Leveraging DMARC as a Key Component of a Comprehensive Fraud Program

Transcription

1 Leveraging DMARC as a Key Component of a Comprehensive Fraud Program Summary: Fraudulent messages and orchestrated attacks have eroded trust in as a communications medium to such an extent that it is nearly impossible for major financial institutions, retailers and marketers to authentically reach their customers. Fortunately, the DMARC draft specification, created by a group of leading providers, shows great promise for securing channels, reducing the amount of spoofed that gets received and improving threat intelligence and visibility around targeted attacks. This white paper explains the DMARC draft specification, and how to leverage it to reduce phishing attacks and strengthen customer trust in your communication.

2 Table of Contents < Why is Worth Saving 1 as a global communications medium has become so polluted that companies and individuals are moving to other channels such as social media to regain the ability to have a trusted conversation. But is worth saving because it is still the most efficient and effective way to communicate with customers and other businesses. An Introduction to DMARC 2 While authentication is not a new idea, DMARC is a technical specification that has been developed by leading providers to deliver an Internet-scale, federated policy, authentication, and enforcement framework for trusted delivery. As such, it has the potential to transform security as we know it. Why DMARC Matters, and Who Can Benefit 3 DMARC's rapid and widespread adoption is finally standardizing efforts to verify that s are actually from who they say they're from. This has positive implications for any organization that seeks to securely correspond and interact with their customers, which is to say, all organizations. 4 Challenges with Standalone DMARC Solutions DMARC is a huge step forward for message authentication, but there are other security issues that DMARC doesn't address. Standalone DMARC solutions are often inefficient, incomplete and expensive, since they only solve a portion of the fraud problems plaguing the channel. A much more comprehensive anti-fraud strategy is necessary to protect your brand and customers. 5 DMARC Compass with Detect Monitoring Service: Compliance and Attack Takedown DMARC Compass from Easy Solutions directly integrates DMARC reporting data to quantify abuse, facilitate attack deactivation, and to protect users. When combined with Detect Monitoring Service (DMS), your organization receives phishing attack takedowns, compromised card monitoring, brand intelligence and much more to give you a truly comprehensive anti-phishing and fraud protection solution. About Easy Solutions 6 Easy Solutions is the only security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. 2

3 Why is Worth Saving 1 Phishing attacks are wearing away trust in the channel as a means to communicate with customers, and are often at the root of major data breaches. To cite just one example, the Target breach was set in motion by a phishing attack launched against a third-party vendor that worked with Target, starting the chain of events that led to the theft of the credit cards and personal information of 110 million customers. And that's just the beginning of the problem; 100 billion spam s are sent around the world every day, resulting in over 2 billion dollars a year in losses due to phishing attacks. as a means to correspond globally has become so corrupted that organizations are starting to move their communications to other channels like social media, in the hopes that they can once again regain the ability to have a trusted conversation. This just opens up a new set of risks and privacy concerns. In fact, we are already seeing phishing attacks being launched through social media and mobile applications. Cybercriminals will always try attacks wherever potential victims might be lurking. Changing the communications channel only briefly postpones the new wave of attacks. So let's not declare that using to communicate with customers and other businesses is dead just yet. is an overlooked hero of the global economy, a medium of communication that may not be glamorous but remains the best way to stay in contact. Facebook, Snapchat, Whatsapp, and other supposed replacements are simply not adequate substitutes for personal business-to-customer communication and sensitive peer-to-peer messaging, let alone robust, secure communication between businesses. is worth saving and protecting because it remains the best way for companies to communicate with clients and other businesses. But something effective must still be done to stop phishing; over 120,000 phishing attacks were launched in the first half of 2014 alone. The Anti-Phishing Working Group reported that unique phishing attacks are launching at the highest level in five years, even with all of the varied security solutions that are available purporting to solve this problem. Emerging standards of authentication and encryption offer the best hope yet for making communication more secure. These are not new ideas, but the problem with most forms of authentication that have been developed up until now is that they depend on non-technically savvy end users to make those systems function and keep them working. A system that has a chance of succeeding has to be intuitive or most senders and receivers just won't use it. Fortunately, an Internet-scale, federated policy, authentication and enforcement framework for trusted delivery is already available, and the skeleton of this system is already deployed and supported by the biggest receivers on the planet. It's called DMARC, and it has the potential to greatly reduce the phishing attacks plaguing the channel. ¹ ² ³ 3

