From: customercare@amazon.com

To: Bill

Dear Bill,

Thank you for your order 366920879. I’m sorry your order is delayed due to money transferring issues.

I’ve checked and can see the payment hasn’t come.

Please, follow this link to repeat the payment. https://www.amazon.com/366920879/payment/

If you don’t proceed within 24 hours, your order will be canceled.

Best Wishes,

Lee

Amazon Customer Care

Seems like an ordinary email from Amazon, doesn’t it? But it’s not.

It is executed entirely correctly and uses the mail of the sender customercare@amazon.com— which is similar to the real corporate address of the Amazon employee. When you click on the link, the user leads to the site where the zip-archive with the virus is downloaded.

Such type of cyber attack is called phishing, and today I want to tell you how to protect your company from it.

A small introduction to phishing

Phishing — the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity in an electronic communication (source Wikipedia).

In lay terms, a malefactor pretends to be a legitimate party (bank representative, support manager, colleague, friend) to make you upload a virus to the device or lead to the fraudulent website where personal data will be stolen — logins and passwords, credit card data, and phone numbers.

Phishing is used in all industries that involve payments and exchange of private data including banks, payment systems, cellular operators, social networks, and large online stores. Phishers forge legitimate websites so even the owners can’t tell the difference at once.

The result of such an attack is the infected computers of users, stolen personal data, and reputational damage to the company whose domain name is used by fraudsters.

A company can protect itself from such a mailing by setting a reject policy for DMARC — then the mail provider will reject the phishing email at the analysis stage for spam, and the letter will not fall into the users’ boxes.

About DMARC

DMARC is the abbreviation from Domain-based Message Authentication, Reporting, and Conformance; it’s one of the mechanisms to protect the company from phishing using its domain name.

DMARC works on the basis of the SPF and DKIM authentication protocols and checks the correctness of passing email checks for SPF and DKIM, as well as the fact that these letters were actually sent from the domains under the control of the organization. The key features of DMARC are authentication verification and reporting.

What DMARC checks (some technical info)

Once a day the aggregated report on the result of the check is sent.

DMARC allows the sender to specify how to deal with the email after the check. This is done by determining the DMARC policy, which can be of three types:

  • None — policy for monitoring. It is used when you first start working with DMARC, and you need to understand on behalf of which domains emails are sent.
  • Quarantine — policy when, depending on the email provider, emails will be sent to spam, marked for more rigorous scans or marked as suspicious for the user.
  • Reject — the most stringent policy and the highest level of protection. Under the reject policy, the sender tells the mail provider to block all emails that have not passed the SPF and/or DKIM checks.

In short, when using DMARC, the recipient can be sure that the letter was indeed sent from the email address specified in the “From” email field.

Mind! In the event of a negative response (DMARC check failure), an email is sent notifying of the failed verification. Such notification is left at each failed check (if there are 1000 phishing letters, the check generates 1000 report submissions to you). Therefore, it makes sense to use a separate email address to receive these reports as there may be a lot of them.

What to consider when switching to ‘REJECT’ policy

The main thing when you turn on the reject policy for DMARC is not to cut delivery for letters that are important to your business. Therefore, before switching to a reject policy, you must first monitor all reports for at least two weeks to find all sources of letters on your behalf. This may be your corporate correspondence, letters from the CRM-system, task manager, user support systems and other sources. Aggregated reports will help you find sources — they can be seen from which IP addresses and domains emails leave.

An excellent technical reference for correct authentication for DMARC can be found here.

It’s advisable to set up a DMARC policy at least for the monitoring mode to understand what happens with mail on behalf of your domain.

We at Rokkex care about the reputation of our company and the safety of our users, that’s why we don’t want you to receive phishing emails from our domains. Thus, we won’t forget to enable DMARC as soon as our crypto exchange is launched.

At ROKKEX, we take security extremely seriously and our crypto exchange is built on ‘Security First’ principle. We want to share our expertise with the broader public for the world to become happy, safe, and wise.

If you have any ideas and suggestions, contact us at

Website . LinkedIn . Facebook . Twitter . Telegram . Reddit . Instagram 

Leave a Reply