🚀 Tackling Email Spoofing and Phishing

Good morning, everyone, depending on what part of the world you're joining us from. Today we are excited to share our latest feature enhancement for DNS email security with DNS wizard.

Alongside me today is Hannes Gerhart, product manager here at Cloudflare.

Hannes, thank you for joining me. I'd love to spend the next 30 minutes or so discussing cybercrime risks associated with DNS and how to protect and be proactive to take preventative steps against such vulnerabilities.

With that, I have my first question teed up for you.

Are you ready? Yes, I am. OK, great. OK, so first question I have is what is the challenge that organizations or individuals face today with securing emails?

Yes, that makes a lot of sense. And so I think email is today still it's a really, really old communication method.

It's but it's still very, very commonly used.

You know, you receive a lot of newsletters and when you when you create an online account somewhere, typically email is used also for organizations.

I think it's still very, very common to to communicate with customers, with partners.

Everything that's that goes out of your company organization is mostly handled through email.

And there's a lot of focus on, you know, when it comes to protecting emails on, you know, installing, you know, spam filters or any other tools that that parse or scan the content of these emails for malicious attachments or, you know, taking a look at the hyperlinks in those emails.

And when you look at different sources on the Internet, you actually see that email is because of that, you know, very, very because it's so widely spread.

It's often used for social engineering attacks.

So phishing is one of them, for example.

And it's like more than 90 percent of all social engineering attacks are sent by email.

So it's it's really, really, really common attack vector. And really easy to miss.

Right. Just one decimal off or one letter changed. And your your our brains are pre-wired to, you know, fill in the gaps.

And so that really doesn't help us in any any preventative steps to kind of combat that that social engineering, which kind of goes over our heads so many times and why they've been so successful.

So I have a question. And you mentioned phishing being one of the most common spoofing is another that we hear about.

Can you briefly explain to me the difference between spoofing and phishing?

Yes, absolutely. So spoofing, first of all, is the process of the process when somebody impersonates somebody else.

So in general, spoofing is nothing, nothing bad. Right. So one example is domain spoofing, where, as you said, I sign up a domain where one letter is just different.

Right. Where a G is replaced by a Q. And, you know, in the large screens with the high resolution, you really don't spot the difference if it says, for example, web page or web that the G is a Q.

Right. So this this is maybe this is one type of spoofing.

And then there's also email spoofing where somebody sends an email on behalf of another domain.

So you actually see in your inbox, you'll see, you know, example.com as the email domain that this email was coming from.

And you think, OK, I'm trusting this. I know this domain. So I'm clicking on the links in the email.

But again, this is not not necessarily something bad. What is bad is phishing and spoofing is commonly used to, you know, launch these phishing attacks.

And that's when somebody tries to trick a malicious actor, tries to trick the victim into providing sensitive data.

And then that can have lots of different, you know, very, very bad impact.

Right. Negative consequences for sure.

Not just for the user, but the organization as a whole, which you're really teeing me up nice.

I don't know if you're doing this on purpose, but it's really helping me get to the next question, which is what is the risk of either of these attacks?

Say if a user opens the email, how can this impact the organization as a whole?

Right. I mean, you talked about the individual having some consequences if their personal data is is accessible to a hacker to do God knows what with.

But organizationally, there is a larger impact as well. Can you explain that a little bit?

Absolutely. I mean, you definitely know. And most of us do.

You receive a lot of emails, work emails, and most and some of them are not outside of the outside of the organization.

Don't come from your company's email address.

And it's crucial to avoid, you know, an employee clicking on a link in an email that could, for example, download some malicious code that could be malware.

You know, some software that now has access to your computer. And, you know, in order to to retrieve sensitive data of customers or or install ransomware, which we also have heard a lot about in the past.

The other thing is that if I click on a link and go to a spoof web domain, then or that basically mirrors an internal system or any other system I'm using on a daily basis, and then if I'm not careful, I might type in my my credentials, my username and password, and then the attacker has access to this.

Right. And they can log into whatever account I want to access again, get access to data.

And so that's concerning because you talk about the one of the biggest risks and threats to organizations being the increased amount of entry points into their network through IOT and all kinds of devices now that are connecting and creating entry points and gateways into our networks.

But DNS or email is not something that we, you know, maybe not all organizations are thinking of inherently as a prime secure point of vulnerability or a point of vulnerability for securing your your your data as an organization.

Getting in using social engineering or tactics, leveraging spoofing or phishing may allow them entry and then you're you're exposing your data and your organization to a lot of malicious intent that really can span across a wide variety of outcomes.

I mean, one thing I want to mention here, and you talked about it in your blog which if you guys haven't noticed it yet is live today.

Check out the latest blog on DNS wizard available on Cloudflare's website on under our blogs, but according to the FBI's 2020 intent crime report phishing was the most common cyber crime in 2020.

And this struck me that struck me right away with over 240 ,000 victims, leading to a loss of over $50 million.

