Wednesday, January 10, 2007

phishing alarmism

there's a new post over on the securiteam blog that seems to be just a little too concerned about a bank of america suggestion to add an email address to customers' address books... the author seems to believe that following the suggestion will make customers more vulnerable to phishing, that the bank is asking them to lower their defenses...

now, it's not like they're telling people to lower the security settings on their browsers in order to view the bank's website (though perhaps they do that too, i don't know), they're just telling their customers to whitelist them so that their emails don't get rejected by spam filters... the author's contention is that phishers will then start using the same address the customers whitelist as the From: address on their own phishy emails and because the address is whitelisted the customers will be exposed to each and every one of those phishing emails...

but here's the thing, even if bank of america didn't advise their customers to whitelist the email address, the phishers would have used it anyways... phishers posing as bank of america will use any address bank of america uses, regardless of what customers do with that address... there's nothing bank of america can do to stop that and there's nothing customers can do to stop that so it makes little difference whether the customers whitelist it or not... whitelisting the address doesn't mean they can start implicitly trusting email apparently sent from that address, it just means that bank of america's legitimate correspondence won't get lost in the junk mail folder...

of course the phishing emails won't get lost there either, perhaps that's the problem? unfortunately, spam filters aren't really any good at stopping phishing emails... the phishers work hard to make their emails look legit (otherwise they wouldn't fool anyone) so they should be affected by (or immune to) spam filters to the same degree as the legitimate bank of america emails are... if the legit emails get through then so will the phishing emails, and if the legit emails don't get through then the users will have to look in their junk mail folders for them and then wind up being exposed to the phishing emails anyway...

basically it's a zero-sum situation as far as phishing goes - nothing the legitimate sender or the receiver does with the From: address can increase or decrease the exposure to phishing, so the bank of america customers might as well whitelist bank of america's email address - and security folks might as well wake up to the fact that just because something can be used to a phisher's advantage doesn't mean the user is put at greater risk... spam filtering and anti-phishing are not the same; even though we don't want to see either spam or phishing emails in our inboxes, defenses against one are not necessarily appropriate or applicable to the other... the officially whitelisted email address just means the phishers don't have to work so hard to figure out what email address to forge on their phishing emails - their convenience does not equal lower security for others...

(and if you're wondering why this isn't a comment on the securiteam blog, it's because i can't leave comments there anymore... they've been consistently rejected as spam for months regardless of content, email address used, or the presence of a url - and the blog admin who's supposed to be alerted to the comment in order to correct the issue if it was misclassified never does, nor is there any obvious way to follow the directions which say to contact him/her about it... they sure know how to make a guy feel welcome...)
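to make the argument above concrete, here is an added example (my own, not code from the original post or from any bank or filter vendor): a minimal model of a "safe sender" rule keyed on the From: header, run over two constructed messages, one legitimate and one with a forged From:. the domains, the Authentication-Results header and the dkim=pass check are assumptions about how a receiving mail server could tie the rule to a verdict the sender does not control.

```python
"""Added example (not from the original post): a "safe sender" whitelist
keyed on the From: header, applied to two constructed messages."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; the domains and headers are made up.
LEGIT = """\
From: Bank of America <alerts@example-bank.invalid>
To: customer@example.invalid
Subject: Your monthly statement is ready
Authentication-Results: mx.example.invalid; dkim=pass header.d=example-bank.invalid

Your statement is available in Online Banking.
"""

# Same From: as the legitimate mail; only the receiving MTA's verdict differs.
FORGED = """\
From: Bank of America <alerts@example-bank.invalid>
To: customer@example.invalid
Subject: Urgent: verify your account
Authentication-Results: mx.example.invalid; dkim=fail

Please verify your account to avoid suspension.
"""

SAFE_SENDERS = {"alerts@example-bank.invalid"}


def from_address(raw):
    """Return the bare address from the From: header, lower-cased."""
    return parseaddr(message_from_string(raw)["From"])[1].lower()


def naive_whitelist_passes(raw):
    """The safe-sender rule as the post describes it: keyed only on From:,
    which the sender writes, so a forged copy passes identically."""
    return from_address(raw) in SAFE_SENDERS


def auth_aware_whitelist_passes(raw):
    """Hypothetical variant: From: must be whitelisted AND the receiving
    server's own Authentication-Results header must report dkim=pass.
    Assumes the local MTA adds that header and strips incoming copies."""
    msg = message_from_string(raw)
    verdict = msg.get("Authentication-Results", "")
    return from_address(raw) in SAFE_SENDERS and "dkim=pass" in verdict
```

the naive rule returns the same answer for both messages, which is the post's point; only a verdict produced by the receiver can separate them.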

4 comments:

cdman83 said...

First of all I would like to thank you for commenting on my blog. I'm in the phase of evaluating co.mments.com currently.

Now back to the matter at hand: imho this (a bank contacting its customers by email) is a mistake. The most important thing in security is user education. And for education you have to be consistent. We've been trying for years to hammer in the head of the users that "banks don't contact you by e-mail" and such actions lower the effectiveness of the message. Also there is no real need for e-mail communication between a bank and its clients, unless you consider the fact that they (the bank) can send out "advertising" (=spam) in an automated way for low cost as an advantage.

BTW, about the spam issue: I had the same issue with the security team blog, but after e-mailing the administrator, the problem was solved in less than 24 hours, so maybe you should try the same.

kurt wismer said...

i see, so you think the very fact that banks are using email to contact customers at all teaches the customer/user bad habits?

that seems to go far beyond what the securiteam blog article was talking about...

if anyone has been trying to teach people that banks (even banks you do business with online) would never legitimately send users email then that person has been doing users a disservice as that was never a reasonable heuristic for users to employ...

as to the need for banks to send emails - i'm not going to go as far as you do and say there is no need... i'm not going to pretend i know all the online services a bank may offer and/or the appropriateness of email communication in the context of those services...

and as far as the securiteam blog itself, i believe i've already stated i could find no contact info that was clearly labeled as being for the admin... clearly you've been more successful so what should i have been looking for?

Aviram said...

Kurt, thanks for your comments! I'm not sure why you weren't able to post a comment on our blogs site, I searched through the 'spam' folders and couldn't see it either. It might be spam karma acting up.
If this ever happens again, feel free to contact me at my first name @beyondsecurity.com.

As for the BoA, I disagree that whitelisting has no effect. Many spam filtering programs are able to detect phishing emails, by their specific use of headers, by the IPs they come from or by the use of several exploits in the email itself. Once you whitelist the BoA, all those will pass undetected and when the next Outlook code execution exploit comes out, anyone who sends with that "from" address is likely to bypass a lot of filters - that's not good.

Also, like cdman83 mentioned, from a user education point, someone with the reputation of a bank shouldn't tell you "hey, put me in your whitelist. Don't worry about it, it'll be fine". This cancels out years of user education not to trust emails just because they seem to be sent from a certain address.

Anyway, I appreciate the discussion - I agree it's not a black or white issue and it's hard to say when the line is actually crossed between making the user's life easier and lowering his/her defenses.

- Aviram

kurt wismer said...

@aviram:
thank you for giving me info on who to contact in future about posting comments on the securiteam blog...

as to your comments, you bring up 3 issues - headers, exploits and trust...

virtually all the headers in an email can be forged and are forged on a regular basis by the bad guys... if phishers are going to forge the from address to avoid spam filters it stands to reason they'll forge whatever other headers they need to for the same purpose... even the IP address isn't going to be helpful if the phishers are using botnets to send their phishy emails...

in my original post i think i made it pretty clear that there is no trust issue here - adding addresses to a whitelist doesn't tell people that they can trust the emails, it just makes sure the emails don't go in the junk folder... i agree that the "safe sender list" is inappropriately named, but that's not something BoA have any control over...

i'm not sure email-borne exploits are a phishing issue at all or that increased exposure to them qualifies as increased exposure to phishing... it certainly is an avenue that cyber-criminals may use to compromise a machine, but it doesn't help the phisher convince the victim that the site it links to is legitimate and should be used...

at any rate, as i said in my original post, if you don't whitelist BoA it will force the user to go through their junk mail folder to find missing BoA emails and then they will potentially be exposed to even more threats...