4 An Introduction to DMARC 2 DMARC stands for Domain-based Message Authentication, Reporting & Conformance, and it is an emerging delivery standard that improves trust between senders and receivers while also providing unparalleled external visibility. DMARC was developed by a group of primary receivers such as Gmail, Hotmail, Yahoo and others in an effort to restore trust to the sender/receiver relationship by reducing threats such as phishing, brand impersonation and -delivered malware. DMARC relies on senders to provide a method for authenticating messages, and for receivers to check this authentication and follow a specific enforcement policy provided by the sender to accept, quarantine or reject each message. All of this is done in a completely invisible way to the people on either end. DMARC relies on two other standards, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to allow senders to sign their outbound and announce authorized servers on each domain. SPF is an open standard that prevents the impersonation of senders through a record placed on a sender's domain's public DNS servers. Receiving mail exchangers can check that incoming mail being sent from a host authorized by the domain's administrators, and decide what to do with those messages that fail SPF validation. This standard lowers spam and messages with forged sender addresses, because those kinds of illegitimate messages will get caught in spam filters that check the SPF record. In this way, an SPF-protected domain is less likely to be blacklisted by a spam filter and legitimate messages from that domain are more likely to get through. 4

5 An Introduction to DMARC 2 DKIM is just like SPF, in that its purpose is to allow senders and receivers to verify the authenticity of a message. But in the case of DKIM, every sent from a legitimate mail server includes a digital signature in the header. This digital signature can then be validated by the recipient through use of the signer's public key in their DNS record. While SPF validates a message's envelope (i.e. the SMTP bounce address or the header that says who a message is from), DKIM signs a message's contents, including the headers. SPF validates the sender's address compared to the source server, and publishes a record that authorizes the IP addresses that are permitted to send on behalf of a domain, while DKIM validates the message header and body through cryptography. Essentially, DMARC leverages both of these widely used mechanisms to create a transparent handshake between the and sender via DMARC policy records presented as DNS TXT records. If a received fails both DKIM and SPF under a DMARC policy, the sender will then be asked what to do with the mail (accept, quarantine or reject it). 25,000,000 Number of messages spoofing PayPal that were rejected during the 2013 holiday buying season thanks to DMARC monitoring. In addition to unifying policy around SPF and DKIM, DMARC also provides visibility into the channel, so that organizations can see what attacks are being launched and assess fraud patterns. DMARC-compliant mailbox providers give feedback about every message that can't be authenticated in the form of two different reports: Aggregate (RUA) and Failure (RUF) reports. The RUA report contains consolidated information about all s processed by destination servers, arriving in an XML format, usually within a zip file. RUA reports include information about the IP address of the sending server, the sender domain, the number of sent messages, whether the messages passed DKIM and SPF policies, and what action was taken with the message after it passed or failed. The RUF is only sent after a failed is detected, with detailed information about the message including the contents of the body of the and the phishing domains its links contain, in an.msg attachment. RUA reports are always sent, but some providers decide not to send RUF reports. These two reports provide visibility into the current health of your channel. Fraudulent R U A - R e p o r t s Genuine The DMARC standard has remarkable promise, because when it is fully standardized and globally deployed, it can fix a fundamental flaw in the technology underpinning the Internet: the easy anonymity that allows cybercriminals to impersonate other entities to launch attacks. While it is not an official Internet protocol yet, DMARC has already shown so much progress and potential in cutting down phishing and spam that it is already supported by 70% of all mailboxes around the world, about 2 billion in total, including the planet's top 10 receivers. A number of prominent brands have already seen abuse drop by more than 50% when DMARC is deployed. ⁴ ⁴ 5

