Why do phishing attacks still work?

Jul 15, 2019 - in Domain names

It’s a trick older than the internet—get someone to give up private information by pretending to be someone they should trust with it.

Online anonymity just creates the opportunity for scammers to better mask their true identity. On the internet, people will often take someone at their word that they are who they say they are, because that’s usually all they have to go on anyway.

It’s called phishing. And it’s a remarkably simple trick.

People have been getting away with it online since the early days of the internet. One of the earliest instances was recorded in January 1996 in a Usenet group when users reported other users posing as AOL employees and requesting account information and billing details.

That’s not so different from what Gandi customers have been getting this past month—emails pretending to be from our Customer care team asking them to click a link to renew their domains or risk losing them.

In a phishing attack, the attacker is simply pretending to be someone they’re not. Domain name owners can be especially targeted, both because of the potential value of a stolen domain name and because attackers can often easily guess or otherwise discover the email addresses of domain owners without having to acquire them illicitly. Attackers can also tell which domains are registered with which registrar using WHOIS, so these attacks are carried out without compromising a registrar’s database.

While no data breach is required to carry out a phishing attack, phishing attacks are often the point of entry for one. According to Verizon’s 2019 Data Breach Investigations Report, phishing is the number one cause of data breaches.

So how has phishing stuck around for more than 20 years? Shouldn’t we have fixed the problem by now?

There are a few reasons why these attacks are still effective.

1. Low cost, high yield

Just the name ‘phishing’ perfectly evokes the key appeal for attackers to keep using it. Like dropping a baited line in water and waiting for a fish to bite, phishing oftentimes consists of sending out hundreds of thousands of emails and waiting for someone to click.

It doesn’t really cost you much more than your time to bait a line and wait, and since even just one bite could be a big fish, it can very quickly be worth the relatively small investment for an attacker.

2. Emails are easy to spoof

Email spoofing means setting the sender name or address of an email to one that the email doesn’t actually come from.

Like a lot of the underlying protocols on the internet, email is a pretty old protocol, and those who initially built it didn’t think that faking the name of the sender of an email would be a big enough problem to make doing so impossible or even hard.

There’s even such a thing as “legitimate spoofing,” where some applications or some uses of email might require setting the sender address to something other than the actual sender of the email.

This makes it very easy for phishers to make their email look like it comes from a legitimate source.

3. PEBCAK

The weakest link in computer security is almost always the user. This is not to say that users are dumb. On the contrary, scammers are very good at exploiting not just the weaknesses in protocols like email, but also the psychological weaknesses of individual users.

One way is to pretend to be a common, trusted source. In a work environment, that could be a coworker, or especially your boss. These are effective because if you think your boss is asking you for important documents, you might not ask questions.

Other types of phishing emails that play on urgency, like travel notifications and package deliveries, also work very well.

When you feel the anxiety of worrying about something important expiring and having to be removed, you might take your guard down and you might not scrutinize the source closely enough.

What we can do about it

It’ll be hard to reduce the effect of the low cost/high yield economics of phishing, but there are things we can do to fix the other two reasons phishing is an all-time favorite attack.

Email senders have a few defenses against email spoofing.

The first defense is SPF. SPF stands for Sender Policy Framework, and it lets owners of domain names define the IP addresses from which they will send email. If SPF is activated on a domain, an email server receiving an email from that domain can check whether the domain has an SPF record. If it does, and the IP address that the email came from doesn’t match what’s in the SPF record, the server can mark the email as spam.

Next, there’s DKIM. DKIM is a way of “signing” an email. It puts a cryptographic signature (created using public key cryptography) in each email that goes out, and publishes the key for verifying that signature in DNS.

At Gandi, we currently use SPF and are working on implementing DKIM.

Going even further, DMARC is a protocol that integrates SPF, DKIM, and a reporting function that might be used to measure policy efficiency.
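The following added example (not Gandi’s code) shows how DMARC ties the SPF and DKIM results to the address the reader actually sees. It goes one step beyond the text by showing DMARC’s alignment rule: a result only counts if the authenticated domain matches the From domain. The domains and record are constructed, and the two-label `org_domain` helper is a simplifying assumption (real receivers use the Public Suffix List).

```python
from email.utils import parseaddr

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    parts = (p.partition("=") for p in record.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    return tags if tags.get("v") == "DMARC1" else {}

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    if mode == "s":                        # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed

def dmarc_disposition(from_header, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) tuples."""
    policy = parse_dmarc(record)
    if not policy:
        return "no-policy"
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1],
                                          policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1],
                                            policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")         # none, quarantine or reject

# Constructed policy for the sample domain example.com.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
FROM = "Customer care <support@example.com>"

if __name__ == "__main__":
    # Mail sent through the domain's own servers: SPF passes and aligns.
    print(dmarc_disposition(FROM, ("pass", "mail.example.com"), ("none", ""), POLICY))
    # SPF passes, but for an unrelated envelope domain: not aligned.
    print(dmarc_disposition(FROM, ("pass", "mailer.example.net"), ("none", ""), POLICY))
```

The second case is why SPF alone does not protect the visible From address, and the `rua` tag is the reporting function mentioned above.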

Finally, there’s education. It can’t be stated enough because the more the message gets out there, the more people will remember it: if you get an email asking you to log in to an account or provide account information, verify the link uses HTTPS and goes where you think it goes before you click it. If everything seems to check out, make sure that the corresponding TLS/SSL certificate was issued to whom you expect it to be.
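The link check described above can also be automated in a mail filter or a reporting tool. This added example (not Gandi’s code) audits the links in an HTML email body against the host the reader expects; the HTML and host names are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html: str, expected_host: str) -> list:
    """Return (href, reasons) for each link that fails a check."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme != "https":
            reasons.append("not-https")
        # Suffix match on a label boundary, never a substring match.
        if host != expected_host and not host.endswith("." + expected_host):
            reasons.append("unexpected-host")
        # If the visible text itself looks like a URL, it must name the same host.
        shown = urlparse(text if "://" in text else "//" + text).hostname
        if "." in text and " " not in text and shown and shown.lower() != host:
            reasons.append("text-differs-from-target")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body: the first link shows one address and goes to another.
SAMPLE_HTML = """<p>Your domain expires soon.</p>
<a href="http://renew-portal.test/login">https://www.example.com/renew</a>
<a href="https://www.example.com/account">Log in</a>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "example.com"):
        print(finding)
```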

We don’t expect phishing to go extinct any time soon, and we’ll continue to keep you up to date when we find out about new phishing campaigns targeting our users. In the meantime, we’re working on fully implementing DKIM.

We also encourage everyone to keep educating others on phishing and to stay vigilant.