Phishing protection

On the back of Tom B’s unfortunate situation I have some queries on Phishing that some of the IT security peeps in here might be able to help with.

Over the last few months, on a few occasions I have received an email “from” my colleague, usually something simple like “are you at your desk” etc.

If I read the email through the gmail webpage via Chrome, a brief float over the Display Name (which is correct) shows that the address is wrong and it’s “spear-phishing” attempt.

However, if I read the email on the Android phone using the Gmail android app, only the display name is visible and not the From address. I keep an eye out for such emails, but I’ve missed it once and did respond (with a simple “yes, will be at my desk in 15mins” kind of reply), then I saw what I had done and blocked the address (they usually then follow up with asking me to make a transfer via western union or some such twaddle that my colleague would never ask anyway)

Does anyone know of a way of making a “whitelist” of addresses for a given display name to filter out those that arent pre-approved for certain display names? Can I modify Android Gmail to do it?

Edit: sorry misread the title

Not really an IT security thing – just poor design from a security perspective but there appear to be lots of ‘Oi Google’ posts asking to show more than just display names for reasons other than security.

Good to see awareness around looking beyond the display name though. First/easiest question to ask – ‘is this really from <whomever>’ based on sender email address initially and then of course the message content/context. Of course sender email addresses can also be faked and the mechanisms to address that are beyond your control (unless you run da email in which case its SPF, DKIM and DMARC).

cheers scuttler. Indeed I think it is a weak app design rather than anything more malevolent.

Im going to see if I can do something in my contacts against my colleague’s name and see if it shows up (say make his name: “?John Smith” to show its authentic for the email from address.

Just to avoid any false sense of security you may be heading towards,

Assuming you can block them based on email address, spoofing email addresses is laughably easy. Anyone knowing your contact’s address (by fair means, foul, or plain guessing) could say it’s from them. Blocking if it’s wrong is all well and good, but don’t infer that just because it’s not been blocked it’s safe. That sort of thinking leads to you finding out how good your backups are.

For Android, try K9 Mail. It can show you the complete headers for the message, so you can check if it looks suspicious.

That sort of thinking leads to you finding out how good your backups are.

That’s OK we dont have any.

cheers craig, will investigate

In any case, often they can get into someone else’s email account via phishing so the email might genuinely be from that account but not them. The ONLY way now is to never do large transfers without checking by a second method e.g. Phone. This stuff is getting horrible.

what about a gmail addon that fixes a onetime code to your signature that authenticates the message? Obviously you’d need both sender and receiver to use the system….

It’s far from the only way. PGP, for instance. I use a thing called Egress Switch with some of our customers, it’s a similar idea to PGP only you can get it working in under a year.

The downside to any of this of course is you need the other end to use it also.

Its only my colleagues on our domain that are being used for this kind of spear-phishing, so implementing it for all of us would be straightforward, especially if it was something that could be deployed through Google Apps for business admin console.

Looks like a job for spf, DKIM and DMARC email headers. The latter is a right pain as you need to train it and then over time set the header to reject. (It specifies which machines are authorised to send from that domain address). Such fun….

spf is easily set up, DKIM needs some trickery to get a certificate into the header, all require access to your DNS provider control panel.

spf is easily set up, DKIM needs some trickery to get a certificate into the header, all require access to your DNS provider control panel.

all sounds v painfull