With the world preoccupied by retrospectives on the calendar year gone by, a particularly problematic news story slipped out in the waning days of December. This Microsoft announcement smacks down domains associated with yet another state-backed cyberthreat. It’s one more warning to users of the continued threat posed by so-called spear-“phishing” attacks. Could 2019 be the last year we have to worry about this?
Persistent Phishing by State Actors
Spear-“phishing” (spelled with a ph instead of an f) is the practice by cybercriminals of sending e-mails that simulate the trade dress of a known brand (in this case, Microsoft), with the goal of tricking users to reveal their personal information and credentials. If the reader is too casual in their review of the e-mail, trusting it’s veracity without scrutiny, then they could fall victim to identity theft, or giving up their credentials to the criminals. These e-mails often con readers into giving away their information by citing some reasonable-sounding pretense such as:
- “You have signed in from an unrecognized device,”
- “There is a problem with your account,”
- “You need to change your password,”
They may also include language to impart a sense of urgency or time-pressure, or mention the name of a friend or family member that a fraudster could easily obtain from one of your social media profiles. Attackers will often have a convincing-looking website that will try to gather your username, account number, password, answers to security questions, tax identification number and other information.
Look-Alike Domain Names
You are probably sure this couldn’t happen to you, because you’re observant and always double-check where the e-mail has come from and the URLs behind any links within the e-mail. In this case, the attackers made the domain name they registered look like “microsoft.com” by putting r and n together at the beginning of the domain name to resemble an m. Depending on your screen resolution and font metrics, you rnight not notice this chicanery.
We would see this problem less often if companies took advantage of capitalization in their domain names, instead of always writing their URLs in all-lowercase. Is it so difficult to say Microsoft.com? It would just be harder to trick users with IVIicrosoft.com because capitalized letters don’t have the same ligatures of lowercased type. But companies adopting this practice is not going to stop all phishing attacks, there is an actual technological solution that can save the day.
Senders Authenticate E-Mails
Phishers would be shuck-out-of-luck if companies would simply authenticate all e-mail that they send out. This is actually easy to do, and the technology has existed since the last century. Microsoft would keep a private key secret, and encrypt a signature for their e-mail’s content with this private key that would be included on the e-mail for the receiving e-mail client to verify. It could verify that the e-mail has certifiably come from Microsoft (or somebody who has stolen Microsoft’s private key) using a public key that’s widely distributed. Public-private keys used for authentication of messages like this is a well-known technique, in this context companies need to employ DomainKeys Identified Mail (DKIM).
Code Gets Authenticated, Why Not E-Mail?
Microsoft Windows 10 will not install kernel mode drivers that do not pass a similar signature verification (although users may deactivate this protective measure, sometimes for debugging purposes, but generally at their peril). This response is long overdue for the e-mail the world relies upon, and it could kill spear-phishing dead.
Google Added Verified SMS to Android Messenger
Earlier this month, Google announced the rollout of a new feature that is now turned on by default (secure-by-default) in Android: Verified SMS. As they themselves explain in their announcement, this has been done as an anti-spam, anti-phishing safety measure. Only a handful of senders have adopted support for this new verification mechanism (which works essentially as described above) at the time of its initial launch, but I look forward to it being more widely adopted in 2020.
Usual Suspects
If you’re curious what country was identified as being behind this particular spear-phishing campaign Microsoft has broken up, in this case it was traced to a North Korean group given the name: Thallium. Microsoft gives advanced persistent threat (APT) actors names from the Periodic Table of Elements. Here is a table of some other groups whose phishing attacks will hopefully be rendered harmless through greater use of e-mail authentication in the new year.
Country of Origin | Element Name | Diminuitive Name |
North Korea | Thallium | Riccochet Chollima |
China | Potassium | Red Apollo |
Russia | Strontium | Fancy Bear |
Iran | Phosphorus | Charming Kitten |
Who comes up with some of these names? Charming kitten, I don’t know if I should black list their IP addresses, or leave out a tin of tuna on my stoop.
Happy new year!