Ever since email has become popular, perhaps the one most
effective way bad guys have been exploiting people is with spear phishing
attacks. These are the email messages sent to specific individuals, or
sometimes a whole group of people, to try and make them click on a link or open
a file that contains a virus. From the compromised systems, attackers can do
anything the user can, including read keystrokes, record passwords, documents,
banking information, and so on. Phishing emails have become such a problem that
a number of security procedures have been set in place over the years in order
to protect us from these types of attacks. As IT pros, we deal with the
aftermath. We handle the users and systems that already were compromised. Here
is a look from the other side, showing an inside view as to how these emails
are crafted, designed, and sent out, along with some of the barriers that these
people have to go over.

There’s a misconception in the general public that the only people
able to hack into large corporations are uber geeks, dressed in fancy clothing,
and paid millions by organized crime in order to carry out their attacks. In
most cases, that’s just not the case. Most hacks don’t happen because some very
intelligent hacker figured a way to break an encryption method; instead they
happen because someone makes a mistake. It could be that the designer of one of
the corporation’s many web portals left a bug in, and someone finds it, or more
often than not, after the attacker sends thousands of phishing emails, just one
person inside the organization takes the wrong decision and opens it. From
there, the attacker just gained a foothold inside of the corporate network. People
might do it for fun, for an act of hacktavism, or for money, turning the hacked
data over to criminal organizations, often for just a few dollars per account
stolen.

The barriers to spam and phishing emails

The first challenge for the bad guy is SMTP itself, the protocol used to
send emails. In the old days, anyone could run their own mail server in their
house and start sending spam emails. Now, most Internet providers are much
stricter. Many block you from sending emails by yourself, instead requiring you
to use an outside service such as Gmail, Yahoo or Hotmail. These in turn have a
lot of filters and automated checks in place to detect and block unwanted
emails. Using traditional email clients would not be very effective if you want
to send a lot of phishing emails, so what attackers typically do is use a bulk
mailing software to defeat some of these protections. Modern tools include all
sorts of features that allow them to get their emails through. The first is the
ability to stagger sending. By clicking one button, you can have the program
send emails all night long with a few seconds pause in between each. They also
offer proxy features. By loading a list of proxy addresses, or servers that can
work as relays, they can appear to come from various addresses all over the
world.

The next set of barriers is aimed at analyzing the received
messages and trying to see if they are legit. One big feature of phishing
emails is that they appear to come from a legitimate domain, but in fact are
not. If the attacker is attempting to make you believe the email is coming from
PayPal, then the From address has to have that domain name in it. This
is where two technologies come into play: SPF and DKIM. The Sender Policy
Framework, or SPF,
works at the SMTP level to check if your originating IP is authorized to send
emails on behalf of that domain name. Domain owners simply set a TXT record in
their DNS that specifies which hosts are allowed to send email from them.
Obviously, if someone in Russia is attempting to send email that claims to come
from the US PayPal domain name, that should raise a red flag, and it does,
thanks to SPF.

DKIM doesn’t
check IPs, instead it signs message content. The DomainKeys Identified Mail
standard is used by many mail servers and adds a header to any email message
that goes through that server. Then, other servers that receive this message
can query the DNS system for the key to verify the signature. That way a person
or organization can take responsibility for messages sent from a particular
domain. Of course not all domains use SPF or DKIM, but if they do, they can
advertise that fact with a DMARC
entry in their DNS. Finally, there’s one last way to prevent a bad email from
arriving in the first place, and that’s with black lists. Spamhaus is perhaps the most well known provider
of spam lists. In partnership with many Internet companies out there, they keep
track of IP addresses that send spam, and create lists of blocked addresses.
That way, a server can quickly check the originating IP, and if it’s on the
list, then it simply closes the connection, forcing attackers to constantly
look for new proxies.

If an attacker is clever enough to bypass these protections,
then the only protection left is in the form of spam filters, often installed
either on a web server or on local computers as part of an anti-malware
solution. Spam traps are used in order to identify phishing emails, which is
why crafting the message itself is one of the most critical tasks for bad guys.
These traps look at the content itself and try to find out if it’s a dangerous
message. This can include how old the domain name is, such as if it was
registered just a few days ago, then it may be a disposable domain name used
for phishing. If there are links, then do the links go to different places than
what the text says? That is an old and effective way to mislead users. The From
address is also critical, and how many web mail systems can alert you that a
message might be spam, if the actual origin is different than what the user
sees? Attachments used to be a big attack vector as well, but now modern
clients block unsafe attachments, and scan others. HTML is now a standard for
email instead of plain text, so care must be taken by email clients to make
sure it’s valid code, and the content doesn’t include red flags like scripts,
badly formed tags, frames, and so on.

The fact that there are so many different servers and clients
out there, and so many attackers trying to get in, means phishing is unlikely
to stop. Typically, getting in isn’t the result of finding a new, miraculous
way to break one of these protections. Instead, it’s a long and tedious process
from the bad guys of sending slightly altered messages and seeing if they get
through, until they get it just right. After all, the balance is heavily on the
side of attackers if they have enough patience. Your protections have to block
every bad email, while the attacker only needs to have one get through and be
opened up.