
SoylentNews is people

posted by Fnord666 on Tuesday August 20 2019, @05:54PM
from the do-you-have-a-phishing-license? dept.

Phishing is still the most common way for cyber attackers to gain entry into networks. Whether it's crooks looking for financial gain or state-backed hacking operations engaging in cyber espionage, it almost always starts with a message designed to make someone click a link or give away sensitive information. Just one person falling victim can be enough to provide hackers with the foothold they need to gain access to the whole corporate network and the confidential information stored within.

But blaming the victim rarely solves anything – especially given how phishing emails can be so highly tailored towards victims, meaning it can be almost impossible to distinguish a real message from a spoofed one created as part of an attack.

"It's fairly easy for an attacker to get hold of an email address and pretend to be somebody," says Amanda Widdowson, cybersecurity champion for the Chartered Institute of Ergonomics & Human Factors and human factors capability lead for Thales Cyber & Consulting.

[...] "There's a power play going on in a lot of these emails. There's somebody impersonating a position of authority, of seniority, effectively saying don't ask questions, just get it done, which is effective," says Tim Sadler, CEO of email security provider Tessian.

"When people send spear-phishing emails, they're taking on the persona or identity of a trusted person. That personalisation makes it highly effective in terms of getting the target to comply with the request, pay the invoice, do what they need to do," he adds.

[...] "There's very little to let the person receiving the email know the person they're receiving it from is who they say they are. It's a little asymmetric, asking a person to do the hard bit, then making not life easy for them," says James Hatch, director of cyber services at BAE Systems.

This behavior isn't restricted to email either; there are times when banks, utilities, telecommunications and other service providers will call customers out of the blue, and then ask the customer to provide their personal security details to verify it's them, yet the customer has no way of identifying if the call is a hoax or not.


Original Submission

  • (Score: 0) by Anonymous Coward on Wednesday August 21 2019, @07:02AM (#883001)

    "if you are john@fishco.com and someone sends a fully and properly SPF and DKIM secured message from john@FlSHCO.com you'll never catch it automatically"

    Huh? Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside). That means e-mails from inside fishco.com should never be routed through the outside MTA unless coming from inside. You can, and should, have a spam rule in place to flag local domains coming from the outside interface.

  • (Score: 2) by vux984 (5045) on Wednesday August 21 2019, @05:14PM (#883231)

    "You can, and should, have a spam rule in place to flag local domains coming from the outside interface."

    john@FlSHCO.COM is not a local domain. The l is a lowercase L, so it's really john@FLSHCO.COM.

    What spam rule would you have in place to flag a message that properly passes SPF and DKIM for FLSHCO.COM, an external domain coming from the external interface?

    "Why not? If you have a proper mail setup in place, you already have separated your user-facing MTAs (inside) from the Internet-facing MTAs (outside)."

    You also don't really need this if you have SPF and DKIM/DMARC set up. Instead of a spam rule flagging local domains from the outside interface, you publish a DMARC reject policy. At that point someone trying to spoof your headers would be caught and rejected because it lacked the signatures. It's actually a better solution because someone trying to spoof email as coming from you and sending to a 3rd party also gets rejected: if the 3rd party is checking DMARC policy they'll see that it's not signed properly and that your domain policy says to reject it if it's not signed.

    There's not really much advantage to the layout you've described, but there's certainly no harm in it as a 2nd layer -- defense in depth is impossible to criticize.