Increased email security using DMARC

Email is the most commonly used attack vector for phishing and fraud on the internet. Technical security measures are needed to prevent internet users from being left at the mercy of the risk, but while they do exist, introducing them is no trivial matter.

Text: Michael Hausding, published on 04.01.2022

Every December, the number of parcels delivered containing gifts and Christmas shopping increases. At peak times, the postal service sends out up to one million parcels every day. The number of phishing emails that land in our electronic inboxes is also significantly higher during this period. They typically ask the recipient to pay a small fee for a parcel that has apparently been held up at customs or the transport company. There’s a very good chance that someone will be waiting for a parcel and will pay the fee without a second thought. However, the perpetrators receive not only the money, but also credit card details including the CVV number.

The perpetrators are succeeding, which is why the flood of phishing emails is not stopping. More than half of cases reported to the National Cyber Security Centre (NCSC) concern phishing or fraud, with email being the most commonly used attack vector. But while it has been a well-known problem for years, defence mechanisms only seem to work to a limited extent.

User deception

What makes it so difficult for internet users to recognise phishing attempts? The email program or webmail service displays the sender of an email in the ‘From’ field, which allows their identity to be established. For convenience purposes, developers program email clients so that this field almost exclusively shows what is known as the ‘display name’. This standard, which was introduced in RFC 822 back in 1982, allows a freely specifiable name to be provided in the From field next to the email address and most email clients show this name exclusively, without the email address. As a result, recipients of phishing emails may see ‘Swiss Post’ or ‘Swiss Customs’ as the sender, even if the email address behind it would clearly be recognised as suspicious.

Tackling domain abuse

However, phishing emails or attempts at fraud cannot always be recognised by an incorrect sender domain. Many phishing emails from domain names such as schweiz-zoll.ch or ezv-admin.ch also find their way into inboxes. But how is that even possible, and are there no defence mechanisms in place to prevent this? Why does SWITCH, as a registry, not just shut down these domain names if they receive a report from the NCSC?

SWITCH actively works to tackle any abuse using .ch and .li domain names and cooperates with the authorities to deactivate domain names such as ‘paket-wartet.ch’ if they are misused for phishing purposes. Once they are deactivated, the domain names are no longer accessible.

Registration protects against abuse

However, if a domain name is only used to provide an email with greater authority, shutting it down proves ineffective. By contrast, it can even result in more damage. One example here is ‘schweiz-zoll.ch’, which the registry receives countless reports about. The Swiss Federal Customs Administration (FCA) even issued a warning about it at the start of the year. SWITCH security experts quickly established that the domain name wasn’t even registered and had simply been misused as a sender for phishing emails. Unfortunately, not all email providers automatically filter emails from invalid domain names. Following the attack, the domain name was registered by a Swiss provider of anti-spam solutions and published with a DMARC policy. DMARC helps to authenticate emails and allows receiving email servers to reject inauthentic emails. Unfortunately, too few email providers use DMARC, meaning the registry and domain name holder continue to receive requests to shut it down.

Some Swiss email providers, along with Gmail and Microsoft, observe the published DMARC policy when receiving an email. For some time now, attackers have also been abusing the domain names ‘ezv-admin.ch’ and ‘douane.ch’, which have not yet published any DMARC policy.

Awareness among trademark owners

Pages belonging to trademark owners only display a limited awareness of technical measures to protect their trademark against phishing. Currently, only 12% of the top 1,000 .ch domain names have published a DMARC policy. However, very often, perpetrators do not use the primary domain names, preferring to fall back on unused ones acting as ‘defensive registrations’ for trademark protection.

One company that has assumed a pioneering role here is Credit Suisse. When introducing DMARC, it not only assigned a DMARC policy to credit-suisse.com, but also to other domain names such as credit-suisse.ch.

Joint efforts for greater security on the internet

Since emails remain a primary vector used to attack businesses and internet users, it is essential that this communication channel is secured using available resources as part of Switzerland’s digital transformation. It is a task that can only be handled through joint efforts, as email is a distributed system. Email infrastructure operators, trademark rights holders, authorities and associations have to coordinate and deploy the available technical and communicative resources. Swiss email operators do not have it easy here. An email address is usually a free service offered in conjunction with web hosting services or internet access, meaning they have little leeway to invest in security. As a registry for .ch domain names, SWITCH has provided a financial incentive here for the future on behalf of the Swiss Federal Office of Communications (OFCOM). Registrars will pay different prices for .ch and .li domain names depending on whether they offer open security standards such as DNSSEC and DMARC. If they do, they will also receive a proportionate share of the additional revenue generated.

But internet users, too, have an obligation: they need to not only read each email they receive with a healthy dose of distrust, but also choose an email provider that offers adequate protective measures, uses current security standards and filters phishing emails.

Swiss email hosts have recognised the problem and are continuously improving their security measures. At the Swiss Web Security Day 2021, the topic was discussed in a panel with representatives from hosts, authorities and legal specialists who deal with email security and awareness.

Links

Federal Customs Administration warning against phishing messages:
https://www.ezv.admin.ch/ezv/en/home/teaser-homepage/focus-teaser/warning-against-fraudulent-messages.html

Dashboard of the .ch resilience report:
https://www.hardenize.com/dashboards/ch-resilience/

Panel at the Swiss Web Security Day 2021:
https://tube.switch.ch/videos/R8VaHHvnVC

About the author
Michael   Hausding

Michael Hausding

Michael Hausding studied computer science at the Technische Universität Darmstadt and graduated in Management, Technology and Economics at ETH Zurich. He has worked as a security expert in the SWITCH-CERT team since 2008 and is a specialist in DNS and domain abuse.

E-mail

#Security

This article was first published at inside-it.ch and inside-channels.ch (in German only) as part of SWITCH's #Security column. The column appears six times a year. Security experts from SWITCH independently express their opinions on topics relating to politics, technology and awareness of IT security.

Other articles