Alan Fields - CISO @ Akzonobel - E-mail enabled fraud

Upload: inspired-business-media

Post on 22-Jan-2018

Page 1: Alan Fields - CISO @ Akzonobel - E-mail enabled fraud

E-MAIL ENABLED FRAUD

Page 2

WHO AM I

One of the Global Corporate Information Security Officers within the Security and Compliance team working within the Office of the CIO.

I am not a PowerPoint Guru (I have a life) so apologies for my bland, non-branded black on white slides.

Page 3

What will I cover

• In the short time available I will only be touching on the high-level aspects related to e-mail enabled fraud.

• I apologise if at some point I drop down to some random technical detail.

• To do the subject real justice more time is needed.

• I am more than happy to discuss details later.

Page 4

What does a fraudster look like

• With acknowledgement to Barclays Bank, this is an awareness video for their SME customers which can be found on YouTube. It shows a fraudster's sentiments quite nicely…

• Length 2.5 minutes

• Male Persona - https://www.youtube.com/watch?v=-PQ_UN5tN2Y

• Female Persona - https://www.youtube.com/watch?v=eLRGG7oyrdA

• Female Persona (subtitled) - https://www.youtube.com/watch?v=HLiy_nQLJP0

Page 5

E-MAIL ENABLED FRAUD

What is it?

• It is nothing new…

• It has other names: Business Email Compromise (BEC)

• It is just a new-age spin on “good” old traditional social engineering being used to enable a fraudulent activity to be executed.

• Suggested reading

– The autobiographies of the likes of Frank Abagnale and Kevin Mitnick

– “The Art of Deception”, “The Art of Intrusion”, “Social Engineering”.

Page 6

Some samples of typical BEC

Hi xxxxx,

Are you in the office? I'll be unable to call in or take your call if necessary as I expect to be in meetings all day. < Name of CEO> has asked me to send over a due invoice which was billed to your branch for payment. Items are already being shipped.

Can this be included in your payment run for today?

Please revert back at the earliest so I can email you more details including the shipping document and order invoice.

Kind regards,

<Name of CFO>

Sent from my iPad

Page 7

Some samples

• Typical wording seen… Next in the chain if the first one is responded to

Hi xxxxxxxx

There is an overdue invoice that needs to be paid to a supplier in Hong Kong and CEO <CEO name> wants the payment to be handled today unfailingly. The invoice amount is 550,000.00 EUR. I will send more documentation as soon as he makes them available to me.

Could you please copy the authorized person in the account department so that the invoice can be sent and the payment can be made. How long will it take the supplier to receive the funds if the bank sends it today by wire transfer? I have the invoice and the supplier bank details now, please reply quickly so I can forward the invoice for payment.

Kind regards,

<CFO-name>

Page 8

Some other samples

Hello xxxxxxx,

Have you got a minute ? I am currently tied up in a meeting and we need to carry out an urgent Invoice payment <CEO name> requires us to pay for today. Let me know if you can handle it so that I can convey information to you. I'm sorry i cant take or make calls at the moment. Thanks.

Sincerely<CFO First Name>

Sent from my iPhone

Page 9

Some Other samples

Hi Bignell,

Are you at desk, Can you process a wire transfer today ?

Regards,

<CEO-Name>

Chief Executive Officer, Chairman of the Board of

Management and the Executive Committee

Sent from my Verizon Wireless Phone

Page 10

Some Other samples

Donna,

Are you there? I need your assistance.

Thank You

<CEO-Name>

Chief Executive Officer

8005 Tabler Rd

Morris, IL 60450-9184

Page 11

Some Other samples

Good morning John,

<lawyer-name> is handling an important case for us. I asked her to get in touch with you. Did she call you yesterday?

Sent from my iPhone

Page 12

Some Other samples

Recon mail

Silvia

How are you? I tried to reach you on your mobile.

I need you to arrange a Telegraphic Transfer today. Let me know the required details and if this can be done today.

e-mail me.

awaits your mail.

Regards,

<CEO-Name>

Page 13

Whose risk

• It's more than the fraud mails coming into your own organisation.

• It's mails to your customers and vendors which you do not see.

– Supply Chain Fraud

• Impact – Financial, Reputational, Brand image loss

Page 14

WHY IS IT SO EASY.

• Most people are weak…

– Inherently want to trust

– Want to please

– Pressured to meet “unrealistic” deadlines.

– Believe systems are secure.

– Publish too much information on themselves

- How many of you here today have put something on Facebook or Twitter about attending this conference… Or what have your family or colleagues published?

Page 15

WHY IS IT SO EASY.

With a researched target, fraud mails can be made to look quite plausible.

Combine this with suitable timing, when defences are down, and the probability of someone responding increases.

Compare the e-mails you receive through a mobile device/tablet with the same mails in your PC e-mail client.

What is the weakness?

Page 16

The Mobile problem

• Display names vs full e-mail address.

• Most smart devices have limited screen space so they tend to keep text down to a minimum.

• Most email apps only display the Display Name, which is easily manipulated in an email, so the user does not necessarily see the true reply-to mail address.

• Hence it is easy to mask the source.

Page 17

Mail seen by Customers

Customers/suppliers who have been subjected to a successful fraud are quite sensitive about it.

They rarely share copies of the e-mails used.

It is a loss-of-face problem…

Where I have been able to get my hands on sample mails I have been able to show the mails were not genuine based on addressing and steganographic fingerprints of the images used in signatures or content. MD5s are your friend.

In some cases it is believed the customer e-mail service has been compromised, especially those who use a webmail interface with weak passwords and no second-factor authentication.

In these cases the fraudster has read e-mails to gain enough social information to be well informed, or even sends the actual mails directly.
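The MD5 image-fingerprint check described above, as an added Python example that is not part of the original deck; the two messages and their logo bytes are constructed samples, and the supplier/customer domains are placeholders:

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample(logo: bytes, body: str) -> bytes:
    """Constructed sample mail with an attached signature logo (example data, not a real customer mail)."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@supplier.example>"
    msg["To"] = "ap@customer.example"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(logo, maintype="image", subtype="png", filename="logo.png")
    return msg.as_bytes()


def image_fingerprints(raw: bytes) -> dict:
    """Map each image/* part of a raw RFC 5322 message to the MD5 of its decoded bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    prints = {}
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or part.get("Content-ID", "inline")
        prints[name] = hashlib.md5(part.get_payload(decode=True)).hexdigest()
    return prints


def compare_with_known(raw: bytes, known: dict) -> dict:
    """Per image: 'known' (hash matches), 'altered' (same name, different bytes) or 'unseen'."""
    verdicts = {}
    for name, digest in image_fingerprints(raw).items():
        if known.get(name) == digest:
            verdicts[name] = "known"
        elif name in known:
            verdicts[name] = "altered"
        else:
            verdicts[name] = "unseen"
    return verdicts


# Reference fingerprints come from a message you trust; the suspect mail reuses the
# supplier's signature wording but its re-saved logo no longer hashes the same.
GENUINE = build_sample(b"\x89PNG constructed genuine logo bytes", "Invoice attached as agreed.")
SUSPECT = build_sample(b"\x89PNG constructed re-saved logo bytes", "Our bank details have changed.")
KNOWN = image_fingerprints(GENUINE)

if __name__ == "__main__":
    print(compare_with_known(GENUINE, KNOWN), compare_with_known(SUSPECT, KNOWN))
```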

Page 18

What can we do

• End-user education.

• Technical controls to make it harder.

• Strong non-technical verification processes.

• Monitoring and Reporting - do you know if you are being spoofed or under attack? Use your logs. Look for patterns; look at the address registration failures; look at the times.

• Learn to say NO to shadow IT cloud applications spoofing main mail domains.

• Teach folks to keep business correspondence e-mail business-like and stop dressing up their email contents, which can make them look like SPAM, e.g. do not use iframes in HTML mails.

• Do not give away information which can be used in fraud activities (e.g. planned absence, LinkedIn, Facebook; look at your out-of-office text; block auto-loading images – aka web bugs).

• Oh, and did I say end-user education…

• Regular phishing and process tests are worth it…

Page 19

Technical controls

We have a bad starting point: e-mail was never designed to be secure.

• Non-repudiation is an add-on.

• Authentication was added as an afterthought.

• SPF, DKIM, DMARC – they only work if they are published, used, and the recipient systems actually check the results.

• Keep very tight control of your domain MX, SPF, DKIM, DMARC records.

• Segregate your mail flows – keep business correspondence away from website, news and invoice traffic.

• DNSSEC to minimise DNS hijacking.

• DANE for encryption authentication.

• Cousin domain watching…

• IT can do all the right things, which can then be totally undermined by a marketing group telling folks to “allow list” to ensure their mail does not go into junk mail.

Page 20

Authentication controls

SPF/DKIM/DMARC

SPF – Sender Policy Framework

• See http://www.openspf.org/

DKIM – DomainKeys Identified Mail

• See http://www.dkim.org/

DMARC – Domain-based Message Authentication, Reporting & Conformance

• See HTTPS://DMARC.ORG

Page 21

What is DMARC?

A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junking or rejecting the message.

DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent and harmful messages.

DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

This reporting will help you understand whether you are subject to spoofing, as well as finding those unauthorised Shadow IT cloud mail senders.

If you want to know more about DMARC - see HTTPS://DMARC.ORG

Page 22

What is the difference between the "Mail From" and the "From Header", aren't they the same?

In email, like in real mail, there is the concept of an envelope containing the message.

• The envelope has three pieces of identification information: the host greeting, the "MAIL FROM:" return address and the "RCPT TO:" list of recipient addresses.

• The message content comprises a set of header fields and a body. The body, in turn, can be simple text or a structured, multi-media "MIME" object of attachments. The set of header fields can be quite extensive, but typically at least includes "Subject:", "Date:", "To:" and "From:".

The "MAIL FROM" command specifies the address of the recipient for return notices if any problems occur with the delivery of the message, such as non-delivery notices.

The "From:" header field indicates who is the author of the message.

The technical notation for referring to components of email information is RFC5321.MailFrom and RFC5322.From, according to the IETF RFC where the field is defined and the specific field being referenced.

All this information can be spoofed. DMARC protects the domain name of the RFC5322.From field against spoofing.

In short, domain name alignment enforcement is a good thing…

Page 23

DMARC is not easy

• If you are not careful, as soon as you start using DMARC you will break a lot of “known” and unknown mail flows.

• You may/will be amazed at the amount of Shadow IT using your main mail domains and spoofing mails.

• Use the reporting capability; you will be surprised what it brings out…

• Mail flows take time to fix, so monitor before you go to Quarantine and then finally to Block!
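An added example (not the presenter's code) of the alignment logic behind the last two slides: it parses a DMARC record, checks whether the RFC5321.MailFrom and DKIM signing domains align with the RFC5322.From domain, and returns the p= disposition for the monitor, quarantine and block (reject) stages. The records and domains are constructed, and the organisational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
from email.utils import parseaddr


def parse_dmarc(record: str) -> dict:
    """Turn a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, header_from: str, mail_from: str, spf_pass: bool,
                      dkim_domain, dkim_pass: bool) -> str:
    """'pass' if an aligned SPF or DKIM identifier passed, else the p= action of the From domain's policy."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(header_from)[1].split("@")[-1]  # RFC5322.From domain
    spf_ok = spf_pass and aligned(mail_from.split("@")[-1], from_domain, tags.get("aspf", "r"))  # RFC5321.MailFrom
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed records for the three rollout stages: monitor, quarantine, block.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
QUARANTINE = "v=DMARC1; p=quarantine; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.test"
REJECT = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.test"
CEO_FROM = "Jane CEO <jane.ceo@example.test>"

if __name__ == "__main__":
    # Spoof: SPF passes for the fraudster's own bounce domain but is not aligned with the From domain.
    print(dmarc_disposition(REJECT, CEO_FROM, "bounce@attacker.test", True, None, False))
    # Shadow IT cloud sender signing with its own domain: authenticated, but unaligned, so p= applies.
    print(dmarc_disposition(MONITOR, CEO_FROM, "bounce@cloudapp.test", True, "cloudapp.test", True))
```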

Page 24

DANE

DNS-based Authentication of Named Entities

The future of Email encryption

Until recently, there has been no widely implemented standard for encrypted email transfer.

Sending an email is security agnostic; there is no URI scheme to designate secure SMTP.

As a result, most email that is delivered over TLS uses only opportunistic encryption.

Since DNSSEC provides authenticated denial of existence (allows a resolver to validate that a certain domain name does not exist), DANE enables an incremental transition to verified, encrypted SMTP without any other external mechanisms, as described by RFC 7672.

A DANE record indicates that the sender must use TLS…

Page 25

WHAT HAVE TECHNICAL CONTROLS DONE TO E-MAIL ENABLED FRAUD.

• As MSPs are now getting their acts together to block spoofing via their servers, the attack vector is moving to cousin domains and display name manipulation.

• Fraudsters are now actually registering cousin-like domains (normally done on a Thursday night; they send their mails early Friday).

• Fraud mails are timed at break times, end of day and weekends, when folks may read on mobile devices which hide the full e-mail address.

• Sometimes the domain registrars discover the registration has been made using a stolen credit card and disable the domains.

• Or they suspend the domain when told by the IP holder via abuse@ methods, that’s if the registrar or MSP actually listens…

Page 26

Cousin domains

• Cousin domains are now being registered by fraudsters, who are setting up fully authenticated and encrypted mail flows.

• WHY WHY WHY are the domain registries allowing such things to happen? They can do a lot more to make things safer.

• The e-mail services they offer are being abused.

Page 27

Cousin domains

What can you do?

• Use domain watch services - make sure they are briefed to look fully at DNS for more than fake websites.

• Create on your mail systems some transport rules looking for variants of your key domain names and react on the hits…

• Problem left – Display Name manipulation
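A transport-rule style check covering the mobile display name problem (page 16) and the cousin domain variants above, added here as example Python rather than code from the deck; the key domains, executive names and From headers are constructed.

```python
from email.utils import parseaddr

KEY_DOMAINS = {"example-corp.test"}    # constructed: the mail domains you own
EXECUTIVES = {"jane ceo", "john cfo"}  # constructed: display names worth protecting

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one- or two-character cousin domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'exarnple-c0rp' compares equal to 'example-corp'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")

def is_internal(domain: str) -> bool:
    """The key domain itself or one of its subdomains."""
    return domain in KEY_DOMAINS or any(domain.endswith("." + k) for k in KEY_DOMAINS)

def is_cousin(domain: str) -> bool:
    """Near-miss of a key domain: look-alike spelling, small edit distance, or same label under another TLD."""
    if is_internal(domain):
        return False
    return any(normalise(domain) == normalise(k) or edit_distance(domain, k) <= 2
               or domain.split(".")[0] == k.split(".")[0] for k in KEY_DOMAINS)

def classify(from_header: str) -> list:
    """Rule hits for one RFC 5322 From header, the way a transport rule would raise them."""
    name, addr = parseaddr(from_header)
    domain = addr.split("@")[-1].lower()
    hits = []
    if is_cousin(domain):
        hits.append("cousin-domain")
    if name.strip().lower() in EXECUTIVES and not is_internal(domain):
        hits.append("display-name-impersonation")
    return hits

# Constructed From headers: genuine, display-name-only spoof, look-alike domain, and both at once.
SAMPLES = [
    "Jane CEO <jane.ceo@example-corp.test>",
    "Jane CEO <ceo.office@freemail.test>",
    "Accounts <ap@exarnple-corp.test>",
    "John CFO <john.cfo@example-corp.co>",
]
```

Run `classify()` over each entry of `SAMPLES` to see which rule fires; only the first header comes back clean.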

Page 28

End user awareness.

• No matter what technical controls you have, something will get through, e.g. Display Name manipulation.

• Can you trust? No, so verify.

• Review and test all your controls.

• Use the four-eyes principle.

• Use phishing tests regularly.

Page 29

Best practice conclusion

USE DMARC

The UK government is now mandating the use of DMARC across all governmental agencies. The Dutch government is mandating DANE on all new services.

This should help to greatly reduce the risk of breaches and cyber-attacks.

Action now needs to be set in motion for other public and private sector organisations to follow suit and implement more effective methods for authenticating emails.

Emails are the preferred method used to infiltrate networks. So watch for it…

If businesses want to protect their assets, they must protect their inboxes.

Remember, training alone will not stop even the most aware employee from falling victim to a sophisticated, well-researched social engineering attack.

Don’t make it easy for the fraudster.

Page 30

Questions

Is this your e-mail security ?