HAFEZI: What kind of tips do you have for an ESP, to avoid on-boarding a phisher in advance?
ZINK: So, phishing can be really challenging. At Microsoft – outlook.com and Office 365 in particular – we have people sign up for the service maliciously on a regular basis. It’s challenging to keep them off. What you’re really doing then: it’s a very involved process where you monitor, you filter the outbound email, you monitor complaints coming back, and trace it back to the original sender. And you have to monitor all of your traffic – all of the complaints coming back to you – in a way that you can correlate who’s doing this, so you can take it to shut them down. So, you’re really learning from the people who are signing up maliciously. And then using their own patterns against them.
Phishers are very complex at getting into the system, but once they’ve found a path in, they’re going to get lazy and use the same way over and over again. So, if you can close those loops down, you’re going to make it harder. And cost proofs, that is, things that the user has to do to prove that they are legitimate and not a robot – that’s not quite so simple to automate, so it’s all manual – that really can help repel a phisher. For sure, keeping a very, very close eye on mail and how everybody else perceives it is, I think, key to keeping phishers off your network.
HAFEZI: Phishing is a very, very big problem. What if an ESP has already on-boarded a phisher? What measures can they take? What actions can they take to solve that problem?
ZINK: So, if a phisher’s on your network, and you detect a phisher, you definitely want to shut them down right away. But it’s not just about shutting them down, it’s also learning from it – how did they get on to the system? Can we improve our sign-up processes? Can we have a little Captcha as a sign-in, can we do an SMS as verification on the phone, can you use a phone verification technique with the same phone number over and over again? So, for sure you definitely want to kick them off, but also learn from how they got on in the first place and shut those holes down. There’s also going to be a conflict – there’s a tension between wanting to make it as easy as possible for your service to sign up (that’s for your marketing team), and your security team’s going to want to shut that stuff down. So, there’s always going to be that give and take, give and take. The easier it is to get on board, the more it will be abused. The harder it is to be abused, the fewer people will sign up if they find that there are too many hoops to jump through. You won’t be able to get away with 55 steps to get on – I’d just give up and go away. So, you have to find that balance, and then watch all the time to make sure you’re not sending out abusive traffic.
HAFEZI: You mentioned in your presentation the Bank of America. Is phishing basically an American problem, a German problem, or is it a worldwide problem? Are there any tendencies?
ZINK: It’s absolutely a worldwide problem. We see a lot of PayPal being spoofed. That’s what phishers use as a standard go-to phishing campaign to pay the bills when other techniques aren’t working too well. And Bank of America is spoofed a lot in the US, but in Brazil it’s about the Brazilian banks, and here it’s about the European banks, China has a lot of hosting providers that get spoofed all the time. So it’s a worldwide problem with brands and things localized. The spear phishing problem is everywhere – North America, South America, Europe, Asia, the Far East, Australia – that’s the same problem everywhere. These phishers don’t care where you are in the world, they want to get in and they want to take money.
Read a summary of Terry Zink’s talk at the 2017 CSA Summit.
Zink also spoke at the 2016 CSA Summit.
Terry Zink is a Program Manager of Antispam and Antiphish in Office 365, one of the world’s largest hosted email services. He has extensive experience in combating online abuse, and is a regular contributor to industry working groups and forums.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry