SoylentNews is people
SoylentNews
BofA Phish Gets Around DMARC, Other Email Protections:
A credential-phishing attempt that relies on impersonating Bank of America has emerged in the U.S. this month, with emails that get around secure gateway protections and heavy-hitting protections like DMARC.
The campaign involves emails that ask recipients to update their email addresses, warning users that their accounts could be recycled if this isn’t done.
“The email language and topic was intended to induce urgency in the reader owing to its financial nature,” according to analysis from Armorblox. “Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”
The messages contain a link that purports to take visitors to a site to update their information – but clicking the link simply takes the recipients to a credential-phishing page that closely mirrors a legitimate Bank of America home page, researchers said.
The attack flow also included a page that asked readers for their ‘security challenge questions’, both to increase legitimacy as well as get further identifying information from targets, researchers said in a posting on Thursday.
“With the enforcement of Single Sign On (SSO) and two-factor authentication (2FA) across organizations, adversaries are now crafting email attacks that are able to bypass these measures,” Chetan Anand, co-founder and architect of Armorblox, told Theatpost. “This credential-phishing attack is a good example. Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security-challenge questions, which is often used as a second/additional form of authentication. Asking security-challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”
(Score: 2, Interesting) by RandomFactor on Saturday June 20 2020, @12:13AM
Hardly just banks, most Fortune 500 companies have adopted DMARC, although far less (around 20%) have moved it to a fully protective state.
DMARC is designed to overcome weaknesses inherent in SPF and DKIM.
With SPF and DKIM, shadow IT systems/forgotten legitimate ones can be caused to fail. Shutting down random applications (or making them unreliable) is actually NOT the goal (tempting though it can be.)
As a result implementation of SPF and DKIM was often done at weaker settings leaving the ability to spoof email in place for the criminals to use.
DMARC does two new things.
1) it actually allows for redundancy, if either aligned SPF or DKIM authenticate the email then it is authenticated for DMARC
2) it provides feedback. If a participating site receives an email that fails DMARC, a report is sent to the designated reporting address of the sending domain. This lets the IT Admins identify legitimate systems that aren't authenticating, fix them, and confirm that there is no failing legitimate traffic before switching DMARC to a strict (reject spoofed email) mode.
Implementing DMARC can be a long road for large enterprises but it helps protect both the business and its customers from impersonation and MITM type BEC attacks and really has little downside.
It is also a base requirement for BIMI, which is something that is going to get all the marketing types excited over time I think, so all the companies lagging are likely to start working on it since Marketing rules the world :-p
В «Правде» нет известий, в «Известиях» нет правды