Crypto ransomware such as Locky disguises itself as a script (macro) within a document. When the document is opened, the script runs, encrypting all of your files, and a ransom is demanded to decrypt them.
As crypto ransomware incidents multiply, users are becoming more aware of, and more careful about, opening unknown attachments such as MS Word documents or Excel spreadsheets, says iSheriff.
To fool users into opening these attachments, a technique known as e-mail spoofing is used. In e-mail spoofing the user is tricked into thinking the e-mail comes from a friend or business colleague, perhaps even their boss, by falsifying the "From" e-mail address. This is done by manipulating the return path in the header information of the e-mail. Traditionally, spoofing was used to try to obtain personal information from the user, or to request that the user perform an action such as transferring funds to pay a bogus bill.
E-mail spoofing is now also being used to gain the user's confidence in the safety of the attachment. After all, who will ignore their boss's instruction to open and print the attached document?
The best defence against spoofing is an SPF (Sender Policy Framework) record.
Simply put, Sender Policy Framework is a method for preventing sender address forgery. Mail servers do not typically care what the header sender address is when delivering a message.
An SPF record protects the envelope sender address, which is the address used for the actual delivery of the e-mail message. It allows the owner of a domain to specify the IP addresses that are allowed to send e-mail on behalf of that domain.
First, the domain owner publishes information in an SPF record in their domain's DNS Zone. When another mail server receives a message that claims to come from that domain the receiving server is able to check whether the message complies with the domain's SPF record. Thus it will know whether the message is a forgery or not. This will protect the owner from having his domain used for spoofing other mail servers.
Secondly, the domain owner must enable SPF checking in whichever security solution they have in place between the mail server and the internet. This will protect the domain owner from being spoofed.
Take the example above, where a user receives an e-mail from the "boss" asking them to open the attachment. When the e-mail is received by the security solution, an SPF lookup is made to determine the IP addresses allowed to send for this domain; in this case that would be the IP address of the organisation's own mail server. The security solution immediately identifies that the e-mail has not come from that server but from an unknown external IP address, and the e-mail is blocked. Depending on the security solution used, this type of activity may also result in the blacklisting of the sender's IP address.
Unfortunately, there are still domain owners who do not publish an SPF record. This creates a security vulnerability for other domain owners, who are then unable to perform an SPF check against e-mails claiming to come from that domain.
Establishing a reputation based on the domain is no longer a nice-to-have but is vital in the defence against targeted attacks. If you are a domain owner, it is your responsibility to add an SPF record to your domain.
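The check described above, as an added worked example (not code from the article or from iSheriff): a minimal SPF evaluator that takes the envelope sender and the connecting IP address, looks up the sender domain's SPF record, and returns the result a receiving security solution would act on. The DNS table, domain names and IP addresses are constructed for the example; only the `ip4`/`ip6` and `all` mechanisms are modelled, and an unmatched record with no `all` term returns `neutral`, as RFC 7208 specifies.

```python
import ipaddress

# Constructed DNS TXT table standing in for real lookups (assumption: offline example).
# example.com authorises only its own mail server and one subnet; nospf.example publishes
# nothing, so messages claiming to be from it cannot be verified at all.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.25 ip4:198.51.100.0/24 -all"],
    "partial.example": ["v=spf1 ip4:203.0.113.25"],   # no "all" term
    "nospf.example": [],
}

def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    for txt in DNS_TXT.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def check_spf(envelope_sender, client_ip):
    """Evaluate the envelope sender domain's SPF record against the connecting IP.
    Returns one of: 'none', 'pass', 'fail', 'softfail', 'neutral'."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = lookup_spf(domain)
    if record is None:
        return "none"          # owner published no record: forgery cannot be detected
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"                           # default qualifier is "+" (pass)
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]          # catch-all: "-all" rejects everything else
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:                    # version mismatch simply does not match
                return qualifiers[qual]
        # a, mx, include and other mechanisms need further DNS queries; not modelled here
    return "neutral"                         # no mechanism matched and no "all" term

if __name__ == "__main__":
    # The article's scenario: a forged "boss" e-mail arriving from an unknown external IP.
    print(check_spf("boss@example.com", "192.0.2.77"))      # fail -> block the message
    print(check_spf("boss@example.com", "203.0.113.25"))    # pass -> the real mail server
    print(check_spf("boss@nospf.example", "192.0.2.77"))    # none -> cannot be checked
```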