One of the most common question that people ask us on how we know if the DMARC is really working and is it worth implementing.
Let me talk about basics first:
What is DMARC – It’s an Email security standard
Full form – “Domain-based Message Authentication, Reporting & Conformance”
Implemented via DNS records
Modes: None, Quarantine, Reject
You can implement it on your own with difficulty or you can use a third party SAAS provider for assisting with implementation and measuring ROI.
Now let us talk about how do we measure the ROI. So, for discussion I am going to talk about a real incident through which we helped our customer for measuring the ROI and how the same was applauded by the customer.
The Customer has been with us for a couple of years now and he always had doubts about whether the DMARC solution was actually working or not and we always used to assure him that it’s like an Insurance policy. When an incident hits you, don’t worry, ProDMARC would do its job.
This incident that I am talking about happened with the customer a few months back. When the customer was busy with the month end activities, they received an automated alert from the ProDMARC solution stating below.
THERE IS A THRESHOLD BREACH OBSERVED FOR THE EMAIL ACTIVITY AND WE HAVE WITNESSED A NEW MAILING PROVIDER SENDING MAILS ON BEHALF OF YOUR DOMAIN WHICH ARE FAILING DMARC AND HENCE THE MAILS ARE REJECTED.
The customer quickly looked at the alert and started to investigate about this unusual trigger from the ProDMARC solution. He quickly went through the dashboard and started to analyze the DMARC compliance trend for the domain. He was surprised to see about 1,941 emails were found to be failing DMARC.
He went to the forensic module to check if there are sample forensic emails so that he can check the headers and body of the email. Luckily, he found a few forensic samples through which he identified the FROM ADDRESS and the DMARC action being taken by the email gateways.
The customer was quite happy that the email was blocked by ProDMARC. But he was curious to know more about this suspicious email and whether there are any phishing link or malware being downloaded. To his surprise, the customer found that the content of the email was related to a SWIFT COPY with an attachment.
The attachment had an embedded link pointing to an URL. Virus Total straight away gave a verdict that 5/80 engines have detected this URL as Phishing/Malicious
The customer was delighted that ProDMARC stopped a real incident and applauded the solution for doing its job. He even presented this to the senior management highlighting ROI of the DMARC solution.
So basically, what I am trying to say is that we sometimes expect the results to show immediately and start triggering security incidents the moment we plugin solutions in enterprises. But that is not normally the case and as an organisation we should keep applying layered security to ensure that the solutions are deployed considering the risk surface and the implemented solution like DMARC would kick in when required.
If any organisation would like to evaluate DMARC for their organisation, they can write a email at info@progist.net for taking a no obligation 15 days free trial of award winning PRODMARC Solution.
Thief wearing a black hat, obscuring the face, was arrested on a gray background.
The year 2020 has been the year of bad news as the Covid-19 has hit the world. There has been growth in technology and digitization due Work From Home and Study From Home and hence cases related to cybercrime have seen a sharp rise during this period. Cybercriminals are getting smarter with new techniques and modus-operandi to target people. So, in order to keep ourselves safe in the digital world, it is important for each and every person to know what are these threats.
WHAT IS A CYBERCRIME?
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device. Any unlawful act where computer or communication device or computer network is used to commit or facilitate the commission of crime.
Ministry of Home Affairs (MHA) has recently advised people about such crimes and has defined them in the following categories.
TYPES OF CYBER CRIMES AND HOW TO IDENTIFY THEM
1. CHILD PORNOGRAPHY/ CHILD SEXUALLY ABUSIVE MATERIAL (CSAM)
Child sexually abusive material (CSAM) refers to a material containing sexual image in any form, of a child who is abused or sexually exploited. Section 67 (B) of IT Act states that “it is punishable for publishing or transmitting of material depicting children in sexually explicit act, etc. in electronic form.
2. CYBER BULLYING
Cyberbullying is bullying with the use of digital technologies. It can take place on social media, messaging platforms, gaming platforms and mobile phones. It is repeated behavior, aimed at scaring, angering or shaming those who are targeted.
3. CYBER STALKING
Cyberstalking is the use of the ,,Internet or other electronic means to ,,stalk or
Cyber grooming is the process of ‘befriending’ a young person online “to facilitate online sexual contact and/or a physical meeting with them with the goal of committing sexual abuse.
5. ONLINE JOB FRAUD
Online Job Fraud is an attempt to defraud people who need employment by giving them a false hope/ promise of better employment with higher wages, not necessary in 2020 as the jobs are not available and fraudsters are taking advantage of this situation.
6. ONLINE SEXTORTION
Online Sextortion occurs when someone threatens to distribute private and sensitive material using an electronic medium if he/ she doesn’t provide images of a sexual nature, sexual favors, money or sometimes personal enmity or revenge.
7. VISHING
Vishing is an attempt where fraudsters try to seek personal information like Customer ID, Net Banking password, ATM PIN, OTP, Card expiry date, CVV etc. through a phone call. This technique has been exposed because of user awareness campaigns.
8. SEXTING
Sexting is an act of sending digital images, videos, text messages, or emails, usually by cell phone which are sexually explicit in nature.
9. SMISHING
A form of phishing, smishing is when someone tries to trick you into giving them your private information via a text or SMS message. Smishing is becoming an emerging and growing threat in the world of online security.
10. SIM CLONING/SWAP SCAM
SIM Cloning Scam occurs when fraudsters manage to get a new SIM card issued against a registered mobile number fraudulently through the mobile service provider. With the help of this new SIM card, they get One Time Password (OTP) and alerts, required for making financial transactions through victim’s bank account. Getting a new SIM card against a registered mobile number fraudulently is known as SIM Swap.
