Worse, even if you get an email from your mastodon instance (or ANY web service), an authorized SMTP system could have been hijacked and the link directed to a phishing page, potentially even hosted on a hijacked subdomain.
Layers and layers of caution are required whenever you are prompted to take an unusual action.
https://mstdn.social/@stux/109603992325592066
sтυx🎄 (@stux@mstdn.social)

Attached: 1 image
⚠️ WARNING! ⚠️ I just received this email in a catch-all that was addressed to a user. Mastodon does NOT send such mails, and this leads to a malicious login page! Please make sure you are on the correct instance URL before logging in! Also make sure the emails are sent from the instance you are on! Often this email can be found on the /about page #Mastodon
NOTE: Humans reduce their ability to detect/resist fraud when under time pressure. See how the email puts the victim under duress by threatening to delete messages, to make them act as quickly as possible. This is a huge red flag that will help you if you know to look for it in attacker communications (or life in general), because attackers know this is a shortcut to better results.
At my work we are planning for this kind of nightmare scenario by moving to tightly-governed and logged SMTP relays. It will take a lot of work, but giving vendors SPF/DKIM, although it MUST be done in the interim as soon as possible so you can get DMARC to enforcement, is a blank check when you are an incredibly sensitive service/huge target.
Most should not worry about this; there are a hundred things more important, but understand the exposure.
@SwiftOnSecurity Could you elaborate the "DMARC enforcement" part, please. I never fully understood it tbh.
@matthegap @SwiftOnSecurity See the bottom right in the DMARC flow below. You set up a policy that says the receiver should "reject any messages that fail", "quarantine any messages that fail", or "let failures through". The first two would be enforcement.
(Image courtesy of https://dmarc.org/overview/ . Many more details found there.)

@yackreader @SwiftOnSecurity Ah, so the policy is read and enforced by the receiver. That makes sense, didn't know this was possible.

@SwiftOnSecurity #DMARC can definitely be a PITA to implement, particularly for large organizations with many domains and email sources, but it is well worth the pain. That's why I wrote a complete guide and open source software to send DMARC reports to #Splunk and #Elasticsearch. I included pre-made dashboards too.

https://seanthegeek.net/459/demystifying-dmarc/

https://domainaware.github.io/parsedmarc/

@seanthegeek @SwiftOnSecurity DMARC isn't as much the pain as discovering how many domains you have and how many people in the entire org actually know what they are used for. Unfortunately, gaining that knowledge is a prerequisite to implementing DMARC. Enforcing domain mgmt practice and onboarding legacy domains .... ya know... the ones that Bob or Jane in marketing bought a decade ago with their credit cards and expensed because of some marketing campaign they wanted to run, now that is the fun part. Especially when Jane retired 8 years ago and Bob left the job for greener pastures shortly after...

DMARC? that shit is easy... it's preparing for DMARC that will kill ya...

@Rajiv @seanthegeek @SwiftOnSecurity
I have done a lot of legacy domain work on behalf of customers, mostly chasing the correct responsible persons down and convincing them to take action.

One of the domains had NS records that included these 2 servers:

uucp-gw-1.pa.dec.com
uucp-gw-2.pa.dec.com

When H-P decided to sell off the dec.com domain, they never checked with anyone in HP Labs (Palo Alto), and those 2 hosts were still widely in use.

@Rajiv @seanthegeek @SwiftOnSecurity

Most of the NS records that used these servers had already migrated to the equivalent hostnames under .hpl.hp.com or .labs.hp.com but a significant number had not. Nobody thought that dec.com was going away.

The auction happened in July 2014 and it took a few months for the domain registration to be transferred (to GoDaddy, of course).

@seanthegeek @SwiftOnSecurity DMARC certainly is a test of an org's domain governance.
There are some quick wins.
1) Just getting the report set up without enforcement provides great visibility.
2) Slapping a simple reject policy on any parked domains protects them from being abused.
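An added example, not code from anyone in this thread, that puts the two points above into practice: it classifies a published _dmarc TXT record as enforcing (p=reject/p=quarantine) or monitor-only (p=none), and lists what a parked domain's DNS records are missing. All sample records are constructed; the domain names are placeholders.

```python
"""DMARC record triage (added example; sample records are constructed)."""
import re

ENFORCING = {"reject", "quarantine"}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt: str) -> str:
    """Say what the receiver will actually do with a failing message."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 per RFC 7489
    if policy not in ENFORCING:
        return "monitor-only"  # p=none: reports arrive, nothing is filtered
    if pct < 100:
        return f"partial ({pct}% {policy})"
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if sp not in ENFORCING:
        return f"enforcing ({policy}), subdomains monitor-only"
    return f"enforcing ({policy})"


def parked_domain_issues(dmarc_txt: str, spf_txt: str, mx_hosts: list) -> list:
    """Gaps in the records of a domain that is never supposed to send mail."""
    issues = []
    if classify(dmarc_txt) != "enforcing (reject)":
        issues.append("DMARC should be v=DMARC1; p=reject; sp=reject")
    if re.sub(r"\s+", " ", spf_txt.strip().lower()) != "v=spf1 -all":
        issues.append("SPF should be v=spf1 -all (no authorized senders)")
    if mx_hosts and mx_hosts != ["."]:
        issues.append("MX should be a null MX (priority 0, host '.')")
    return issues


if __name__ == "__main__":
    # Constructed sample: a parked brand domain still carrying a monitor-only record.
    print(classify("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(parked_domain_issues("v=DMARC1; p=none", "v=spf1 ~all", ["mail.example.com"]))
```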
@gregthomson @SwiftOnSecurity Absolutely! #DMARC is also a fantastic tool for uncovering "shadow IT": the undocumented and/or unauthorized services used by different parts of your organization.
@SwiftOnSecurity I've seen an org take on the effort of training the userbase to recognize DKIM signature failures, only to then discover that someone high up the food chain used a strange setup for their 'employee newsletter' distribution which modified the email content, thus breaking DKIM.
@SwiftOnSecurity I recall CSC "brand protection" not setting DMARC/DKIM/SPF on our rebrand domains.
Sure got a lot of attention when I emailed the MT with the new brand's domain name during the CEO's reveal.
And fixed it in 2 days. Record speed in glacial enterprise timeline territory...

@SwiftOnSecurity

As a #GlobalAdmin at my work, I get #notifications when my people do certain things...

- impossible travel
- click a suspicious link
- send suspicious email

I will testify that it is extremely difficult for members of our organization to notify sweepstakes winners without generating a notification and having the sending email blocked. The first and second year we ran it, I was flagged multiple times.

I should not have been able to unblock myself.

@SwiftOnSecurity It's great news that this phishing attack also contains incorrect wording/spelling ("destruct"), to help people suspect its authenticity.
@lcrespom @SwiftOnSecurity I remember reading years ago that these errors and misspellings are intentional filters. The person who misses the errors and still clicks is very likely to be successfully exploited.
@jlbec @SwiftOnSecurity that makes sense for spam, which frequently requires human interaction… but phishing is automated so I don’t see why they would want to reduce the number of potential victims.

@SwiftOnSecurity

2ndary object...
upgrade to the newest...
Ummm pretty sure everything is server side.
So this is phishing for your login as well as setting the stage for you to willingly accept and run something when it's offered to you.

@SwiftOnSecurity *nods in agreement*

ALWAYS SUS THINGS OUT OF PROTOCOL!

@SwiftOnSecurity Since we're on the topic: what's your take on DKIM and the other DNS-level anti-spoofing measures?
@DataDrivenMD Not much to say; they've reached maturity and work, minus some edge cases. DKIM and SPF should both be made to work redundantly.
@SwiftOnSecurity Thank you. I didn't frame the question well here, but the 3rd post in your thread hit on the topics that I was thinking about but failed to explicitly convey. Very helpful post, thank you.
@SwiftOnSecurity is this the person who is on the mastodon.social instance?

@SwiftOnSecurity

About me: I'm old. I ran away with someone I met on the pre-internet in 1981.

I have never had malware on my computer nor given my info to a phishing email.

How?

1) Any link, anywhere on the internet - your browser will tell you where it goes when you hover it on your desktop device or long-press on your mobile. Some sites also warn you if clicking the link would take you off their site.

🧡

@SwiftOnSecurity

2) Some other apps (like PDF viewers) work similarly. In your word processor, you have to work to open a link, and you can see where it goes if you select Edit the link.

3) Don't install random apps. If you're on an ad-supported download site, be especially careful of what you're clicking on.

4) Pop-ups lie. The scarier, the more bogus. If you don't know how to get rid of the popup, close the app.

2/

@SwiftOnSecurity

5) Tech Support only calls you after you've reached out to them. Ask them to verify your support ticket number before telling them anything.
CALLER: I'm with Microsoft tech support, blah-blah-blah
YOU: Hello, please verify the ticket number you are calling about.

6) These apply to everything - even texts and emails and direct messages from your friends and family.

I assure you, I'm not paranoid.

3/3

@SwiftOnSecurity

PS

Never share passwords, yours or anyone else's. I raised five children without knowing their passwords.