
Authentication is about Identity, not Virtue

I just got some mail claiming to be from “Bank of America <secure@bofasecure.com>”.
It passes SPF:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=185.235.176.160; helo=bofasecure.com;

It passes DKIM:

Authentication-Results: mx.wordtothewise.com (amavisd-new); dkim=pass (1024-bit key) header.d=bofasecure.com

The visible RFC 822 From address is strictly aligned with both the SPF domain and the DKIM domain, so if they’d published a DMARC record the message would have passed DMARC too.
The message branding is good, and looks like Bank of America (unsurprisingly, as it’s loading assets from bac-assets.com, which is Bank of America). The only visible giveaway is that it includes an attached Word file, which will presumably try to install malware on my machine if I open it with Word.
The perfectly passing authentication tells me it’s from bofasecure.com. There’s nothing in it that tells me bofasecure.com isn’t Bank of America, or that it isn’t someone I should trust.
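An added example (not code from the post) that walks through the DMARC evaluation the post describes: it parses headers like the ones quoted above, checks strict and relaxed identifier alignment, and then applies the check DMARC never makes, whether the authenticated domain is one you actually trust. The header values, the envelope-from address and the trusted-domain allowlist are constructed assumptions.

```python
import re
# Constructed sample headers modelled on the ones quoted in the post; the
# envelope-from value is an assumption the post itself does not show.
HEADERS = {
    "From": "Bank of America <secure@bofasecure.com>",
    "Received-SPF": ("Pass (sender SPF authorized) identity=mailfrom; "
                     "client-ip=185.235.176.160; helo=bofasecure.com; "
                     "envelope-from=secure@bofasecure.com;"),
    "Authentication-Results": ("mx.wordtothewise.com (amavisd-new); "
                               "dkim=pass (1024-bit key) header.d=bofasecure.com"),
}
# Assumed allowlist of domains the reader actually trusts for this brand.
TRUSTED_BRAND_DOMAINS = {"bankofamerica.com"}

def domain_of(addr):
    # Lowercase domain part of 'Name <user@dom>' or 'user@dom'.
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""

def org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC uses the PSL.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    # DMARC identifier alignment: "s" = strict (exact), "r" = relaxed (same org).
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(headers, mode="s"):
    # DMARC passes if SPF or DKIM passed AND its domain aligns with the From domain.
    from_domain = domain_of(headers.get("From", ""))
    spf = headers.get("Received-SPF", "")
    m = re.search(r"envelope-from=([^;\s]+)", spf)
    spf_domain = domain_of(m.group(1)) if m else ""
    spf_ok = spf.lower().startswith("pass") and aligned(from_domain, spf_domain, mode)
    m = re.search(r"dkim=(\w+).*?header\.d=([A-Za-z0-9.-]+)",
                  headers.get("Authentication-Results", ""))
    dkim_domain = m.group(2).lower() if m else ""
    dkim_pass = bool(m) and m.group(1).lower() == "pass"
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, mode)
    return {"from_domain": from_domain, "spf_domain": spf_domain,
            "dkim_domain": dkim_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

def is_trusted_sender(from_domain, trusted):
    # The check DMARC never makes: is the authenticated domain one we trust?
    return from_domain in trusted or org_domain(from_domain) in trusted
```

Running `dmarc_evaluate(HEADERS)` on the sample reports a clean DMARC pass for bofasecure.com, while `is_trusted_sender` on the same domain returns False; authentication and trust are separate questions.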

3 comments

  1. Steevo says

    Ingenious.
    As I often say, if these guys would apply themselves to good rather than evil, they could accomplish *anything.*

  2. Alan Hodgson says

    Yeah it’s a mess. Until there’s some effective international law enforcement the Internet is going to be one scary place to do business.
    Also, the fact that it’s 2017 and just opening a Word document can take over your computer is just sad. GJ Microsoft.

  3. Don says

    Can you forward this email as an attachment to abuse@bankofamerica.com?