6 Why DMARC Matters 3 We saw a reduction of 5000% in the amount of spoofing claiming to be from a major corporation during their busiest season after implementing a DMARC reject policy John Rae- Grant, Gmail Product Manager Counterfeit s enable the perpetration of phishing, malware and spam. Established brands are often the lure used to trick unsuspecting customers. If a brand suffers numerous impersonation attacks, its communications with customers won't be trusted. Brands need to protect their businesses and clients with aggressive attempts to reduce spam, phishing and spoofing that leverage their trademarks and name. The time and resources spent on brand awareness and engagement through marketing can be undone in an instant with a successful, massive phishing incident; a recent poll found that 71% of U.S. adults with bank accounts would be at least somewhat likely to change banks if they became a victim of an online banking fraud attack at their present bank, to cite just one example.⁵ DMARC offers organizations a way to vastly reduce the possibility of falling victim to such an attack. DMARC is important because previous efforts to verify that s were authentic were not standardized, and tended to try and authenticate in isolation from every other part of the chain. Receivers made decisions about how to evaluate authenticity on their own, and domain owners could never be sure if receivers were getting messages from imposters. DMARC solves this problem of many uncoordinated efforts to prove that s are genuine by bringing them all together under one standard that all senders and receivers are invited to use. A reliable way to determine real messages from fake ones is taking shape, which will make the ecosystem a little bit safer in the near future and potentially a whole lot safer in the long term, improving the quality of the communication that is so necessary for businesses and their marketing teams to thrive. This means that any organization that relies on or sees value in a trusted -based communications channel with their customers stands to benefit from DMARC's implementation. A few examples are illustrated in more detail below: Banks If your customers cannot figure out which s are actually from your financial institution, and which are from phishers, this dilutes customer confidence in your brand. This is not just an academic question. In the case of Experi-Metal, Inc. v. Comerica Bank in 2011, an employee from a Michigan metal works company clicked on a phishing that was supposedly from Comerica bank, of which the company was a customer. Following a link in the , the employee entered their credentials to enter the banking site, which was actually a fake site put up by cybercriminals. As a result, the cybercriminals were able to gain access to the company's accounts with the bank, and fraudulent transfers totaling more than half a million dollars were made and never recovered. Courts later held Comerica liable for those losses, and now that a legal precedent has been set, there's no telling which bank may be next. DMARC can make sure the vast majority of fraudulent s never reach unsuspecting customers in the first place. Retailers Recent breaches at a number of prominent retailers, including Target, Neiman Marcus and Home Depot, have shown vulnerabilities that exist at various points along the payments processing chain. But a breach is not the end of the damage that retailers and their customers suffer. Information stolen in these breaches is used to launch phishing attacks against the victim, oftentimes with the brand of the retailer at which the breach happened prominently displayed, offering help to mitigate the damage. But it's not just companies that have suffered a breach that could be affected. Fake s leveraging retailer brands offer discounts, promotions, coupons, promises of salacious content, and any other incentive they can think of to goad users into clicking on what is really a phishing message. By the time the customer and retailer realize what has happened, cybercriminals have claimed another victim and the retailer's ability to engage customers through has been battered. DMARC can maintain retailer brand reputations and their customers by shutting down these kinds of s before they ever arrive in an inbox. ⁵ 6

7 Why DMARC Matters 3 Marketers Ever wonder why your marketing campaign doesn't seem to be showing any results? You've spent the money, collected the addresses, and crafted a compelling message, but nothing seems to be coming from it. Before DMARC, marketers had little idea of the level of risk they might be exposed to from phishing or spoofed s. But with all the data DMARC provides about authentication, marketers can be more proactive in singling out and stopping attacks while making sure that their legitimate messages are the ones their targeted customers actually open. Spam s don't even get delivered, and open rates for your campaigns will go up as your customers will click on fewer spoofed s and have more trust in the s your organization actually does send. Bottom line: if you communicate with your clients over , DMARC provides a clear path to being able to preserve a monopoly on s being sent in your organization's name, so that the trust crucial to making thcat ommunication effective is protected. 7

