The spear phishing experiment, in which a fake LinkedIn invitation was sent to specific users, had such a high success rate because this sort of message is hard to detect.
Following last week's story revealing that various email services, including those of Microsoft, Cisco and Verizon, had failed to block a spear phishing message sent by PacketFocus CEO Joshua Perrymon, Proofpoint has claimed that the 100 per cent delivery rate is no surprise, as ‘these sorts of messages are extremely hard for email security solutions to detect’.
In a blog posting, Proofpoint said that like real spear phishing attacks, the content of the email and its basic structural components contained little to no clues about the message's legitimacy.
It said: “Typically, spam and broader-based phishing attacks contain at least a few different clues that email security systems can latch on to and determine whether the message is legitimate or not (these include things like reputational factors such as whether the sending IP is malicious, the presence of known malicious URLs in the body of the message, and other ‘spammy’ or ‘phishy’ content in the message).
“But true ‘spear phishing’ messages are carefully crafted, not sent in high volumes and would use payloads that would not have already been identified as malicious.”
It also posed a question on email authentication that PacketFocus did not. It said: “The goal of email authentication systems such as DKIM and SPF is to solve this inherent weakness in SMTP email that makes it easy to ‘spoof’ source addresses.
“One of the weaknesses of both email authentication systems is that adoption of these tools is still far from universal. Not every domain has published the correct records (in the case of SPF) nor is every legitimate email that could be signed with DKIM sent with a DKIM signature.
“On the receiving end, checking the validity of SPF records and verifying DKIM signatures is something that email administrators have to spend at least a little bit of time configuring. I'm guessing from the results of this test that none of the organisations that participated in this experiment have either form of email authentication turned on. (Not that this necessarily would have helped... I'm unsure whether legitimate messages from LinkedIn are DKIM signed, but it does seem that linkedin.com has a published SPF record.)”
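As an added illustration of the receiver-side SPF check Proofpoint describes (this is example code, not Proofpoint's or PacketFocus's), the following simplified evaluator runs against a constructed table of DNS TXT records; the domains and addresses are hypothetical. It returns "none" when a domain has published no record, which is the adoption gap the posting points out: a receiver with no record to check cannot tell a spoofed sender from a legitimate one.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (hypothetical domains/IPs).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"],
    "_spf.mail-provider.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    # "unpublished.example" has no SPF record: the partial-adoption case.
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if none is published."""
    records = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, depth=0):
    """Simplified SPF evaluation supporting ip4, include and all with +/-/~/? qualifiers."""
    if depth > 10:
        return "permerror"  # runaway include chain
    record = lookup_spf(domain)
    if record is None:
        return "none"  # nothing to verify against; the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced domain's policy yields pass
            matched = check_spf(sender_ip, term[8:], depth + 1) == "pass"
        else:
            continue  # mechanisms not modelled here (a, mx, exists, ...)
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"
```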
In conclusion, Proofpoint recommended adding basic email authentication to the list of security New Year's resolutions and considering personal safelists and blocklists.