Last week proved to be a rather interesting technical challenge for Click Travel. For the first time ever we were the subject of a large-scale email spoof, powered by a computer virus called Dridex.
Dridex has been around for some time, doing the rounds of infected computers all over the world – in fact, the administrators of the virus are already in the clink!
It’s critical to understand that Click wasn’t subject to any kind of hack. Nothing was compromised, nobody stole email addresses or data of any kind, and the emails weren’t coming from us – they were being sent by someone else pretending to be us.
What Dridex does is take an email received by an infected computer and replay it to millions of email addresses that have been harvested over several years. In fact, because we put a unique ID into the metadata of every email we send, we were able to trace the spoof email back to patient zero – i.e. the original infected computer that started the storm of spoof Click emails. It happened to be a hotel reception desk in London that had received a confirmation email from us for “Itinerary #C003NS39”.
Spoofing an email isn’t exactly difficult. In fact, I could send your boss an email right now, from you, telling them that you think they are a useless waste of space (I won’t, promise). The difficulty is that the people who originally invented email just didn’t foresee it being abused to the extent that it is today.
But the world of email has moved on and there are now checks that an email server can perform to authenticate that a received email has in fact been sent by the person that the email claims to be from. The two key checks are called the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF enables the sender to publicise the identity of servers from which it sends email so that recipients can check that email they receive originated from one of the servers identified as legitimate by the sender.
DKIM goes a step further – it attaches an identifier to each email message and uses cryptographic techniques to enable the recipient to validate that the sender put it there.
Quite simply, by ensuring that the SPF and DKIM checks pass for each mail received, an email service can identify and reject spoofed emails with ease.
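To make the SPF half of that check concrete, here is an added example of the decision a receiving server makes; it is not Click Travel's code and not a real SPF record. The `FAKE_DNS_TXT` table stands in for DNS so it runs offline, and every domain and IP address in it is constructed. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show why a record ending in `-all` protects a domain better than one ending in `~all`.

```python
"""Receiver-side SPF evaluation, in the spirit of RFC 7208.

Added illustration, not Click Travel's code. DNS is replaced by an in-memory
table so it runs offline; the domains, records and IP addresses are constructed.
Only the ip4, ip6, include and all mechanisms are implemented.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> published SPF record).
FAKE_DNS_TXT = {
    # The sender's own servers plus a bulk-mail provider, ending in a hard fail.
    "example-travel.test": (
        "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.test -all"
    ),
    "_spf.mailprovider.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    # A weaker record: unknown sources only softfail, so many receivers deliver.
    "softfail-only.test": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def lookup_spf(domain, dns):
    """Return the SPF TXT record for domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Decide whether client_ip may send mail claiming to come from domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the referenced record yields "pass".
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            continue  # a, mx, exists and modifiers such as redirect= not handled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def should_reject(result):
    """The policy the post argues for: a hard SPF fail is rejected outright.

    Softfail and neutral are left to the receiver's spam filtering, which is
    why a "~all" record gives less protection than "-all".
    """
    return result == "fail"


if __name__ == "__main__":
    # A legitimate message from the sender's own server...
    print(check_spf("198.51.100.7", "example-travel.test"))  # pass
    # ...one relayed through the bulk provider's IPv6 range...
    print(check_spf("2001:db8::1", "example-travel.test"))  # pass
    # ...and a spoof sent by an infected machine somewhere else.
    print(check_spf("192.0.2.55", "example-travel.test"))  # fail
    print(check_spf("192.0.2.55", "softfail-only.test"))  # softfail
```

The last two calls are the point: the same spoofed message is a hard `fail` against the `-all` record but only a `softfail` against the `~all` one, and a receiver that delivers softfails is exactly the kind of server that let the Dridex replay through.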
Somewhat ironically, Click has published SPF details and DKIM-signed the email we send for years. So what went wrong? Why did so many members of the public (some of whom just so happened to also be our customers) still receive the spoofed email?
The answer is that their organisation’s mail servers are failing to properly authenticate received email using SPF and DKIM checks.
Quite simply, if every mail server in the world rejected email that failed SPF and/or DKIM checks, spoof emails wouldn’t be able to make their way around the world and the spread of computer viruses would be a lot harder. But that’s clearly not the position for a large number of mail servers out there.
The statistics on the spread of Dridex (the chart originally shown here) make for interesting reading:
Note the prevalence of the virus in the UK – an indicator that we Brits are pretty terrible at preventing the spread of such viruses, which is likely to be a result of weak email security. That is an interesting thought given Islamic State’s recent announcement that it intends to take its fight into the cyber world.
We’ve taken a number of actions as a result of this incident. We’re working with our customers to educate them about the importance of performing SPF and DKIM checks so that they can better protect themselves against spoofs in the future, and we’ve now published a DMARC record, which tells the mail servers that receive mail failing either the SPF or DKIM check to send us a report of that email, so that we become aware of spoofs more quickly.
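The following is an added example of what a receiving server does with a DMARC record, written to show the two stages a publishing domain usually goes through: a `p=none` record that only asks for reports, and a `p=reject` record that also tells receivers to drop failing mail. It is not Click Travel's code and neither record is their real one; the domains, addresses and SPF/DKIM outcomes are constructed, and the organizational-domain step is a "last two labels" simplification of what real receivers do with the Public Suffix List.

```python
"""Receiver-side DMARC evaluation, in the spirit of RFC 7489.

Added illustration, not Click Travel's code and not their real DMARC record.
Domains, addresses and authentication results are constructed; org_domain()
is a simplification in place of the Public Suffix List.
"""


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of tag values."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the RFC5322.From domain?"""
    if auth_domain is None:
        return False
    if mode == "s":  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF and DKIM outcomes with the sender's published policy.

    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against;
    dkim_domain is the d= tag of a verified signature, or None if there was none.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    disposition = "pass" if (spf_ok or dkim_ok) else tags["p"]
    # rua= lists where aggregate reports go. With p=none, a report is all a
    # failing message triggers: the "tell us about spoofs" stage.
    report_to = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {
        "disposition": disposition,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "report_to": report_to,
    }


# Constructed records for the two stages a sender typically goes through.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-travel.test"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-travel.test; adkim=s"


def legitimate_booking(record=ENFORCING):
    """Genuine mail: sent via a bulk provider (SPF domain not aligned) but
    DKIM-signed with the sender's own domain, so DMARC passes on DKIM."""
    return evaluate_dmarc("example-travel.test", record,
                          "pass", "bounces.mailprovider.test",
                          "pass", "example-travel.test")


def replayed_spoof(record=ENFORCING):
    """The Dridex case: From: claims the sender's domain, SPF fails for the
    infected machine's IP and there is no DKIM signature at all."""
    return evaluate_dmarc("example-travel.test", record,
                          "fail", "example-travel.test",
                          "none", None)


if __name__ == "__main__":
    print(legitimate_booking()["disposition"])           # pass
    print(replayed_spoof()["disposition"])               # reject
    print(replayed_spoof(MONITOR_ONLY)["disposition"])   # none
```

Note that the spoof gets the same `report_to` list under both records; the difference is only whether the receiver is also told to refuse it. That is why a `p=none` record is a first step for learning who is abusing a domain, and moving to `quarantine` or `reject` is what finally stops the mail reaching inboxes.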
Hopefully, together, we and our customers can help improve the security of email and reduce the spread of computer viruses across the UK and the rest of the world.