That is a lot and that scope of impact is pretty massive.

Absolutely. So, go ahead. Yeah, I definitely agree with you.

And besides those typical tools like you know installing spam filters or other filters in your inbox specifically, there are already existing mechanisms based on DNS domain name system right the phone book of the Internet.

And those also help a lot right they actually can be used in order to prevent the email from being delivered in the first place.

Wow. That's, yeah, so you don't even get the email to begin with.

But so here's here's my question for you then there are security parameters already in place today for DNS right I mean we have SPF and D mark and other tools, what, what is DNS wizard offering that really helps us fill the gap that existing parameters are not touching on.

Yes. So briefly before I dive into the wizard itself.

This new feature in the UI. Give a lesson let me give a very high level overview about these, these mechanisms, you just mentioned so quickly.

So there's first SPF short for sender policy framework.

So very quickly, what this is doing it is, is it allows you to specify what email server is is authorized to send email on behalf of your domain, and that that can be your server in your basement, the IP address the external IP address of that server in your basement, but it can also be and that's much more common.

And, you know, an email provider like like Google or Microsoft, for example, right.

So those also have external IP addresses and they send email on behalf of your domain.

The second thing is deacon, which stands for domain keys identified mail.

And this is a mechanism that allows you to use cryptographic signing, which is basically adding a signature to the email address that that only the actual sender can can generate so that the receiver can verify the signature and confirm this email the content the body of the email has actually been sent from the, from the person I'm expecting it to to be sending this.

And the other thing is the last thing is and it's that's a that's a long name.

The mark is the short version of the long version is domain based authentication reporting and conformance really really a mouthful I would say.

And that connects the SPF and DM and deacon, so that allows you to as a domain owner to, you know, tell email receiving service, how to treat incoming emails, when they check the other when they fail the other two checks.

And it also allows you to to receive reports so we will actually see how often somebody tries to impersonate your domain right and sends emails on behalf of your domain which which can have serious consequences, of course.

Yeah, yeah. So that's that's a good rundown.

It seems to me that between the three that you mentioned SPF deacon, and the mark that there's parameters in place today that people are leveraging choose to secure their DNS, and what is it about DNS wizard that fills a gap that these are not covering.

Yeah, so the problem was with these three mechanisms is that there are two problems.

One is adoption. So, not every everyone who owns a domain or is configuring their email on his own domain or her own domain is aware of these mechanisms right so as one, there's one report that now now Erica disappeared, but I continue talking there's one report that actually.

That actually says that less than half of all domains are using the mark for example less than half really enforce these checks.

And one reason might be that this the protocol is, it has been published in the last couple of years only it's it's not one of the older record protocols here.

But I think people are just not aware of this right and and the wizard will generate awareness so everybody who is using Cloudflare for DNS will see warnings, when they log into their into the Cloudflare dashboard and configure their DNS records.

So they will see for example a warning, hey, you actually have not configured SPF right, you should do that in order to have a secure email configuration.

Wow, so it's not about it's not about filling a gap but really helping them optimize and leverage these, these tools to secure their, their environment.

Yes, definitely. Generating awareness is the first big problem that that the wizard is solving.

And the second thing and that's why it's called wizard.

So we know that from when you have a UI flow that guides you through a setup and it's simply called wizard that's where the name comes from.

So the second thing is actually helping users to configure these records and as we'll see in a bit.

Those can be quite complex, so the wizard helps them to, you know, easily configure them and and you know not get lost in details and even even more dangerously misconfigure them and that can lead to, you know, legitimate emails being dropped, basically, or malicious emails not being dropped right so you want the good emails to get through with the bad emails to not get through.

Very good point. So I really think that seeing is believing you talked about the UI config configuration being made much easier on the end user.

The recommendations and the alerts and the warnings to generate awareness of how to really leverage these security parameters that can help them in their environment and secure their users their data, etc.

How about a quick demo to showcase what what it is you've been talking about.

Absolutely. Share my screen here. Awesome.

Let me know when you can see my screen. Just make sure that I share the right screen.

Okay, awesome. So what you can see here is the Cloudflare dashboard. When you go to dash.Cloudflare.com.

If you already are using Cloudflare, you are quite familiar with this.

If not, you can just simply and for free, sign up on Cloudflare.com.

And, yeah, so there are a couple of sections here. One is the DNS section the DNS tab here if you navigate there, you actually see the DNS configuration of your domain.

And we can see already this new banner this blue banner, which is very prominently telling you hey we actually have a new feature the email security DNS wizard.

So if you use it and have any feedback, please use this feedback survey and provide us with all your feedback and if you want some additional functionality have some find a bug which you hopefully don't.

Please let us know through that feedback survey.

The next new thing is in the top here we have a section that shows warnings and recommendations about your email configuration.

And we can see two of them already here. One is that on this domain so this is one of my demo pages.

We realized there's actually no SPF record play so there's there's no SPF policy.

