On October 16, 2017, the Department of Homeland Security issued Binding Operational Directive BOD-18-01 directing federal agencies to adopt new cybersecurity measures. One of these measures, DMARC, is intended to fight phishing.

It is good to see the government addressing spearphishing. However, this measure will quickly prove ineffective against spearphishing attacks. Why? Because, as the DMARC specification itself says:

"…DMARC can only be used to combat specific forms of exact-domain spoofing directly… DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names ("cousin domains") or abuse of the RFC5322.From human-readable <display-name>."

Excerpt from the DMARC standard, Section 2.4.

Over six years ago the Anti-Phishing Working Group found that exact-domain spoofing (the one problem DMARC addresses) was not a favored attack method. Spearphishing attacks generally exploit deceptive cousin domains and/or display-names – the two problems that DMARC expressly does not address. This cyberattack on Israel illustrates both of these abuses:

The display-name is that of Israel's defense chief. The cousin domain is a Gmail account that used the name of the defense chief to trick the recipients. Mail sent from Gmail addresses through Gmail passes DMARC. Gizmodo's recent prank showed the effectiveness of abusing only the display-name: the FBI Director was tricked by Gizmodo.
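As an added example (not part of the original post and not SP Guard's code), the following Python check flags the two From-header abuses the post says DMARC leaves untouched: a protected person's display-name paired with a domain they never send from, and a cousin domain that merely resembles the organisation's own. The protected names and domains are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed data (assumptions, not from the original post): the display-names
# this organisation protects and the only domain each legitimately sends from.
PROTECTED_NAMES = {"jane doe": "example.gov"}
ORG_DOMAINS = {"example.gov"}

def normalize_name(display_name):
    """Lower-case, drop punctuation and collapse whitespace so that
    'Jane  DOE' compares equal to 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", " ", display_name.lower()).split())

def base_label(domain):
    """Registrable label without the TLD: 'mail.example.gov' -> 'example'."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else domain.lower()

def is_cousin_domain(domain):
    """True when the domain is not ours but its base label resembles ours,
    e.g. example-gov.com (embedding) or examp1e.gov (one-character swap)."""
    if domain in ORG_DOMAINS:
        return False
    label = base_label(domain)
    for org in ORG_DOMAINS:
        org_label = base_label(org)
        if org_label in label.replace("-", ""):
            return True
        if SequenceMatcher(None, label, org_label).ratio() >= 0.8:
            return True
    return False

def assess_from_header(header_value):
    """Return the abuses (outside DMARC's scope) that a raw From: value shows.
    A passing DMARC result says nothing about either of these."""
    display_name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    name = normalize_name(display_name)
    if name in PROTECTED_NAMES and domain != PROTECTED_NAMES[name]:
        findings.append("display-name impersonation")
    if domain and is_cousin_domain(domain):
        findings.append("cousin domain")
    return findings
```

A message from a genuine Gmail account passes DMARC, yet the first check still catches it when the display-name belongs to a protected person.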

SP Guard fights the abuse of cousin domains and display-names.