A recent example of SIM cloning where businessman lost 2 Crores to fraudsters:
Credit card (or debit card) fraud involves an unauthorized person using another person’s credit or debit card information for the purpose of purchases or withdrawing funds from it.
12. IMPERSONATION AND IDENTITY THEFT
Impersonation and identity theft are an act of fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of any other person to cause Monetary harm to the individual or the organization.
13. PHISHING
Stealing personal information such as Customer ID, IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc. through emails that appear to be from a legitimate source is phishing.
14. SPAMMING
Spamming occurs when someone receives an unsolicited commercial message sent via email, SMS, and any other similar electronic messaging media. They may try to persuade recipients to buy a product or service, or visit a website where he can make purchases, or they may attempt to trick him/ her into divulging bank account or credit card details.
15. RANSOMWARE
Ransomware is a type of computer malware that encrypts the files, storage media on communication devices like desktops, Laptops, Mobile phones etc., holding data/information as a hostage. The victim is asked to pay the demanded ransom to get his/her device decrypts. So please don’t click on links that are sent by unknown people.
16. VIRUS, WORMS & TROJANS
Computer Virus is a program written to enter to your computer and damage/alter your files/data and replicate themselves. Worms are malicious programs that make copies of themselves again and again on the local drive, network shares, etc. A Trojan horse is not a virus. It is a destructive program that looks as a genuine application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. Trojans open a backdoor entry to your computer which gives malicious users/programs access to your system, allowing confidential and personal information to be theft.
17. DATA BREACH
A data breach is an incident in which information is accessed without authorization. Data breaches can be far more than a temporary terror — they may change the course of your life. Businesses, governments, and individuals alike can experience huge complications from having sensitive information exposed. Whether you are offline or online, hackers can get to you through the internet, Bluetooth, text messages, or the online services that you use.
Denial of Services (DoS) attack is an attack intended for denying access to computer resource without permission of the owner or any other person who is in-charge of a computer, computer system or computer network. A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources of the legitimate users of that service are denied access to that service.
19. WEBSITE DEFACEMENT
Website Defacement is an attack intended to change visual appearance of a website and/ or make it dysfunctional. The attacker may post indecent, hostile and obscene images, messages, videos, etc. Many times, when tensions between two countries increase, they attack government websites of the opponent country.
20. CYBER-SQUATTING
Cybersquatting is the practice of registering as Internet domains identical or similar to a third party company name or trademark, with bad faith intent to profit from the goodwill of a third party brand, or in the hope of reselling them at a profit.
21. ,PHARMING
Pharming, a amalgamation of the words “phishing” and “farming”, is a type of cybercrime very similar to phishing, where a website’s traffic is manipulated, and confidential information is stolen.
22. CRYPTOJACKING
Cryptojacking is the unauthorized use of computing resources to mine cryptocurrencies. As it is believed to replace gold as the reserve currency, Cryptocurrencies are the future.
23. ONLINE DRUG TRAFFICKING
Online Drug Trafficking is a crime of selling, transporting, or illegally importing unlawful controlled substances, such as heroin, cocaine, marijuana, or other illegal drugs using electronic means. It is much easier online than offline and it has less probability of getting caught, so more and more drug trafficker are coming online.
24. CYBER ESPIONAGE
Cyber Espionage is the act or practice of obtaining data and information without the permission and knowledge of the owner.
Rear view of Asian audience joining and listening speaker talking on the stage in the seminar meeting room or conference hall, education and workshop, associate and startup business concept
What is Brand Impersonation?
Impersonation refers to intentionally replicating other person’s characteristics, such as their speech, appearance, behavior, or expressions etc. Just like inter-person impersonation, brand impersonation is a particular organization holding a brand name gets targeted for the enactment. Brand impersonation occurs when an impostor creates a page or an account on social media or sends out mails pretending to be the targeted brand, using it to gain confidence of entrusting consumers or to conduct other activities that sabotage the reputation of the brand. This is an increasingly common problem on the social networking channel that thousands of brands are forced to deal with each day.
Brand impersonation is BIG business
In modern times, scams that trick victims into thinking they are dealing with a genuine brands or service providers they trust are not new, but there are new developments making these attacks more intense and visually bona fide. The growing sophistication of cyber-criminals come through carefully studying the profile, the types of victims they want to target and even set fraud quotas for their criminal employees in the organization who can help them in carry out scams.
Another factor is the ease with which scammers can use brands’ own tools to cloak their identity. Copying a brand logo or even a validation symbol like the Twitter check mark takes only a few minutes and minimal skills. Because email was originally developed without safeguards to verify sender’s identity, many if not most brands’ domains are open to these tech-savvy malicious users. Without raising any alarms, scammers can launch phishing attacks on brands’ customers that appear to come from the brand’s genuine email accounts. This practice is commonly known as domain spoofing.
In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world requesting donations. The sender’s address was ‘donate@who.int’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine, as the domain belonged to the real WHO.
Automation has dramatically increased the speed and scope of brand-impersonation fraud attempts, too. Scammers now send nearly 30 phishing emails every second and launch a new impersonated phishing domain every five minutes. The result is a blizzard of brand fakery targeting consumers and damaging brand reputation.
The domino effect of impersonation scams on brands
Impersonation scams can damage brands name in more than one way. First and foremost, scams take away customers. Victims of these attacks i.e. customers can blame the brand for not preventing the fraud by setting up necessary safeguards, and research shows that nearly 65% of consumers stop shopping with a brand after one bad experience. Other victims, as well as future customers who learn about the scam in the media, may hesitate to open future emails from that brand, and that can cause marketing email campaigns lose effectiveness because of lack of trust for the brand. News reports and social media discussions can also steer potential customers toward other brands.
