For many attackers, the primary target is not a line of code or a system configuration. Fooling a person into handing over information is often easier than tricking a computer, which is why social engineering attacks such as phishing have grown steadily in popularity for years.
Security analysts’ concern over phishing is not only about frequency. As attacks have become more common, they have also become considerably more clever. Targeted spear-phishing campaigns, in which attackers spoof an email so that it appears to come from an account inside the victim’s own organization, have companies retraining staff to recognize them. Meanwhile, attackers have branched out from email to other lucrative communication channels, social media platforms in particular.
Keeping employees up to date on these evolving techniques and on how to defend against them is a serious challenge. Even seasoned professionals sometimes fall for a well-crafted phishing message. With the disclosure of a technique called Mailsploit, researchers worry that in some cases a phishing email can be indistinguishable from a legitimate one, at least at first glance.
Mailsploit, disclosed by security researcher Sabri Haddouche in December 2017, chains a number of bugs and parsing quirks in email clients to defeat the protection that Domain-based Message Authentication, Reporting & Conformance (DMARC) is meant to provide. DMARC rejects or quarantines messages whose From domain is not backed by a matching SPF or DKIM result, so an attacker cannot simply write a victim’s domain into the From header. Mailsploit does not break that check. The attacker sends from a domain they control, and SPF, DKIM and DMARC all pass for it. Instead, the From header is stuffed with RFC 2047 encoded words that decode to the impersonated address followed by a null byte or a line break. Many clients decode those words when rendering the sender and stop at the control character, so the user sees only the impersonated address while the real sending domain is pushed out of view. The result is a message that passes the filters and still looks completely legitimate, which has led some analysts to call Mailsploit “unstoppable.”
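The following Python is an added example, not code from the original post or from Haddouche’s published proof of concept. It builds a From header shaped like the Mailsploit technique, shows what a truncating client would display, and implements the check a mail gateway or log-analysis job would want: decode the encoded words, then flag any control character in the result or any displayed address whose domain differs from the domain that was actually sent from (the one DMARC evaluates). The same check also catches the ordinary display-name spoof, which goes beyond the specific case described above. The domains victim.example and attacker.example and every sample header are constructed for this example.

```python
import base64
import re
from email.header import decode_header

# Characters Mailsploit smuggles into the decoded header (NUL, CR, LF, ...).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Rough "something@something" matcher for text a user would read as an address.
ADDR_LIKE = re.compile(r"""[^\s@<>"']+@[^\s@<>"']+""")


def b64_word(text: str) -> str:
    """Wrap text in an RFC 2047 base64 encoded word."""
    return "=?utf-8?b?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


def mailsploit_style_from(shown: str, sending_domain: str, separator: str = "=00") -> str:
    """Build a From header shaped like the published Mailsploit technique.

    Constructed for this example: encoded words make up the local part of the
    address (RFC 2047 section 5 forbids encoded words inside an addr-spec), and
    the Q-encoded separator decodes to a NUL byte ("=00") or CR LF ("=0D=0A").
    A client that decodes the words and truncates at the control character
    shows only `shown`; the message really comes from `sending_domain`, which
    is the domain SPF/DKIM/DMARC are evaluated against.
    """
    return (b64_word(shown) + "=?utf-8?Q?" + separator + "?=" + b64_word(shown)
            + "@" + sending_domain)


def decode_from_header(raw: str) -> str:
    """Decode encoded words the way a naive client does: concatenate the
    decoded pieces without inserting separators, so smuggled control
    characters survive in the result."""
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def real_domain(raw: str) -> str:
    """Domain of the actual addr-spec: everything after the last '@' of the
    undecoded header (heuristic; ignores trailing comments). This is the
    RFC5322.From domain that DMARC alignment is checked against."""
    return raw.strip().rstrip(">").rsplit("@", 1)[-1].lower()


def apparent_sender(decoded: str) -> str:
    """What a truncating client would display: the decoded header cut at the
    first control character."""
    return CONTROL_CHARS.split(decoded, 1)[0].strip()


def analyze_from(raw: str) -> dict:
    """Flag From headers whose displayed identity disagrees with the domain
    that was actually sent from. Covers Mailsploit-style truncation and the
    plain display-name spoof ("ceo@victim.example" <mallory@evil.example>)."""
    decoded = decode_from_header(raw)
    shown = apparent_sender(decoded)
    domain = real_domain(raw)
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append("control character hidden in encoded From header")
    for addr in ADDR_LIKE.findall(shown):
        if addr.rsplit("@", 1)[-1].lower() != domain:
            findings.append(f"displayed address {addr} but message is from {domain}")
    return {"shown": shown, "actual_domain": domain, "findings": findings}


def is_suspicious(raw: str) -> bool:
    return bool(analyze_from(raw)["findings"])


if __name__ == "__main__":
    # Constructed samples: one Mailsploit-style header, one benign encoded
    # display name, one classic display-name spoof.
    samples = [
        mailsploit_style_from("ceo@victim.example", "attacker.example"),
        b64_word("José García") + " <jose@example.com>",
        '"ceo@victim.example" <mallory@evil.example>',
    ]
    for header in samples:
        print(header)
        print("  ->", analyze_from(header))
```

Run stand-alone it prints the verdict for each constructed header. The domain comparison is a heuristic on the raw header; in a real gateway you would take the authenticated domain from the DMARC result instead, and a strict parser could reject the header outright because RFC 2047 does not allow encoded words inside the address at all.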
Because it relies on quirks specific to each email client, Mailsploit has required a different fix for each affected application. The initial research identified more than 30 popular clients as vulnerable. Several have shipped patches that reject or correctly render Mailsploit-style headers, while some vendors declined to fix the issue, arguing that malformed headers should be dealt with on the server side. Analysts strongly recommend that users keep their email clients updated and watch for security patches. Mail gateways can help as well: RFC 2047 forbids encoded words inside the address itself, so a From header that places them there, or that decodes to text containing control characters, can be flagged or rejected before it ever reaches a user.
In an organizational setting, Mailsploit carries an important lesson for security programs. In the face of increasingly sophisticated sender-spoofing and display-name attacks, employees may need more intensive training on social engineering threats. They must understand that a message can look completely legitimate at first glance and that the displayed sender name alone is not proof of origin; further evaluation, such as inspecting the full address or confirming an unusual request through another channel, is needed to establish legitimacy.
In other words, verifying who is really behind a message needs to become a conscious part of everyday operations, which may take some adjustment of the organizational culture at large.
If you need help making good security a part of your organization’s culture, contact Lunarline today to learn how we can assist you.