Phishing spam sent from specifically registered domain names bypasses email authentication

November 12, 2016
Domain name spaming

Phishing spam is often sent from specifically registered domain names and domain zones to increase the efficacy of the phishing attack. This means that current email authentication systems are readily bypassed.

Phishing spam forms the first component of the social engineering attempt. The phishing message must appear like it has come from a legitimate and trusted source. The victim must believe and buy into the narrative.

To achieve a high level of trust the criminal will often send the phishing spam from a “trusted” domain.

Email Authentication Fail?

In the past, criminals often the spoofed the from address in the email with the genuine domain. Email-validation systems such as Domain-based Message Authentication, Reporting and Conformance (DMARC) can readily detect and prevent email spoofing. Phishing using a spoofed domain is further thwarted with the implementation of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Such underpinning technologies allow detection at ISP gateways to prevent the phishing spam email from being delivered.

However, the criminal can easily circumnavigate detection / authentication methods via sending the phishing spam from a fake domain that appears “trusted”. Instead of spoofing the from address with “genuinedomain.com” the criminal can easily send the spam from “genuinedomain.website” or genuinedomain1.com.

We have seen a recent surge in the number of new top-level domains used for distributing mass mailings. This has been caused by the readily available and cheap new generic top level domains – gTLDs.

When gTLDs were first marketed a few years ago there was some logical connection between the theme of the spam and the domain name. We still see isolated cases where the connection is noticeable, such as .bank, .shop.

More recently we have observed a lack of any connection between the domain name and spam theme due to the cost of new domains. The attackers try to choose the cheapest possible registration and hosting because the sites will often be used just once for a specific spam mass mailing.

Spammers have come up with numerous ways to hide the source domain from anti-spam filters by using redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

Due to the now cheap source of domain registration and hosting – we continue to see a rise in specific domain name and domain zones being used to send phishing based spam. This raises the question – is traditional email authentication now failing us?

About the author

Leave a Reply