Deterring spammers and phishers
James McLaren, Senior Analyst, Jersey Cyber Security Centre
We’ve seen an interesting attack recently. Some malicious actor set up a domain and an email account that was one letter different from the real domain, acquired a copy of an invoice, and sent it to a known customer attached to a note saying that their bank details had changed. Fortunately the attack was spotted…
We took a little look at this. There’s actually very little that a small business can do about this sort of impersonation beyond human vigilance (there are tools, but they’re primarily for larger businesses). However, there are a number of things that can be done that will suggest to malicious actors that this is a hard target and they should go elsewhere.
Namely:
Account security: We won’t insult you by assuming that you haven’t got a good password and two-factor authentication on your email account and system access. To remind you, a good password is one that’s unique, easy for you to remember, but hard for a computer to guess: so a passphrase of three or four words (for a total of 20+ characters), maybe one capital letter and a number somewhere in it, is a good starting point. Store it safely and change it when you think it might have been disclosed. And if anyone is saying, “what is 2FA?”, please give us a call and we’ll explain why you need it!
SPF, DKIM and DMARC settings: These are three linked tools that help to prevent spam and phishing. Sender Policy Framework (SPF) gives domain owners a way to publish a list of IP addresses or email addresses that should be trusted for a specific domain. DomainKeys Identified Mail (DKIM) adds a signature to outgoing email that a receiver can verify, while Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM, first to report on which systems are sending mail from a domain, and later to quarantine any email being sent that’s not legitimate.
All three of SPF, DKIM and DMARC require that you have a public DNS record, and DKIM requires you to set up a public/private key pair. They are a little fiddly to get right, but the hassle is worth it. The two legitimate local businesses were some of the way there, but there were parts that were missing or misconfigured.
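To show what “missing or misconfigured” looks like in practice, here is a small lint for the two DNS TXT records involved. This is an added example, not a tool from the Jersey Cyber Security Centre: the records are constructed sample data for the hypothetical domain example.com, and in real use you would fetch the live TXT records (for the domain itself and for _dmarc.<domain>) and pass the strings to the same two functions.

```python
"""Lint SPF and DMARC TXT records for the common weak settings.

Added example; the sample records below are constructed for the hypothetical
domain example.com and are not anyone's real configuration.
"""
import re

# Constructed samples: a softfail SPF and a monitor-only DMARC record.
SAMPLE_SPF = "v=spf1 include:_spf.example.com ip4:192.0.2.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument: 'include:x' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record: str) -> list:
    """Return a list of findings for an SPF record; an empty list means it looks sane."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = terms[1:]
    # The final 'all' term decides what happens to senders not in the list.
    final = mechanisms[-1].lower() if mechanisms else ""
    if final in ("+all", "all"):
        findings.append("'+all' authorises every sender; SPF is useless")
    elif final == "?all":
        findings.append("'?all' is neutral; unauthorised senders are not flagged")
    elif final == "~all":
        findings.append("'~all' is a softfail; move to '-all' once DMARC reports look clean")
    elif final != "-all":
        findings.append("no 'all' term; unlisted senders get an implicit neutral result")
    lookups = sum(1 for m in mechanisms if _term_name(m) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms; the limit is 10 (permerror)")
    if any(_term_name(m) == "ptr" for m in mechanisms):
        findings.append("'ptr' is deprecated and slow")
    return findings


def lint_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record; an empty list means it looks sane."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("no 'p' tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        findings.append("no 'rua' address; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}; the policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for name, rec, lint in (("SPF", SAMPLE_SPF, lint_spf), ("DMARC", SAMPLE_DMARC, lint_dmarc)):
        print(name, rec)
        for finding in lint(rec) or ["no findings"]:
            print("  -", finding)
```

Run on the two sample records, the SPF is flagged for its softfail and the DMARC for p=none: exactly the “some of the way there” state described above, where the records exist but do not yet instruct receivers to reject forged mail.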
TLS settings: The current version of Transport Layer Security (TLS) is 1.3, and the previous version (1.2) is also viewed as providing satisfactory security. Anything below that is not (and both of the businesses were still allowing versions 1.0 and 1.1).
The problem here is that every time email is sent, a negotiation takes place. The sender says “I have mail for you.” The receiver says something like “OK, you can send it to me using TLS v1.3.” A normal sender might reply “I can’t do 1.3, but will 1.2 do?” and the receiver should agree to it. However, if the sender and the receiver can’t agree on a level, the mail will be sent across unencrypted.
So when you limit the number of acceptable versions of TLS for your email, you need something that will stop that happening. That something is MTA-STS, short for Mail Transfer Agent-Strict Transport Security. The simple upshot is that any mail where it isn’t possible to agree on a satisfactory TLS connection is blocked. Most mail service providers – the likes of Microsoft and Google – support it, but not out of the box, and neither of the local businesses had enabled it.
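The following added example (not code from the Centre or from any mail provider) shows the decision a sending mail server makes once a domain publishes an MTA-STS policy. The policy text is a constructed sample for the hypothetical domain example.com; in real deployments the domain announces the policy with a TXT record at _mta-sts.<domain> and serves the file itself at https://mta-sts.<domain>/.well-known/mta-sts.txt, and the sending server fetches both. The block assumes the post’s own threshold (TLS 1.2 or 1.3 is acceptable, anything lower is not) and leaves the actual network connection out.

```python
"""What a sending MTA does with a published MTA-STS policy (RFC 8461).

Added example, not code from the original post. SAMPLE_POLICY is constructed
for the hypothetical domain example.com; the TLS-version threshold follows the
post (1.2 and 1.3 acceptable) and is an assumption of this example.
"""
from typing import Optional, Tuple

# Constructed sample of the policy file a receiving domain would publish.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""

ACCEPTABLE_TLS = ("TLSv1.2", "TLSv1.3")


def parse_policy(text: str) -> dict:
    """Parse the 'key: value' lines of an MTA-STS policy. The mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_allowed(policy: dict, host: str) -> bool:
    """True if host matches an mx entry; a leading '*.' covers exactly one label."""
    host = host.lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".backup.example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_version: Optional[str],
                      cert_valid: bool) -> Tuple[bool, str]:
    """Decide whether to hand the message over.

    tls_version is None when STARTTLS failed and the session fell back to
    cleartext; cert_valid says the server's certificate matched mx_host.
    Returns (deliver?, reason).
    """
    if tls_version is None:
        reason = "no TLS (cleartext fallback)"
    elif tls_version not in ACCEPTABLE_TLS:
        reason = f"{tls_version} below TLS 1.2"
    elif not cert_valid:
        reason = "certificate does not match MX"
    elif not mx_allowed(policy, mx_host):
        reason = f"{mx_host} not in policy mx list"
    else:
        return True, "validated"
    # Only 'enforce' actually blocks; 'testing' delivers anyway and reports the
    # failure (via TLSRPT), which is how you safely work up to enforce mode.
    if policy["mode"] == "enforce":
        return False, reason
    return True, reason + f" (mode {policy['mode']}: delivered, failure reported)"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls, cert in (("mail.example.com", "TLSv1.3", True),
                            ("mail.example.com", None, False),
                            ("mail.example.com", "TLSv1.0", True),
                            ("mx9.attacker.example.net", "TLSv1.3", True)):
        print(host, tls, delivery_decision(policy, host, tls, cert))
```

The point of the last two cases is the one made in the text: without the policy, a server that is “tightened” to TLS 1.2 or above simply downgrades to cleartext when the other side cannot match it, and a forged MX record would be trusted. In enforce mode both outcomes become a hard refusal instead; in testing mode the mail still goes, but the failure is reported so the gap can be fixed before switching to enforce.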
There are a number of other tools you can use – the next step after the basics might be DNSSEC, which allows you to put a cryptographic signature onto DNS records. It’s an attractive idea, but it does introduce rather more complexity, and a lot of .com domains do not use it. And there’s also one non-technical process that you should have: if you are going to change important details like bank accounts, ensure that you have a way to carry out an out-of-band check, where the recipient can communicate (say) via a secure messaging app like Signal or WhatsApp whose details are not known by anyone else.
Let’s be clear: we are not sticking the boot in on the victims of the attack. But the problem is that if people think that one Jersey business or organisation is a soft touch, more malicious actors will try attacks here and that’s the last thing we want.
As our story shows, we are not immune: malicious actors do target Jersey. So… we really do need businesses and organisations in Jersey to do better and to be prepared for this sort of attack. And if you want us to check the status of your system (we have access to tools), we’re very happy to do so and to help you prepare for the next attacker.