Modern spoof mail attacks and phishing mail attacks are sophisticated attacks. They consist of several "parts" and exploit both the weaknesses of our mail infrastructure and the weaknesses of our users (the human factor, which the attacker exploits using social engineering). The "solution" we are looking for is therefore a combination of solutions, a "logical fan of solutions," in which each part deals with a different element of the phishing mail attack and its derivative, the spoof mail attack.
The first and most important step is the need for "acknowledgment":
- The acknowledgment that spoof mail attacks and phishing mail attacks are sophisticated and include many "moving parts."
- The acknowledgment that we must learn to think like the attacker and understand the DNA and the characteristics of spoof mail attacks and phishing mail attacks.
- The acknowledgment that the "solution" will be a combination of technical solutions, guidelines, education and so on.
Before we get into the specific details and the different options we can use for dealing with spoof mail attacks and phishing mail attacks, here is a quick reference to the "structure" we need to use:
The phishing mail attack exploits the weakness of the human factor by:
- Using a spoofed identity of a trusted sender.
- Using a social engineering method to convince and seduce the victim (our users) to "do something."
The first thing we need to deal with is the phenomenon of "spoof E-mail."
Luckily, there are currently a couple of mail standards we can use to implement and enforce a process that identifies most spoof E-mail scenarios.
The second thing we need to deal with is our users' education: making our users aware of the risks and characteristics of phishing mail attacks, so they have the ability to recognize a phishing mail.
The third thing we need to deal with is the "way," or the method, in which the phishing mail attack is actualized.
The "channels" that the attacker who executes a phishing mail attack uses against his victims are:
- Using a malware file: seducing the victim to open a seemingly innocent file (malware).
- Using a phishing website: luring the victim to download and open a seemingly innocent file (malware), to provide personal information (password, bank account, etc.) or to deposit a sum of money into the attacker's bank account.
To mitigate these risks, we need a protection mechanism that can identify and block the specific malware, and also a protection mechanism that can identify and block "problematic URLs" (links that lead our users to phishing websites).
As we know, the spoof mail attack is one of the main characteristics of a phishing mail attack.
For this reason, we need to implement a solution in which our mail infrastructure uses a sender verification process.
Each time a sender addresses our mail infrastructure, our mail infrastructure performs a verification check, so we can be sure that the sender really is who he claims to be.
In other words, we use a protection mechanism that identifies (and blocks) E-mail messages with a spoofed sender identity: a scenario in which a hostile element pretends to be one of our legitimate users, or a legitimate sender from another organization.
The good news is that there are currently a couple of mail security standards created for the purpose of verifying sender identity: SPF, DKIM and DMARC. Note that they verify different identities: SPF checks the domain of the envelope sender (the SMTP MAIL FROM) against the IP addresses that domain has published in DNS, DKIM checks a cryptographic signature that the sending domain added to the message, and DMARC ties both results to the domain in the visible From header (the one the user actually sees) and publishes what the receiver should do when the check fails (none, quarantine or reject). A spoofed message can easily pass SPF for the attacker's own envelope domain; it is the DMARC alignment with the From header that catches it.
In addition, if your mail infrastructure is based on Exchange architecture, we can use an additional option for verifying sender identity: distinguishing authenticated from non-authenticated (anonymous) senders who use our organization's domain name.
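To make the sender-verification flow concrete, here is an added example (my own illustration, not part of the original article and not the code of any mail product) of how a receiving mail server evaluates SPF for the envelope sender and then applies the DMARC policy of the domain in the visible From header. The DNS records, domain names and addresses in FAKE_DNS_TXT are constructed for the example; a real implementation would query DNS, handle the remaining SPF mechanisms (a, mx, exists, redirect), evaluate DKIM as well, and use the Public Suffix List for relaxed alignment.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups. The domains and
# addresses are assumptions for the example (documentation ranges only).
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=r"],
    "bulk.example.com": ["v=spf1 include:example.com -all"],
}

def lookup_txt(name):
    return FAKE_DNS_TXT.get(name.lower(), [])

def spf_record(domain):
    for txt in lookup_txt(domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, depth=0):
    """Simplified SPF (RFC 7208) evaluation of the envelope MAIL FROM domain.

    Supports ip4, ip6, include and all; any other mechanism yields 'permerror'.
    """
    if depth > 10:
        return "permerror"            # guard against include loops
    record = spf_record(domain)
    if record is None:
        return "none"                 # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # An address of the other family is never "in" the network, so this is safe
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mechanism == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"        # a, mx, exists, redirect= are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                  # nothing matched and no 'all' term present

def dmarc_record(header_from_domain):
    """Parse the _dmarc TXT record of the visible From domain into a tag dict."""
    for txt in lookup_txt("_dmarc." + header_from_domain):
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in txt.split(";"):
                key, sep, value = kv.partition("=")
                if sep:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    needs the same organisational domain, approximated here by the last two
    labels (a real implementation consults the Public Suffix List)."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    return a.split(".")[-2:] == b.split(".")[-2:]

def evaluate_message(client_ip, mail_from_domain, header_from_domain):
    """Combine SPF on the envelope sender with DMARC alignment on the header From.
    DKIM is not modelled, so DMARC can pass only through aligned SPF."""
    spf = check_spf(client_ip, mail_from_domain)
    policy = dmarc_record(header_from_domain)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "action": "accept"}
    if spf == "pass" and aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r")):
        return {"spf": spf, "dmarc": "pass", "action": "accept"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
    return {"spf": spf, "dmarc": "fail", "action": action}

if __name__ == "__main__":
    # Legitimate mail from the published range, then a spoof from the attacker's server
    print(evaluate_message("203.0.113.5", "example.com", "example.com"))
    print(evaluate_message("192.0.2.7", "attacker.test", "example.com"))
```

The second call in the `__main__` block is the spoof scenario the article describes: the attacker's server sends with its own envelope domain (which has no SPF record at all) but writes example.com in the From header. SPF alone says nothing useful ("none"); only the DMARC alignment check on the visible From domain, combined with the published p=reject, turns the message into a rejection.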
Using a spam mail filter
For the sake of full disclosure, I don't think a spam mail filter is very useful for identifying phishing mail, because phishing mail is not spam mail.
Only when the phishing mail also has the characteristics of spam mail can the spam mail filter identify such an E-mail message.
Another scenario in which the spam filter can be useful is when the particular phishing mail attack has already been recognized as a phishing mail attack, and the distinct characteristics of the E-mail message (its signature) appear in the signature database of "well-known problematic E-mail messages."
It's recommended to use a spam mail filter, but we should not treat the spam filter as the "ultimate solution" for phishing mail attacks.
Dealing with E-mail attachments
Many times, the phishing mail attack is implemented by an E-mail message that includes a malware attachment that appears as an innocent file.
1. Implementing malware mail filters.
The purpose of the malware mail filters, as the name implies, is to detect malware that appears as an E-mail attachment.
Case 1 – Phishing mail attack that includes zero-day malware
The major disadvantage of the "standard malware mail filters" is their inability to cope with a zero-day attack. The term zero-day attack describes a "new attack" that has not yet been recognized, classified and registered in the well-known attack databases (it has no signature).
The standard malware mail filter detects E-mail malware based on a signature database that "documents" known malware signatures. For this reason, the standard malware mail filter cannot deal with a zero-day attack.
In simple words, it cannot detect "new malware" whose particular signature does not appear in the database of identified malware.
Case 2 – Malware that is not delivered as an E-mail attachment
In many phishing mail attacks, the malware does not appear as an E-mail attachment. Instead, the victim is seduced to click on a link that leads him to the hostile website and is then asked to download a particular file (the malware). In this scenario, the malware mail filter is not involved in the process and cannot detect the malware.
2. Implementing an E-mail attachment policy.
The advice of "implementing a mail attachment policy" that blocks particular types of E-mail attachment, such as executable files, is good advice, and not just for the scenario of dealing with a phishing mail attack.
The main problem is that, most of the time, a phishing mail attack that has an attachment will use an innocent type of file, such as Microsoft Office files (Word, Excel, etc.).
The main problem we are facing is that, most of the time, we cannot define a mail attachment policy that blocks "standard" E-mail attachments such as a Word document.
This is the weak spot exploited by the hostile element that sends the "innocent attachment." Note also that a policy that looks only at the file extension is easy to evade: the attacker can rename an executable to "invoice.pdf", hide the real extension with a right-to-left override character in the file name, or rename a legacy .doc file (which can carry macros) to .docx so that it passes a rule that allows .docx. The policy should therefore inspect the actual content of the attachment, not just its name.
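As an added illustration (my own code, not from the article), the following Python check shows what "inspect the content, not just the name" means for an attachment policy: it blocks by extension, sniffs the leading bytes to catch an executable renamed to .pdf, catches a legacy binary Office file renamed to .docx, and refuses file names containing bidirectional override characters. The extension list, the sample file names and the sample bytes are constructed for the example and are not real files.

```python
import re

# Constructed policy for the example: extensions the gateway refuses outright
# (assumption: a typical, not exhaustive, list).
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "ps1", "msi", "jar", "lnk"}

# Leading bytes that identify a file regardless of what its name claims
MAGIC = [
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip"),                                  # also OOXML and JAR
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # legacy .doc/.xls/.ppt
    (b"%PDF", "pdf"),
]

# What a well-formed file with this extension must look like on the inside
EXPECTED_KIND = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
                 "docm": "zip", "xlsm": "zip", "zip": "zip",
                 "doc": "ole-compound", "xls": "ole-compound", "ppt": "ole-compound"}

# Unicode bidi controls; U+202E makes 'invoice\u202efdp.exe' render as 'invoiceexe.pdf'
BIDI_OVERRIDES = re.compile("[\u202a-\u202e\u2066-\u2069]")

def sniff(data):
    """Return the content kind implied by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def final_extension(filename):
    name = filename.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def evaluate_attachment(filename, data):
    """Apply the attachment policy to one file. Returns (verdict, reason)."""
    if BIDI_OVERRIDES.search(filename):
        return "block", "bidirectional override character in filename"
    ext = final_extension(filename)
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension .{ext}"
    if kind in ("windows-executable", "elf-executable"):
        return "block", f"content is a {kind} although the name is {filename!r}"
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        return "block", f".{ext} name but {kind} content (renamed file)"
    return "allow", f"{kind} content with extension .{ext or '(none)'}"

# Constructed sample attachments (the bytes are minimal headers, not real files)
SAMPLES = [
    ("setup.exe",            b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf",          b"MZ\x90\x00\x03\x00"),                # executable renamed
    ("report.pdf",           b"%PDF-1.7\n%..."),
    ("notes.docx",           b"PK\x03\x04\x14\x00"),
    ("quarterly.docx",       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # .doc renamed to .docx
    ("invoice\u202efdp.exe", b"MZ\x90\x00\x03\x00"),                # shows as invoiceexe.pdf
]

def run_policy(samples=SAMPLES):
    """Evaluate every sample and map file name to (verdict, reason)."""
    return {name: evaluate_attachment(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in run_policy().items():
        print(f"{name!r}: {verdict[0]} ({verdict[1]})")
```

The check deliberately does not allow an attachment just because the extension is "innocent": the content kind must agree with the extension, and an executable header blocks the file whatever it is called. Whether an allowed Office file contains macros is a separate question, handled further below.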
3. Implementing “sandbox” solutions.
One of the most frustrating and challenging security threats is the subject of the zero-day attack.
The simple meaning of this term is a "new type of malware" distributed by hostile elements that is considered "unknown malware," meaning that the security and defense systems that should protect our infrastructure from this particular malware are not aware of its existence.
The solution for a zero-day attack is a technology (offered by a couple of manufacturers) that was built to deal with this problem by implementing a mechanism named "sandbox."
The concept of "sandbox" is implemented in the following way:
When an E-mail that includes an attachment is sent to a destination recipient protected by a security gateway that uses the "sandbox" mechanism, the E-mail is not delivered directly to the destination recipient but is instead "intercepted" by the security gateway.
The security gateway simulates the exact actions the end user was supposed to perform, such as opening the E-mail message and opening the attachment (double-clicking the file).
The "activation" of the attached file is executed in a dedicated and isolated execution environment (this is the meaning of the term sandbox), typically a disposable virtual machine, where the file's behavior (processes started, files written, registry changes, network connections) is observed before a verdict is given. Keep in mind that this is not a perfect solution either: malware can detect that it is running inside a sandbox, or simply delay its malicious behavior, and stay dormant until it reaches a real user's desktop.
Implementing a URL verification mechanism.
A very common method used in a phishing mail attack is to infect the victim's desktop with malware or hostile code using a "smart process" that consists of two or three steps.
The first step is to convince the victim to "do something" by clicking on a particular link that leads him to a website that hosts the malware.
The victim then needs to download the file and open it (the malware).
This method enables the attacker to bypass existing malware filters, because the malware does not appear as part of the E-mail message.
The only way to deal with this "bypass method" is to implement a security mail filter that verifies the URL addresses that appear in the E-mail message, deciding whether a particular URL is a legitimate URL address or a hostile URL address such as a phishing website.
The security mail filter that verifies URL addresses can implement the verification process using two methods:
1. URL address database
Using a database that includes information about "problematic websites" or "dangerous websites," such as phishing websites or websites that have been compromised.
2. Simulating access to the specific website instead of the "original user"
A process in which the "URL filter" accesses the URL address included in the E-mail message before the recipient reads the E-mail, and checks whether the website looks like a legitimate website or a website that attempts to manipulate the user's desktop by exploiting an existing vulnerability.
An example of such a "URL verification filter" is the Microsoft technology offered on top of EOP (Exchange Online Protection) by the feature named ATP (Advanced Threat Protection, since renamed Microsoft Defender for Office 365), which includes a component called Safe Links.
The purpose of this technology is to add an additional layer of security in which the mail security gateway (the EOP infrastructure) checks and verifies each URL address (link) that appears in the E-mail message, and verifies that the "destination website" is a legitimate website and not one flagged as problematic. Safe Links does this by rewriting the links in the message so that they point at Microsoft's checking service, which evaluates the original destination at the time the user clicks rather than only at delivery time. This matters because an attacker can register a clean domain, let it pass the delivery-time check, and only later point it at the phishing page.
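The following added example (my own code, not Microsoft's and not the article's) implements the first of the two methods, the database lookup, together with a few structural checks that a URL filter can apply without any database at all, and shows how a link is rewritten so that it can be re-checked at click time. The blocklist, the sample HTML body and the checker endpoint `urlcheck.gateway.example` are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Constructed reputation data standing in for a real URL database (assumption)
KNOWN_BAD_HOSTS = {"login-secure-bank.example.net", "update.invoice-portal.test"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links

def same_site(host_a, host_b):
    # Organisational-domain match approximated by the last two labels
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]

# A host name that the link text shows to the user, if it shows one at all
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

def classify_url(href, text):
    """Return the reasons a link is suspicious; an empty list means no finding."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append("non-web scheme")
    if host in KNOWN_BAD_HOSTS:
        reasons.append("host is on the blocklist")
    if parts.username is not None:
        # https://www.bank.example@203.0.113.9/ : everything before '@' is ignored
        reasons.append("userinfo in URL disguises the real host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    shown = HOST_IN_TEXT.search(text.lower())
    if shown and host and not same_site(shown.group(1), host):
        reasons.append(f"text shows {shown.group(1)} but target is {host}")
    return reasons

def rewrite_for_click_time_check(href, checker="https://urlcheck.gateway.example/v1"):
    """Wrap the original link the way a time-of-click verifier does (hypothetical
    checker endpoint): the gateway re-evaluates the destination when clicked."""
    return f"{checker}?url={quote(href, safe='')}"

def scan_body(html):
    """Return [(href, reasons)] for every link in the message body."""
    return [(href, classify_url(href, text)) for href, text in extract_links(html)]

# Constructed phishing-style body used as sample input
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Please <a href="http://login-secure-bank.example.net/verify">verify your account</a>
within 24 hours.</p>
<p>Or sign in at <a href="https://www.bank.example@203.0.113.9/login">https://www.bank.example/login</a></p>
<p>Read our <a href="https://www.bank.example/policy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_body(SAMPLE_BODY):
        print(href, "->", reasons or "clean", "|", rewrite_for_click_time_check(href))
```

The second link in the sample is the interesting one: the text shows the bank's address, the URL even starts with the bank's name, but everything before the "@" is userinfo and the browser connects to the raw IP address after it. None of that needs a database to detect; the blocklist catches the first link only because it is already known.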
Notice that I didn't use the common term "user education," because the subject of "education" relates to different elements of the ecosystem:
1. Our education
Most of us (IT persons) have the misleading sense that we know everything about mail security and the different types of mail threats, such as spoof mail attacks and phishing mail attacks.
The simple truth is that we don't.
Let's make it simple: the purpose of the current "boring article series" is to make you understand that the subject of spoof mail attacks and phishing mail attacks is not so simple, and that there is a lot of information we should learn about this subject.
2. Management education
When I use the term "management education," I am referring to the concept of "management commitment."
The concept of "management commitment" must be realized in the following ways:
- The acknowledgment that spoof mail attacks and phishing mail attacks could cause serious damage.
- The acknowledgment that there is no "magic solution" to this risk, but instead a combination of different solutions.
- The acknowledgment that there is no "magic solution" that will block 100% of spoofing or phishing attacks.
Management will need to commit to the simple fact that it needs to allocate the required resources (time, money, education and so on).
3. Users' education
Because the phishing mail attack is so sophisticated and hard to detect, one of the most practical tools we can use in dealing with this risk is to make our users aware of this threat.
Teach them about the specific characteristics of spoof E-mail attacks and phishing mail attacks, show them examples of spoof E-mail or phishing mail, and so on.
The outcome of acknowledging the great importance of educating our users about spoof E-mail attacks and phishing mail attacks is the user awareness program.
E- Dealing with a Spoof mail attack and Phishing mail attacks effectively | Client side security
In this section, I would like to review the "client side" of the formula.
In the event of spoof E-mail attacks or phishing mail attacks, we can use "client side" mechanisms that help us deal with this problem.
1. Using antivirus
Most of the common antivirus clients were not created to identify a spoof E-mail event.
The main benefit of the antivirus client is in a scenario in which the phishing mail seduces the user to download and open a malware file, and the malware manages to slip past the "server side" defense systems.
For example, a scenario in which the antivirus client can be useful is one in which the user downloads malware from a particular URL address that appears in the E-mail message (a phishing website).
In this scenario, the antivirus client provides an additional layer of protection, because the mail security gateway is useful when the malware appears as part of the E-mail message, and not in a scenario in which the user uses his browser to download the malware to his desktop.
2. Using an additional desktop "smart defense mechanism"
As mentioned, antivirus software is useful for detecting "well-known malware." The problem is zero-day malware, whose signature is not listed.
The solution for this "blind spot" is a "smart client" that has the capability to identify programs that behave strangely or improperly, or an "anomaly" scenario in which a particular process or service behaves strangely.
There is no specific name for this feature, because each provider of "desktop security products" uses different names or terms (behavioral detection, exploit protection and endpoint detection and response are common ones).
An example of such a solution is a desktop security product that includes a host IDS/IPS (intrusion detection system / intrusion prevention system) that can identify and detect software components that do not behave in a legitimate way.
3. Hardening the policy related to Microsoft Office documents, such as disabling macros
- Some of the malware will appear as an E-mail attachment and some won't.
- Some of the malware will appear as an E-mail attachment that is an executable file and some won't.
What is my point?
My point is that in a "perfect scenario," the malware is implemented as an executable file that is recognized by the malware filter as malware and blocked.
Most of the time, the attacker who uses a phishing mail attack is a professional who will make the required effort to make our life difficult, by using attachments that appear as legitimate files such as Microsoft Office files.
The malware is "hidden" in the Office document as a macro, and executes when the user opens the file (more precisely, when the user clicks "Enable Content" after the macro security warning, which is exactly what the social-engineering text inside the document is written to make him do).
Besides implementing a mechanism that can perform a "sandbox" verification test, one of the simplest solutions we can implement is to configure and enforce a policy (for example through the Office Group Policy settings) that prevents our users from using Microsoft Office documents that include macros, or at least blocks macros in documents that arrived from the Internet.
If your mind now says something like "I cannot do it, some of my users must use documents with macros!"
My answer is: it's your decision; you need to weigh the business need against the security need and make the right decision. A middle ground that usually works is to allow only macros signed by a trusted publisher and block all others, so that the business documents keep working while the attacker's unsigned macro does not run.
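As an added example (my own code, not the article's) of enforcing a "no macros" policy at the mail gateway rather than only on the desktop, the following Python function inspects an Office attachment and reports whether it carries a VBA project; it also addresses the weak spot discussed in the attachment-policy section above, a macro document that arrives under an "innocent" name. `build_ooxml` constructs minimal zip containers that stand in for real documents (they are not files Word would open); the check itself is the same for real .docx/.docm/.xlsx/.xlsm files, which are zip archives with the same part names.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx/.docm/.xlsx/.xlsm

MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def build_ooxml(with_vba, declared_macro_enabled=None):
    """Constructed minimal OOXML container for the example: only the parts the
    policy check looks at. declared_macro_enabled defaults to with_vba, so the
    two can be set apart to mimic a document whose declaration lies."""
    if declared_macro_enabled is None:
        declared_macro_enabled = with_vba
    main_type = MACRO_MAIN_TYPE if declared_macro_enabled else PLAIN_MAIN_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0vba")  # placeholder bytes
    return buf.getvalue()

def macro_policy_verdict(data):
    """Decide whether an Office attachment may pass a 'no macros' policy.
    Returns (verdict, reason)."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                content_types = (z.read("[Content_Types].xml")
                                 if "[Content_Types].xml" in names else b"")
        except zipfile.BadZipFile:
            return "block", "corrupt zip container"
        # Word, Excel and PowerPoint all store VBA in a part named vbaProject.bin
        # (word/, xl/ or ppt/), whatever the file's extension says
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "block", "OOXML document carries a VBA project"
        if b"macroEnabled" in content_types:
            return "block", "declared macro-enabled content type"
        return "allow", "OOXML document without VBA project"
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats keep macros inside OLE storages; reading them needs
        # an OLE parser (e.g. oletools), so a strict policy blocks them outright
        return "block", "legacy OLE format; macros cannot be excluded without OLE parsing"
    return "allow", "not an Office container"

if __name__ == "__main__":
    for label, sample in [("plain .docx", build_ooxml(False)),
                          ("macro document", build_ooxml(True)),
                          ("macro document declared as plain", build_ooxml(True, False)),
                          ("legacy .doc", OLE_MAGIC + b"\x00" * 8)]:
        print(f"{label}: {macro_policy_verdict(sample)}")
```

The verdict is driven by the presence of the VBA part, not by the declared content type or the file extension, because those are under the attacker's control; the content-type check only adds a second signal. A document that the policy blocks but the business needs can then go through the signed-macro exception discussed above, rather than being allowed through unchecked.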