A lot of damage control also essential in phishing scams. Brands that are targeted need to send a warning their customers about the impersonation scam. They also need to try to find out the reason behind the phishing attacks, its source and employ countermeasures to ensure that the fraudsters are unable to use the brand’s domains or lookalike domains to send email to its customers.
Reducing the risk of brand impersonation
There are three core areas that help companies protect their brands from abuse by scammers: Communication, Security and Monitoring.
Communication: Including a safety policy in the customer-facing emails, on your social media accounts, and on your site, stating along the lines of “Brand ABC will never contact you to ask for your customer login or payment card information.” Visual communication matters too ! So it is advisable to keep your logo, colors, and other visual branding elements consistent across channels, so that any knockoffs are easier for customers to spot. And when scammers target your brand, let your customers know what to watch for.
Better security: Create strong passwords for your brand’s social media accounts, keep a running list of who has login access, and update passwords when there are staffing changes. To prevent domain spoofing, implement a DMARC sender authentication policy on all your email domains. This open-source protocol gives domain owners the power to detect and block unauthorized users.
Monitoring: Use social monitoring tools to keep tabs on brand mentions and conversations. Report scam accounts when they appear and delete comments on your pages and posts by accounts impersonating your brand. For email, DMARC will show you who is sending emails from your domains and can flag or reject suspicious outgoing messages. Finally, respond quickly to customer reports of scammers abusing your brand.
Protecting your brand from impostors requires attention to what is happening in your brand’s communication channels, as well as regular security improvements. These efforts are a good way to drive scammers away from your brand in search of easier targets. They are also a must to build and maintain trust with your customers in an age when brands and consumers need to be allies in the fight against cyber crime.
Since email becomes the primary communication medium between the brand and its customers, it is very essential for organizations to ensure that no mails are sent to their customers using their domain or any lookalike domains.
In relation to this, Google has come up with a bundle of security enhancements for G Suite services in a recent announcement, and one of the biggest announcements is about Gmail. Google has announced its alliance with the Brand Indicators for Message Identification (BIMI) group, which enforces an email feature that adds brand logos to authenticated emails. Google confirmed that their BIMI pilot will enable organizations, who authenticate their emails using ,DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Emails are authenticated using the existing ,DMARC system. Once these authenticated emails pass all of the anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI. To read more about the Gmail integration with BIMI, read our article.
As new organizations are born each day, email security is important and plays a vital role in every organization and there should be necessary actions taken to make sure there is no security breach. It becomes the responsibility of every business to protect themselves, their clients’, and employees’ sensitive personal information.
How can we help?
ProDMARC is built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. It helps in gaining visibility on your email domain getting used on your behalf by third parties. It’s important to gain visibility of unauthorized emails which might be getting sent from your brand; ensures that emails do not get blocked due to misconfigurations, making the best use of the customer email communication; generates actionable threat intelligence feeds for your security and transaction monitoring systems helping to block targeted attacks proactively and also helps in identification of lookalike domains for your brand.
To summarize, ProDMARC helps improve customer trust in email communications
With the economy in slump, ProDMARC announces a limited-time offer during the ongoing pandemic — 15 days of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.
Sign up for your 15 day ProDMARC trial by writing to us on ,info@progist.net
Credit card data security unlock payment shopping online on smartphone
To start with, lets get a brief idea about DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an ascendable mechanism by which a mail-originating system can express domain-level policies and preferred for message validation, disposition, and reporting, that a mail-receiving system can be used to improve mail handling.
Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers.
These abilities have several benefits like:
Receivers can provide feedback to Domain Owners about the use of their domains; this feedback can provide valuable insight about the management of internal operations and the presence of external domain name abuse.
DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.
Let us understand the importance of implementing DMARC by looking into a couple of examples of scams happening in the banking and insurance sector.
In light of the current scenario, where scammers are using COVID-19 as a bait, security researchers warn that fraudsters will run their old playbooks of fraud schemes, but also take advantage of COVID-19 scare, like physical distancing and fear of getting infected by the virus.
Orchestrated accidents are generally defined as an event where someone purposely cause an accident in order to make a claim against your car insurance or their own. Intentionally rear-ending or sideswiping another car are common schemes. Staged accidents are often committed by organized fraud rings.
With a large slice of the country practicing social distancing, there are less cars on the road and less witnesses, giving scammers the opportunity they wish for. Investigators believe scammers will use the fear of spreading COVID-19 as an excuse to discourage police involvement, leaving an opening to file false insurance claims.
Problems arise when people who were not in the car at the time of the “accident” file injury claims, hoping to get a settlement from another driver’s liability car insurance. The COVID-19 scam is similar to the staged accident scam. Scammers may take advantage of others’ fear and suggest a limited exchange of information, such as passenger names. With no police report and no witnesses, they have an excuse to make false injury claims for people who were not in the car.
Here’s what you can do: If you get into a car accident, try to note how many people were in each car and, if possible, their names and contact information while of course maintaining social distancing. You can also call the police and wait in your car.
Auto repair frauds can happen when a repair shop takes advantage of both you and your insurance company. Fraud investigators report that some repair shops charge excessive fees for cleansing, disinfecting, and storing vehicles – claiming they cannot work on vehicles for several days because of possible COVID-19 infection.
Be suspicious with auto repair shops that charge high fees for cleaning and storing your car. Speak with your insurance adjuster before paying any up-front out-of-pocket costs.
