Spear Phishing Swims Past E-Mail Filters

When it comes to fighting phishers, users may be the best line of defense.

In an experiment, penetration-testing company PacketFocus initiated a spear phishing attack that it says popular e-mail services and appliances — such as Microsoft Outlook 2007, Verizon Email Cloud Filtering and Cisco IronPort — failed to filter. Detailed in a report here, the experiment was conducted in September with the intent of determining the effectiveness of e-mail security controls.

Unless you are a phisher, the results were not good.

“It’s a problem in SMTP,” said Joshua Perrymon, CEO of PacketFocus. “I just wanted to show that none of the current e-mail security protection controls (cloud, e-mail security software, e-mail security appliance, e-mail gateway, desktop software, e-mail clients, smartphones) can correctly identify or protect against a directed phishing attack. The core problem is with SMTP itself and the general idea of ‘operations before security.'”

In his test, Perrymon sent a fake LinkedIn e-mail designed to resemble a legitimate LinkedIn invite from Microsoft Chairman Bill Gates. The fake invite spelled LinkedIn as “LinkedIN” in the “from” field of the message. According to Perrymon, he was able to get the spoofed message around filters 100 percent of the time.

“Technically, SMTP can do nothing to protect against these attacks,” he said. “It doesn’t provide authentication and is easily spoofed. If you look at marketing e-mails, 99 percent of them are designed just like a phishing attack. They are spoofed, contain links to different domains, track users, harvest user data, etc. So to technically protect against phishing attacks will break e-mail marketing.”

Many users don’t know how to identify a real phishing attack, he continued.

“I would recommend training often and through a variety of mediums,” Perrymon said. “Adult learning is not my specialty, but my readings suggest that SCORM-compliant online training is the way to go … Companies also need a portal or application that allows users to report potential attacks. This creates awareness, and also provides a paper trail for auditing.”

As for vendors, they need to determine an effective way to quarantine spoofed e-mails and cannot rely on blacklists, he said.

“The mail server has to stop the attacks from getting delivered,” he said. “If it doesn’t, then the e-mail client has to. If that doesn’t work, then the browser is the last line of defense … I mean, how hard is it for vendors to perform a lookup on link domains to determine how long they have been registered? This is itself would mitigate much of the risk.”