Protecting Users from Fraud
my experience combating phishing and fraud using DMARC… and assorted other techniques
First Up, What do I know?
• Barry Jones
• Software Architect for ACS Technologies, Inc
• Previously
– Director of Application Development for a 14 year old, high end electronics resale marketplace
– Basically eBay for a niche market
Now imagine…
• That the entire thing gets rebuilt without any of the previous security tools
• And users want features that are missing
• And phishers, fraudsters and spammers capitalize on the chaos
• And you get hired to fix it
Phishing
• Sending emails that appeared to be from us
– Using our domain
– Using variations of our domain
• Linking to a fake login page hosted with a free company
– Steal usernames and passwords
– Log in to the user’s account and change the contact info before they can reset the password
• Launch these phishing sites at times when our staff was less likely to be available to request takedowns
Western Union Scam
• Buy things in the marketplace…anything
• Send a fake overpayment via Western Union
• Discuss the problem and have the seller deposit the check and then wire back the excess amount
• When the original check bounces, the seller is still out the amount wired back
– And potentially the merchandise
Spam
• Bombarding users through the system
• Marketing sometimes
• Others trying to bait somebody into a transaction
Fake Listings
• Putting up appealing items at steep discounts
• Paying for the listings with stolen credit cards
• Payment gateway issues cost per chargeback fees when people challenge the transactions from stolen cards
• Users fall for the fake listings and get ripped off
Multipart Process
• Secure YOUR domain’s email (with DMARC)
• Make phishing more obvious
• Identify compromised accounts
• Bring dialog within the site to identify spam
• Add more difficult user verification steps
• Identify potentially fraudulent credit cards
• Educate users
• Don’t let the bad guys know they’re caught
Email Sender Verification
SPF
• Sender Policy Framework
• DNS record
– Identify where your domain email comes from
• Easy to implement
• Bus analogy
– Only allow busses from Tulsa
DKIM
• DomainKeys Identified Mail
• Public/Private Key in an Email
• DNS Record
• Header with Encrypted Key
• More complicated, must control where email originates
• Bus analogy
– Verify each person on the bus came from Tulsa
DMARC
• Mail servers have no idea how strictly you’ve implemented SPF or DKIM
– So they guess
• DMARC lets you remove the guess work
– Declare what you’ve implemented
– You decide how failures are handled
• Flagged as spam (quarantine)
• Discarded completely
• Only implemented on a percentage of failures
– Get reports on exactly what happened
– Even get copies of emails that failed
DMARC Reports
• Emailed zipped XML
• You can parse them if you want but they’re easy enough to read
• When setting up, all you care about is verifying YOUR email is passing checks
<?xml version="1.0"?>
<record>
  <row>
    <source_ip>207.126.144.129</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>stefanomail.com</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>stefanomail.com</domain>
      <result>pass</result>
      <human_result/>
    </dkim>
    <spf>
      <domain>stefanomail.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
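The slide says the reports are easy enough to read by hand, but once more than a handful of sending services are involved it helps to reduce a report to "which source IPs passed and which failed". The script below is an added example, not code from the talk: it parses records shaped like the one above and decides pass/fail the way DMARC does, by requiring an SPF or DKIM pass whose domain aligns with the header From. The sample report is constructed (the second record, with its IP and count, is made up), and the alignment check is the relaxed-alignment simplification "same domain or a subdomain of it".

```python
"""Summarise DMARC aggregate (rua) report records: added example, not from the slides."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: the first record mirrors the slide, the second is
# a made-up failing sender so the summary has something to flag.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>stefanomail.com</domain>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>207.126.144.129</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated>
    </row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <dkim><domain>stefanomail.com</domain><result>pass</result><human_result/></dkim>
      <spf><domain>stefanomail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>25</count>
      <policy_evaluated><disposition>reject</disposition></policy_evaluated>
    </row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def aligned(auth_domain, header_from):
    """Relaxed-alignment simplification: identical domain or a subdomain of header From."""
    if not auth_domain:
        return False
    auth_domain, header_from = auth_domain.lower(), header_from.lower()
    return auth_domain == header_from or auth_domain.endswith("." + header_from)


def parse_report(xml_text):
    """Return one dict per <record> with the DMARC verdict already computed."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.iter("record"):
        row = rec.find("row")
        header_from = rec.findtext("identities/header_from") or ""
        # DMARC passes if ANY aligned SPF or DKIM result passed.
        passed = any(
            auth.findtext("result") == "pass" and aligned(auth.findtext("domain"), header_from)
            for auth in rec.findall("auth_results/spf") + rec.findall("auth_results/dkim")
        )
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": row.findtext("policy_evaluated/disposition"),
            "header_from": header_from,
            "dmarc_pass": passed,
        })
    return records


def summarize(records):
    """Message counts by verdict, e.g. {'pass': 1, 'fail': 25}."""
    totals = defaultdict(int)
    for r in records:
        totals["pass" if r["dmarc_pass"] else "fail"] += r["count"]
    return dict(totals)


def failing_sources(records):
    """Source IPs whose mail failed DMARC: the ones to investigate (or confirm as spoofers)."""
    return sorted({r["source_ip"] for r in records if not r["dmarc_pass"]})


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs), failing_sources(recs))
```

During rollout the `pass` bucket is what you watch: every legitimate sending service should show up there before you move from `p=none` to `p=reject`. An IP in the `fail` bucket is either a sender you forgot to add to SPF/DKIM or someone spoofing you, and the report tells you which domain they tried to authenticate as.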
Sample DNS Records
• SPF (TXT &&/|| SPF)
– v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all
• DKIM (TXT)
– k=rsa; p=MIGfMA0<A HUGE HASH>aBc3
• DMARC (TXT)
– v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com
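The records above are easy to get subtly wrong (a `p=none` policy that only monitors, a `+all` that authorises the whole internet, a forgotten `rua` so no reports ever arrive). The checker below is an added example, not from the talk, that parses SPF and DMARC TXT records and flags those weak spots; the two slide records are embedded as input. The SPF lookup count only covers top-level terms (nested `include`s are not followed), which is a simplification of the ten-lookup limit in RFC 7208.

```python
"""Lint SPF and DMARC TXT records for weak settings: added example, not from the slides."""

# The two records from the slide, used here as sample input.
SLIDE_SPF = "v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all"
SLIDE_DMARC = "v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com"

# Mechanisms/modifiers that cost a DNS lookup towards the limit of 10 (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', 'rua': '...'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means the record looks enforceable."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid (none/quarantine/reject)")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append("pct must be an integer 0-100")
    elif int(pct) < 100:
        findings.append("pct=%s: policy applied to only that share of failing mail" % pct)
    return findings


def spf_lookup_count(record):
    """Top-level DNS-querying terms only; nested includes are not expanded."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def check_spf(record):
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all lets anyone send as your domain")
        elif qualifier == "?":
            findings.append("?all is neutral and gives receivers no signal")
        elif qualifier == "~":
            findings.append("~all is softfail: pair it with a DMARC policy to get enforcement")
    if spf_lookup_count(record) > 10:
        findings.append("more than 10 DNS lookups: receivers will return permerror")
    return findings


if __name__ == "__main__":
    print("SPF:", check_spf(SLIDE_SPF), "lookups:", spf_lookup_count(SLIDE_SPF))
    print("DMARC:", check_dmarc(SLIDE_DMARC))
```

The slide's SPF record comes back with a single note about `~all`, which is exactly the point of the talk: softfail on its own is a hint, and the DMARC `p=reject` record is what turns it into a decision receivers will act on.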
Getting Setup
• SPF
– DNS Record
• DKIM
– Email senders must include DKIM
• Gmail, Sendgrid, Postmark, Mailgun, etc
– Will provide the DNS record for you
• DMARC
– DNS Record
Resources
DMARC
Understanding DMARC – https://support.google.com/a/answer/2466580?hl=en
DMARC Analyzer – https://www.dmarcanalyzer.com/
Kitterman SPF Testing Tools – http://www.kitterman.com/spf/validate.html
dmarcian – https://dmarcian.com/
==========================================
Summary of Results
==========================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
==========================================
Details:
==========================================
HELO hostname: mail-yh0-x229.google.com
Source IP: 2607:f8b0:4002:c01::229
mail-from: [email protected]
Combined that will ensure…
• Real email
– Gets through
• Phishing email
– Doesn’t
But…there’s more
• Fake other domains
• Spelling variations
• Shuffling interior letters
But…at least this is easier for users to identify
To stop that you can…
• Notify the owners of those domains
– Have them set up SPF and DMARC
• Contact registrars regarding the activity
• Purchase the domains and set up an empty SPF record
– indicates no email sent from the domain
Take down the endpoint
• Phishing emails inevitably link back to a site
– Take down the site, you eliminate the risk
• Contact a host abuse team to notify them
– Response times will vary by company
• Have the user report the site to
– Google
– Microsoft
– PhishTank (OpenDNS)
– McAfee
– US Government
• Doesn’t hurt to use a honeypot either
– Try to log in with a fake user and password
– Look for those fake credentials on login to spot the phisher using his list
Identify users who fell for it
• Track login history by IP address
– Record geolocation of IP
• Nginx GeoIP
• Maxmind database/services
• Cloudflare
– Identify logins by distance from normal center point
• Lock the account
• Notify the user of where the login came from
• Give them a link to unlock it
– disable the check if they’re travelling
• If not, tell them they need to change their password
• Users respond well to this, makes them feel safer because you’re looking out for them
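As an added example (not code from the talk) of the "distance from normal center point" check, the function below takes a user's past login coordinates, computes a centre, and decides whether a new login is far enough away to lock the account and notify the user. The GeoIP lookup itself is assumed to have already happened (the slides name Nginx GeoIP, MaxMind and Cloudflare for that); the coordinates and the 500 km threshold are constructed values, and the centre is a plain coordinate mean, which is fine for logins clustered in one region but would need more care near the antimeridian.

```python
"""Flag logins far from a user's usual location: added example, not from the slides."""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in decimal degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def center_point(points):
    """Arithmetic mean of the coordinates (simplification: assumes a regional cluster)."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def evaluate_login(history, new_location, max_km=500.0, travelling=False):
    """Decide what to do with a login given the user's geolocated login history.

    history      : list of (lat, lon) from previous successful logins
    new_location : (lat, lon) of the login being evaluated
    travelling   : the user's self-service "I'm travelling" switch from the slide
    Returns {"action": "allow" | "lock_and_notify", "distance_km": float | None}
    """
    if travelling or not history:
        # Nothing to compare against, or the user told us to expect new places.
        return {"action": "allow", "distance_km": None}
    distance = haversine_km(center_point(history), new_location)
    action = "lock_and_notify" if distance > max_km else "allow"
    return {"action": action, "distance_km": round(distance, 1)}


# Constructed sample: three logins around Greenville, SC (constructed coordinates).
USUAL_LOGINS = [(34.85, -82.40), (34.80, -82.45), (35.00, -82.30)]

if __name__ == "__main__":
    print(evaluate_login(USUAL_LOGINS, (34.90, -82.35)))   # nearby: allow
    print(evaluate_login(USUAL_LOGINS, (6.52, 3.38)))      # far away: lock and notify
    print(evaluate_login(USUAL_LOGINS, (6.52, 3.38), travelling=True))
```

On a `lock_and_notify` result the notification email should carry the unlock link and the "I'm travelling" switch the slide describes, and the unlock flow should end with a forced password change when the user says the login was not them.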
Track email changes
• Maintain an entire email change history per account
• Notify users when their email address was changed and provide a link to reverse the change
• If a user reverses the change
– Invalidate all reversal links AFTER that email
• but not before…so the original change is always valid
– Otherwise a hacker will change the email multiple times and keep reversing it back
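The "invalidate the links after, but not before" rule is the whole trick, so here it is as an added example (not code from the talk). Each change records the old address and a random reversal token that would be emailed to that old address; reversing change N restores its old address and kills the tokens of change N and everything later, so an attacker who changed the address several times cannot re-apply their own later change. Token values and the account addresses are constructed; persistence is an in-memory list standing in for the per-account history table.

```python
"""Email change history with one-directional reversal links: added example, not from the slides."""
import hmac
import secrets


class EmailHistory:
    def __init__(self, initial_email):
        self.current = initial_email
        # Each entry: the address before the change, the address after it, the
        # reversal token that was sent to the OLD address, and whether it still works.
        self.changes = []

    def change_email(self, new_email):
        """Apply a change and return the reversal token (to be emailed to the old address)."""
        token = secrets.token_urlsafe(32)
        self.changes.append({
            "old": self.current, "new": new_email, "token": token, "valid": True,
        })
        self.current = new_email
        return token

    def reverse(self, token):
        """Restore the address from before the change this token belongs to.

        Invalidates that token and every later one (changes made after it),
        but leaves earlier tokens usable, so an older legitimate reversal still works.
        """
        for index, change in enumerate(self.changes):
            if change["valid"] and hmac.compare_digest(change["token"], token):
                self.current = change["old"]
                for later in self.changes[index:]:
                    later["valid"] = False
                return True
        return False  # unknown, used, or superseded token

    def valid_tokens(self):
        return [c["token"] for c in self.changes if c["valid"]]


def attacker_scenario():
    """Constructed walk-through: one legitimate change, then two by an attacker."""
    account = EmailHistory("alice@example.com")
    t_legit = account.change_email("alice.new@example.com")        # link sent to alice@
    t_attack1 = account.change_email("attacker@evil.example")      # link sent to alice.new@
    t_attack2 = account.change_email("attacker2@evil.example")     # link sent to attacker@
    # Alice clicks the link that landed in alice.new@ ...
    assert account.reverse(t_attack1)
    # ... and the attacker's later link is now dead.
    assert not account.reverse(t_attack2)
    return account, t_legit


if __name__ == "__main__":
    acct, _ = attacker_scenario()
    print(acct.current)  # alice.new@example.com
```

Combine this with the login-location lock from the previous slide: the address change is usually the attacker's first move after logging in from somewhere unusual, so the reversal link and the account lock email should go to the same pre-change address.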
Verify Users
• Trust scores for completed transactions
– Aka – user ratings
• Let new users verify themselves other ways
– Text verification
• Can be prone to fraud
• Still harder to fake than email
– Phone verification
• APIs can identify TYPE of phone
– Land line, cell, disposable cell, pay phone
– Credit Card verification
• Run a transaction
• Use MaxMind minFraud service to flag risky cards
• Consider verification steps in a trust formula
– Degrade strictness based on activity and trust scores
– Don’t hassle your good users
Bring Communication In House
• Internal user message / dialog systems
• Track targets and actions of flagged accounts
• Identify patterns of bad behavior
• Automate flagging based on those patterns
Use CAPTCHA
• When users try to send a lot of messages
– Define “a lot” by trust scores
• Look for near identical messages
– Levenshtein Distance Algorithm
• Excellent for calculating string similarity
• Adjust similarity thresholds by trust scores
– Review stopped messages automatically
• Typically spammers keep sending
• The ones that didn’t are probably fine to deliver, so a catch and release policy for “probably not spam” is a good idea
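The near-identical-message check, as an added example that is not code from the talk: a standard Levenshtein edit distance, a similarity ratio derived from it, and a threshold that tightens for untrusted accounts and loosens for trusted ones. The sample messages and the trust-to-threshold mapping (0.70 for a brand-new account up to 0.95 for a fully trusted one) are constructed values to illustrate the idea; the real thresholds would be tuned against your own message traffic.

```python
"""Near-duplicate message detection with trust-scaled thresholds: added example, not from the slides."""


def levenshtein(a, b):
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,             # deletion
                current[j - 1] + 1,          # insertion
                previous[j - 1] + (ca != cb) # substitution (free if equal)
            ))
        previous = current
    return previous[-1]


def similarity(a, b):
    """1.0 for identical strings, 0.0 for completely different ones."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def threshold_for(trust):
    """Trust score in [0, 1] -> similarity needed to count as a near-duplicate.

    Constructed mapping: new accounts are held to 0.70, fully trusted ones to 0.95,
    so an established seller can reuse a template without tripping the check.
    """
    trust = min(max(trust, 0.0), 1.0)
    return 0.70 + 0.25 * trust


def flag_near_duplicates(messages, trust):
    """Indices of messages that are near-duplicates of an earlier message by this sender."""
    threshold = threshold_for(trust)
    flagged = []
    for i in range(1, len(messages)):
        if any(similarity(messages[i], messages[j]) >= threshold for j in range(i)):
            flagged.append(i)
    return flagged


# Constructed sample: two templated spam messages (4 edits apart) and one real question.
SAMPLE_MESSAGES = [
    "Great deal on a Leica M6 body, contact deal@example.net today",
    "Great deal on a Leica M3 body, contact deal@example.net today!!!",
    "Is the lens still available?",
]

if __name__ == "__main__":
    print("new account:", flag_near_duplicates(SAMPLE_MESSAGES, trust=0.0))    # [1]
    print("trusted account:", flag_near_duplicates(SAMPLE_MESSAGES, trust=1.0))  # []
```

Flagged messages go to the CAPTCHA-and-hold queue the slide describes rather than straight to a ban; the catch-and-release review is simply "did this account keep sending near-duplicates after being stopped?"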
Fark’s Banning System
• You’re banned…
– But you don’t KNOW you’re banned
– So you keep posting like an idiot
• And nobody else can see it…
This is important and works
• When you catch a spamming account
• Banning it will just result in a NEW account
– So don’t let them know
– Let them keep manually filling out CAPTCHA
• For hours…
– And hours and hours and hours
– Daily
– Keep a dashboard of time wasted for your own amusement
• Then every couple of weeks, ban them so they think you “caught” them
Send emails with hashed links
• Emails with a link to bypass login for one use
• Gets users used to NOT entering their login
– If clicking emails from your site never results in seeing a login screen, getting a login screen will seem strange
• Phishing sites can’t fake an automated login
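One way to build the single-use login link, as an added example that is not the talk's own code: the server mints a random token, stores only a keyed hash of it (so a leaked table does not yield working links), and redeeming it removes the entry, so the same link cannot be used twice or after it expires. The secret key, the link domain and the one-hour lifetime are constructed placeholders; the store is an in-memory dict standing in for a database table.

```python
"""Single-use, expiring login links: added example, not from the slides."""
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-placeholder-secret"   # placeholder: load from config in practice
LINK_BASE = "https://www.example.com/login/"        # placeholder domain
TOKEN_TTL_SECONDS = 3600


class LoginLinks:
    def __init__(self, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self.pending = {}  # keyed hash of token -> (user_id, expires_at)

    def _digest(self, token):
        # Keyed hash: the raw token never touches storage.
        return hmac.new(self.secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, now=None):
        """Create a token for user_id; the caller puts link_for(token) in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def link_for(self, token):
        return LINK_BASE + token

    def redeem(self, token, now=None):
        """Return the user_id to log in, or None if the token is unknown, used, or expired."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)  # pop: a link works exactly once
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are also discarded by the pop above
        return user_id


if __name__ == "__main__":
    links = LoginLinks()
    tok = links.issue("user-42")
    print(links.link_for(tok))
    print(links.redeem(tok), links.redeem(tok))  # user-42 None
```

Because the link logs the user in directly, the page it lands on must never ask for a password; that consistency is what makes a phishing page's login form look out of place to your users, which is the point of the slide.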
Evercookie
• A virtually undeletable cookie
– Track it with logins so you can trace multiple accounts and IPs back to a single computer
– https://github.com/samyk/evercookie
– http://samy.pl/evercookie/
• MaxMind’s IP Service will identify Tor/Proxies with great success
– Don’t let people do important things from an anonymous connection
– https://www.maxmind.com/en/geoip2-services-and-databases
• Also track with etag/if-none-match headers
– Every ad system trick out there works for tracking fraud
– http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags