BLOG
Authentication is about Identity, not Virtue
I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”.
It passes SPF:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com;
It passes DKIM:
Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com
The visible RFC 822 From address is strictly aligned with both the SPF domain and the DKIM domain. So if they’d published a DMARC record it would have passed DMARC.
The message branding is good, and looks like Bank of America (unsurprisingly, as it’s loading assets from bac-assets.com, which is Bank of America). The only visible giveaway is that it includes an attached Word file, one which will presumably try and install malware on my machine if I load it with Word.
The perfectly passing authentication tells me it’s from bofasecure.com. There’s nothing that tells me that bofasecure.com isn’t Bank of America, and isn’t someone I should trust.
Ingenious.
As i often say, if these guys would apply themselves to good rather than evil, they could accomplish *anything.*
Yeah it’s a mess. Until there’s some effective international law enforcement the Internet is going to be one scary place to do business.
Also, the fact that it’s 2017 and just opening a Word document can take over your computer is just sad. GJ Microsoft.
Can you forward this email as an attachment to abuse@bankofamerica.com?