How to stop spear-phishing cold

How do I hack thee?   Let me count the ways. Among others, I hack thee to the depth and breadth and height of a spear-phishing attack (apologies to Elizabeth Barrett Browning).

By now, you may be aware that many of the most devastating hacks that have occurred in recent history—the Democratic National Committee (DNC), Yahoo, the W-2 scam—have been launched from a base of information or access garnered by sending a poisoned email with tailored details to a specific individual, who then becomes the vector for the rest of the attack.

FireEye, a cyber defense company, says it this way on its site, “A spear-phishing attack is a popular and effective precursor to advanced cyber attacks.” The InfoSec Institute puts it like this: “As much as 80% of all malware attacks come from phishing attempts using different variations of social engineering techniques …”  

A company that I’m affiliated with, Inky, recently pivoted its focus from email management (“All your accounts in one place on all your devices”) to spear-phishing protection (“cryptographically verified identity”). It wasn’t such a far reach. In between, the company turned its email suite into a secure messaging platform using standard public key infrastructure (PKI). Unlike other protection systems, which gather knowledge about the nature of previous spear-phishing attacks to flag suspicious email, Inky eliminates spear-phishing attacks completely by employing end-to-end cryptography to ensure that the person on the other end of that email address is really who they say they are. PKI is most commonly used to keep secrets as they are passed digitally from one place to another.   Identity verification is a new twist.   The product is called Inky Phish Fence.

To be effective, a spear-phish must be well crafted, have an artist’s touch for similitude, and likely camouflage.  Spear-phishing emails are getting more sophisticated all the time.   One that Inky would have prevented, had it been deployed, was the DocuSign vector attack. DocuSign—which, among other services, vouches for electronic signatures—sends email notifications to parties to a contract, letting them know what steps they need to take next (e.g., review and sign). In this case, a hacker set up a domain that looked like DocuSign but was actually sent from a “typo domain”—docusgn.com (missing the “i”).   Previously, the hacker had penetrated servers at DocuSign itself to obtain names and email addresses of actual DocuSign users, who then made perfect targets for a DocuSign spoofing attack.

The typo-domain attack is similar to a whole family of attacks called Internationalized Domain Name (IDN) Homograph Attacks, in which, for example, a Latin “i” is replaced by a Cyrillic “i,” or a Latin “B” is supplanted by a Cherokee letter that looks identical. Thus, even an expert scrutinizing the address bar of a domain visually could not detect this type of spoof.   But underneath that masquerading Cyrillic “i” is an entirely different string of bits, leading who knows where. Inky may be the only solution that detects IDN Homograph Attacks.

Recently, the podcast Reply All, which runs on a site called Gimlet, highlighted how easy it is to spear-phish people, and even demonstrated that the bigger they are, the harder they fall. The episode — called “#97 What Kind of Idiot Gets Phished?”—answers its own question by inducing a white-hat hacker to spear-phish the company president (after he mocks one of his underlings for having fallen for a similar pitch). It’s pretty good listening.

The principle lesson that comes out of the show is: anyone can fall for a well-crafted spear-phishing attack. But right behind that is an understanding of people’s attitudes: everyone thought a priori that they couldn’t be spear-phished. Eerily, the higher up the corporate hierarchy, the easier it seemed to be to spear-phish the target. The big clam was more easily popped open than the little ones working at the bottom. One explanation is that CEOs see themselves as smarter than others and are therefore less cautious. Another is that CEOs just don’t have that much practice using work tools like email because employees do these tasks on their behalf most of the time. Whatever it is, the corporate reputation, not to mention the company’s competitive position, can be severely damaged if the CEO’s email is compromised, and he becomes the vector of attack.

Unfortunately, the current widely implemented standard, DomainKeys Identifed Mail (DKIM), can only verify the server, not the individual, from which an email arrived. DKIM specifies one key per server. That’s fine if the server is, say, gm.com (General Motors’s site), but what if a spoofer sent from grn.com? The “r + n looks like m” spoof works particularly well in some san serif fonts, like Arial. So, if you get an email from what looks like General Motors, you tend to trust the server and let your guard down. Inky uses the more definitive standard, Secure/Multipurpose Internet Mail Extensions (S/MIME), which issues one key per end user. But S/MIME has yet to proliferate because it is immensely complicated and requires something to happen on the end-user’s device (or devices).

Despite these hurdles, the Inky team is working on making deployment nearly painless. In a world that makes any kind of sense, big mail providers like Google, Microsoft and Yahoo would support this effort. It could stop spear-phishing cold.