8 Challenges with Standalone DMARC Solutions 4 Contracting a security provider to help implement a DMARC policy can be helpful, especially during the process to calibrate compliance with the policy. The process to organize internal flows to the point where an organization can be confident that its DMARC policy is only deleting unauthorized messages can take from one to two years for a large company, and adjusting an effective DMARC policy requires a lot of precision. DMARC compliance encourages a number of excellent best practices regarding hygienic and trusted flows, including increased use of signing and stronger domain management processes. The value of any DMARC analytics solution is that it provides clients the tools to further adopt DMARC, reach 100% compliance and eventually move to what is called p=reject, where any sent in the organization's name and domain can be safely rejected without having to worry about genuine communications being rejected by accident, and permitting a consistent policy to be applied to unauthenticated messages. But the benefit of a standalone DMARC tool purchased just for this process diminishes sharply once full compliance is reached. When an organization adopts a policy that can tell the global Internet to delete all unauthenticated s, the value of a standalone DMARC tool that offers no further benefits will be called into question, especially if the cost of such a tool is high. DMARC is not a complete solution to the problem of -based fraud and phishing attacks. One issue that DMARC doesn't solve is that cybercriminals could conceivably create domain names that are similar to the target they are attempting to leverage in an attack, so-called sister or cousin domains. The deceitful domains could even be DMARC compliant, ironically enough. But because they are not attempting to spoof the full original name of the organization, DMARC can't catch them. And if DMARC can't catch them, a tool that only offers DMARC compliance can't stop such attacks either, and your organization can remain vulnerable even while paying an exorbitant price for a tool that just puts a dent in the amount of attacks. Another issue is full adoption by all providers and potential phishing targets. It is unclear when smaller banks and brands on the sending side of the equation will comply, or when smaller receiving organizations will do the same. In the meantime, DMARC can't authenticate what non-compliant organizations won't allow it to see. There is no way for a DMARC policy that is not universally adopted to block fraudulent s unless sending and receiving organizations make the effort to identify which messages should be rejected. In addition, there is no standardized way to respond to DMARC reporting; as noted earlier, compliant organizations may monitor, quarantine or reject s, and many organizations worried about rejecting legitimate messages have not been able to calibrate their policies confidently enough to go the full p=reject route. That means fraudulent messages can continue to cause trouble, even on DMARC compliant domains. Standalone DMARC solutions are often inefficient, incomplete and expensive. DMARC compliance is much more valuable as a feature of a comprehensive threat detection and mitigation approach. DMARC will not be a cure-all that eliminates all attacks, and when attacks still get through, a standalone DMARC tool will have nothing else to offer. A more holistic security strategy can comprehensively fight fraud and phishing attacks however they are delivered. It is helpful to think of fraud as a concept in three separate stages of its life cycle. The first stage is planning, where a cybercriminal begins searching for vulnerabilities in an organization's infrastructure to exploit. Then there is the launching stage, where a criminal is able to infect an unsuspecting user with malware or steals user passwords for access to sensitive information and accounts. Finally, a typical attack ends with the cashing stage, when a cybercriminal is actually able to remove money from an account. 8

9 Challenges with Standalone DMARC Solutions 4 If phishing s are arriving to your customers' inboxes, then cybercriminals are already well on their way to accomplishing the second phase of the attack cycle. Your customers are only an ill-advised click away from allowing their devices to be infected. DMARC allows you to remove s from the Internet before your customers receive them; ultimately stopping attacks at the planning stages. But as was mentioned before, DMARC can only stop attacks that attempt to spoof your domains. Phishing attacks using sister domains, or sent through social networks and mobile application stores will still get through to your end users even if your p=reject policy is calibrated perfectly to stop spoofed domains from sending s in your organization's name. Rudimentary DMARC solutions have no way to stop these kinds of attacks, and are only solving a small, if important, part of the phishing and fraud equation. DMARC is great as a control that can reduce the number of attacks delivered to your customers, but most solutions bolt on thirdparty threat mitigation, and can't handle it strategically. But that's not something you can tell your customers if they get phished using a spoofed domain outside of DMARC's protective abilities. DMARC is just the beginning of getting control of phishing attacks targeting your organization; it must be complemented by other multi-layered security strategies that stop attacks that DMARC is not designed to deal with. 9

