How to protect your project against phishing – sysadmin tips
Today I am going to list and briefly explain how you can protect your project against phishing. This article is intended for project managers, system administrators and those who make security-related decisions. No matter how big your project is – at some point you have to think about end-user protection and about domain and email reputation, which basically leads to higher trust from the client side. Well, enough talking – most of you probably know why you need it. 🙂
Here is a list of things that can protect you against phishing attempts. Most projects may suffer from two types of phishing: website phishing, where bad guys try to imitate your domain and/or redirect customers to their own sites, and spam emails that try to imitate your emails (e.g. the sender of the email is set to your name). Each of the methods described below targets one of these types. All together they provide higher trust in your legitimate emails and in the project in general.
- SPF – sender policy framework – a small DNS record that indicates who (server, IP, network range) is allowed to be the source of emails for a domain. Target: email. Must have.
- DKIM – DomainKeys Identified Mail – a more involved way of signing emails just before they leave the mail server and verifying them using a public key stored in DNS. This is a very good technology that is used to sign and verify email content and ensure that it has been delivered without modification. Emails which pass DKIM validation are also generally more trusted by spam filters. The technology consists of a private key on the mail server and a public verification key in DNS. Target: email. Recommended.
- DMARC – domain-based message authentication, reporting & conformance – a quite simple way to let other mail servers know whether they should enforce SPF and DKIM for your domain and whether they should report failures. Getting automated daily reports may help you monitor whether anyone is trying to send fake emails and whether your SPF and DKIM policies work or have failures. Target: email. Recommended.
- SSL – secure socket layer – technology that encrypts traffic between the visitor’s browser and the webserver. Even though it is not directly an anti-phishing method, the combination with the other methods creates very strong protection. Use of SSL encryption became a standard for any decent website and project a long time ago, as it plays an important role in fighting traffic sniffers (those who try to steal sensitive data, especially on public networks) and in providing better trust. Must have.
- CAA – certificate authority authorization – a small record in DNS that tells everyone which certificate authority is allowed to issue certificates for your domain. Helps fight SSL certificate phishing; several registrars require an existing CAA record. Must have.
- HSTS – HTTP strict transport security – a very interesting technology which silently (using HTTP headers) tells the browser that SSL is required to access your website. Additionally it can indicate whether SSL must be used on subdomains, how long the information must be kept in cache (up to 2 years) and whether this information should be preloaded into the browser. If set, the browser will automatically access your project using SSL only. That means the remote host must have a valid SSL certificate, which makes phishers’ lives more complicated, especially in combination with CAA and DNSSEC. In most cases it requires special configuration on the webserver level, but I have also seen plugins for WordPress. Very highly recommended!
- DNSSEC – domain name system security extensions – a complex technology which combines DNS zone digital signing on the DNS and registry level. If enabled, your domain will only be resolved if the DNS zone passes signature validation. DNSSEC information is modified and updated on every DNS change. Part of the signing information is served from the domain registry – this makes DNS record phishing impossible: phishers are not able to somehow inject their IP into resolving nameservers and silently point your domain to another host. Yes, it sounds complex, but it is real hardcore protection, believe me! Not all registrars and not all DNS servers support it, but if you care – you should find one who does! Protected DNS also applies to the CAA, SPF and DKIM methods described earlier, as they all use DNS. Very highly recommended.
- Similar domain names – I would call it a third-party method. 🙂 Technically you can write almost any domain name in slightly different ways. For example GOOGLE.COM and G00GLE.COM – have you spotted the two zeros in the second URL? Or myworld.com and rnyworld.com – the letter “m” in the second example is written as “r” and “n”. Hyphens, numbers, letter and digit similarity and their combinations can create a wide variety of variations of your domain. You should look for and try to buy those which look close to your name and just have them redirect to the main website. Recommended.
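To make the SPF, DMARC and HSTS items above concrete, here is an added example (not from the original post) that evaluates a constructed SPF record for a sender IP, extracts the DMARC policy and checks whether an HSTS header meets the preload requirements; the record values, the domain and the one-year preload threshold are assumptions for the example.

```python
import ipaddress

# Constructed sample records for a hypothetical domain; in practice these come
# from TXT lookups (SPF/DMARC) and the web server's response headers (HSTS).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
HSTS_HEADER = "max-age=63072000; includeSubDomains; preload"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one sender IP.
    Mechanisms that need further DNS lookups (include, a, mx) are skipped here."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy published
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":  # catch-all: decides every non-matching sender
            return QUALIFIERS[qual]
        mech, _, value = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed mechanism; ignore it
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"  # record ended without an "all" term

def dmarc_policy(record):
    """Return the DMARC p= policy (none/quarantine/reject), or None if not DMARC."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def hsts_preload_ready(header):
    """Check an HSTS header against the browser preload list requirements
    (assumed here: max-age of at least one year, includeSubDomains and preload)."""
    parts = [p.strip().lower() for p in header.split(";")]
    max_age = next((int(p[len("max-age="):]) for p in parts if p.startswith("max-age=")), None)
    return (max_age is not None and max_age >= 31536000
            and "includesubdomains" in parts and "preload" in parts)
```

A sender outside the listed ranges hits the `-all` term and fails; with `~all` the same sender would only softfail, which is why the post rates a strict policy plus DMARC reporting as the goal.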
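For the last item, an added example (not from the original post) that enumerates look-alike names of your own domain using the substitutions the post mentions (o/0, m/rn) and a few other common confusables, so you can decide which ones to register or watch; the confusable table and the sample domains are constructed for the example.

```python
import itertools

# Visually confusable substitutions, starting from the article's own examples
# (o -> 0, m -> rn) plus a few other common ones; the table is a constructed sample.
CONFUSABLES = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "m": ["rn"],
    "w": ["vv"], "e": ["3"], "a": ["4"], "s": ["5"],
}

def lookalike_domains(domain, max_subs=1):
    """Return sorted candidate look-alike names for `domain`: up to `max_subs`
    confusable-character substitutions, plus single hyphen insertions."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    positions = [i for i, ch in enumerate(name) if ch in CONFUSABLES]
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            for subs in itertools.product(*(CONFUSABLES[name[i]] for i in combo)):
                chars = list(name)
                for i, s in zip(combo, subs):
                    chars[i] = s  # a substitution may be longer than one character (m -> rn)
                variants.add("".join(chars) + "." + tld)
    for i in range(1, len(name)):  # hyphen variants, e.g. my-world.com
        variants.add(name[:i] + "-" + name[i:] + "." + tld)
    variants.discard(domain.lower())
    return sorted(variants)
```

The list grows quickly with `max_subs`, so in practice you register the handful that read most naturally and feed the rest into monitoring of new domain registrations.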
So far, that’s it. If you know other tips and tricks, I would love to hear about them. If you have questions or need help, I am here to help – feel free to contact me!
Let your project grow and be secure!