COVID-19 Travel Insurance Scams
The Coalition Against Insurance Fraud is urging consumers to be aware of the traps for bogus travel insurance policies that claim to cover COVID-19-related trip cancellations. Most travel insurance policies DO NOT cover pandemics. If someone pitches you a travel insurance that specifically covers COVID-19-related problems, that should raise a red flag.
Be aware of scammers impersonating legitimate travel insurance companies. While some travel insurance companies have extended coverage that would typically be excluded to their policyholders during the COVID-19 outbreak, scammers may try to take advantage of financial anxieties and sell bogus products.
Bank Email Scam
Ask a question to yourself: Why would the bank send you an email asking you for information after you’ve opened an account? After all, after you open up a bank account, they already have all of your information.!
However, many people still fall for professional-looking emails that appear to be from their banks, asking for information to process a transaction or with the excuse of your credit / debit card about to get expired.
If you ever receive an email that looks like it’s from your bank and that asks you for your personal information, DON’T FALL FOR IT.
You might have this question – All of this information is basically a Dos and Don’ts for users… What about the Banks and Insurance companies? Where does DMARC come into the picture?
Here’s where DMARC plays a leading role – With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts – enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well-known brand into an email gives it instant legitimacy with many users.
End users (customers) can’t distinct a real message from a fake one; and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. DMARC addresses these issues. DMARC takes the advantage of the existing email authentication techniques SPF (Sender Policy Framework) DKIM (Domain Keys Identified Mail), also adding an important function, reporting. When a domain owner publishes a DMARC record into their DNS record, they will gain insight in who is sending email on behalf of their domain. This information can be used to get detailed information about the email channel. With this information a domain owner can get control over the email sent on his behalf.
Also, as an additional benefit, Gmail has now integrated with Brand Indicators for Message Identification (BIMI) in which Google confirmed that this engagement will enable organizations, who authenticate their email domains using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Once these authenticated emails pass all of the anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI. Which means lesser chances of brand impersonation, lesser chances of your customers getting scammed by your brand name and more trust factor of your emails that are sent to your customer base.! For more information, read our blog about Google – BIMI integration and get to know how DMARC plays an important role in the email ecosystem.
How can we help?
ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated.
To summarize, ProDMARC helps improve customer trust in email communications.
With the economy in slump, ProDMARC announces a limited-time offer during the ongoing pandemic — 15 days of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.
Sign up for your 15 day ProDMARC trial by writing to us on info@progist.net
Double exposure image of business people handshake on city office building in background showing partnership success of business deal. Concept of corporate teamwork, trust partner and work agreement.
Organizations – big or small – are generally bothered about security of their customers, clients, third party vendors and their prospects. In a colossal way, organizations rely on third party partners who are responsible for sending notifications, marketing promotions and other important emails to our customers prospects or even their clients.
Due to the growing phishing and spoofing attacks, organizations are paying a substantial amount to services and companies which can secure their email in an effective way. As email is so important to the business, setting up DMARC becomes mandatory, also making sure third party senders mails are DMARC compliant is another objective to be triumphed.
As part of the DMARC endeavor, organizations often tend to overlook the necessity and the effort which they would need to invest in ensuring that the third party partners are DMARC compliant too. In case this aspect is not taken care of, there is a high risk that the genuine mails sent out by these senders may get blocked at the recipient end causing major business process disruption.
Question is – How to integrate third party senders ??
There are a couple of approaches that help in achieving DMARC compliance with third party senders. It will, certainly depend on what efficiency your third party sender has in implementing these suggestions:
1. External Integration
If your third party senders use their own mail servers to send your email, you can delegate a sub-domain for their usage and partner’s SPF record and DKIM public Keys can be configured in the sub-domain’s DNS server. This will allow you to authorize them as your third-party mail sender, also ensuring their mass mailing activity does impact your company’s parent domain reputation.
2. Internal Integration
Other option is: Having your third party sender relay your emails through your own mail servers, thus enabling the emails sent to use your own SPF, DKIM, and DMARC configurations giving you greater control over your email.
Steps to integrating Third Party Senders
Engaging with third party senders is often fundamental and helps the organization move forward. With that said – it bears its own set of uncertainties; There are reasons to be vigilant in ensuring that these senders have all appropriate security measures in place, principally before they commence mailing on your behalf. Here are a couple of steps to make that happen:
1. Sending messages in compliance with SPF records
This would require you to ensure that the bounce email ID (envelope-from) is configured by your partner to be in alignment with the mail domain (same as or sub-domain of your mail domain) and by including your partner’s mail system IP/SPF domain in your envelope-from domain’s SPF record. Several organizations may require specific IP addresses to introduce into the domain’s SPF record, rather than using an include: mechanism.
2. Implementing DKIM signing for the domain in use
This would require your mailing partner to enable DKIM signing for your emails in its mailing system and share the corresponding DKIM public key with you, which must then be added by you in your DNS. While configuring a DKIM signature, ensure you are signing it with at least a 1024 bit size key. The signing domain (d=) in the DKIM header of the mail must align with (same as or sub-domain) the domain which is used to send mails.
For an email message to be DMARC compliant, SPF and DKIM must be configured and at least one of the authentication methods must pass for the message to be delivered.
Each of the above mentioned steps helps organizations realize that email safety is top notch for the entire organization — whether the email is received from a third party sender or not.
At the end of the day, which policy you choose is ultimately the decision of your organization as you decide which policy best suits your needs. There are many growing organizations implementing DMARC but the question is not whether you’re implementing DMARC or not but it is about are you implementing it correctly. To meet the end goal at the end of the day it is your organization your customers and your reputation.
At ProDMARC, we’re here to help you ensure DMARC compliance for your organization and your third party vendors. ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.
Our ProDMARC platform and managed services ensure that customers are able to identify, inventorize, and achieve DMARC compliance for all third party partners of the organization. ProDMARC is chosen by top organizations across industry verticals including banking, insurance, stock markets, healthcare & pharmaceutical, telecom, energy etc.
Considering the economy being in slump and resources scarce, ProDMARC announces a limited-time offer during the COVID-19 pandemic — 15 days of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.
Sign up for your 15 day ProDMARC trial by writing to us on ,info@progist.net
So that while you stay home safe from COVID-19,
your email domains are safe from email spoofing !!
In a recent announcement, Google has come up with a bundle of security enhancements for G Suite services, and one of the biggest announcements is about Gmail. Last year, Google announced its alliance with the Brand Indicators for Message Identification (BIMI) group, which enforces an email feature that adds brand logos to authenticated emails.
Google confirmed that their BIMI pilot will enable organizations, who authenticate their emails using DMARC, to validate ownership of their corporate logos and securely transmit them to Google. Emails are authenticated using the existing DMARC system. Once these authenticated emails pass all of the anti-abuse checks, Gmail will start displaying the logo in existing avatar slots in the Gmail UI.
Google said it will kick off a pilot of the technology within Gmail in the coming weeks with a limited number of senders, and with two Certification Authorities to validate logo ownership: Entrust Datacard and DigiCert. Which means we can expect to see those kinds of indicators popping up in the existing avatar box. To prepare for the post-pilot launch of BIMI and to generally help secure the ecosystem, Google encourages organizations to start adopting DMARC.
BIMI facilitates advantages to the entire email ecosystem. By requiring strong authentication, both users and email security systems can improve trust in the source of emails, and senders will be able to boost their brand trust and provide an enhanced immersive experience to their customers.
BIMI is a great opportunity for organizations that want to create a trusted brand presence over email encouraging them to implement strong authentication leading to a more trusted, safer email ecosystem for mail users.
How does DMARC help?
To explain in short, DMARC – developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.
Click here to read our article to learn more about the DMARC deployment roadmap.
Every new invention brings its new challenges. Every new challenge pushes us to find a new way to overcome it. DMARC has been around for some years now, still phishing has existed for much longer. As new organizations are born each day, email security is important and plays a vital role in every organization and there should be necessary actions taken to make sure there is no security breach. It becomes the responsibility of every business to protect themselves, their clients’ and employees’ sensitive personal information.
At ProDMARC, we’re here to help you meet this new challenge with ease.! ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated.
Summarizing, ProDMARC helps improve customer and third party trust in email communications.
Considering the economy being in slump, ProDMARC announces a limited-time offer during the ongoing pandemic — 15 days of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.
Sign up for your 15 day ProDMARC trial by writing to us oninfo@progist.net.
Verified Twitter accounts of high-profile individuals and companies like Apple, Bill Gates, Joe Biden, and Elon Musk assured followers a huge pay out if they just send bitcoin to a block chain address — presumably to contribute to the COVID-19 relief funds; after the social media platform was breached.
Affected accounts belong to businesses and individuals involving Apple, Bitcoin, Barack Obama, CashApp, CoinDesk, Jeff Bezos, Elon Musk, Coinbase, Uber, Bill Gates, Joe Biden, Michael Bloomberg, and Kanye West. A few account owners quickly took control of their profiles and deleted the tweets.
The message from some accounts read, “I am giving back to my community due to Covid-19,” noting that the offer was valid for only 30 minutes. Bill Gates’ account promised to send $2,000 back to people who sent $1,000. A similar message appeared on Elon Musk’s account, with a tweet saying, “I’ll double any BTC payment sent to my BTC address for the next hour,” followed by a hyperlink.
Cyber security firm RiskIQ has published a list of domains connected to the scam, giving further insight into the magnitude of people and corporations targeted. It’s ambiguous how widespread the incident is, but so far, the scammers have been successful in collecting more than $103,000.
Security researchers also found that the attackers had not only taken over the victims’ accounts, but also changed the email address associated with the accounts, making it tougher for the real user to regain access.
Twitter said in an official statement: “We are aware of a security incident impacting accounts Twitter accounts. We are investigating and taking steps to fix it. We will update everyone shortly”. As a part of the company’s remediation efforts, verified accounts, used to promote the scam, have been blocked from tweeting.
Hours later, twitter confirmed that the hack was a result of a social engineering attack by which the hackers targeted some of their employees with access to internal systems and tools.
Once aware of the incident, twitter immediately locked the affected accounts and removed tweets posted by the attackers. Internally, Twitter said it has also taken steps to limit access to internal systems and tools while the investigation is ongoing.
Whereas in other cases, the attackers have bribed workers to leverage tools over individual users, in this case social engineering has been used to gain access that has led to takeovers of some of the biggest accounts on the social media platform and tweeted bitcoin related scams in an effort to generate income.
A lot of progressive organizations have been running phishing simulation programmes for their employees for many years now. These programmes are executed either with consultation of a cyber security company as a service or through a phishing simulation platform or as a hybrid model. The key objective of these programmes has been to train the end employees to detect and report most commonly known phishing incidents.
However, these programmes have been highly ineffective to identify topical phishing attacks resulting in a material impact on the organization. The reason being, some of the most high profile and successful phishing attacks were wrapped in the context of a usual business process of a critical user. These phishing attacks can be highly covert, if they are further wrapped in the context of a current topical matter, for instance COVID-19.
Definition of a critical user need not always be a system administrator or payment processing employee; it could be a PR / marketing department employee dealing with massive listing of customer leads generated or it could be a customer helpline executive possessing a list of high profile irate and vulnerable customers.
In this article, I am trying to bring about a change in mindset of how phishing simulation programmes should be conceptualized and executed.
To start with, let us understand the present threat landscape …
Since mid-March, cyber-criminals launched a variety of COVID-19 themed phishing and malware attacks against essential workers, healthcare facilities, and also the recently unemployed. One of the vital reasons behind the success of these attacks has been phishing sites running on HTTPS. A report suggesting the number of phishing sites protected by the HTTPS encryption protocol was published recently.
In Q1 2020, a new high of 74% of sites used for phishing was recorded protected with SSL. Majority of phishing web sites continue to use SSL / TLS. Users have to learn that SSL doesn’t mean a site is legitimate. Virtually every website — good or bad — now use SSL.
Taking advantage of the ongoing pandemic situation, scammers are using COVID-19 as a bait for cyber-crimes. E-mails — purportedly from renowned health organisations like the WHO, UN and ICMR — along with websites, messages and apps are being used to steal crucial information.
Cyber-criminals topical “COVID-19” usage in Business Email Compromise attacks
COVID-19 themed phishing attacks started spiking in the second week of March. Same time when COVID-19 started to spike as a topic of general public interest according to Google Trends. Security researchers identified what may have been the first documented use of the pandemic as a lure in a “Business Email Compromise” or BEC attack.
In a BEC attack, a scammer targets employees who have access to company finances, usually by sending them email from a fake or compromised email account (a “spear phishing” attack). The scammer impersonates a company employee or other trusted party, and tries to trick the employee into sending money.
Soon after the spike of COVID-19 themed phishing attacks, a criminal group named “Ancient Tortoise” reached out to a company and posed as one of the company’s real suppliers. The criminal requested that the company pay past-due invoices, and used the coronavirus as a pretext to provide new payment details to the victim. The criminal explained that the outbreak had forced the supplier to change the bank it was using to receive payments. The new account turned out to be in Hong Kong, from which the criminal could retrieve funds via money mules.
Image Source: The attacker used a look-alike domain
to spoof the target company
Later on, security researchers reported that ransomware attacks on healthcare facilities were up 35%, versus similar attacks from 2016 through 2019. Healthcare providers must prevent disruptions to patient care, and cyber-criminals saw them as targets that would likely pay ransom. Researchers found that 70% of the healthcare attacks were directed at healthcare facilities operating with fewer than 500 employees. Attackers targeted smaller direct-patient care facilities because they might have smaller security budgets. It is predicted that threat actors would begin using ransomware against companies and organization in healthcare and related fields. By mid-March, cyber-criminals were spreading malware by adding text from COVID-19 news stories in attempts to bypass security software that uses artificial intelligence and machine learning to detect malware.
Current method adopted by organizations for phishing simulation programmes
Phishing attacks from an organizational impact context could be classified broadly in two categories
High Frequency – Low Impact
Low Frequency – High Impact
Impact can range of locking of files due to ransomware, compromise of internal / customer data, insertion of self-spreading malwares in the system, etc.
High Frequency – Low Impact: This type of attack targets a large set of users generally in the form of free vouchers / gift cards with an intention to get the personal / professional details enrolled by the victim.
Low Frequency – High Impact: This type of attack is on a huge scale where the end intention of the attackers is to carry out major frauds / scams such as the direct bank transfer SWIFT fraud of Bank of Bangladesh, the Unacademy data breach of 22 million users found to be sold on dark web, the Italian email provider data breach exposing data of 600,000 users.
Range of attack methods used by cyber-criminals:
Email based phishing
SMS based (SMiShing)
Voice based (Vishing)
USB drops
Most of the phishing simulation programmes are towards detecting the “High Frequency – Low Impact”. These programmes are not contextual based trainings on the risk profiling of the organization considering topical threats, its business departments / processes, country of primary business, industry vertical (bank, insurance, healthcare, manufacturing etc.), key business processes, partnerships, etc.
While “High Frequency – Low Impact” approach should be continued for detecting run of the mill phishing attacks, special emphasis should be put on subjecting your critical employees on phishing simulation which may be highly obfuscated under standard business process related email interaction.
Let me illustrate few common business processes / departments which would exist in most organizations & how tailor-made & contextual phishing simulation programme could be created:
Get to know us
ProgIST offers a full range of cyber security consulting services and products for email security of employees, customers and third parties. Our consulting services include cyber security maturity assessments, incident response framework setup (SOC) and review, web application and mobile app security assessments (VAPT), security awareness, cloud / vendor risk assessment, forensic investigations etc. ProgIST is formed by practitioners who have an Information Technology and Information Security hands-on cumulative work experience of more than 100+ man-years.
ProgIST’s flagship and country leading DMARC analytics platform ProDMARC has provided us an opportunity to work alongside and understand, in-depth – the mailing ecosystem and related business processes of leading organizations across sectors viz. Banks, Insurance, NBFCs, AMCs, Healthcare and Pharma, Stock markets, IT & ITeS, Manufacturing, Power & Telecom, Media & Entertainment etc.
ProDMARC provides us the threat intelligence of the most of pervasive phishing attacks which are impacting organizations, their employees, suppliers, distributors and other third parties.
