>> Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages.
Haha, yes that's true: we still do not have the universal fraud detector and stupidity prevention algorithm. Seriously, this is not a system security problem. If you have high-level employees in the finance dept. of your company that will initiate a wire transfer on the basis of an unsigned, unencrypted email from an untrusted domain, that is a policy/standards/personnel issue.
Probably not many, but simply acting on the authorization of any email, not to mention one that is not from the CEO's corporate account, is astoundingly credulous behavior. It shouldn't actually _be_ astounding, I suppose, given the number of people who fall for online scams, but we're talking about people within a corporation who have the authority to move large amounts of money between accounts. So yeah, still astounding to me :).
On a totally segregated classified messaging system. Who knows if it's protected by more than obscurity, but it's definitely protected by obscurity.
Government officials commonly have 2 computers and 2 phones, one classified and one unclassified.
Hillary is alleged to have handled a little bit of classified information through her unclassified system, but it's not like she was routinely moving state secrets through civilian email.
If this is happening, then internal audit procedures are non-existent, as any significant finance decisions should involve a minimum of two people to authorise transactions to minimise fraud in the first place.
That's embarrassing. Isn't it the CFO's job to use his or her discretionary judgment when approving transfers? I think we need to fix business cultures rather than build tools to think for us...
We've had a spate of fake emails between our CFO and CEO in our company.
Seeing as we use Google Apps for our email, it would be really nice if Google could warn in their interface that this email may have the CFO's address, but it did not come from internal mail...
I believe if you publish a DMARC policy for your domain, to reject unauthenticated email from your domain, then the forged emails wouldn't ever land in the inbox.
DMARC is a message to other entities about what you want them to do in case DKIM/SPF fails. In this case that wouldn't help as the problem is with your entity. So you would just have to reject things that fail your DKIM (or more practically, add a warning to the subject line).
In this case, the parent is using Google Apps, and is receiving forged outside emails "from" their own domain, to recipients within that domain.
The way to tell Google Apps "don't accept outside forged emails from my domain" is a DMARC policy, combined with the pre-reqs for that. Google Apps happily puts forged emails (from your own domain) into your inbox if you don't.
>> DMARC is a message to other entities about what you want them to do in case DKIM/SPF fails
Yes, but it also drives what your hosted Gapps/Gmail instance does with incoming forged email for your own domain.
Google could provide a toggle or functionality to say what to do with failed DKIM and/or SPF more generally, for all domains...but they don't. I can tell you for sure that messages with failures for both regularly land in the inbox within my Google Apps Gmail.
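As an added illustration of the DMARC discussion above (this is not code from the thread or from Google), here is a small Python model of the receiver-side decision: a forged message with the CFO's From: address that carries no aligned SPF or DKIM pass falls through to the published `p=` policy, while a domain with no DMARC record gets no policy at all. It assumes a hypothetical domain example.com and simplifies relaxed alignment to a plain subdomain check rather than the Public Suffix List lookup RFC 7489 specifies.

```python
# Constructed DMARC record, as it would be published at _dmarc.example.com (hypothetical domain).
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    also accepts a subdomain. Simplification (assumption): the From: domain is
    treated as the organizational domain instead of deriving it from the PSL."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if auth_domain == from_domain:
        return True
    return mode == "r" and auth_domain.endswith("." + from_domain)


def dmarc_disposition(record, from_domain, spf_domain=None, spf_pass=False,
                      dkim_domain=None, dkim_pass=False):
    """Return 'pass' if an aligned SPF or DKIM pass exists; otherwise the
    published policy ('reject', 'quarantine' or 'none'). With no record,
    the receiver has no policy to apply and the message is treated normally."""
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    # Forged "CFO" mail: SPF passes only for the attacker's own sending domain, no DKIM.
    print(dmarc_disposition(EXAMPLE_DMARC, "example.com",
                            spf_domain="bulk.sender-example.test", spf_pass=True))
    # Same forgery against a domain that publishes nothing: no policy applies.
    print(dmarc_disposition(None, "example.com",
                            spf_domain="bulk.sender-example.test", spf_pass=True))
```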