Protecting Users from Fraud

my experience combating phishing and fraud using DMARC… and assorted other techniques

Upload: barry-jones

Post on 15-Jul-2015

First Up, What do I know?

• Barry Jones
• Software Architect for ACS Technologies, Inc
• Previously – Director of Application Development for a 14 year old, high end electronics resale marketplace
– Basically ebay for a niche market

Well, ebay if… everything worked via direct user email

Now imagine…

• That the entire thing gets rebuilt without any of the previous security tools
• And users want features that are missing
• And phishers, fraudsters and spammers capitalize on the chaos
• And you get hired to fix it

Good times

So what were the methods of attack?

Phishing

• Sending emails that appeared to be from us
– Using our domain
– Using variations of our domain
• Linking to a fake login page hosted with a free hosting company
– Steal usernames and passwords
– Login to the user’s account and change the contact info before they can reset the password
• Launch these phishing sites at times when our staff was less likely to be available to request takedowns

Western Union Scam

• Buy things in the marketplace…anything
• Send a fake overpayment (a bad check) and ask for the excess back via Western Union
• Discuss the problem and have the seller deposit the check and then wire back the excess amount
• When the original check bounces, the seller is still out the amount wired back
– And potentially the merchandise

Spam

• Bombarding users through the system
• Marketing sometimes
• Others trying to bait somebody into a transaction

Fake Listings

• Putting up appealing items at steep discounts
• Paying for the listings with stolen credit cards
• The payment gateway charges a per-chargeback fee when cardholders dispute the transactions from stolen cards
• Users fall for the fake listings and get ripped off

And when you close an account

…they just make a new one

Users lose trust

So how do you combat it?

Multipart Process

• Secure YOUR domain’s email (with DMARC)
• Make phishing more obvious
• Identify compromised accounts
• Bring dialog within the site to identify spam
• Add more difficult user verification steps
• Identify potentially fraudulent credit cards
• Educate users
• Don’t let the bad guys know they’re caught

DMARC

Securing your domain’s email

Email Sender Verification

SPF

• Sender Policy Framework
• DNS record
– Identify where your domain’s email comes from (which hosts and IPs are allowed to send as it)
• Easy to implement
• Bus analogy
– Only allow buses from Tulsa

DKIM

• DomainKeys Identified Mail
• Public/private key pair: the private key signs each outgoing message, the public key is published in DNS
• DNS record (a TXT record under selector._domainkey.your_domain)
• Header with the signature (DKIM-Signature), which the receiver verifies against the public key in DNS
• More complicated, must control where email originates
• Bus analogy
– Verify each person on the bus came from Tulsa

DMARC

• Mail servers have no idea how strictly you’ve implemented SPF or DKIM
– So they guess
• DMARC lets you remove the guess work
– Declare what you’ve implemented
– You decide how failures are handled
• Flagged as spam (quarantine)
• Discarded completely (reject)
• Only applied to a percentage of failures (the pct= tag, useful while ramping up)
– Get reports on exactly what happened (aggregate reports, rua=)
– Even get copies of emails that failed (forensic reports, ruf=; few large receivers send these)
• A message passes DMARC only when SPF or DKIM passes AND the domain that passed aligns with the From: header domain

DMARC Reports

• Emailed zipped XML
• You can parse them if you want but they’re easy enough to read
• When setting up, all you care about is verifying YOUR email is passing checks
– Every legitimate sender should show up as SPF and/or DKIM pass; anything else is either a sender you forgot about or a spoofer

One <record> from an aggregate report (the full file wraps these records in a <feedback> element together with <report_metadata> and <policy_published>):

    <?xml version="1.0"?>
    <record>
      <row>
        <source_ip>207.126.144.129</source_ip>
        <count>1</count>
        <policy_evaluated>
          <disposition>none</disposition>
        </policy_evaluated>
      </row>
      <identities>
        <header_from>stefanomail.com</header_from>
      </identities>
      <auth_results>
        <dkim>
          <domain>stefanomail.com</domain>
          <result>pass</result>
          <human_result/>
        </dkim>
        <spf>
          <domain>stefanomail.com</domain>
          <result>pass</result>
        </spf>
      </auth_results>
    </record>
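The slide says you can parse these reports yourself. Here is an added example of doing that with Python's standard library; it is not code from the talk. The report text is constructed for the example: it wraps the slide's record in the <feedback> element real reports use and adds a second, made-up record from a source that passes SPF only for an unrelated domain. Two simplifications are assumptions of this example: the organizational domain is taken as the last two labels (real receivers use the Public Suffix List), and pass/fail is recomputed from <auth_results> with DMARC's relaxed alignment rule rather than read from the receiver's own <policy_evaluated> verdict.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: record 1 mirrors the slide, record 2 is a
# made-up sender that passes SPF for a domain that does not align with the
# From: header, which is what a spoofer or a forgotten bulk sender looks like.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver</org_name>
    <report_id>1</report_id>
  </report_metadata>
  <policy_published>
    <domain>stefanomail.com</domain>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>207.126.144.129</source_ip>
      <count>1</count>
      <policy_evaluated><disposition>none</disposition></policy_evaluated>
    </row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <dkim><domain>stefanomail.com</domain><result>pass</result></dkim>
      <spf><domain>stefanomail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>reject</disposition></policy_evaluated>
    </row>
    <identities><header_from>stefanomail.com</header_from></identities>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List; this is enough for plain .com/.org style names.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from):
    # DMARC relaxed alignment: the authenticated domain and the From: domain
    # share an organizational domain.
    return org_domain(auth_domain) == org_domain(header_from)


def parse_records(xml_text):
    """One dict per <record>, with an aligned pass/fail per mechanism."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identities/header_from", "")
        passes = {}
        for mech in ("dkim", "spf"):
            node = rec.find(f"auth_results/{mech}")
            passes[mech] = (
                node is not None
                and node.findtext("result") == "pass"
                and aligned(node.findtext("domain", ""), header_from)
            )
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "header_from": header_from,
            "dkim_aligned": passes["dkim"],
            "spf_aligned": passes["spf"],
            # DMARC passes when either mechanism passes in alignment.
            "dmarc_pass": passes["dkim"] or passes["spf"],
        })
    return rows


def failing_sources(xml_text):
    """Message count per source IP that failed DMARC, largest first.
    While setting up, every IP in this list is either a sender you forgot
    to authorize or someone spoofing you."""
    totals = defaultdict(int)
    for r in parse_records(xml_text):
        if not r["dmarc_pass"]:
            totals[r["source_ip"]] += r["count"]
    return sorted(totals.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for r in parse_records(SAMPLE_REPORT):
        print(r)
    print("failing sources:", failing_sources(SAMPLE_REPORT))
```

Real reports arrive as .zip or .gz attachments; unpack them first and feed each XML file to parse_records. The failing_sources list is the thing to read during the p=none phase: work through it until only sources you do not recognize remain, then move to quarantine and reject.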

Sample DNS Records

• SPF (TXT record at the domain itself; the separate SPF record type was deprecated by RFC 7208, so publish TXT)
– v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all
• DKIM (TXT record at selector._domainkey.your_domain.com; p= is the base64 public key, not a hash)
– v=DKIM1; k=rsa; p=MIGfMA0<BASE64 PUBLIC KEY>aBc3
• DMARC (TXT record at _dmarc.your_domain.com)
– v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com
– Start with p=none to collect reports, then move to quarantine and finally reject once every legitimate sender passes

Getting Setup

• SPF
– DNS Record
• DKIM
– Email senders must include DKIM
• Gmail, Sendgrid, Postmark, Mailgun, etc
– Will provide the DNS record for you (the public key for their selector)
• DMARC
– DNS Record

Resources

DMARC

Understanding DMARC
https://support.google.com/a/answer/2466580?hl=en

DMARC Analyzer
https://www.dmarcanalyzer.com/

Kitterman SPF Testing Tools
http://www.kitterman.com/spf/validate.html

dmarcian
https://dmarcian.com/

Send a test message to [email protected] and the verifier replies with a report like this:

    ==========================================
    Summary of Results
    ==========================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham

    ==========================================
    Details:
    ==========================================
    HELO hostname:  mail-yh0-x229.google.com
    Source IP:      2607:f8b0:4002:c01::229
    mail-from:      [email protected]

Combined that will ensure…

• Real email
– Gets through
• Phishing email that spoofs your exact domain
– Doesn’t (receivers that honour your p=reject drop it)

But…there’s more
• Fake other domains
• Spelling variations
• Shuffling interior letters

But…at least this is easier for users to identify

To stop that you can…

• Notify the owners of those domains
– Have them setup SPF and DMARC
• Contact registrars regarding the activity
• Purchase the domains and setup an empty SPF record
– v=spf1 -all indicates no email is ever sent from the domain
– Add a DMARC record with p=reject on those domains too, so receivers enforce it instead of guessing

Take down the endpoint

• Phishing emails inevitably link back to a site
– Take down the site, you eliminate the risk
• Contact a host abuse team to notify them
– Response times will vary by company
• Have the user report the site to
– Google
– Microsoft
– PhishTank (OpenDNS)
– McAfee
– US Government
• Doesn’t hurt to use a honeypot either
– Submit a fake username and password to the phishing page
– Watch for those fake credentials at your own login; an attempt with them is the phisher working through his list

Identify users who fell for it

• Track login history by IP address
– Record geolocation of IP
• Nginx GeoIP
• Maxmind database/services
• Cloudflare
– Identify logins by distance from the user’s normal center point
• Lock the account
• Notify the user of where the login came from
• Give them a link to unlock it
– Disable the check if they’re travelling
• If not, tell them they need to change their password
• Users respond well to this, makes them feel safer because you’re looking out for them
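The distance-from-center check described above, as an added example (not the marketplace's own code). Geolocation itself is left to whatever the slide lists (Nginx GeoIP, MaxMind, Cloudflare); this code takes the (lat, lon) pairs they produce. The login history, the 500 km threshold and the three-login minimum are constructed assumptions for the example, and the center point is a plain coordinate mean, which is adequate while a user's logins cluster in one region.

```python
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def center_point(points):
    """Mean latitude/longitude of the user's past geolocated logins.
    Assumption: a simple mean, which is fine for logins that cluster in one
    region and wrong for users who straddle the antimeridian."""
    lat = sum(p[0] for p in points) / len(points)
    lon = sum(p[1] for p in points) / len(points)
    return lat, lon


def evaluate_login(history, new_login, threshold_km=500.0, travel_mode=False, min_history=3):
    """history: list of (lat, lon) for this account's previous logins.
    new_login: (lat, lon) geolocated from the IP of the login being attempted.
    Returns the action to take and the distance that drove it.  'lock' means:
    lock the account, tell the user where the login came from, and mail them
    an unlock link (or a password-change prompt if it wasn't them)."""
    if travel_mode:
        # The user told us they are travelling: skip the distance check.
        return {"action": "allow", "reason": "travel mode", "distance_km": None}
    if len(history) < min_history:
        # Not enough data to know what "normal" is for this account yet.
        return {"action": "allow", "reason": "not enough history", "distance_km": None}
    clat, clon = center_point(history)
    dist = haversine_km(clat, clon, new_login[0], new_login[1])
    if dist > threshold_km:
        return {"action": "lock", "reason": f"{dist:.0f} km from usual location", "distance_km": dist}
    return {"action": "allow", "reason": "near usual location", "distance_km": dist}


# Constructed sample history: three logins around upstate South Carolina.
HISTORY = [(34.85, -82.40), (34.93, -82.22), (34.78, -82.50)]

if __name__ == "__main__":
    # A login from Charlotte, NC is a short drive away: allowed.
    print(evaluate_login(HISTORY, (35.23, -80.84)))
    # A login geolocated to Lagos is thousands of km away: lock and notify.
    print(evaluate_login(HISTORY, (6.52, 3.38)))
    print(evaluate_login(HISTORY, (6.52, 3.38), travel_mode=True))
```

Keep the threshold generous. GeoIP data is coarse (mobile carriers and VPN exits geolocate to their provider's city, not the user's), so a low threshold locks out honest users and trains them to ignore the notification.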

Track email changes

• Maintain an entire email change history per account
• Notify users (at the old address) when their email address was changed and provide a link to reverse the change
• If a user reverses the change
– Invalidate all reversal links issued AFTER that change
• but not before…so the original change is always reversible
– Otherwise a hacker will change the email multiple times and keep reversing it back
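The reversal rule above, as an added example (not the marketplace's code). The history is kept in memory here; a real system stores it per account in the database and mails the token, inside a link, to the OLD address only. One design decision beyond the slide is an assumption of this example: a reversal itself produces no new reversal token, because the address being removed is exactly the one the attacker controls.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EmailChange:
    old_email: str
    new_email: str
    token: Optional[str]   # reversal token mailed to old_email; None for a reversal entry
    valid: bool = True     # False once used, or once an earlier change was reversed


@dataclass
class Account:
    email: str
    history: List[EmailChange] = field(default_factory=list)


def change_email(account, new_email):
    """Record the change and return the reversal token.  In production the
    token goes into a link that is sent to the OLD address only."""
    token = secrets.token_urlsafe(32)
    account.history.append(EmailChange(account.email, new_email, token))
    account.email = new_email
    return token


def _find_valid(account, token):
    """Index of the still-valid change this token belongs to, or None."""
    for idx, change in enumerate(account.history):
        if change.valid and change.token is not None and hmac.compare_digest(
            change.token.encode(), token.encode()
        ):
            return idx
    return None


def reverse_change(account, token):
    idx = _find_valid(account, token)
    if idx is None:
        return False
    change = account.history[idx]
    # Everything that happened AFTER this change is void: an attacker who
    # changed the address twice cannot use the later link to flip it back.
    for later in account.history[idx + 1:]:
        later.valid = False
    change.valid = False  # single use
    # Earlier changes keep their tokens, so the original change stays reversible.
    # The reversal gets no token of its own (assumption, see lead-in): otherwise
    # the address we just removed would receive a link to undo the recovery.
    account.history.append(EmailChange(account.email, change.old_email, None, valid=False))
    account.email = change.old_email
    return True


if __name__ == "__main__":
    acct = Account("victim@example.com")
    t1 = change_email(acct, "attacker1@example.net")   # attacker, link mailed to victim@
    t2 = change_email(acct, "attacker2@example.net")   # attacker again, link mailed to attacker1@
    print(reverse_change(acct, t1), acct.email)        # True victim@example.com
    print(reverse_change(acct, t2), acct.email)        # False victim@example.com
```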

Verify Users

• Trust scores for completed transactions
– Aka – user ratings
• Let new users verify themselves other ways
– Text verification
• Can be prone to fraud
• Still harder to fake than email
– Phone verification
• APIs can identify TYPE of phone
– Land line, cell, disposable cell, pay phone
– Credit Card verification
• Run a transaction
• Use MaxMind minFraud service to flag risky cards
• Consider verification steps in a trust formula
– Degrade strictness based on activity and trust scores
– Don’t hassle your good users

Bring Communication In House

• Internal user message / dialog systems
• Track targets and actions of flagged accounts
• Identify patterns of bad behavior
• Automate flagging based on those patterns

Use CAPTCHA

• When users try to send a lot of messages
– Define “a lot” by trust scores
• Look for near identical messages
– Levenshtein Distance Algorithm
• Excellent for calculating string similarity
• Adjust similarity thresholds by trust scores
– Review stopped messages automatically
• Typically spammers keep sending
• The ones that didn’t are probably fine to deliver, so a catch and release policy for “probably not spam” is a good idea
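The near-duplicate check and the catch-and-release rule above, as an added example (not the marketplace's code). Levenshtein distance is the algorithm the slide names; the similarity normalization, the trust-scaled thresholds and rate limits, the one-hour quiet window and the sample messages are all constructed assumptions for the example.

```python
def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, 0.0 for completely different ones."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def hold_threshold(trust):
    # Assumption: trust in [0, 1].  A brand-new account gets held at 80%
    # similarity; a fully trusted account only at 97% (near-verbatim repeats).
    trust = min(max(trust, 0.0), 1.0)
    return 0.80 + 0.17 * trust


def rate_limit(trust):
    # Assumption: "a lot" is 5 messages/hour for a new account, 50 for a trusted one.
    return 5 + int(45 * min(max(trust, 0.0), 1.0))


def should_hold(trust, recent_messages, new_message):
    """Decide whether to stop a message for CAPTCHA/review.
    recent_messages: what this sender sent in the last hour."""
    if len(recent_messages) >= rate_limit(trust):
        return True, "rate limit"
    threshold = hold_threshold(trust)
    for old in recent_messages:
        if similarity(old.lower(), new_message.lower()) >= threshold:
            return True, "near-duplicate"
    return False, ""


def release_candidates(held, last_send, now, quiet_seconds=3600):
    """Catch and release.  held: list of (sender, message, held_at).
    last_send: {sender: timestamp of their most recent send attempt}.
    Spammers keep sending after being stopped; a sender who went quiet for
    the whole window probably wasn't one, so their held message is released."""
    released = []
    for sender, message, held_at in held:
        went_quiet = last_send.get(sender, held_at) <= held_at
        if went_quiet and now - held_at >= quiet_seconds:
            released.append((sender, message, held_at))
    return released


# Constructed sample: a spammer's template with only the item name swapped.
SPAM_1 = "Hello, is the Marantz 2270 still available? Email me at buyer@mail.example"
SPAM_2 = "Hello, is the Sansui 9090 still available? Email me at buyer@mail.example"

if __name__ == "__main__":
    print(should_hold(0.0, [SPAM_1], SPAM_2))   # new account: held as near-duplicate
    print(should_hold(1.0, [SPAM_1], SPAM_2))   # trusted account: allowed
    held = [("spammer", SPAM_2, 1000), ("newbie", "Is this still for sale?", 1000)]
    print(release_candidates(held, {"spammer": 3000, "newbie": 900}, now=5000))
```

Lower-casing before comparison is deliberate: spammers vary capitalization and punctuation to dodge exact-match filters, and Levenshtein absorbs the rest. For very long messages the O(len(a)·len(b)) cost adds up, so compare against the last few messages from the same sender rather than the whole inbox.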

Fark that guy

This is important

Fark’s Banning System

• You’re banned…
– But you don’t KNOW you’re banned
– So you keep posting like an idiot
• And nobody else can see it…

This is important and works

• When you catch a spamming account
• Banning it will just result in a NEW account
– So don’t let them know
– Let them keep manually filling out CAPTCHA
• For hours…
– And hours and hours and hours
– Daily
– Keep a dashboard of time wasted for your own amusement
• Then every couple of weeks, ban them so they think you “caught” them

Educate your users

Establish clear, simple guidelines of things you won’t ask for

Send emails with hashed links

• Emails with a signed, single-use, short-lived link that bypasses login
• Gets users used to NOT entering their login
– If clicking emails from your site never results in seeing a login screen, getting a login screen will seem strange
• Phishing sites can’t fake an automated login
– Treat the link as a credential: expire it quickly, accept it once, and don’t let it grant anything more than a normal session would
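The "hashed link" above, as an added example (not the marketplace's code). The slide says hashed; this example uses an HMAC-SHA256 signature over a small payload carrying the user id, an expiry and a random nonce, which is what makes the link unforgeable, short-lived and single-use. The secret, the BASE_URL, the 15-minute default lifetime and the in-memory nonce store are constructed assumptions; in production the secret comes from configuration or a KMS and used nonces are persisted.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

SECRET = os.urandom(32)                        # assumption: server-side secret
BASE_URL = "https://www.example.com/login/"    # assumption: where the link lands
_USED_NONCES = set()                           # assumption: a DB/Redis set in production


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_link(user_id, ttl_seconds=900, now=None):
    """Build a link that logs user_id in once, within ttl_seconds."""
    now = int(time.time() if now is None else now)
    payload = json.dumps(
        {"uid": user_id, "exp": now + ttl_seconds, "nonce": _b64(os.urandom(16))},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return BASE_URL + _b64(payload) + "." + _b64(sig)


def redeem_login_link(url, now=None):
    """Return the user id to log in, or None if the link is invalid, expired,
    already used, tampered with, or points at some other host."""
    now = time.time() if now is None else now
    if not url.startswith(BASE_URL):
        return None
    try:
        p64, s64 = url[len(BASE_URL):].split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):      # constant-time compare
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if data.get("exp", 0) < now:
        return None
    nonce = data.get("nonce")
    if nonce is None or nonce in _USED_NONCES:      # single use
        return None
    _USED_NONCES.add(nonce)
    return data.get("uid")


if __name__ == "__main__":
    link = make_login_link("u123")
    print(link)
    print(redeem_login_link(link))   # u123
    print(redeem_login_link(link))   # None: already used
```

Because the link is a credential, the mail that carries it should itself be DMARC-authenticated (the first half of this talk), and the landing page should never show a login form: if it does, the user has been sent somewhere else.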

Evercookie

• A virtually undeletable cookie
– Track it with logins so you can trace multiple accounts and IPs back to a single computer
– https://github.com/samyk/evercookie
– http://samy.pl/evercookie/
– Several of its storage vectors (Flash, Silverlight) no longer exist in current browsers, so treat it as one signal rather than proof
• MaxMind’s IP Service will identify Tor/Proxies with great success
– Don’t let people do important things from an anonymous connection
– https://www.maxmind.com/en/geoip2-services-and-databases
• Also track with etag/if-none-match headers
– Every ad system trick out there works for tracking fraud
– http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags

And of course…2 Factor Authentication

Thanks!