Wednesday, July 21, 2010

Spam, Spoofing, Phishing, Pharming

Are you concerned about email fraud, how to keep your message private, and avoiding identity theft? Do you think that people receiving an email attachment that was clearly sent from you (as stated in the From line) may fear opening it?

I frequently receive email from myself (that is, with my name in the From line) that I never sent. It's well-known that anyone can send a regular email using your name and email address. This is used in spam attacks.

But, why should you care? "After all, it's just an email and I can simply delete it."

However, hidden persuaders in a message (or just in its Subject) may trigger an inadvertent reply from you, such as hearing that you are now listed in "The Internet Harvard Who's Who" (a fake honor), that your site can get a free evaluation (a scam offer), or an "alert" that someone is registering the left-most label of your .COM domain name in the Taiwan registry under .TW (which is legal and should not affect you). Or, even more effective for the attacker, the message triggers an irrational fear, where you fear things you shouldn't and then put yourself in greater danger. For example, a message from your bank, looking like the "real thing" and asking you to log in to change your password.

So, as in many other cases, an initial, simple attack that is not checked can lead to secondary attacks with far more damaging consequences than originally thought possible.

What's gaining in importance in this space, although much less well-known than spam, is that attackers often use spam as a vector for delivering secondary attacks.

The most relevant secondary attacks today include not only spoofing, phishing, and pharming (see GLOSSARY), but also installing a "trojan horse", a computer virus, or crippling your computer with a ransom request to fix it.

Of these attacks, the most insidious and prevalent today is phishing, which can lure recipients to disclose their private data that criminals worldwide (not necessarily just the attacker) can use to mount a real-world threat to your identity, bank account, and business, leading to potentially large losses. And criminals can do it all from an Internet cafe, somewhere in a far, far away place, or even next to you, and you (or the FBI) will not likely ever be able to hold anyone accountable for it.

How did we get to this point? Some think that the reason is that your email address is global and even searchable; that's why your mailbox is overflowing with spam. In short, one is led to think that there is no way to prevent it. You must fight it by purchasing solution X (a spam/spoofing/phishing filter), which will require frequent paid updates to be effective. But such solutions can only protect you against yesterday's attacks, and even that may fail as attacks have many variants.

Do I need to change my email address, Mail app, or provider, to be secure? No, the problems are not due to your email address or Mail app, but how you send and receive email. You should be able to use any email address, Mail app, and provider you want, including webmail.

How about if I add a firewall and always use SSL? Still, solution X (a spam/spoofing/phishing filter) will be killing good emails, and you really shouldn't open attachments even if you know the sender.

In addition, anyone can read any email that you send and receive, so that you cannot use regular email in HIPAA and regulatory privacy compliance. Regular email communication is simply not secure. Sending an email is similar to sending a postcard. Any regular email that is sent by you or to you may be copied, held and changed by various computers it passes through, as it goes from you or to you. Persons not participating in your email communications may intercept your communications by improperly accessing your computer or other computers, even some computer unconnected to any party in the communication, which the email passed or was made to pass through. That's also at the root of the spam problem. In the same way that anyone can send a postcard in your name, anyone can send a regular email using your name and email address.

NMA has developed ZSentry to protect your email against spam, spoofing and phishing emails, while adding a number of security and usability features that are missing in email, without changing your email address, Mail app, or provider. ZSentry also encrypts your email per-message, providing HIPAA and HITECH Safe Harbor compliance, as well as compliance with other privacy rules, with no Business Associate Agreement to be signed.

How does this work against spam, spoofing, phishing, and pharming? Rather than fight them, ZSentry prevents them by (among other features):
  1. authenticating the source (including the sender's location) of a message; and
  2. authenticating the name and email address of senders and recipients.
For example, if a Zmail (ZSentry Mail) comes to you from the email address <friend@isp.com>, and you can decrypt it using the ZSentry service, then you have strong, cryptographic evidence that it did come from that address as cryptographically authenticated during signup, with the original subject, date, body and attachment intact.

When a Zmail uses an encrypted link (an option selected by the sender), ZSentry also reminds users that they can copy-and-paste the ZSentry link rather than just click on it. This simple procedure prevents users from landing at a destination that was encoded in the email to be different from what they can read on the screen before they click.

Users can also beneficially apply a spam/spoofing/phishing filter prior to reading the Zmail, to reduce input email volume. However, the filter no longer has a critical, final function. This also means that the filter does not have to be set so tight that it rejects too many good emails (false positives), nor does one have to fear that it is letting through too many bad emails (false negatives).

A further benefit of the ZSentry approach is that it does not require the customer to update anything in order to remain protected.

Other approaches (solution X, a spam/spoofing/phishing filter) such as those based on email headers, reputation, non-verifiable metrics (e.g., community detection), blacklists, pattern detection, heuristics, zombie detection, and message scanning, can break privacy and may easily fail. One reason they fail is that spam and phishing emails are created in an arms race scenario, where defenders lag behind with less knowledge and resources and are often fighting (perhaps, even well) the last exploit but not the next. Exploits are also hard to filter because they have many variants, spoof various parts of email headers and body, and come in the name of people or organizations you trust — your friends and business contacts. You probably receive several emails from yourself (surely, it is a valid email address and one that belongs to a real, reputable person) that you never sent.

Training users to detect spam, spoofing and phishing adds costs and also frequently fails, as users cannot be trusted to follow procedures, are easily distracted, and may not understand the instructions in the first place. ZSentry does not depend on users learning ever-changing patterns, as this is one of the few things that has actually been shown not to work, or to work only poorly.

How about spam? ZSentry also has a zero-tolerance spam policy. There are several mechanisms in place to prevent any ZSentry user from abusing the system and sending Zmail spam. For example, ZSentry BASIC users can send a limited number of secure email Zmail messages a day. ZSentry PREMIUM users, who must provide valid payment information and a physical address in order to use the service, are allowed to send larger amounts of secure email.

GLOSSARY

What is a "spoof web site"?

A spoof website is one that mimics another website to lure you into disclosing confidential information. This can be done even with SSL (Secure Sockets Layer) using 128-bit encryption. To make spoof sites seem legitimate, spoof web sites use the names, logos, graphics and even code of the real company's site. They can even fake the https web address that appears in the address field at the top of your browser window and the "SSL padlock" that appears in the lower right corner of your browser.

What is a "spoof email"?

A spoof email has the "From:" header of the email, and possibly other headers as well, set to the email address of a different sender, to lure the recipient to read and act on the email. For example, using the email address of a friend, a legitimate company, a bank or a government agency. This is very easy to do with regular email. To make spoof emails seem legitimate, the email body uses the names, logos, graphics and even legitimate web addresses and email addresses in some fields. The action links in the spoof e-mails almost always take you to a spoof web site. Spoof emails can also be sent as an attack against you or your organization, with fraudulent offers, bogus announcements or malicious content.

What is a "phishing email"?

Phishing (or hoax) emails appear to be from a well-known company but can put you at risk. Although they can be difficult to spot, they generally ask you to click a link back to a spoof web site and provide, update or confirm sensitive personal information. To bait you, they may allude to an urgent or threatening condition concerning your account. Even if you don't provide what they ask for, simply clicking the link could subject you to background installations of key logging software or viruses. Every business on the Internet is a potential victim of phishing email attacks, eroding the trust of their customers in the company's communications.

What is "pharming"?

A pharming attack redirects as many users as possible from the legitimate website they intend to visit to malicious ones, without the users' knowledge or consent. A malicious site can look exactly the same as the genuine site. But when users enter their login name and password, the information is captured. Emailed viruses that rewrite local hosts files on individual PCs, and DNS poisoning, have been used to conduct pharming attacks. Even if the user types the correct web address, the user can be directed to the false, malicious site.
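The hosts-file variant of pharming mentioned above leaves a visible trace on the PC: a public name pinned to a fixed address, so the browser never consults DNS. The following is an added example, not code from the page or from ZSentry, that scans hosts-file text for such entries; the sample hosts file, the domain names and the address 203.0.113.45 are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file. The last two lines are the kind of entries a
# pharming trojan adds: a bank's and a mail provider's names pinned to an
# attacker-chosen address, so the browser never asks DNS at all.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       ads.tracker.test      # ad-blocking style override, harmless
192.168.1.10    printer.lan

203.0.113.45    www.examplebank.test examplebank.test
203.0.113.45    login.examplemail.test
"""

LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home")


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def pharming_entries(text, watch=()):
    """Report hosts-file entries that override names DNS should resolve.

    Flags any name that matches or sits under a watched domain (your bank,
    your mail provider), and any other dotted, non-local name that is
    pinned to an address other than loopback. Loopback pins are the usual
    ad-blocking practice and are only flagged for watched names."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if any(name == w or name.endswith("." + w) for w in watch):
            findings.append((addr, name, "watched domain overridden"))
        elif "." in name and not name.endswith(LOCAL_SUFFIXES) and not loopback:
            findings.append((addr, name, "public name pinned to fixed address"))
    return findings
```

On a real machine the text would come from /etc/hosts or the Windows equivalent, and the `watch` tuple would list the domains whose login pages you actually use.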

What is "spam"?

All Internet users should by now know about spam. The word spam as applied to email means Unsolicited Bulk Email. Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantially identical content. Usually, a message is spam if it is both Unsolicited and Bulk. Unsolicited email is usually normal email (examples include first contact inquiries, job inquiries, and sales inquiries). Bulk email is usually normal email (examples include subscriber newsletters, discussion lists, information lists, and update announcements).

Comments are welcome.