10 TM DMARC Compass with Detect Monitoring Service: Compliance and Attack Takedown 5 DMARC Compass gives your organization the power to gain visibility into all message flows, proactively filtering attacks and restoring trust in your channel. Your organization can see analytics on all sent associated with your domain using the intuitive DMARC Compass portal, which lets you follow up on the results of SPF and DKIM validation tests as they are happening and provides an array of dynamic charts and graphs that give you an instant snapshot of your current DMARC compliance. With the data-driven DMARC Compass readiness workflow, you can accurately measure the gaps that your organization must still fill to get to full DMARC deployment, identify any configuration errors, see which domains sending s have the most authentication problems and stop any unauthorized 3rd-party vendors that might be sending s on your behalf. Integrated policy generation tools let you quickly and easily migrate to global blocking of fraudulent s and make sure that your customers only receive genuine messages from your brand. There is no new hardware or software to install since DMARC Compass runs entirely in the cloud, and it can go live start blocking attacks immediately. Once DMARC Compass is in place, you will be able to publish a DMARC policy that can parse RUA and RUF reports on a daily basis, leading to a dramatic reduction in attacks to mitigate and greatly reduced attack takedown times. How does the calibration of a DMARC policy developed by DMARC Compass work so that your organization is able to block spoofed s and enable the sending and receiving of legitimate messages? Easy Solutions initially recommends the deployment of a DMARC Monitor policy when first testing the waters of the standard. This policy only provides reporting and doesn't have any receiver-side enforcement, which guarantees no interruption of your mail flow, but still allows data to still be collected from participating receivers. DMARC Compass is still fully operational without 100% DKIM deployment and without SPF, and Easy Solutions recommends that DMARC be deployed first in order to gain complete visibility into the state of your internal DKIM and SPF policies. As the data shows that legitimate traffic is passing authentication checks, organizations can change their policy to request that failing messages be quarantined. Then, as organizations grow confident that no legitimate messages are being incorrectly quarantined, they can move to a "reject" policy, with full DMARC readiness and 100% adoption of SPF and DKIM for all internal and 3rd party senders. Your Organiza on s Spam, malware, and phishing a acks are eliminate Only genuine messages arriving to your customers on: Yahoo, Outlook, Gmail, Hotmail, LinkedIn, Facebook and more 10

11 TM DMARC Compass with Detect Monitoring Service: Compliance and Attack Takedown 5 DMARC Compass combined with our fraud monitoring solution Detect Monitoring Service (DMS), goes several steps beyond any other DMARC providers, stopping a wider range of attacks. Other DMARC solutions provide reporting, but DMS offers you the ability to glean intelligence from that reporting and use it to shut down attacks. Essentially, DMARC Compass limits the attacks delivered, and DMS cleans up the ones that still manage to sneak through. DMARC Compass with DMS provides complete visibility into streams, with real time attack monitoring, reporting and takedown, something other DMARC solutions are not equipped to deliver. Unifying the compliance of DMARC Compass with the proactive threat intelligence of DMS gives your organization a truly comprehensive way to combat fraud against your brand. 11

