filters or techniques that can help antispam or antimalware products detect TLDs?

Phishing attackers will continue to try new attack ideas to see what improves their success rate in getting victims to click malicious links or open malicious attachments in phishing emails. It only takes a few victims for a phishing email attack to be profitable.

The specific attack you're asking about was built to look like an American Express notification telling the victim that a message is waiting at the American Express website. The phishing email is practically identical to a legitimate Amex notification, except that its link points to a compromised website. Messages forged to appear from legitimate Amex email addresses were blocked, because Amex had implemented DKIM and SPF for those domains. However, one of the sender addresses used looked like it came from a .gov domain, and that message was not blocked.

DomainKeys Identified Mail (DKIM) is an email validation system that lets a receiving mail system verify, using a public key the sending domain publishes in DNS, that a message from a domain such as americanexpress.com was actually sent by that domain and was not modified in transit. Sender Policy Framework (SPF) is another method that lets a receiving system check that an incoming email arrived from a mail server the domain's administrator has approved. Both approaches publish their records in DNS and can be set up for pretty much any domain name.

However, things are a little different when it comes to the .gov top-level domain. Companies can register domain names under most TLDs, including .com and .org, and publish records for them to ensure their organization is not spoofed in phishing email attacks. For example, American Express uses domains such as americanexpress.com and welcome.aexp.com. Because SPF and DKIM records are published for these domains, spoofed messages claiming to come from them fail the antispam check and are quarantined. When an antispam system checked an email claiming to come from americanexpress.gov, though, the SPF lookup returned "none": only government agencies can register .gov domains, so Amex has no such domain and there is no record to check, and a "none" result does not fail the check. The phishing email could then be delivered to the victim.

There are specific steps enterprises can take to fight spam and malware. Implementing DKIM and SPF for your enterprise domains is useful, but an email reputation tool such as Proofpoint, Barracuda Email Security Service, Cisco Cloud Email Security, or one of many others can also help identify spam and phishing emails that get past the DKIM and SPF checks.
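To make the loophole and a receiving-side countermeasure concrete, here is an added example (not from this article, and not the logic of any product named above) that evaluates SPF against a constructed DNS table and then quarantines a "none" result when the sender domain reuses a protected brand label under a TLD that carries no record. The DNS records, IP addresses and brand labels are all constructed for illustration.

```python
import ipaddress

# Constructed DNS TXT table standing in for live lookups (not real records).
# americanexpress.gov is deliberately absent: its SPF result is "none".
DNS_TXT = {
    "americanexpress.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "welcome.aexp.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

# Registrable labels the enterprise wants protected against lookalikes.
BRAND_LABELS = {"americanexpress", "aexp"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Minimal SPF evaluation: handles ip4 mechanisms and the 'all' default only."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"  # no record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    default = "neutral"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            default = QUALIFIER_RESULT[qualifier]
        elif term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER_RESULT[qualifier]
    return default


def classify(from_domain, sender_ip):
    """Return (spf_result, verdict). A 'none' on a brand-lookalike domain is quarantined."""
    result = spf_check(from_domain, sender_ip)
    if result in ("fail", "softfail"):
        return result, "quarantine"
    labels = from_domain.lower().split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    if result == "none" and registrable in BRAND_LABELS:
        # Brand label under a TLD the brand cannot have: treat like a failure.
        return result, "quarantine"
    return result, "deliver"
```

A plain "none" on an unrelated domain still delivers, so the rule only tightens handling for domains that borrow a protected label.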


This was last published in September 2015
