Spear Phishing Experiment Shows Spoofed Social Media Email Bypasses Most Email Filters... Tips for Staying Safe from Similar Attacks
I noticed this interesting article on DarkReading earlier today which several other folks forwarded to me (see, "Major Secure Email Products and Services Miss Spear-Phishing Attack") that reports how security experts at PacketFocus (an IT security, risk assessment and ethical hacking firm) were able to bypass spam filters "100% of the time" with a spoofed social media invite.
The gist of the story is that experimenters sent a spoofed LinkedIn invite to users at organizations that had agreed to participate in the test. The spoofed message, which resembled a legitimate LinkedIn invitation, invited recipients to connect with Microsoft Chairman Bill Gates.
Like real spear phishing attacks, the email's content and its basic structural components gave little to no indication that the message was not legitimate (with the exception that the text of the "from" field spelled LinkedIn as "LinkedIN").
Typically, spam and broader-based phishing attacks contain at least a few different clues that email security systems can latch on to and determine whether the message is legitimate or not (these include things like reputational factors such as whether the sending IP is malicious, the presence of known malicious URLs in the body of the message, and other "spammy" or "phishy" content in the message). But true "spear phishing" messages are carefully crafted, not sent in high volumes and would use payloads that would not have already been identified as malicious.
These sorts of messages are extremely hard for email security solutions to detect, so it's not a huge surprise that PacketFocus found that their messages had a 100% delivery rate. eWeek also covered this story (see, "Spear Phishing Swims Past E-Mail Filters") and has some interesting quotes from PacketFocus CEO Joshua Perrymon, who notes that the basic problem is with SMTP itself.
Just as I do on a regular basis here in the email security blog, Perrymon notes that training of end-users is extremely important, and it's worth reiterating here that email recipients should be extremely wary of links in email (especially links in social media notification type emails). We advise users to simply visit the site in question and log in directly to see messages, friend requests or other notifications, rather than following links inside an email. (See this previous blog post for other tips about staying safe online.)
One thing I wanted to add that is not covered in either the DarkReading or eWeek articles is the subject of email authentication. The goal of email authentication systems such as DKIM and SPF is to solve this inherent weakness in SMTP email that makes it easy to "spoof" source addresses.
One of the weaknesses of both email authentication systems is that adoption of these tools is still far from universal. Not every domain has published the correct records (in the case of SPF) nor is every legitimate email that could be signed with DKIM sent with a DKIM signature.
On the receiving end, checking the validity of SPF records and verifying DKIM signatures is something that email administrators have to spend at least a little bit of time configuring. I'm guessing from the results of this test that none of the organizations that participated in this experiment have either form of email authentication turned on. (Not that this necessarily would have helped... I'm unsure whether legitimate messages from LinkedIn are DKIM signed, but it does seem that linkedin.com has a published SPF record.)
Long story short, this is a good reminder to add basic email authentication to your list of security New Year's resolutions.
Another thing to be mindful of: Many email security systems allow end-users to set up personal safelists and blocklists (Proofpoint, for example, supports safelists and blocklists at the global, group and individual end-user levels should the administrator allow them). In general, this is a good thing and it's a useful feature for ensuring that critical emails from certain senders are never at risk of being inaccurately marked as spam. However, care should be taken when adding an entire domain to a safelist. It's much better to specify just one specific email address, or, even better, to identify the safe sender by IP address.
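As an added example (not code from the original post, and not Proofpoint's or PacketFocus's code), the following Python sketch ties the two points above together: a simplified SPF evaluation over constructed DNS records, and a safelist that honors domain- and address-level entries only when the sender authenticates, while an IP-level entry stands on its own. The domains, SPF records and addresses are all made up (RFC 5737/3849 documentation ranges), and `lookup_txt` is a stand-in for a real DNS TXT query. It goes one step beyond the post in that it also gates exact-address entries on SPF, since a spoofed message can forge the exact address as easily as the domain.

```python
"""Simplified SPF check plus authentication-aware safelisting (added example).

All DNS data and messages below are constructed for the demo; the stand-in
lookup replaces a real TXT query, and only ip4/ip6/include/all are modelled.
"""
import ipaddress

# Constructed stand-in for DNS TXT records (hypothetical domains, RFC 5737 addresses).
FAKE_DNS_TXT = {
    "example-social.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test -all"],
    "_spf.mailer.test":    ["v=spf1 ip4:198.51.100.10 ~all"],
    "no-spf.test":         [],          # a domain that never published an SPF record
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a real DNS TXT query; reads the constructed table above."""
    return FAKE_DNS_TXT.get(domain.lower(), [])


def check_spf(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror. This is a
    teaching subset of RFC 7208: the a, mx, ptr and exists mechanisms,
    macros and the DNS-lookup limit are not modelled.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                # multiple SPF records are an error, not a pass
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in network:         # False on an IPv4/IPv6 version mismatch
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        # unmodelled mechanisms simply never match here
    return "neutral"                    # record ended without an 'all' term


# Constructed safelist in the three shapes the post contrasts.
SAFELIST = [
    ("domain",  "example-social.test"),
    ("address", "alerts@no-spf.test"),
    ("ip",      "198.51.100.10"),
]


def safelist_bypass(sender, ip, safelist=SAFELIST, require_spf_for_names=True):
    """Decide whether a message skips filtering because of a safelist entry.

    sender: envelope sender (MAIL FROM) address; ip: connecting IP.
    Domain and address entries match on a name the sender chooses, so they
    are honoured only when SPF passes; an IP entry needs no extra check.
    Returns (bypass, reason).
    """
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    addr = ipaddress.ip_address(ip)
    spf = check_spf(ip, domain)
    for kind, value in safelist:
        value = value.lower()
        if kind == "ip":
            if addr in ipaddress.ip_network(value, strict=False):
                return True, "ip entry %s" % value
            continue
        matched = (kind == "domain" and domain == value) or \
                  (kind == "address" and sender == value)
        if not matched:
            continue
        if require_spf_for_names and spf != "pass":
            return False, "%s entry matched but SPF=%s; not trusted" % (kind, spf)
        return True, "%s entry %s (SPF=%s)" % (kind, value, spf)
    return False, "no safelist match (SPF=%s)" % spf


if __name__ == "__main__":
    for sender, ip in [("invitations@example-social.test", "203.0.113.7"),
                       ("invitations@example-social.test", "192.0.2.44")]:
        print(sender, ip, safelist_bypass(sender, ip))
```

With the constructed data, a message claiming `invitations@example-social.test` from an IP inside the published range is safelisted, while the same address arriving from an unlisted IP fails SPF and the domain-wide entry is ignored; set `require_spf_for_names=False` to see the behaviour the post warns about, where the domain entry alone lets the spoof through.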