12 TM DMARC Compass with Detect Monitoring Service: Compliance and Attack Takedown 5 Additionally, when DMARC Compass parses RUF and RUA reports, which include detailed information about fraudulent s and/or phishing attacks, they are sent to the DMS platform for analysis and response. If phishing sites are found in these s, they are taken down. This means that DMARC Compass can even stop attacks that DMARC compliance checks miss, either because they are not spoofing a protected domain or because they are sent to mailboxes that are not using a DMARC policy. In fact, increased use of maliciously registered domains and subdomains is one of the main reasons that phishing attacks are on the rise.⁶ By taking phishing sites off the Internet entirely, DMS gives DMARC Compass a set of tools to pull out phishing attacks by the root and stop attacks that the most properly-adjusted DMARC policies are not meant to shut down. DMS can take down phishing attacks from any domain, not just those covered by DMARC, in an average of 3.6 hours, with attacks shut down proactively 76% of the time, meaning before our customers or their clients even knew an attack was happening. The DMS portal also provides advanced analytics to help clients visualize DMARC aggregate reporting data and work towards full DMARC compliance. No other DMARC platform or vendor can deliver monitoring of all phishing analytics and complete attack takedown in one place. DMARC compliance and attack takedown are just the beginning of the fraud prevention capabilities that DMS can provide. DMS also contains a number of other unique features for stopping cross-channel fraud, including: Black Market Monitoring DMS keeps tabs on black markets where stolen credit and debit card information and credentials are sold, so that organizations have a head start protecting customers after retail breaches. Once we recover this information, it is immediately relayed to our clients so that they can proactively safeguard their customers' accounts from possible fraud. By preemptively detecting cards that have been stolen but not yet used by fraudsters, DMS makes sure that banks can pinpoint the cards they need to reissue and avoid the customer losses that happen when they are cloned. There is very little banks can do to prevent these breaches, since they happen on infrastructure out of banks' control, but DMS can give your organization the tools to insulate your assets from the fallout and reputational damage that usually accompany such breaches. Brand Intelligence Convert brand mentions into strong fraud intelligence. DMS goes beyond phishing, pharming and malware detection and deactivation, also monitoring mentions of your brand across thousands of social media platforms, blogs and mobile app stores, giving your business an easy way to comply with FFIEC guidelines for managing risk in social media. DMS also monitors for malicious sister domains, in addition to identifying and stopping deceitful activity that aims to goad your customers into clicking on fraudulent websites or download malicious attachments. By constantly scanning all of these potential fraud environments, you can be sure that anytime your brand is mentioned you will be aware of it first. Collaborative Protection When DMS is integrated with Detect Safe Browsing (DSB), Easy Solutions' secure navigation platform, it offers collaborative protection that safeguards your entire customer population. Information collected from malware detected on customer devices running the DSB client can then be used to shut down the sites spreading the malware using DMS. It is not a matter of if your brand will be phished, but when. If you are not protecting your brand with every available tool at your disposal, you are inviting cybercriminals to phish it. While there is no doubt that the hackers will advance and come up with new social engineering schemes and methods to continue to perpetrate phishing attacks, DMARC has remarkable promise to shut many of them down. If and when it is fully standardized and deployed globally, it can fix an underlying defect in the technology that has underpinned the Internet from the very beginning to let anonymous hackers send spoofed s from another person's domain. Opportunities like this do not come along very often, and it is up to the security community at large to rally behind this standard's adoption. Information security, online trust, and anti-fraud are all adversarial pursuits and, like American football, a game of inches. Any chance we get to complicate the efforts of our adversaries while simplifying ours -- making theirs more expensive and more time-consuming -- is a small victory in a long game. The compliance assistance offered by DMARC Compass is the first step on the road to making your organization a harder target for phishing and other -based attacks, ensuring reliable risk management no matter how the fraud environment evolves. ⁶ 12

13 About Easy Solutions 6 Easy Solutions is a leading security provider focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from anti-phishing and secure browsing to multifactor authentication and transaction anomaly detection, offering a one-stop shop for multiple fraud prevention services. The online activities of over 60 million customers of more than 220 leading financial services companies, security firms, retailers, airlines and other entities in the United States and abroad are protected by Easy Solutions fraud prevention systems. Easy Solutions is a proud member of such key security industry organizations as the Anti-Phishing Working Group (APWG), the American Bankers Association (ABA) the Bank Administration Institute (BAI), the FIDO (Fast Identity Online) Alliance and the Florida Bankers Association (FBA). For more information, visit or follow us on Latin America Tel APAC Tel Headquarters Tel EMEA Tel. +44 (0) info@easysol.net Easy Solutions, Inc. All rights reserved worldwide. Easy Solutions, the Easy Solutions logo, DetectID, DetectID in the Cloud, DetectID in the Cloud for SugarCRM, DetecTA, DetectCA, DetectID Web Authenticator, Total Fraud Protection, Detect Safe Browsing, Detect ATM, Detect Monitoring Service, Detect Vulnerability Scanning Service, Detect Social Engineering Assessment, Protect Your Business and Detect Professional Services are either registered trademarks or trademarks of Easy Solutions, Inc. All other trademarks are property of their respective owners. Specifications and content in this document are subject to change without notice. 13