The majority of attacks are no launched from the web, but this has not stopped email from being abused. Yet new measures are being put in place to further secure email and Tara Seals looks into DMARC and other options.
Email is one of the most popular vectors for attacks by cyber-criminals, and no wonder: the vast majority of those with internet access use it every day, which opens up a ripe landscape of opportunity for nefarious types.
To boot, email was built insecurely and without authentication—which enables cyber-criminals, hacktivists and nation-state actors to impersonate (or “spoof”) legitimate organizations’ identities.
To help combat this, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) specification has been developed for web-based mail, which makes it virtually impossible for attackers to spoof, or fake, emails from a protected domain. Essentially, a DMARC policy combats this by allowing a sender to indicate that its emails are protected, and tells a receiver what to do if none of the accepted authentication methods passes.
The initial spec was published on 18th March 2015, and it’s in the process of being adopted as the official input to the IETF DMARC Working Group. DMARC is now in the final stages of standardization, and 2016 is likely to be a big year for adoption, especially as Gmail Enterprise and cloud-based email providers move forward to integrate DMARC into their email platforms and email gateway solutions. DMARC supporters are also looking to additional use cases for the technology as part of a second wave of protection.
A Problem That Had to Be Solved
Email attacks are most commonly carried out after cyber-criminals hack into user accounts. Hackers can scrape the victims’ address books, and then use a different server to spoof messages from the hacked user to his or her own contacts. They do this for spam and fraud purposes, for phishing and to spread malware.
“Most people don’t know that when the fundamental email protocols for the Internet were designed in the early 80s, functionality was favored over security and the protocols were designed to trust input, which made spoofing incredibly easy,” said Daniel Ingevaldson, CTO at Easy Solutions. “[However], ‘fixing’ email spoofing is a complex problem that requires buy-in from many stakeholders, and the time was right for DMARC.”
There’s little time to waste. In email fraud, the attacks are becoming more virulent. The FBI reported $1.2 billion in financial losses from business email compromise (CEO-CFO spoofing), and found that email is the number one malware delivery method. Similarly, the Verizon Data Breach Report stated that 78% of all data breaches start with email.
It’s very easy to convince someone to open a mail and download an attachment or click on a link if that person believes the mail is coming from a trusted source; and no manner of end-user security awareness has seemed to help.
“For 20 years the industry has been fighting a plague of spam, phishing, targeted attacks and malware with email as the primary vector,” said Patrick Peterson, CEO at Agari. “Despite the blood and money expended, we have failed. DMARC was invented to solve this problem. The inventors of DMARC (Agari, Bank of America, Facebook, Google, JP Morgan, PayPal and others) believed that if email became secure we could dramatically reduce the harm on the Internet.”
Big Mail Providers Lead the Way
DMARC has enjoyed significant uptake in the past year—so much so that 85% of the mailboxes in North America are protected by the technology—and a total 2.5 billion mailboxes are protected globally. This is largely the result of the biggest email providers in the world, including Google, Yahoo, AOL and Microsoft, have thrown their considerable their weight behind the standard and are leading the way.
Google, which alone provides 900 million Gmail boxes, has announced that it will be moving Gmail to a strict DMARC policy starting in June 2016. Also, Yahoo recently expanded its use of DMARC to protect users of the ymail.com and rocketmail.com services, with more coverage to be added to additional domains in the coming months.
Yahoo’s use of DMARC goes back to the nascent stages of the standard in 2014, when it used it to prevent a large-scale campaign of abuse of its Yahoo Mail. At the time a Yahoo executive wrote in a company blog post, “And overnight, the bad guys … were nearly stopped in their tracks.” This was so successful that AOL followed suit later in the same month in response to a similar large-scale campaign targeting its marquee domain.
In all, 10 of the 10 biggest mailbox providers in the world support DMARC validation for inbound messages. Similarly, most major social media companies and banks use the same technology to protect their customers from email fraud and abuse.
Looking Ahead: Expanding Adoption in 2016
Even though the DMARC picture is looking good, it’s important to understand that adoption lags in important areas.
This is especially true in other parts of the world outside of North America. Globally, some DMARC uptake is being held up because of privacy and data stewardship concerns. For instance, the data privacy laws in Japan and Germany offer no clear indication that they’re allowed to share information in the form of the DMARC notifications. While DMARC uses aggregate reporting, rather than making specific IP addresses available, there is still confusion and concern when it comes to privacy.
