
Spoofing emails: The trickery costing businesses billions - hhs
https://www.bbc.com/news/technology-49857948
======
newguy1234
From my personal experience, the efforts being put into e-mail based attacks
are greatly increasing. My guess is low-level attacks that target a massive
amount of people indirectly are turning out to be less lucrative compared to
previous years. Probably due to better filtering and people generally being
more wise to it.

The new attacks I've seen, which happened to me directly as well, seem to use
more direct methods. Instead of just a blanket phishing e-mail, the e-mail
will come in as just being from an "old friend". The e-mail looks legit and
the person doing it even puts in efforts to know where you worked in the past
or your past history (my guess is they grab this data from facebook or similar
social media). They will talk to you and the story they give you sounds
completely legit. A lot of the stories they give you do sound legit and will
check out but they only check out due to being somewhat vague (like they know
where you worked but don't know exactly what you did there). The reason I was
targeted is most likely because I used mtgox (the first bitcoin exchange which
eventually got hacked - database stolen which included my e-mail address and
full name). My guess is they think I have a large stash of bitcoin or similar
cryptocurrencies.

The real shocker is they have a scary amount of personal information about
you. Some of this data I can only see coming from hacked databases from
compromised websites - date of birth, phone number, full work history, current
address etc. among others.

~~~
55555
What kind of email are they sending you that involves so much PII? Like, what
is their angle?

------
upofadown
>It was left to cyber-security experts to break the bad news to the firm:
emails are not to be trusted.

Well _unsigned_ emails are not to be trusted...

This is another example of people disparaging email while doing it wrong. This
sort of thing was totally solved over 20 years ago.

Perhaps we need to do the same sort of thing that is being done with non-tls
websites. Have email clients show a flag for anonymous emails. While we are at
it we could show a flag for emails sent in the clear as well.

~~~
panarky
Why not just quarantine every email that fails SPF?

~~~
upofadown
I think in this case they are just spoofing the "From:" address, not the
envelope address that SPF protects.

------
ackbar03
When I was in high school one of my friends showed us this affiliate marketing
site with some email function where you could send emails impersonating any
email address you want. Pretty much the next day we used it to spoof his crush
sending him some email hinting she liked him and he wouldn't stop bugging us
whether it was real or whether we were spoofing. He went on about it for a
whole semester. If only we got a bit creative.

Also that friend was a pretty weird guy but he went on to go to Stanford and is
now a co-founder of a large US tech company which a lot of people here
probably use.

Yup. I'm gonna go back to my dead end job now

------
stock_toaster
I’m surprised more companies haven’t just deprecated internal email entirely
for most employees (who don’t otherwise require a public facing one), as
workforces have moved more and more to chat systems.

------
jrockway
Doesn't DMARC solve this problem?

In my experience, enterprise email systems are pretty paranoid about email
that didn't go through them that claims to, as well.

~~~
jacobr1
DMARC does a great job at stopping direct domain spoofs. Like
jane.ceo@company.com (where company.com is at dmarc p=reject). But it doesn't
address display-name attacks "Jane CEO <ceo123@gmail.com>" or, as is
increasingly the case, compromises of real accounts, even those otherwise
protected with DMARC. But everyone should use dmarc, just like websites should
use https for the baseline protection.

~~~
jsiepkes
That last problem is probably more of a UI than a protocol thing. For example
if someone isn't in your address book you could make the background red or
not display the display name at all.
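
The display-name check described in the two comments above, as an added example (not code from the thread or the article): it parses a message, flags a sender missing from the address book, flags a known display name paired with an unknown address, and reports when the bounce (envelope) domain that SPF covers does not align with the header From domain. The address book, message and `org_domain` helper are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed address book for the demo: lower-cased display name -> trusted address.
ADDRESS_BOOK = {"jane ceo": "jane.ceo@company.com"}

# Constructed message: the display name claims to be the CEO, the mailbox is a
# free-mail account, and the bounce address is on a third domain.
RAW_SPOOF = b"""Return-Path: <bounce@mailer.example.net>
From: Jane CEO <ceo123@gmail.com>
To: cfo@company.com
Subject: urgent wire

Please process the attached invoice today.
"""

def org_domain(addr):
    """Crude organisational domain: last two labels. Hypothetical helper,
    fine for the demo; real DMARC alignment uses the public suffix list."""
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:])

def assess(raw, address_book=ADDRESS_BOOK):
    """Return the warnings a client could turn into a red banner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    warnings = []
    if addr.lower() not in address_book.values():
        warnings.append("sender not in address book")
    # Display-name impersonation: a name we know, paired with an address we don't.
    trusted = address_book.get(name.strip().lower())
    if trusted and trusted.lower() != addr.lower():
        warnings.append(f"display name {name!r} belongs to {trusted}, not {addr}")
    # SPF is evaluated on the envelope (bounce) address; DMARC additionally
    # requires it to align with the header From domain, so show a mismatch.
    if bounce and org_domain(bounce) != org_domain(addr):
        warnings.append(f"envelope domain {org_domain(bounce)} != From domain {org_domain(addr)}")
    return warnings
```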

~~~
est
An email UI problem is an email problem. Non-power-users have little clue about
how email works.

------
darkhorn
Use DMARC, DKIM, SPF, and SMIME certificates.

~~~
lowiqprogrammer
This was just a poorly worded title. The article mainly focuses on phishing
and social engineering, not actually spoofing a domain. But you have good
suggestions nonetheless, all domains should have protections.

------
parliament32
tl;dr: use PGP.

>but it's hard

If you're doing multi-billion dollar transactions with email as your sole
authorization structure, you can afford for it to be hard.

