A few days ago, email users received a spoofed mail claiming to come from @WhiteHouse.gov, and the attachment infected the recipients' machines. Among those recipients were government employees and contractors who work on cyber-security matters.
The purpose of the infection was to steal documents from the compromised systems and upload them to a central repository. Gigabytes of sensitive documents were stolen.
Now let's look at the root cause:
The problem lay neither with the recipients' mail servers nor with the anti-spam / anti-virus technology, but with the WhiteHouse.gov domain itself.
How is WhiteHouse.gov vulnerable?
The first questions we should be asking ourselves are:
1: How did the email get into the system? Answer: because the sender address was WhiteHouse.gov.
2: Was the sending domain validated? The most probable answer from admins: yes, we have deployed SPF record checks.
3: If SPF was deployed, then how did your system accept the mail? *Stumped*, no answer.
A closer look at the WhiteHouse.gov SPF record shows that it ends with the ~all (softfail) mechanism. A softfail tells the receiver that the sending host is probably not authorised, but it does not ask for a rejection, so most receivers merely mark the message and deliver it. Some of the messages are sent using the messages.whitehouse.gov domain, and that subdomain does have a valid and strict SPF record, but an SPF record on a subdomain does nothing for mail whose sender address is WhiteHouse.gov itself.
For a more detailed discussion of the ~all mechanism, read the previous post, Phishing Spoofing Made Easy.
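To make the softfail point concrete, here is a small SPF evaluator. It is an added example written for this post, not code from the original article or from any of the domains mentioned. It evaluates the ip4, ip6 and all mechanisms offline; include, a, mx and the other DNS-dependent mechanisms are treated as non-matching, which is an assumption made so the example runs without network access. The two records, the authorised ranges and the spoofer's IP are constructed examples, not the real WhiteHouse.gov DNS data, and the receiver policy is the common default, also an assumption.

```python
import ipaddress

# Constructed example records; NOT the real WhiteHouse.gov DNS data.
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"   # weak: softfail
STRICT_RECORD   = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"   # hardened: hard fail

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # an absent qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier (redirect=, exp=); not handled here
            continue
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def evaluate_spf(record, sender_ip):
    """Return the SPF result for a connecting IP: pass, fail, softfail, neutral or permerror.

    Only ip4, ip6 and all are evaluated. Mechanisms that need DNS
    (a, mx, include, exists, ptr) are treated as non-matching; this is an
    assumption made so the example runs offline.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when nothing matches and there is no "all" term


def receiver_action(result):
    """Typical MTA policy (assumption): only a hard fail is rejected."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept and mark"   # the spoof still lands in the inbox or junk folder
    return "accept"


if __name__ == "__main__":
    spoofer = "198.51.100.7"   # constructed: a host listed in neither record
    for label, record in (("~all", SOFTFAIL_RECORD), ("-all", STRICT_RECORD)):
        result = evaluate_spf(record, spoofer)
        print(f"{label}: {result} -> {receiver_action(result)}")
```

Run against the same unauthorised host, the ~all record yields softfail and the mail is delivered, while the -all record yields fail and the mail is rejected. The fix for the spoofing described above is therefore on the sending domain's side: list every legitimate sender and close the record with -all, on the parent domain itself, not only on a subdomain.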
Virus writers will keep finding innovative ways to profit, and for that they create new executables. Since every new attack comes with a new exe, its hash changes, and the moment the hash changes VirusTotal and a few other services report low detection rates. Hash comparison is a reactive technology: it is good for detecting binaries that have already been tagged as malicious, but not new viruses or new variants, and it is not proactive.
Last year, in February, an email spoofing attack was launched using firstname.lastname@example.org with the intention of stealing passwords. The only thing the two attacks have in common is the SPF record: NSA.org, even a year later, does not have a valid SPF record, while WhiteHouse.gov has a ~all.
One thing that surprises me is that so much is written and blogged about social engineering attacks, yet people still fall for them. At the same time, emails keep being spoofed even though the technology to block such spoofs is available.