“The question is what to do about messages that don’t pass authentication,” Steven Jones, executive director of DMARC.org. “If you’re a big mailbox provider, and you see that some messages are passing, and some are not, should you do something? There’s a lot of uncertainty and in some markets it’s an issue of liability.”
He added that market education for policy-makers is critical and will be an important initiative for DMARC.org in 2016. “The Japanese concerns about data sharing for instance show a lack of understanding that DMARC is really in accord with those privacy laws when you really look at it,” Jones explained.
Within the US, there’s more work to be done. For instance, some of the largest ISPs in the States, like Comcast, are deploying DMARC; but others, such as Time Warner Cable (RoadRunner), Earthlink, Cablevision and Charter have not deployed the technology yet.
“We continue to evangelize adoption, not just on the sender side but also on receiver end,” said Rob Holmes, general manager of the email fraud protection business unit at Return Path. “More regional ISPs need to adopt DMARC on the receiving side so that the protection isn’t just afforded to people in North America using the big mailbox providers.”
Jones meanwhile believes that the role of email in data breaches will spur the demand for email authentication for B2B communications within the States—forcing some regional ISPs’ hands. This will also be an important factor for gateway providers and smaller cloud mail providers to build DMARC support into their services.
“So many breaches start with phishing—and smaller companies don’t have security resources to protect themselves,” Jones said. “So, inbound message filtering with DMARC for SMBs will be the next wave of adoption—we’re up to over a dozen commercial gateway products so far.”
Next Steps: Focus on ARC, New Threats
DMARC is also taking steps to address the downsides of using the specification. When Yahoo and AOL began protecting their customers from abuse, there were a small percentage of users who were negatively impacted by the change as legitimate mails failed authentication checks. This can happen for a variety of reasons, including improper configurations, and indirect mail flows like the use of email forwarding and mailing lists.
To address these issues, several workarounds were quickly deployed by service providers and mailing lists, but a long-term solution has been submitted to the IETF for consideration. The Authenticated Received Chain (ARC)
ARC is being refined and tested with deployers such as Google, Microsoft and Yahoo, with an interoperability event being organized for the first quarter of 2016. ARC could be deployed as early as late summer; Google will be a first mover, which will make a large market impact.
“We are pleased to be supporting the ARC protocol to help mailing list operators adapt to the need for strong authentication,” said John Rae-Grant, lead product manager for Gmail.
“More and more companies have been adopting DMARC and email authentication over the past few years, with more vendors and service providers adding the necessary support to their offerings in order to make that adoption simpler,” said Jones. “With new protocols like ARC emerging to address the traditional email use cases that were problematic under some DMARC policies, and the leadership of forward-thinking companies like Google, Microsoft and Yahoo, I expect to see the rate of adoption accelerate globally.”
Going forward, DMARC.org is also looking to other long-term pain points for email security, especially when it comes to display names. In an email “sent from” field there are two component: the address that shows the domain, as in user@mailprovider.com. Then there’s the actual name that shows up as being associated with that address, i.e., User One. Senders can set this field to say whatever they would like it to say.
“The limitation of DMARC is that it blocks domain spoofing,” said Holmes. “But I don’t need to spoof a domain to convince a person that I’m someone else—the most important identifier is the display name. It’s an editable field. So while I can authenticate the address I can still put anything, say JP Morgan Chase, as the name.”
This is an increasing issue as more and more email is read on mobile devices, where mail clients often just show the display names.
There are also Issues around cousin domains—i.e., lookalike domains where one letter or number may be changed in the URL, but is otherwise identical to a legitimate domain.
“We are hopeful that we can come up with some best practices for organizations to combat these issues, to be able to flag discrepancies for attention,” Jones said.
In all, 2016 will be a big year for email security. “DMARC will become the standard for Internet-scale email spoofing protection in 2016,” said Easy Solutions’ Ingevaldson.
“By the end of 2016 most, if not all, of the major enterprise and cloud-based email providers will support DMARC. DMARC is truly only effective if it is deployed widely. This scale of global deployment will correct a major weakness in a fundamental Internet email security weakness that has existed for decades.”