If anyone should be able to recognise a hoax, it’s the kind of person who corresponds with ISC2, that awkwardly named organisation known for doling out certifications to security professionals. But four months ago, the International Information Systems Security Certification Consortium became the target of an e-mail spoofing campaign — and even a group of so many security brainiacs still hasn’t been able to close the case.
It started last autumn, when the security community got blasted with a “legal notification” allegedly from ISC2. On September 3, I myself got the e-mail, which warned that my name, banking information and Social Security number had been sold for marketing research. Supposedly I could send $US10 to ISC2, which would then “consider” deleting its records about me. Otherwise the organisation would deduct $US50 from my account.
Despite the fact that the e-mail seemed to come from ISC2, listed its real mailing address and was signed with the name of a real staff member, it had hoax written all over it. Its claims were ludicrous, and it gave a vague citation of something called “the privacy act” as its legal rationale.
Later the spoofing campaign turned really nasty, with antisemitic rants and photos, the details of which aren’t worth repeating. This round of e-mails appeared to come from ISC2’s webmaster.
Dorsey Morrow, general counsel for the Framingham, Massachusetts-based organisation, has been on the case ever since, working with law enforcement officials in Massachusetts, Australia and now Israel, to try to track down the suspect. There’s just one problem: Morrow is not sure exactly what crime has been committed. Because the perpetrator wasn’t trying to collect any money himself, the spoofed e-mails don’t count as fraud. The crime seems to have been committed in Australia, where defamation and slander are difficult to prove. And the antisemitic e-mails implied violence but did not explicitly threaten it. “He walks up the line,” Morrow says. “This guy’s more of an annoyance than anything else.”
Morrow’s biggest hope for prosecution comes from an unlikely place: spam legislation that would have allowed ISC2 to bring charges for misrepresenting the origin of an e-mail. This seems a stretch.
The sad truth is, e-mail spoofing — in which a message appears to come from someone that it’s not — has become a way of life. Users have long been told not to trust e-mails from unknown sources. Spammers, and virus writers too, have responded by making it appear as though an e-mail is from a trusted source. (A note for you geeks out there: who’s going to slog through the IP header looking for the real trail? As far as most e-mail users are concerned, all that really matters is the “from” line.)
There are a few things companies can do. First they should make sure their e-mail servers are secured, says Maurene Caplan Grey, a research director for Gartner Research in the US. Some spammers hunt the Internet for organisations whose e-mail relays are open, and then use them to send spam. The e-mails seem to come from the organisation because, technically, they do.
The other, more complicated step companies can take is using smart relays. “We see many organisations using an Exchange server or whatever e-mail product they have in-house,” Grey says. “You can configure an Exchange server to be a relay, but that’s not what it was designed to do. It’s not smart enough to know if it’s being attacked.” Instead, she says, e-mail relays from anti-spam vendors like Sendmail, CipherTrust or Mirapoint can identify when a spammer is attacking a domain by trying random e-mail addresses. The gist of this is that if spammers can’t confirm that an e-mail address is a valid one, they’re less likely to spoof it.
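One way a relay can make the check Grey describes, spotting a sender that is probing a domain with random addresses, as an added example that is not ISC2's code nor any vendor's: it reads relay log lines in a constructed, hypothetical format and flags a client that hits many non-existent mailboxes within a short window while mostly failing, so a legitimate correspondent who mistypes one address is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical relay format, not any product's):
# timestamp, connecting client IP, recipient tried, whether the mailbox exists.
SAMPLE_LOG = """\
2003-01-15T10:02:11 client=203.0.113.7 rcpt=alice@example.org status=ok
2003-01-15T10:02:12 client=203.0.113.7 rcpt=aaron@example.org status=unknown_user
2003-01-15T10:02:12 client=203.0.113.7 rcpt=abby@example.org status=unknown_user
2003-01-15T10:02:13 client=203.0.113.7 rcpt=adam@example.org status=unknown_user
2003-01-15T10:02:13 client=203.0.113.7 rcpt=adrian@example.org status=unknown_user
2003-01-15T10:02:14 client=203.0.113.7 rcpt=agnes@example.org status=unknown_user
2003-01-15T10:05:40 client=198.51.100.20 rcpt=bob@example.org status=ok
2003-01-15T10:06:02 client=198.51.100.20 rcpt=bobb@example.org status=unknown_user
2003-01-15T10:07:15 client=198.51.100.20 rcpt=bob@example.org status=ok
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>\S+) rcpt=(?P<rcpt>\S+) status=(?P<status>\S+)"
)

def parse_log(text):
    """Yield (timestamp, client, recipient, status) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["client"], m["rcpt"], m["status"])

def find_harvesters(text, window=timedelta(minutes=5), min_unknown=5, min_ratio=0.8):
    """Return {client_ip: unknown_count} for clients that, inside any sliding
    window, hit at least `min_unknown` non-existent mailboxes and whose attempts
    in that window were mostly failures (ratio >= min_ratio)."""
    events = defaultdict(list)           # client -> [(timestamp, is_unknown_user)]
    for ts, client, _rcpt, status in parse_log(text):
        events[client].append((ts, status == "unknown_user"))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:   # drop events older than the window
                start += 1
            span = evs[start:end + 1]
            unknown = sum(1 for _, bad in span if bad)
            if unknown >= min_unknown and unknown / len(span) >= min_ratio:
                flagged[client] = max(unknown, flagged.get(client, 0))
    return flagged
```

On the sample above only 203.0.113.7 is flagged (five unknown users out of six attempts in a few seconds); the second client's single typo stays below both thresholds.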
Unfortunately none of this does much good for an organisation that’s being specifically targeted but whose servers aren’t actually involved in sending the e-mail. If I were in a darker mood, I might even predict that this could be 2003’s one-up on the political Web site defacements we’ve seen. It’s the perfect crime, because you don’t even need to break in.
Meanwhile, the folks at ISC2 have installed PGP to authenticate genuine e-mails, and law enforcement seems to have scared the culprit into stopping. Now, the only thing left for them — or any of us — to do is to hope that our friends are smarter than our enemies, and can distinguish e-mail spoofs from the real thing.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.