
(IN)Secure Mail

You will all have seen a phishing email, or two. But what about a targeted phishing email, where the attacker is after some specific information (typically credentials) from certain users? If you were to see one, you would notice that:

  • The sender, most likely, appeared to be someone you knew, or trusted
  • The body of the email was plausible
  • It contained a link for you to click on, taking you to a system you recognise, but one that is outside your own domain

For you to see such an email, it must get through your technical defences. Sender checks such as SPF, DKIM and DMARC limit the extent to which forged addresses can be used, so it is likely that the actual “from” address is a real one, external to your domain, and that the sender display name is the “recognisable” bit; none of those checks say anything about the display name. In other words, a targeted phishing email must look like a genuine external email to your mail filter, while convincing the user that it is a genuine trusted or internal email.

Internet email is recognised as being largely insecure: unencrypted, with no guarantee that the sender or recipient are who they say they are. It is also easy to misaddress an email and send it to someone else.

To address this, there are an increasing number of “secure mail” systems on the market. These tend to have a web interface, hosted by a third party, providing a restricted and closed environment for sending messages. No doubt they do properly encrypt attachments and so on. However, because it is a closed environment, you have no idea that a new message has been sent to you unless you log on, so, invariably, these systems send a notification email to the recipient.

These notification messages tend to have the following characteristics:

  • They appear to come from someone you know (e.g., your boss), but the from address has nothing to do with that person's real email; it is the notification address of the system
  • The body tells you that you have received a new, important and secure email message
  • They provide a link to an external system, probably with a note telling you not to click on it if you don't trust it, but to copy and paste it into your web browser instead

Now, you don't have to be an expert to work out that this has the same structure as the targeted phishing email. And despite the security of the cloud-based system, the chances are it needs just a single username and password to get in. Users don't see these secure emails very often, so they are unlikely to remember the name of the external site, and as a result these systems make excellent targets for phishing attacks.
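The pattern described in the two passages above (a recognisable display name sitting over an unrelated external address, plus a link to a system outside your domain) can be checked mechanically on incoming mail. The following is an added example, not code from the original article or from ECSC. It assumes an organisation domain of example.com, a small constructed staff directory and three constructed sample messages, and it applies the same test to a targeted phish and to a secure-mail notification to show that both trip it.

```python
"""Flag mail whose sender display name matches a known colleague while the
address and the links in the body are external (added example, not ECSC code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain and a constructed staff directory
# (display name -> the address that person really sends from).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",
    "Tom Smith": "tom.smith@example.com",
}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def _words(name):
    """Lower-cased alphabetic tokens, so 'Doe, Jane (via X)' still contains {jane, doe}."""
    return set(re.findall(r"[a-z]+", name.lower()))


def _directory_match(display):
    """Address of the directory entry whose name appears inside the display name, else None."""
    shown = _words(display)
    for name, addr in DIRECTORY.items():
        needed = _words(name)
        if needed and needed <= shown:
            return addr
    return None


def _is_internal_host(host):
    host = (host or "").lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def _body_text(msg):
    """Concatenate the text/plain parts (walk() yields the message itself if not multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Return findings for one RFC 5322 message supplied as a string."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = _directory_match(display)
    external_links = sorted({
        urlparse(url).hostname or ""
        for url in URL_RE.findall(_body_text(msg))
        if not _is_internal_host(urlparse(url).hostname)
    })
    findings = {
        "from_display": display,
        "from_addr": addr,
        "external_sender": domain != INTERNAL_DOMAIN,
        # A known name shown over an address that is not that person's real one.
        "display_name_impersonation": expected is not None and expected.lower() != addr.lower(),
        "external_links": external_links,
    }
    if findings["display_name_impersonation"] and external_links:
        findings["verdict"] = "suspect"  # the same shape as the targeted phish
    elif findings["external_sender"]:
        findings["verdict"] = "external"
    else:
        findings["verdict"] = "internal"
    return findings


# Constructed sample messages; none of these are real traffic.
GENUINE = """\
From: "Jane Doe" <jane.doe@example.com>
To: tom.smith@example.com
Subject: Board minutes

Tom, the minutes are at https://intranet.example.com/minutes/board
"""

PHISH = """\
From: "Jane Doe" <jane.doe@freemail-provider.example>
To: tom.smith@example.com
Subject: Quick approval needed

Tom, please sign in and approve this before 5pm:
https://portal-login.example.net/approve
"""

NOTIFICATION = """\
From: "Jane Doe (via SecureMail)" <no-reply@securemail-vendor.example>
To: tom.smith@example.com
Subject: You have received a secure message

Jane Doe has sent you a secure message. If you do not trust this link,
copy and paste it into your browser: https://portal.securemail-vendor.example/login
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("phish", PHISH), ("notification", NOTIFICATION)):
        f = analyse(sample)
        print(f"{label:12} verdict={f['verdict']:9} impersonation={f['display_name_impersonation']} "
              f"links={f['external_links']}")
```

Run directly, the genuine internal mail comes out as internal while both the phish and the notification come out as suspect, which is the article's point in code: the filter cannot tell them apart by structure. The directory match is deliberately a word-subset test so that display names such as "Jane Doe (via SecureMail)" still match the person being impersonated. In a real deployment the directory would come from the mail system or identity provider rather than a literal, and the vendor's notification address would be allow-listed only once confirmed with the vendor, since that address is exactly what an attacker would copy.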
In a recent test, ECSC sent just five emails to different people in a large organisation. That was enough to gain credentials to the secure email system. From there, ECSC could log in (the system is accessible from anywhere) and send “real” secure emails asking for confidential information (easy, as the credentials ECSC had were those of a director of the company), or asking for system access to be granted, and so on.

Be very careful when implementing these systems. An externally reachable web login protected by nothing more than a username and password is exactly the credential a phishing email is built to harvest, and the notification emails themselves train your users to follow links to an external site from an address that is not the sender's own.