Ever wonder how that phishing email slipped by your state-of-the-art mail defenses? These days hackers find it’s not enough just to fool users with URL manipulation techniques. In the past, successful phishing campaigns might have yielded hundreds of active accounts just by changing a letter in a URL. This technique will still work on employees but, if you have a high-priced mail/web filter, chances are these emails will be blacklisted in your content filter.
What are Content Filters?
Content filters are a way your mail and web security systems screen or quarantine questionable email or web domains before messages are delivered to your customers or employees. These filters rely on pre-defined categories that can determine if a site is maliciously aligned or not. Usually, these categorizations are actively managed by your security appliance vendor. A newly registered domain might not sneak by the most up to date defenses because it will get flagged in your mail security as questionable content. Attackers look at different ways to fool these filters just as our penetration testing teams do.
Attackers Get Crafty
One of the ways we bypass these security systems and deliver email to your users is to purchase expired domains that might have already been categorized by security gateways as a commonly allowed content. These are domains that other companies around the world may have already used and had since become expired for some reason or another. Attackers, as well as our penetration testers, can re-register these domains for cheap. You can find a list of recently expired sites here: https://www.expireddomains.net/
These domains might have been associated with financial, business or human resource related content in the past. Many times, email and web security gateways are initially set up to only block suspicious domains. When attackers look for a domain that could be associated with your company they make sure it is not blacklisted by the big mail filter brands in the industry. This allows phishing emails to be crafted that have the highest possibility of getting through your security systems. When selecting a domain, our pentesters use sites like “sitereview.bluecoat.com” & “mxtoolbox.com/blacklists.aspx” to check the default category that the email domain will be associated with. Using this technique isn’t always a silver bullet but, developing an effective phishing email is a game of increasing chances.
Secure Your Email
The best defense is to take time to set up your mail or web gateway before you deploy it. It might be faster to use a black-listing methodology when initially setting up your security appliances. However, a white-listing approach always gives you more control and security. I would recommend using a 3 phased approach when implementing these security email/web gateway content filters.
You can start out your filters using pre-defined black-lists of known bad domains during phase 1 of your deployment. After your mail/web filter is processing traffic you can move to phase 2.
Here you can start adding common and known good domains to customized categories or “white-lists.” Every domain in your list should be verified as legitimate traffic during your “bake-in” process. Start adding alerting to trigger on domains that show up as un-categorized to your custom white-lists. This will allow you to catch and provide custom categories to any rarely used sites while shrinking the amount of un-categorized traffic. Run this phase for as long as you feel comfortable with. Just be prepared that if you move to phase 3 and still see a lot of un-categorized traffic, you will generate a lot of angry calls or support tickets. At phase 2, you are still technically blacklisting sites and domains.
Phase 3 is where you put up your white-listed wall. This is where you block all traffic unless it’s specifically allowed.
Security vs. Functionality
Most businesses never get to phase 3 of their content filtering deployment. This is why using expired domains that have already been categorized can be so effective with phishing email campaigns.
Of course, email security gateways don't just rely on domain blacklisting but also content filtering based on keywords. They often give an increased spam scores for words like 'URGENT' embedded in the subject line. Crafting emails with this knowledge can be another way to subvert security. To get in front of these attacks, you might want to consider adding an “External” tag to all email sent from non-trusted external domains. Perhaps the future will find a better solution to deploy these security technologies but, for now, our pentesters will continue to exploit this gap in the email/web security gateway deployment process just like hackers.
Written by Grant Codak
Grant has nine years of IT experience spanning a variety of domains with a focus in defensive security. Grant is currently a Cybersecurity Consultant at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking with his wife.