Page 14 - Cyber Warnings
Why MX Records Matter in the Fight Against BEC and Spear Phishing

By Dylan Sachs, BrandProtect


In March 2016, the HR department of a regional financial institution received emails from their
CEO requesting copies of sensitive employment files, including employee personal information
such as full names, mailing addresses, phone numbers, SSNs, and other highly sensitive PII.
Because of the sensitive nature of the information in the files, the alert HR team double-checked
with their CEO before they complied with the request.

It was a good thing they did. The email was not from their CEO.


It was a socially engineered spear phishing or BEC attack, originating from a domain that was
similar enough to the institution’s regular domain that it could have easily been mistaken for a
legitimate email.


Having dodged a bullet, the institution sought expert help to better understand what had
happened. They turned to BrandProtect, whose Incident Response team quickly determined
that the rogue domain used to send and receive the attacking emails had been registered
only the day before the attack. A quick MX check of the newly registered domain confirmed
that the mail server listed in the MX record of the domain matched the one found in the header
details of the suspicious email.
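The check described above, tying the sender domain's MX record to the host that actually delivered the message and flagging the domain as a near-miss of the protected one, as an added example that is not BrandProtect's code or part of the original article. The email, the domains and the MX answers are constructed stand-ins; a real deployment would replace FAKE_MX with a live DNS lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample message modelled on the HR case in the article (not a real capture).
# The host named in the Received line is what a header review surfaces as the true sender.
SUSPICIOUS_EMAIL = """\
Received: from mail.examp1e-bank.test (mail.examp1e-bank.test [192.0.2.10])
        by mx.example-bank.test with ESMTP id abc123
        for <hr@example-bank.test>; Tue, 15 Mar 2016 09:12:01 -0400
From: "The CEO" <ceo@examp1e-bank.test>
To: hr@example-bank.test
Subject: Employee files needed today

Please send me the full employment files for all staff.
"""
# Constructed stand-in for a live MX lookup (assumption: a DNS query, e.g. with dnspython,
# would fill this in for the monitored domains in practice).
FAKE_MX = {
    "examp1e-bank.test": ["mail.examp1e-bank.test."],
    "example-bank.test": ["mx.example-bank.test."],
}
def lookup_mx(domain, resolver=FAKE_MX):
    """Return MX hostnames for a domain, normalised (no trailing dot, lower case)."""
    return [h.rstrip(".").lower() for h in resolver.get(domain.lower(), [])]
def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalikes of the protected domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def analyse(raw_email, protected_domain, resolver=FAKE_MX):
    """Link the sender domain's MX record to the host that actually delivered the mail."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    # First "from <host>" token of each Received header: the hop that handed the mail over.
    hops = [m.group(1).lower() for m in
            (re.match(r"\s*from\s+([A-Za-z0-9.-]+)", h) for h in msg.get_all("Received", []))
            if m]
    mx = set(lookup_mx(domain, resolver))
    return {
        "sender_domain": domain,
        "lookalike": domain != protected_domain and edit_distance(domain, protected_domain) <= 2,
        "mx_hosts": sorted(mx),
        "received_from": hops,
        "mx_matches_received": [h for h in hops if h in mx],
    }
```

When `mx_matches_received` is non-empty and `lookalike` is true, the sending infrastructure and the registered lookalike domain are the same thing, which is the evidence the takedown request in the article rested on.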


Within one hour, the BrandProtect team, working with the appropriate registrar and server host,
had the rogue domain taken down. With the domain suspended and the server taken down, the
perpetrators were no longer able to use this infrastructure to target the company's employees.

This BEC attack sought sensitive information, but other BEC attacks like this one carry
devastating malware, ransomware, or both. Luckily, this attack was mitigated.


Following the nearly-successful attack described above, the CISO at the financial institution
implemented proactive domain monitoring – including MX-record monitoring.

What could have been different? Lots of things.


The institution had been looking for similar domains previously, but it was a marketing- and
legal-driven initiative, more focused on trademark integrity than on imminent threat detection
and mitigation.

But if they had already implemented security-centric domain and MX record monitoring, the
BEC attack emails might never have reached the members of the HR department.


14 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide