Spear Phishing Swims Past E-Mail Filters
When it comes to fighting phishers, users may be the best line of defense. In an experiment, penetration-testing company PacketFocus initiated a spear phishing attack that it says popular e-mail services and appliances -- such as Microsoft Outlook 2007, Verizon Email Cloud Filtering and Cisco IronPort -- failed to filter. Detailed in a report here, the experiment was conducted in September with the intent of determining the effectiveness of e-mail security controls. Unless you are a phisher, the results were not good. "It's a problem in SMTP," said Joshua Perrymon, CEO of PacketFocus. "I just wanted to show that none of the current e-mail security protection controls (cloud, e-mail security software, e-mail security appliance, e-mail gateway, desktop software, e-mail clients, smartphones) can correctly identify or protect against a directed phishing attack. The core problem is with SMTP itself and the general idea of 'operations before security.'" In his test, Perrymon sent a fake LinkedIn e-mail designed to resemble a legitimate LinkedIn invite from Microsoft Chairman Bill Gates. The fake invite spelled LinkedIn as "LinkedIN" in the "from" field of the message. According to Perrymon, he was able to get the spoofed message around filters 100 percent of the time. "Technically, SMTP can do nothing to protect against these attacks," he said. "It doesn't provide authentication and is easily spoofed. If you look at marketing e-mails, 99 percent of them are designed just like a phishing attack. They are spoofed, contain links to different domains, track users, harvest user data, etc. So to technically protect against phishing attacks will break e-mail marketing." Many users don't know how to identify a real phishing attack, he continued. "I would recommend training often and through a variety of mediums," Perrymon said. "Adult learning is not my specialty, but my readings suggest that SCORM-compliant online training is the way to go ... Companies also need a portal or application that allows users to report potential attacks. This creates awareness, and also provides a paper trail for auditing." As for vendors, they need to determine an effective way to quarantine spoofed e-mails and cannot rely on blacklists, he said. "The mail server has to stop the attacks from getting delivered," he said. "If it doesn't, then the e-mail client has to. If that doesn't work, then the browser is the last line of defense ... I mean, how hard is it for vendors to perform a lookup on link domains to determine how long they have been registered? This is itself would mitigate much of the risk." |
Comments (2)
I would disagree - some email security companies like the one provided by Proofpoint can provide better pretection versus spear phishing and phishing attacks. They have actual built in a phish score into their spam classifications and can adjust the scaling to be more effective versus attacks like this. Their Spam technology is built out different then other solutions in the space like those mentioned in the article as well. They leverage a learning technology that udpates your system around the clock and gets more intelligent over time. I would recommend checking them out at www.proofpoint.com
Posted by Robert Gerner | January 6, 2010 11:03 PM
Hey Robert,
I understand your comment as your work for Proofpoint. But the truth is, nobody is really stopping directed attacks with technology. SMTP is the root probleme here, so you can only do so much.
Contact me at packetfocus.com as I would like to test ProofPoints email security solution to see if it does what you say.
Posted by Josh Perrymon | January 25, 2010 2:02 PM