Why Have Email Clients Left us to Deal With Phishing?

Monday, July 07, 2014

Tripwire Inc


By: Andrew Wagner

I don’t know about you, but I sometimes find myself longing for the days when people using email for shady purposes couldn’t string together grammatically correct sentences.  A few weeks ago, John Shier of Naked Security posted an article comparing two emails – one from a legitimate source and one from someone phishing.

As the article points out, these days it can be very difficult to visually tell the difference.  Not only have the criminals learned English, they have learned how to copy company branding and communication style.

When I think about issues like phishing, I think about my parents and my children.  Because let’s face it – if you’re reading Naked Security or Tripwire’s The State of Security, you’re most likely a security professional or at least well-informed and interested in the topic.  My parents and children are neither.  If validating an email takes technical savvy, like checking the email header, they’re unprotected.

Now, I can (and do) give everyone I know great advice and scold them when they don’t follow it, but so far that doesn’t seem to have saved the world from phishing.  And if you look at some of the steps John Shier used to analyze his candidate emails, you can see at least a couple of steps that seem like easy candidates for machine analysis. So why, when I search for Outlook plugins, am I not able to find any kind of phishing protection?

Let’s think about what an email tool would look like that might help my mom.  First, I’m not thinking of junk mail filter rules – “junk” seems like too binary of a concept.  If I’m going to automatically throw away my email, I’m going to need to be really sure about my designation of “bad”.

In today’s Internet, it’s going to be hard to avoid junking legitimate emails or forcing my poor mom to look through the junk folder anyway, where she’ll probably see the legitimate-looking emails and get phished anyway.

No, I’m thinking more about two sets of functionality: one to tell her when she should consider being suspicious, and one to help her explore her suspicions when she decides to be careful.

Identifying Suspicious Emails

Helping my mom know when to be careful should not be rocket science.  An engineer could be as creative as they want here, but let’s start with two easy automated checks: does the header look right, and does it contain any links that don’t go where they say they go?  Browsers have gotten smarter about validating certificates, etc, and letting users know that they may want to be careful. Why can’t an email client do the same?

If you wanted to get more sophisticated, do some analysis looking for call-to-action language or language around time pressure and consequences.  Use crowd-sourcing or reporting out by phishing services to identify common templates.

But however you do it, please put a warning nice and clearly in front of the users letting them know that there is reason to proceed cautiously.  Maybe give it a score and tell them why the email has been flagged.

Helping to Explore Suspicions

Now my mom has received an email asking her to click something and her email client has told her to be cautious – great first step.  But if we stop there, I’m going to get a phone call every time her email client flags something, and I don’t have that kind of time.  Let’s help her explore.

Let’s start with all of the links in the emails – what domains do they go to?  In what countries are those registered?  Do the different links match each other?  Do they match where the email came from? Now let’s include some simple search capability to see if the email matches any known campaigns that are out there.

Let’s include some simple guidelines for the user so they know some of the key tactics that the phisher is likely to use – an un-personalized greeting, some kind of threat or opportunity, a call to action.  Help them make a decision without having to be well-read on security blogs.

And of course, we ought to have a button that allows the user to submit the suspicious email so that it can be compiled into known suspicious emails for the benefit of other users.

Build It In

Oh, and one last thing – don’t make my mom have to go find a plug-in.  If she’s going to do that, she’s going to do it because I gave her awesome advice or because she has already been phished.  Build it into the email client or at least have the email client tell her it’s an option.

If my mom had a tool like this, it would reduce the likelihood of her getting fooled significantly.  It would even help me when I’m in a hurry.  So why doesn’t it already exist?  Or if it does, why is it so hard to find?  Why are our popular email clients leaving us to figure this out on our own?

Someone ought to provide these tools, if not for profit then just for the common good.

This was cross-posted from Tripwire's The State of Security blog.

General Impersonation Phishing Phreaking
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.