About those Phishers...

By Chad Conrow posted 06-12-2014 23:26


Darn those Phishers…

In early January, our firm was the victim of a phishing attack, but not quite in the way you might be thinking.  We were impersonated in an attempt to add credibility to the phisher’s scheme.  Using the addresses of several legitimate law firms as the sending address, these attackers sent messages to a seemingly random list of recipients: clients, adverse parties, grandparents, students, you name it.  The messages were catchy and followed a legal theme: “Judicial Summons No7889”, “Notice to appear in court NR#9530”, “Forclosure Notice”, etc.

These messages were obviously not from Perkins Coie, but rather from phishers: scammers who use email as a vector to trick people into installing malware on their computers or into wiring them money.  Phishing schemes have been around for a long time, often appearing to come from banks or other financial institutions, the IRS, or other agencies.  The objective was to trick people, using their pocketbooks as the motivation to follow through, into either visiting a malicious web site to enter “validation” information that would give the hackers access to your legitimate accounts, or opening attachments that infect your PC so that they could snoop your computer for information that helps them towards the same end: making money off of your personal information.  What was new was the legal angle being used.

There’s nothing we can do…

While we were not the recipients of the email messages or the malware, the impact of this attack caused quite a lot of havoc within our firm.  Secretaries got angry phone calls from grandmothers stating that we had no right to send this sort of notice.  Attorneys received phone calls, as did our main switch lines in several offices, as a result of this phishing attack.  We even posted a note on our public web site about the scheme and referred people to sites that had classified these notes as fraudulent.

Given that the messages were sent by a third party directly to the recipients’ ISPs, there was nothing we could do to head off this attack, right?  Well, not so fast…  There is, in fact, a way to mitigate this type of attack from using email addresses from your firm.  The concept is called “email authentication”, whereby you publish to the world information about who is allowed to send email on your behalf.  There are currently three primary standards that cover the world of email authentication: SPF, DomainKeys (DKIM), and DMARC, the newest standard to address this issue.  Note that when these systems were launched (as SPF, SenderID, and DomainKeys), they were lauded as “the end of SPAM” by many, including Bill Gates himself.  While we all see this has not really come to pass, what has happened is that email authentication, and SPF specifically, has become a tool in the shed for combating the type of abuse that the phishers exploited in this incident.

In response to this spate of attacks, I began to do some research about what other law firms are doing in the email authentication realm.  Since email authentication records are records that you must make publicly available for the system to work, I was able to compile a list of the world’s 100 largest law firms (or an approximation thereof, thank you, Wikipedia) for which I could query the existing SPF and DKIM records.  A great tool for this is available at the Online Trust Alliance web site, an organization that is working towards increasing adoption of DMARC: https://otalliance.org/resources/authentication/spflookup.html.  Using this tool, I was able to plug in the email domains for the 100 top law firms and quickly determine that 51% of the top 100 in fact had SPF records on file, with only 1 firm having implemented DMARC.  As both DMARC and DKIM layer upon SPF and we’re now on the trailing end of the adoption curve for SPF, I was convinced that SPF was the proper route for Perkins Coie to take.

I also queried a few law firms that had implemented SPF records to ask how their transitions went and whether they had been impacted by the email spoofing campaign.  While some had a rocky start, all were happy with their records as they sat and none of the polled firms were impacted by the spoofing campaign.  One told me that they were the recipient of several of these messages, however, and gladly forwarded me one example – and it originated from perkinscoie.com!

After presenting my findings to the rest of the Technology Management team, we were in agreement that SPF records should be implemented.

So now we were convinced that SPF records are the technique we’d like to implement, so what’s next?

One of the most important aspects of email authentication is understanding who is legitimately sending email on your behalf.  When I asked “what services do we use?”, the response was a pretty resounding “I know what I use, but I can’t speak for the rest of the firm”.  There is no one place to gather this information.  An external services catalog would need to be developed in order to understand what services the firm uses and why it is used in order to get a handle on what an SPF record should look like.  This relatively simple issuance of a DNS record now looks like a much more daunting task.
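To make concrete what an SPF record does once the services catalog is in hand, here is a small, added example (not code from the original post or from Perkins Coie) of how a receiving mail server evaluates a record against the IP that actually delivered the message. The domains and the DNS TXT table are constructed placeholders, and the evaluator only handles the ip4, ip6, include and all mechanisms (no a, mx, exists or macros), which is enough to show how the published list of authorized senders turns a spoofed message into a fail.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (placeholder domains, not real ones):
# each entry is the SPF record a receiving server would fetch for that domain.
# The firm's record authorizes its own mail gateway range plus one bulk-mail vendor,
# exactly the kind of list the services catalog is meant to produce.
FAKE_DNS = {
    "lawfirm.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms such as include
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, lookups=None):
    """Return the SPF result for a message claiming `domain` delivered from `sender_ip`."""
    lookups = [0] if lookups is None else lookups  # shared counter across includes
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: the receiver cannot tell spoof from real
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides everything not matched above
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa, so mixed terms are safe.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # runaway or looping record is treated as broken
            result = check_spf(value, sender_ip, dns, lookups)
            if result == "permerror":
                return result
            if result == "pass":  # only a pass from the included record matches
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this example does not implement
    return "neutral"  # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.10", "2001:db8:1::7", "203.0.113.9"):
        print(ip, "->", check_spf("lawfirm.example", ip))
```

The last address stands in for a phisher's server: with `-all` published, a receiver that checks SPF gets a hard fail for it, which is the outcome the firm wants for the spoofed summons notices.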

Enter Heartbleed

While we were scrambling to understand the firm’s exposure to the Heartbleed bug last week, the initial focus was on our internal systems and whether they were secure, but the momentum quickly turned to the notion of what external services the firm was using and finding out each vendor’s response to the Heartbleed situation.  The ILTA boards have been lit up with various responses to Heartbleed from various vendors, but one thing Heartbleed gave us was a good inflection point to engage the attorneys and various support organizations with answering the question “what services do we use on the Internet?”  After asking just a few groups, we quickly set up a shared spreadsheet on SharePoint to list and classify each product we utilize.  This list of sites and vendors has grown to well over 500 entries and was built quite quickly as the various groups sent us lists of the sites they use.

As this was building up, I realized this was the start of the services catalog that we had been attempting to build for designing our SPF records… 

We will be using all of the data we’re collecting as the basis for an ongoing list of the services that the firm uses.  The ability to leverage the data we’ve collected for Heartbleed will surely lead to an ongoing conversation about the services that we use and how we use them as a firm.  The upcoming SPF implementation will likely be but the “first step” in understanding and leveraging the value of the services catalog that we developed in response to Heartbleed.

Next Steps
Now that we've done this research, we are finally ready to move forward.  Next week, Perkins Coie will be publishing our SPF records to the world...  I'll let you know how the cutover goes in a future blog post.

Comments

07-16-2014 19:30

Before you implement this on your own, be sure to read my follow-on article, detailing our lessons learned on this change: http://connect.iltanet.org/blogs/chad-conrow/2014/07/16/notes-from-the-field-on-deploying-spf