The intent of fraudulent Email is to dupe the recipient into taking some action that will ultimately compromise their computer or disclose personal information that can then be used to commit fraud. This is often achieved by directing the recipient to a fraudulent website which then attempts to steal details, typically by suggesting the recipient must provide personal information in order to perform a security reset, to apply for a tax refund or to enter a competition.
The technical controls described in this paper (SPF, DKIM, ADSP & DMARC) all control this type of attack in the same way: they improve trust in a message by identifying and deleting fraudulent messages. The implicit thinking is that if fraudulent Email can be identified and removed from the mail chain, then mail can be trusted and, by inference, the content of mail becomes trusted.
A key limitation of this approach, however, is that the controls are ineffective against fraudulent Email sent quoting domain names an organisation does not control. All the controls rely on the publishing of DNS text (TXT) records to permit message verification, and this can only be done on a domain owned and managed by the organisation. Hence if a fraudster can register a domain name that appears to be related to the organisation or brand, or indeed simply send mail under the name of some compromised server, as is often the case, these controls are completely ineffective.
Section 4.6 Domain Registration & Parking describes the policy of buying up domain names to secure them against potential future misuse. However, this approach is limited by the number of domain names you are willing to ‘park’ and by the creativity of the fraudster. After all, you may own brand.com and you might ‘park’ brand-offers.com, but that doesn’t prevent the fraudster registering brand--offers.com or brand-2014-offers.com. How then do you protect against this kind of attack?
The technical controls described above are based on the principle of securing the message, or more specifically, of attempting to prevent the delivery of fraudulent messages. From this ‘better qualification’ of messages there follows an implied trust in any received message and its content, including any links the message might contain. This basis falls down, though, when Email is sent using a non-controlled domain, or where SPF/DKIM/DMARC are not employed by the receiving Email infrastructure, as can often be the case with ‘owner-operated’ Email systems such as small business or smaller ISP infrastructures.
An alternative approach is to secure not the message but its contents, or more specifically, any links the message might contain. A typical approach, as described in section 6.1, is to employ a policy of not sending HTML messages and not including hyperlinks. However, as explained there, these controls are both ineffective and inconvenient for the organisation and the user alike, both of whom would benefit from links that take them to related information or actions, just so long as those links could be trusted. How then can hyperlinks be secured in an easily understood way, such that ‘an average user’ can clearly distinguish good from bad, legitimate from false links?
A technique known as Safe-Linx uses a unique link URL per individual, per message and per link for every communication sent. When the recipient follows the link, the unique URL is used by the legitimate organisation’s systems to:
1. Identify the legitimate recipient
2. Identify the message in which the link was included
3. Identify the target to which the link refers
4. Apply any rules about one-time or time-limited use of the link
5. Provide the recipient some non-personally identifiable information, shared between the organisation and the customer, that confirms to the customer that they must have connected with the legitimate service, as only the legitimate service could display their shared secrets correctly
6. Provide the user an onward link to the intended target once they are satisfied they have connected to the legitimate service
7. Optionally, record the use of the link by the recipient, relevant if the link refers to a legal notice or similar
The shared non-personally identifiable information described in step 5 enables the customer to easily verify the site to which they have just connected before they divulge any information such as login credentials, credit card or other personal information to the site. More importantly it does so in a very self-evident way, is applicable across all browsers and device types and does not require any plug-in or special technology. It is also effective no matter what anti-spam mechanisms the receiving mail server may or may not employ.
Once the customer is confident they have connected to the legitimate service, they can then progress, if appropriate, to a login, or be linked to other site content as may be appropriate. The key point is that the user is always provided an easy to understand means by which to confirm whether the site is legitimate and will become accustomed by positive reinforcement to always receiving the link confirmation screen and their shared non-personally identifiable information before progressing to provide any information to the service to which they have connected. Once this is established it becomes much harder for a fraudster to dupe a customer with any fraudulent site, no matter how well constructed, as they can never provide the correct shared secrets for an individual user. Hence a well-crafted fraudulent message sent under any domain name, controlled by the organisation or not, can never provide this first step verification to the customer ensuring they cannot be easily duped into providing private information to a fraudster.
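The following is an added illustration of the Safe-Linx flow described above; it is example code written for this discussion, not the paper’s or any vendor’s implementation. It assumes a signing key held only by the organisation, a constructed table of recipients (each with a shared non-personally identifiable phrase chosen at enrolment) and a constructed table of messages whose links carry one-time and time-limit rules. `mint` produces the unique per-recipient, per-message, per-link URL; `resolve` verifies a clicked URL, applies the rules, records the use and returns what the confirmation screen shows (shared phrase and onward target). A forged, expired or re-used link never reaches the shared phrase, which is the property the text relies on.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Server-side signing key. Constructed for this example; only the organisation holds it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample data. The shared phrase is the non-personally identifiable
# information agreed with the customer at enrolment; it never appears in the Email itself.
RECIPIENTS = {
    "r-1001": {"shared_phrase": "blue heron 17"},
    "r-1002": {"shared_phrase": "copper kettle"},
}
MESSAGES = {
    "m-2024-06-statement": {
        "links": {
            "statement": {"target": "https://brand.example/statements/june",
                          "one_time": False, "ttl": 7 * 86400},
            "legal-notice": {"target": "https://brand.example/legal/notice-42",
                             "one_time": True, "ttl": 30 * 86400},
        }
    }
}


@dataclass
class LinkService:
    key: bytes = SERVER_KEY
    used: set = field(default_factory=set)      # one-time tokens already redeemed (step 4)
    audit: list = field(default_factory=list)   # record of link use (step 7)

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def mint(self, recipient_id: str, message_id: str, link_id: str, issued=None) -> str:
        """Build the unique per-recipient, per-message, per-link URL placed in the Email."""
        issued = int(issued if issued is not None else time.time())
        nonce = secrets.token_hex(8)   # two mints of the same triple still differ
        payload = f"{recipient_id}|{message_id}|{link_id}|{issued}|{nonce}"
        blob = f"{payload}|{self._sign(payload)}".encode()
        token = base64.urlsafe_b64encode(blob).decode().rstrip("=")
        return f"https://links.brand.example/s/{token}"   # hypothetical link host

    def resolve(self, url: str, now=None) -> dict:
        """Validate a clicked URL and produce the confirmation screen (steps 1 to 7)."""
        now = int(now if now is not None else time.time())
        token = url.rsplit("/", 1)[-1]
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
            recipient_id, message_id, link_id, issued, nonce, sig = raw.split("|")
        except Exception:
            return {"status": "invalid"}            # malformed token
        payload = "|".join([recipient_id, message_id, link_id, issued, nonce])
        if not hmac.compare_digest(sig, self._sign(payload)):
            return {"status": "invalid"}            # forged or tampered token
        rules = MESSAGES.get(message_id, {}).get("links", {}).get(link_id)   # steps 2, 3
        recipient = RECIPIENTS.get(recipient_id)                                # step 1
        if rules is None or recipient is None:
            return {"status": "invalid"}
        if now > int(issued) + rules["ttl"]:        # step 4: time limit
            return {"status": "expired"}
        if rules["one_time"] and token in self.used:   # step 4: one-time use
            return {"status": "already_used"}
        if rules["one_time"]:
            self.used.add(token)
        self.audit.append((recipient_id, message_id, link_id, now))   # step 7
        return {
            "status": "ok",
            "recipient": recipient_id,
            "message": message_id,
            "shared_phrase": recipient["shared_phrase"],   # step 5: what the customer checks
            "onward": rules["target"],                     # step 6: link to the real target
        }
```

Because the shared phrase is only released after the HMAC verifies, a fraudster who copies the link format but does not hold the organisation’s key can produce a page that looks right but cannot show the customer their phrase, which is exactly the cue the customer has been trained to expect.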