[Cryptography] phishing attack again - $300m in losses?

Jerry Leichter leichter at lrw.com
Mon Feb 16 20:27:04 EST 2015


On Feb 16, 2015, at 2:51 PM, Michael Kjörling <michael at kjorling.se> wrote:
> I keep wondering about this; people repeatedly fall for exactly the
> type of trap you are describing (as well as some others, obviously,
> but let's deal with one problem at a time), yet I don't see even any
> real _attempts_ at mitigation. Is there any MUA out there that, say,
> categorizes sender email addresses? I'm thinking something like "red =
> beware, new/unknown/suspicious address", "yellow = an address you have
> had limited dealings with in the past" and "green (or whatever
> standard color) = an address with which you have corresponded several
> times in the recent past". Or some sort of symbols to aid those with
> color-vision disabilities.
The closest I've seen is a feature in Apple's Mail.app which allows you to whitelist a bunch of, not really domains, but really just suffixes on email addresses - usually something like "@lrw.com".  Any address that doesn't match the list gets highlighted.

Unfortunately, this isn't useful for the kind of thing you have in mind because it only applies to *outgoing* mail - i.e., it lets you quickly check if you're sending mail someplace unexpected.

You could, however, use Mail.app's rule facility to do something closely related:  You can define a rule that triggers if the sender is/is not in your address book; is/is not a member of a specific group defined in your address book; and is/is not in your "previous recipients" (i.e., the addresses you've gotten mail from before).  Based on the results, you can set the color of the message, move it to a separate folder ... all that sort of stuff.

I don't feel like digging through the Outlook interface to see whether its rules can do the same, but I bet they can.  gMail rules may well be able to do it as well.

Of course, you have to decide to do this.  It's funny, but I never thought about doing it before.

> That sounds like it could greatly reduce,
> albeit admittedly far from eliminate, the attack vector you are
> describing. If it can be combined with DKIM, SPF and perhaps even
> cryptographic identities like matching up against PGP public keys, all
> the better.
This would eliminate *forged* emails - perhaps slowing the initial penetration.  But the typical modus operandi for expanding from the initial beachhead is to use the account(s) one has to send phishing mail to the accounts of people they already correspond with.

> Something like that probably wouldn't do much to protect against
> directed attacks, but it would probably do a _lot_ to reduce the
> problem of random phishing going on. And even that would seem to me to
> be a big win.
Maybe.  The mechanisms are already there; it would be a worthwhile exercise to start trying them out to see how they work in practice.

                                                        -- Jerry
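One way to implement the red/yellow/green sender triage discussed in this exchange, written here as an added example in Python; it is not code from the thread, from Mail.app or from any MUA. The correspondence history, the "@lrw.com"-style suffix list, the 90-day window and the three-message threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample history: one (address, date) entry per message previously
# exchanged with that address, as an MUA could derive from sent and received mail.
SAMPLE_HISTORY = [
    ("alice@example.com", date(2015, 2, 10)),
    ("alice@example.com", date(2015, 2, 3)),
    ("alice@example.com", date(2015, 1, 20)),
    ("bob@partner.example", date(2014, 6, 1)),
    ("carol@vendor.example", date(2015, 2, 12)),
]
SAMPLE_TODAY = date(2015, 2, 16)

# Hypothetical trusted-suffix list in the style of Mail.app's "@lrw.com" entries.
TRUSTED_SUFFIXES = ("@lrw.com",)

# A symbol accompanies each colour so the signal survives colour-vision deficits.
SYMBOLS = {"green": "OK", "yellow": "?", "red": "!"}


def normalise(address):
    """Lower-case and trim so 'Alice@Example.com' matches 'alice@example.com'."""
    return address.strip().lower()


def classify_sender(sender, history, today, recent_days=90, green_min=3,
                    suffixes=TRUSTED_SUFFIXES):
    """Return (level, symbol) for an incoming sender address.

    green  - trusted suffix, or at least green_min messages within recent_days
    yellow - some prior correspondence, but too little or too long ago
    red    - never seen before: new, unknown, or a look-alike of a known address
    """
    addr = normalise(sender)
    if any(addr.endswith(s.lower()) for s in suffixes):
        return "green", SYMBOLS["green"]
    cutoff = today - timedelta(days=recent_days)
    total = recent = 0
    for past_addr, when in history:
        if normalise(past_addr) == addr:  # exact match only, no fuzzy matching
            total += 1
            recent += when >= cutoff
    level = "green" if recent >= green_min else "yellow" if total else "red"
    return level, SYMBOLS[level]


def triage(senders, history=SAMPLE_HISTORY, today=SAMPLE_TODAY):
    """Map each incoming sender to its level, e.g. for colouring a message list."""
    return {s: classify_sender(s, history, today)[0] for s in senders}
```

A message from a compromised correspondent's genuine address still scores green, which is exactly the beachhead-expansion case Jerry raises; the triage only flags addresses you have not dealt with before.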