On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the 
>sender's domain and your organisation's domains, e.g. by building a 
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. 
>That could be done for a small number of domains within a few hours. In 
>my experience results are impressive and it's really awesome to block 
>such a personalized attack, although this spoofing method is not used 
>that often due to its cost. Mail me if you want the core of the code to 
>do those checks. 

That sounds VERY interesting, Olivier! :)

What language is it written in?
I'll be contacting you off-list. :)

Have you used that technique to generate tokens for regular
phish prevention (e.g. all the myriad variations on Paypal)?


>You can keep a list of the executive names in your SA configuration, 
>but good luck on catching all variations.

That got me thinking...

Catching variations can NEVER be perfect; however,
performing EXACT matches is easy and reliable.

In most email systems, it's close to trivial to rewrite headers,
in particular the Subject header.

Given that (at each domain) the number of spear-phish-relevant
senders & recipients is very small, and we know whether they're
authenticated and sending from the "correct" IP(s), we can do
exact matching just on email "From" the pool of money-authorizers
and "To" the pool of money-movers, then modify the Subject at the
SYSTEM level with a "magic token" only known to the money-movers.

All other emails would remain unmodified.
Nobody else should know the current "magic token".

It took me about an hour of coding to add that to my post-SA
filter, and it has been in use at one of my domains (a charity) for
over a month.  They're not at high risk; however, they have been
receiving a steady trickle of well-targeted scams/malware and
have been worried, so were enthusiastic volunteers when I
explained what I wanted to experiment with.  They're not Techies;
however, they're attentive, cautious, and awesome at
asking questions & giving feedback. :)

I set it up on just one sending account (which has been regularly
spoofed), and three recipients.

I felt it would be easier (for the endusers) if we used a
two-part "magic token", with one part being human-readable &
"friendly", and one part being random (e.g. "[banana-38DYIT]"),
so the recipients could first screen on the easy to recognize &
remember part, then look up the random part on a printed list.
I asked the recipients to create their own list of "friendly"
tokens (and encouraged them to have fun with the task), then
generated a random token to pair with each, and set things up so
the two-part token automatically changes each weekend.  They keep
the printed list (tokens&dates) in a drawer.

So far, there have been no technical issues.
Satisfaction is high, and none of the three has expressed any
discomfort with seeing the extra token in their email clients.

After a couple of weeks, I sent a few RealName spoofs, and they
immediately spotted & reported all of them.  Disclaimer: they did
know I'd be testing them (and were enthusiastic about it).

One feature I'm considering adding, is removal of the token when
they reply to the Money-Authorizer/sender.  That would keep the
token private to the only people who need to see it.

** Can anyone think of any flaws in that, other than a cracked
Money-Authorizer account?
It's NOT idiot-proof; however, it does give attentive non-techies
a simple & easy-to-see "code", and puts zero burden on the
Money-Authorizers, who tend to be the ones resisting change.
It's a lot easier on sysadmins than using a desktop addon. :)


*** Yet Another Idea (not yet implemented):
Many companies have a helpdesk email address that endusers are
told to forward questionable email to.
Great in theory, but the problem is that there's a human in that
loop, and most endusers are deeply reluctant to appear ignorant
or risk being chastised for "wasting time".

What if there was a mailbox that ran software that performed a
detailed technical analysis, then sent back a human friendly
report?

For example, with the "drive-by malware" campaign that I posted
last week, almost all travelled thru two IPs located in "unusual"
nations, and the URL redirected to a 2nd URL at a newly
registered domain, which contained pure javascript.
The report might look something like:
        You have previously received email from "James Kirk",
        but <b>never</b> from the email address in this email.

        It was sent from <b>India</b>, thru Great Britain.

        It contained a link that was redirected to a brand
        new domain, which looks like <b>drive by malware</b>.

        Rating:  DANGER! DANGER! DANGER!

Blocking stuff like that campaign takes significant extra lookups
(particularly WHOIS) at gateway time, but time wouldn't be an
issue with a small batch of human selected "uncertain" emails.

Endusers should be told up front that the only time a human
Techie would see anything sent to it, is if it raised an alarm...
in which case, they'd get a prize & thanks. ;)
They could even be encouraged to send at least one per day, just
for "practice".

*** Does such software exist?
I suspect it may already exist, in which case someone here _WILL_
know of it. :)
It would have to be smart enough to look up the original complete
email just from a (worst case) Outlook/etc forwarded email (only
core headers), so may have to be platform specific (unless IMAP
is sufficient?).

Obligatory disclaimer:  I'm a programmer, not a sysadmin.
...though XKCD 705 is among my top 10 favorite Geek webcomics. :)
        - "Chip"
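Editor's added example, not Olivier's plugin nor Chip's filter: the lexical-distance check on the sender's domain that the quoted paragraph describes, as a small stand-alone Python post-filter. The organisation's domains (example.org, example-charity.org), the edit-distance threshold of 2 and the sample From: headers are all assumptions constructed for the example. It goes one step beyond plain edit distance by also flagging the same name under a different TLD (example.com for example.org), which a threshold of 2 alone would miss; exact matches of our own domain are deliberately left alone, since those are a job for SPF/DKIM rather than this check.

```python
from email.utils import parseaddr

# Constructed configuration: the organisation's own domains (assumed names).
# A tuple rather than a set so that the "closest domain" choice is deterministic.
ORG_DOMAINS = ("example.org", "example-charity.org")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b, two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, lower-cased, without a trailing dot."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def lookalike(domain, org_domains=ORG_DOMAINS, max_distance=2):
    """
    Classify a sender domain against our own domains.

    Returns None for an exact match (SPF/DKIM territory, not this check) or for a
    clearly unrelated domain; otherwise (closest_org_domain, distance, reason) where
    reason is "edit" when the whole name is within max_distance edits, or "tld" when
    the part before the last label matches and only the TLD differs. The "tld" rule
    is an added heuristic beyond the plain edit-distance check from the thread.
    """
    if not domain or domain in org_domains:
        return None
    best = min(org_domains, key=lambda d: levenshtein(domain, d))
    dist = levenshtein(domain, best)
    if dist <= max_distance:
        return best, dist, "edit"
    name = domain.rsplit(".", 1)[0]   # naive: example.co.uk would yield "example.co"
    for d in org_domains:
        if name == d.rsplit(".", 1)[0]:
            return d, levenshtein(domain, d), "tld"
    return None


def scan(from_headers):
    """Return [(header, org_domain, distance, reason)] for headers that look like spoofs."""
    hits = []
    for header in from_headers:
        result = lookalike(sender_domain(header))
        if result:
            hits.append((header,) + result)
    return hits


# Constructed sample From: headers, not real mail.
SAMPLE_FROM = [
    '"James Kirk" <james.kirk@example.org>',     # genuine domain: not this check's job
    '"James Kirk" <james.kirk@examp1e.org>',     # digit 1 for letter l
    '"James Kirk" <james.kirk@exarnple.org>',    # "rn" standing in for "m"
    '"James Kirk" <james.kirk@example.com>',     # same name, other TLD
    '"Newsletter" <news@mail.example.org>',      # legitimate subdomain, far in edits
    '"Someone" <someone@unrelated-shop.net>',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FROM):
        print(hit)
```

Running it over the sample list flags the three James Kirk look-alikes and nothing else: the genuine domain and its subdomain pass, and the unrelated domain is too far away. Pair it with a display-name match on the executive names mentioned in the thread if you want to keep the false-positive rate down on a larger domain list.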

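Editor's added example of the "magic token" Subject rewrite from the message above; it is not Chip's post-SA filter, and every address, network, token pair and sample message in it is constructed for the example. It does exact matching only: From in the money-authorizer pool, at least one To/Cc in the money-mover pool, the session authenticated and from the expected network (203.0.113.0/24 is documentation space standing in for the "correct" IPs). Qualifying mail gets a two-part "[friendly-RANDOM]" token prepended to Subject, chosen from a printed list that rolls over with the ISO week. Everything else has token-shaped text stripped, which implements the "remove the token on reply" feature Chip is considering and, as an added check, also stops an outsider who guessed the friendly half from pre-inserting a token into a spoof.

```python
import re
import secrets
from datetime import date
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from ipaddress import ip_address, ip_network

# Constructed configuration (assumed addresses and networks, not from the original post).
AUTHORIZERS = {"director@example.org"}                         # money-authorizer pool
MOVERS = {"treasurer@example.org", "bookkeeper@example.org"}   # money-mover pool
AUTHORIZER_NETWORKS = [ip_network("203.0.113.0/24")]           # the "correct" sending IPs

# One (friendly, random) pair per week. Friendly halves are chosen by the recipients;
# random halves come from new_token_list() and go on the printed list in the drawer.
# Fixed here so the example is reproducible.
TOKEN_LIST = [("banana", "38DYIT"), ("pelican", "K7Q2ZP"), ("teacup", "X91MVB")]
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: easier to read off paper
TOKEN_RE = re.compile(r"\[[a-z]+-[A-Z0-9]{6}\]\s*")
EXAMPLE_DAY = date(2016, 6, 30)     # the Thursday this message was written
NEXT_MONDAY = date(2016, 7, 4)      # first day of the following ISO week


def new_token_list(friendly_words, rng=secrets):
    """Pair each user-chosen friendly word with a fresh 6-character random part."""
    return [(w, "".join(rng.choice(ALPHABET) for _ in range(6))) for w in friendly_words]


def token_for(day, token_list=TOKEN_LIST):
    """Token in force on a given date; it rolls over at the weekend (ISO week, Monday start)."""
    friendly, rand = token_list[day.isocalendar()[1] % len(token_list)]
    return f"[{friendly}-{rand}]"


def addresses(msg, *headers):
    """Lower-cased addresses found in the given headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {a.lower() for _, a in getaddresses(values) if a}


def qualifies(msg, client_ip, authenticated):
    """Exact matching only: From in the authorizer pool, a recipient in the mover pool,
    the session SMTP-authenticated and coming from an expected network."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in AUTHORIZERS or not authenticated:
        return False
    if not any(ip_address(client_ip) in net for net in AUTHORIZER_NETWORKS):
        return False
    return bool(addresses(msg, "To", "Cc") & MOVERS)


def filter_message(msg, client_ip, authenticated, today):
    """Post-filter step. Qualifying mail gets the current token prepended to Subject.
    Everything else has token-shaped text removed: that covers a money-mover's reply
    to the authorizer (token stays private) and also stops an outsider pre-inserting a
    guessed token (added check, not part of the scheme as posted). Returns the new Subject."""
    cleaned = TOKEN_RE.sub("", msg.get("Subject", ""))
    if qualifies(msg, client_ip, authenticated):
        new = f"{token_for(today)} {cleaned}".rstrip()
    else:
        new = cleaned
    if "Subject" in msg:
        msg.replace_header("Subject", new)
    else:
        msg["Subject"] = new
    return new


def make_msg(frm, to, subject):
    """Constructed test message."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = frm, to, subject
    return msg


if __name__ == "__main__":
    genuine = make_msg("director@example.org", "treasurer@example.org", "Pay invoice 1234")
    print(filter_message(genuine, "203.0.113.10", True, EXAMPLE_DAY))
    spoof = make_msg('"Director" <director@example.org>', "treasurer@example.org",
                     "[teacup-X91MVB] Urgent wire")
    print(filter_message(spoof, "198.51.100.7", False, EXAMPLE_DAY))
```

Two things worth noting when wiring this into a real post-SA filter. The token must be applied after authentication and IP checks are known, not on the From header alone, or the spoof case above would be tagged too. And the stripping branch is what answers Chip's own question about flaws beyond a cracked authorizer account: without it, a mover who forwards or replies outside the pool leaks the current token, and an attacker who has seen one can replay it until the weekend rollover.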