On 12.07.2023 at 08:53:16 Bill Cole via mailop writes:
> For the overwhelming majority of sending systems, the only internal
> security benefit to implementing SPF/DKIM/DMARC is to make
> impersonation of local users by outsiders for the purpose of fraud
> (so-called "BEC") much harder.
> 
> For most sending domains, targeted forgery to the world at large is
> a non-problem. No one is out there impersonating you or me in email
> to random strangers for financial gain. Most businesses do not have
> widespread 'brand value' that can be stolen by random broadcast
> forgery.

Although I said that SPF/DKIM/DMARC adds little to security, I would disagree
with what you write here.

The problem is for recipients, not for senders.

Assume someone receives a forged mail claiming to be from a delivery company
(like DHL or similar) saying "Your package cannot be delivered, because an
additional delivery charge of $1 is required, please go here to pay: <and a
link to a fake payment gateway>".

Even if one in 1000 people who receive it logs in to the fake payment
gateway, and in turn has their online banking credentials intercepted
and their money stolen, it is HUGE damage if they send this phish to
millions of people.

The same type of attack can be performed by impersonating basically any
company that sells something online, because the key point here is to direct
recipients to the fake payment gateway, which allows the attacker to steal
their money ("their" == the recipients', not the impersonated company's).

Theoretically SPF/DKIM/DMARC should protect against it. But this type of
message is also very well recognized and filtered by antispam/anti-malware
software.

It's also enough for the attacker to use his own domain that is similar to the
impersonated one (for example dhl-courier.com or dhl-poland.com instead
of dhl.com; neither exists as of this writing) to pass all SPF/DKIM/DMARC
tests (while the antispam/anti-malware software should still properly detect
and filter the message).

Also, as I already said, this type of attack is usually carried out using
SMS messages to mobile phones, not email (at least the huge majority of phishing
campaigns of this type that were reported by security-related websites in my
country were carried out using SMS). I don't remember any serious phishing
incident in recent years that was related to email.

Maybe this is because of the more widespread use of SPF/DKIM/DMARC, but I rather
suppose it is because many more potential victims can be reached via phone
than via e-mail, and because it is much harder to verify on a phone what
website you are logging in to. The phishing message uses a link shortener
(which seems understandable because of the limited length of a text
message), people just click on that link and land on a website that looks
just like the real one they are used to.
-- 
Regards,
   Jaroslaw Rafa
   [email protected]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

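An added example for the lookalike-domain point in the message above (code written for this edit, not from the mailop thread or any of its participants): a receiving-side check that runs beside the DMARC verdict and flags a From: domain such as dhl-courier.com as an imitation of a protected brand, so that a "dmarc=pass" on an attacker-registered domain is not mistaken for proof of anything. The brand list PROTECTED, the Authentication-Results layout, the addresses and the three sample messages are constructed for illustration; the registrable-domain helper assumes two-label domains and uses no public suffix list.

```python
# Lookalike-domain check run beside the DMARC verdict (added example, not
# code from the thread). All names, brands and sample mail are constructed.
import email
import re
from email.utils import parseaddr

# Constructed brand list: registrable domain -> tokens an attacker would reuse
# in a lookalike domain. Tokens contain no separators.
PROTECTED = {
    "dhl.com": ["dhl"],
    "acme-pay.com": ["acmepay", "acme"],
}

# Digit-for-letter substitutions folded before matching ("dh1" -> "dhl").
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

AUTHRES = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.I)


def auth_results(msg):
    """Verdicts from the receiving MTA's Authentication-Results header(s),
    e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTHRES.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results


def from_domain(msg):
    """Domain of the RFC 5322 From: address, the one DMARC aligns on."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower().rstrip(".")


def registrable_domain(domain):
    """Assumption: two-label registrable domains, no public suffix list.
    Good enough for the .com samples below; wrong for e.g. co.uk."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def lookalike_brand(domain):
    """Return the protected brand `domain` imitates, or None.
    The genuine domain and its subdomains are never lookalikes; any other
    registrable domain whose leftmost label carries a brand token as a
    separate piece, prefix or suffix is flagged. This is a filter signal,
    not a verdict: short tokens will give some false positives."""
    if any(domain == b or domain.endswith("." + b) for b in PROTECTED):
        return None
    label = registrable_domain(domain).split(".")[0].translate(FOLD)
    pieces = [p for p in re.split(r"[-_]", label) if p]
    joined = "".join(pieces)
    for brand, tokens in PROTECTED.items():
        for tok in tokens:
            if tok in pieces or joined.startswith(tok) or joined.endswith(tok):
                return brand
    return None


def classify(raw):
    """Classify one raw message as (verdict, from_domain, imitated_brand)."""
    msg = email.message_from_string(raw)
    dom = from_domain(msg)
    brand = lookalike_brand(dom)
    if brand is not None:
        # The attacker owns this domain and publishes SPF/DKIM for it, so a
        # DMARC pass is expected here and says nothing about the brand.
        return ("lookalike", dom, brand)
    if auth_results(msg).get("dmarc") == "pass":
        return ("authenticated", dom, None)
    return ("unauthenticated", dom, None)


# Constructed sample headers, not real mail.
LOOKALIKE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=dhl-courier.com;
 dkim=pass header.d=dhl-courier.com; dmarc=pass header.from=dhl-courier.com
From: "DHL Delivery" <delivery@dhl-courier.com>
Subject: Your package cannot be delivered

An additional delivery charge of $1 is required: https://pay.dhl-courier.com/
"""

DIRECT_FORGERY = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=dhl.com;
 dkim=none; dmarc=fail header.from=dhl.com
From: "DHL Delivery" <delivery@dhl.com>
"""

GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=dhl.com;
 dkim=pass header.d=dhl.com; dmarc=pass header.from=dhl.com
From: "DHL" <noreply@dhl.com>
"""

if __name__ == "__main__":
    for raw in (LOOKALIKE, DIRECT_FORGERY, GENUINE):
        print(classify(raw))
```

The three samples show the three cases the message distinguishes: a direct forgery of dhl.com fails DMARC and is caught by authentication alone; genuine mail passes; the lookalike also passes, which is exactly why the lookalike check has to run regardless of the DMARC result. In a real filter the brand list would come from threat intelligence and the registrable-domain split from a public suffix list rather than the two-label shortcut assumed here.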