I heard about a phishing email attack on American Express that spoofed top-level domains (TLDs), including the...
.gov domain; apparently, the attackers exploited a loophole in SPF verification. How did this attack work? Are there specific filters or techniques that can help antispam or antimalware products detect TLDs?
Phishing attackers will continue to try new attack ideas to see what improves their success rates in getting victims to click malicious links or to open malicious attachments in phishing emails. A few victims is all it takes for a phishing email attack to be profitable.
The specific attack you're asking about was created to look like an American Express notification telling a victim that a message is waiting for him at the American Express website. The phishing email is practically identical to a legitimate Amex notification, except it has a link to a compromised website. The email was created to look like it came from legitimate Amex email addresses, but because Amex implemented DKIM/SPF, the email messages were blocked. However, one of the addresses used looked like it came from a .gov email address, which was not blocked.
Domain Keys Identified Mail (DKIM) is an email validation system that allows a domain administrator to check if incoming email from a domain -- such as americanexpress.com -- actually came from that domain and wasn't modified in transport. Sender Policy Framework (SPF) is another method for a domain administrator to verify an incoming email is from an approved email server. Both approaches use DNS for publishing authorized email servers and can be set up for pretty much any domain name.
However, things are a little different when it comes to .gov top-level domain names. Companies can register most TLDs -- including .com and .org -- to ensure their organization is not spoofed in phishing email attacks. For example, American Express registered TLDs, including americanexpress.com and welcome.aexp.com. Since the SPF and DKIM records are published for these domains, they would fail an antispam check and be quarantined. However, when an antispam system checked an email stating it came from americanexpress.gov, it would return "none" and not fail the check since Amex cannot register .gov domains, only government agencies can. The phishing email could then be delivered to the victim.
There are specific steps that enterprises can use to fight spam and malware. While implementing DKIM and SPF in your enterprise domains is useful, using an email reputation tool like Proofpoint, Barracuda Email Security Service, Cisco Cloud Email Security, and many others can also help identify spam and phishing emails that get past the DKIM and SPF setups.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Get advice on addressing gTLD security as domain space expands
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading