Cybercriminals are the world's greatest opportunists. It's not unusual to see retailers react and respond to things in the news — holidays alone are evidence of this. However, nothing sells like an emergency, and this is even more true for criminals who use disasters, wars, and now pandemics as air cover to focus collective anxiety and fear into highly targeted, malicious messaging.
Cybersecurity professionals have a saying: "It's easier to hack people than systems." I think it's appropriate to add that people desperate for answers, solutions, cures, and vaccines are even easier to hack than those who have the space and time to consider the consequences of clicking a link, making a purchase, or logging in to a site they're not sure is real.
COVID-19 has created a massive opportunity for the criminal underground — COVID-related abuse skyrocketed by as much as 14,000% in a matter of weeks. Trusted sources of information like the World Health Organization, Centers for Disease Control, and others are being targeted by criminals using their names and brands to hide beneath.
This identity and trust problem isn't new. COVID didn't create the Internet's digital messaging woes — though it exacerbated the problem. Because we are glued to our phones, laptops, and televisions, desperate for any inkling that something will change for the better in the days and weeks to come, the opportunity is rife for abuse.
So, what can we do about this?
First, Let's Define the Problem
Phishing is a social engineering attack that is most often, but not always, conducted through email. The thrust of phishing messages can be anything from asking recipients to reconfirm their password (creating fear that their account has been limited or suspended) or any number of lures that compel us to log in to a fake site or send personally identifiable information to some netherworld where we're fleeced for as much as fraudsters can grab.
The rise of phishing tracks with the growth of the Internet and the growth of the Internet's first and most widely used communication mechanism: email. Email, as an open framework for people to share ideas and information (and yes, cat videos and memes) was designed more than 40 years ago when today's use cases weren't yet fathomable. It went largely unsecured over the years. However, as more people and businesses began to rely on the medium, the criminal world took notice. In the early 2000s, the problem had come to a head. As more people signed up, more abuse began to happen.
The Solutions Have Been Around
Organizations like the Messaging Malware Mobile Anti-Abuse Working (M3AAWG) Group were created to deal with problems of massive scale. Email was the first problem the organization and its members began to tackle and continue to work on today as the threat landscape and countermeasures have evolved.
Over the last 15 years, the Internet Engineering Task Force (IETF) has standardized new technologies to make it harder for cybercriminals to abuse the domains that send legitimate email. Three of these technologies — each a different component of email authentication — are essential to preventing a significant amount of the fraud we see today.
M3AAWG and its member organizations have endorsed the widespread adoption, use, and implementation of these technologies to protect wanted and crucial communications.
At its core, phishing is a social engineering attack that hijacks the trustworthiness of email. Recipients trust the from domain they see when a message arrives. Until email authentication was developed, anyone could send a message that appeared to come from any domain. With the following authentication standards in place, organizations and individuals can trust that the COVID-19 information they're sending or receiving is safe, accurate, and, in some cases, actionable. Our health and well-being should be the top priority right now, not being one click away from a digital catastrophe.
Sender Policy Framework (SPF)
At its core, SPF is a simple list that a domain owner publishes, telling the world which services are allowed to send mail for the domain. When an email is received, a simple check can validate if it has been approved. On its own, this does not stop abuse, but it is part of a layered system of checks and balances that help mailbox providers, such as M365, Gmail, and Yahoo Mail, discern the good from the bad.
While it's conceptually simple, there's a lot of technical nuance in maintaining a proper SPF record. Here's a detailed rundown of how to manage yours.
Domain Keys Identified Mail (DKIM)
DKIM is a cryptographic method of signing email that attaches a unique identifier to messages using public key cryptography, which has the added benefit of being able to tell if a message has been modified after it was sent, perfect for stopping malicious parties.
It's important that all parties not only sign all outgoing mail with DKIM but also ensure the DKIM signatures are aligned with the sending domain in the from header field.
Domain-based Message Authentication, Reporting and Conformance (DMARC)
The final piece of this puzzle is DMARC. With SPF and DKIM, there's nothing that tells a receiving mail system what to do if a message fails to authenticate. DMARC lets this policy be explicitly published, telling a receiving mailbox provider what to do with messages should they fail a check of both SPF and DKIM.
As with all things, the devil is in the details and the experts strongly advise domain owners to publish this record with a reject policy, ensuring that messages that do not pass aligned SPF or DKIM will not be delivered, shutting out bad guys from the inbox.
There are innumerable problems in the world now, and layering on a technical challenge, in addition to the obstacles we're all facing during this crisis, can be monumental.
If your communications are integral to helping inform and coordinate COVID response, then you need to take the necessary steps to secure your messaging infrastructure. Not only are we relying on scientists to keep us safe, but we have to rely on our tech experts at organizations such as M3AAWG, DMARC.org, APWG, and other tech and policy organizations to keep the systems we treasure free of abuse so that we can all be part of each other's socially distant circles and provide what comfort and care we can during this crisis.