Based on our strong understanding of the business context and mailing ecosystem, we at ProgIST, have developed a unique cloud-platform “ProPhish”. We offer ProPhish based Employee Awareness Programme (P.E.A.P) which addresses the key lacunas mentioned in this article. Some of the key features included in the programme are:
A North Korean sponsored hacking group famously known as Lazarus, has devised a plan to launch large scale phishing attacks through fake mails designed as COVID-19 relief efforts. The target of the attack are countries like US, UK, South Korea, Japan, Singapore, and India, where the respective governments extended incentives to deal with the pandemic.
These phishing emails are designed to route recipients to fake websites where they will be misled into disclosing personal and financial information.
As per security research firm CYFIRMA, there is a common thread across six targeted nations in multiple continents – the governments of these countries have announced significant financial support to individuals and businesses in their effort to stabilize their pandemic-ravaged economies.
Of these countries, Korea government allocated a total of US$200B of emergency relief funds; Indian government announced Rs 20 lakh crore package; Singapore announced almost SGD 100B; Japan announced funds of about 234 trillion yen; America set aside trillions of dollars to sustain its economy, and the UK government also came out with a pandemic recovery strategy.
As per researchers, the attackers plan to take advantage of on these announcements to bait vulnerable individuals and companies into falling for the phishing attacks. Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability. The campaign is designed to mimic government agencies, departments, and trade associations who are tasked to oversee the distribution of the financial aid.
For launching campaign in India, attackers are claimed to have 2 million individual email IDs. The strategy is to send emails with the subject “Free COVID-19 testing” to all residences in Delhi, Mumbai, Hyderabad, Chennai, and Ahmedabad provoking them to share personal information.
In light of the phishing campaign to be launched on India, CERT-IN has laid out a list of best practices to be followed in order to prevent falling for the phishing attack:
Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints
Block/restrict connectivity to the malicious domains/IPs shared by CERT-In from time to time. If any of the machines are found contacting them, take volatile evidence, isolate the machine, start necessary mitigation and containment procedures. Take forensic image of the machine for root-cause analysis. It is recommended to restore the system from a known good back up or proceed to a fresh installation.
Keep up-to-date patches and fixes on the operating system and application software such as client side softwares, including Adobe Products (Reader, Flash player), Microsoft Office suite, browsers & JAVA applications.
Restrict execution of PowerShell/WSCRIPT in enterprise environment. Ensure installation and use of the latest version (currently v6.2.2) of PowerShell, with enhanced logging enabled, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
Control outbound DNS access. Permit internal enterprise systems to only initiate requests to, and receive responses from, approved enterprise DNS caching name servers. Monitor DNS activity for potential indications of tunneling and data exfiltration, including reviewing DNS traffic for anomalies in query request frequency and domain length, and activity to suspicious DNS servers. The dnscat2 tool alternates between CNAME, TXT, and MX records when it is operating. Investigate abnormal amounts of these records going to the same second level domain, or a group of second level domains.
Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
Consider deploying Microsoft’s Enhanced mitigation Experienced Toolkit (EMET) which provides end node protection against zero-day vulnerabilities and blocks and prevents memory-based attack approaches.
Enhance the Microsoft Office security by disabling ActiveX controls, Macros, Enabling Protect View, File Protection Settings.
Protect against drive-by-downloads through controls such as Browser JS Guard
Leverage Pretty Good Privacy in mail communications. Additionally, advise the users to encrypt / protect the sensitive documents stored in the internet facing machines to avoid potential leakage
Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e. the extension matches the file header).
Block the attachments of file types, “exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf”
If using VPN services to access organizational networks, consider configuring mandatory 2 Factor authentication. It is recommended to consider an additional form of authentication, prior to granting access to internal network resources.
Consider limiting users’ access using VPN services to a single IP address at a time. No multiple simultaneous remote access by the same user should be allowed.
Consider Geo-limiting users access to known geographical locations. Use Geo Location analysis to identify impossible connections, such as a user calling from 2 points geographically remote in a short period of time.
Check if the VPN software writes session data to the remote workstation’s disk. If possible, use a connection method that keeps the data in memory only, preferably encrypted.
Maintain up-to-date antivirus signatures and engines.
Restrict users’ ability (permissions) to install and run unwanted software applications.
Enforce a strong password policy and implement regular password changes.
Enable a personal firewall on workstations.
Disable unnecessary services on agency workstations and servers.
Exercise caution when using removable media (e.g. USB thumb drives, external drives, CDs, etc.).
Scan all software downloaded from the Internet prior to executing.
Maintain situational awareness of the latest threats; implement appropriate ACLs
HOW CAN WE HELP
DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.
ProDMARC as a product is built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.
Combining ProDMARC with ProPHISH, our offering to train your employees not to fall prey to the cyber-attacks, you can ensure that your first line of defense is well prepared not to get phished. ProPHISH provides threat simulation by recreating real life scenarios. This simulation helps in defining your existing employee awareness levels and basis on that, preparing a plan of action to increase employees’ knowledge levels.
With a battle against COVID-19 worldwide, a different sort of battle is being waged in the electronic conduits of the internet. People around the world have fallen prey to email scams supposedly from trusted organizations during the coronavirus pandemic.
Click here to read our article on one such Coronavirus themed phishing attack.
In the most recent high-profile coronavirus scam, an email supposedly from the World Health Organization (WHO) was sent around the world requesting donations. The sender’s address was ‘donate@who.int’, where ‘who.int’ is the real domain name for WHO. The email was confirmed to be a phishing scam, but at first glance, all signs pointed to the sender being genuine, as the domain belonged to the real WHO.
Although, this is one in a growing series of phishing scams that use emails related to coronavirus to steal money and sensitive information from people. But if the attackers are using a real domain name, how can we distinguish a legitimate email from a fake one? How are the attackers able to employ email domain spoofing on such a large organisation with such efficiency? And how do entities like WHO find out when someone is using their domain to launch a phishing attack?
The answer is DMARC !
Email is the most widely used business communication tool in the world, and still it’s a completely open protocol. On its own, there’s very little to monitor on who sends what emails and from which email address. This becomes a huge problem when attackers disguise themselves as a trusted brand or public figure, asking people to give them their money and personal information. As per statistics, over 90% of all company data breaches in recent years have involved email phishing in one form or the other. And email domain spoofing is one of the most leading causes of it. In an effort to secure email, protocols like Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) were developed.
What are SPF and DKIM ?
SPF cross-checks the sender’s IP address with an approved list of IP addresses, and DKIM uses an encrypted digital signature to protect emails. While these are both individually effective, they have their own set of blemishes.
To learn more about SPF, DKIM and DMARC, click here
THE UNIFIED COMBATANT : DMARC
DMARC, developed in 2012, is a protocol that uses both SPF and DKIM authentication to secure email, and additionally has a mechanism that sends the domain owner a report whenever an email fails DMARC validation. This means the domain owner is notified whenever an email sent by an unauthorized third party.
Also decisively helping out the email receivers how to handle unauthenticated mail: whether to let it reach inbox, quarantine it or reject it outright. In theory, this should stop bad email from flooding people’s inboxes and reduce the number of phishing attacks. So why doesn’t it?
Email authentication requires sender domains to publish their SPF, DKIM and DMARC records to the Domain Name System (DNS). There’s a lack of serious implementation of DMARC across the business landscape, and it’s not gotten much better over the years. Many large scale private, public and not-for-profit organizations are yet to implement DMARC with their domains.
Here are some of the most serious concerns cited by major companies and businesses to implement DMARC authentication:
1. Deployment challenges
The strict enforcement of security protocols often means a high level of coordination in large institutions, which they often don’t have the resources for. Beyond that, many organisations don’t have much control over their DNS, so publishing DMARC records becomes even more challenging.
2. Risk of breaking the existing system
The relative novelty of DMARC makes it more prone to improper implementation, bringing up the real risk of legitimate emails unable to pass through. Businesses that rely on email circulation can’t afford to have that happening, and hence don’t bother adopting DMARC at all.
3. Concerns for returns on investment
DMARC authentication has direct benefits to the recipient of the email rather than the domain owner. The lack of serious motivation to adopt the protocol has kept many companies from incorporating DMARC into their systems.
Recognizing the need to implement DMARC
While the concerns expressed by businesses have merit, it doesn’t make DMARC implementation any less imperative to email security. The longer businesses continue to function without a DMARC-authenticated domain, the more all of us expose ourselves to the very real danger of email phishing attacks.
As the coronavirus email spoofing scams continue to teach us, no one is safe from being targeted or impersonated. Think of DMARC as a vaccine — as the number of people implementing it grows, the chances of catching an infection go down dramatically.
There are real & viable solutions to the problems expressed that might overcome people’s concerns over DMARC adoption. Here are just a few that could boost implementation by a large margin:
1. Reducing friction in the implementation process
The biggest hurdle standing for a company adopting DMARC are the overheads such as identifying the business processes which use third party mailing services for aspects such as marketing, CRM, HRMS, invoice generation etc., coordinating with such third parties for ensuring they become DMARC compliant, monitoring the steady state compliance levels etc. ProDMARC, through its automated platform and managed services ensures that the DMARC compliance is achieved quickly and maintained.
2. Streamlined deployment
By automating the compliance checks for the DMARC anti-spoofing authentication (SPF / DKIM) and ensuring sufficient learning curve in the “only-monitoring” but “no-blocking” phase of DMARC deployment, the project team can assess the impact it has on organization’s mailing ecosystem before going for a full deployment i.e. “block-everything” but “the-whitelisted”. ProDMARC, through its highly scalable automated platform ensures sufficient visibility of all mail senders of the organization from a SPF / DKIM and thereby DMARC compliance.
3. Improving usefulness
For the DMARC project team to justify the ROI for the DMARC project, they need to provide the requisite insights to the management in terms of improved mail deliverability as well as mitigation of spoofed mails impacting their brand. ProDMARC’s highly scalable data analytics setup provides large number of visually appealing dashboards for justifying the ROI.
Click here to read our article to learn more about the DMARC deployment roadmap.
Every new invention brings its new challenges. Every new challenge pushes us to find a new way to overcome it. DMARC has been around for some years now, still phishing has existed for much longer. In recent times, the coronavirus pandemic has only given it a new face.
At ProDMARC, we’re here to help you meet this new challenge with all guns blazing! ProDMARC as a product built on a mission to achieve a secure and spoofing free email channels across all of internet space; makes reporting of DMARC, providing volumes and trends of the outbound mails including that of phishing campaigns and yield confirmation for reliability of the outbound mails in terms of SPF, DKIM & DMARC conformance; smooth and uncomplicated. Summarizing, ProDMARC helps improve customer and third party trust in email communications.
The economy being in slump and resources scarce. Here’s where ProDMARC announces a limited-time offer during the Coronavirus pandemic — 3 months of DMARC health assessment report, completely free for all organizations who wish to gain visibility of the mail based phishing threats which are at an all-time high.
Sign up for your 3-month ProDMARC trial by writing to us on info@progist.net so that while you stay home safe from coronavirus, your domain is safe from email spoofing.