And there's also no DMARC policy so so we show you this.

And we can actually just click on a link here let's let's directly do this so I am a user I see this warning.

Now I want to act upon it or I want to fix my configuration.

So I'm clicking on this link directly in the warning. And now I'm in the right section of the wizard, where I can create this SPF record.

So SPF has a lot of different possibilities that you how you can configure the SPF TXT record so down here, we actually see the live preview of the of the content of this record.

And so what I'm firstly doing is I'm providing the IP address of a email server that I know is allowed to send email on my behalf, which is providing an example email here.

Just type it in here. I can list more than one email, obviously, then what else I can do here is if I'm using for example Google as an email provider they they provide you with a specific, or they might provide you with a specific domain name that actually already contains an SPF policy and I can just include this already existing policy in my policy.

So I'm just also making up something here to common name is to use the underscore SPF subdomain.

Let me just call this email provider dot test.

So this could be one existing policy I want to include in my SPF policy.

And then the last thing which is which is also very important to configure is is my actual policy for all IP addresses that are not listed in here, either specifically or part of this policy.

How should email receiving service treat incoming emails from IP addresses that are not part.

What I specified here, and in my example I would want to want these emails to fail the checks because I only want to allow everything that is specified here.

You can also allow everything else, which, you know, allows everybody to send email on your behalf, on behalf of your domain which is not recommended.

And you can also say soft fail which which might result in the email being marked as spam.

Cool. And that was already it right I mean there are more tags that are part of the record so this is basically one example of a tag.

But this is we decided to keep it simple to give it the options that a user has for the most, you know, crucially most important things.

Yeah, I see that I see the preview, I can click submit here. And there's a again a confirm model because this is important to make sure to not miss an email.

If I would miss an email here then maybe legitimate emails would be would be dropped right which I definitely don't want.

And the last step then would be clicking confirm.

And now we can see this record. So this is this record down here has actually created been created on my domain and is now already live on our global network.

That was very easy I'm pretty sure you did that within four minutes before a new user who is going to who could adopt this if they have DNS today with Cloudflare, how can they enable this service and how can they start to leverage these, these helpful tools for warnings and configuration recommendations, things like that.

Yes, so this feature will be available to everybody.

We will slowly roll this out. And over the next couple of weeks. So, yeah, it will be for free and everybody who is using Cloudflare for DNS, they will see this banner.

During the next couple of weeks. So this banner will help will prompt them to be able to go in and make configuration changes just as you have outlined here in this demonstration, just that easy.

It's that easy. So there are two ways to to access the or use the wizard.

So the first one I already shown the the warnings up here have a hyperlink directly into the right section.

So this is the most prominent way I would say and then there's also if you scroll all the way down.

There's also this new new new section called email security, and here I also can navigate to the to the wizard.

This is a little bit more, there are a couple of more options here.

So one is if your domain sends email, then we allow you to specify these three records and provide the necessary information with SPF I just walked you through.

In the other scenario, actually also maybe want to quickly demonstrate here is if your domain is not used to send email.

If I want to, you know, tell receiving email service, please drop any email on coming from this domain.

Let me actually quickly make sure that this configuration is correct I don't want to demonstrate something that is not correct so I'm getting rid of all the email related DNS records here.

And then I can configure this domain to not send it to not be able to send email.

I can actually use again this warning up here it says hey there's no mail exchange record for your domain.

Either, please add this if you want to be able to send email or receive email, or you can also set up restrictive records with one click to prevent anybody else from from sending email from this domain.

So, yeah, this is really one or two clicks right I just clicked on the link.

And now I just have to submit all of these restrictive records.

So let's do this very quickly. So you see as as quick how quick this was if I don't want to send email on my domain.

I can just use this configuration to ensure nobody else's. Right. So we have three records that have been created right now.

SPF, DKM and DMARC and all in a way that this domain.

Yeah, is prevented from being sending email. So I see that it's it's really helping users apply the security parameters with the UI updates in the wizard.

What happens if an alert does come up, how will they see that. Okay, so, um, you mean basically if somebody sends an email.

Yeah, so this is where DMARC comes in.

Let me maybe quickly go to one of my other domains here, where I still have this configured.

So here you can see, I configured the DMARC record. So, so this is an email that should be able to and domain that should be able to send emails.

And what I did here is I configured the DMARC record in a way that it contains a reporting email address.

So, I mean, this is not an actual email address, but it could be, it should be my, my email address.

And what this does it is it prompts receiving email service to send aggregate reports, once a day.

So now, if this email would be working I mean it's just a fake email but I would receive one email per day that tells me so many emails have been dropped by email receiving service, because they failed one of these checks, and they were potentially malicious.

That makes sense. Okay, so they get daily reports, then, against any malicious or suspicious activity regarding their email domain.

Yes, and that's obviously very, very important right and I need insights into what's happening on the email traffic of my domain right in order to act.

Maybe I seen these reports that I missed the IP address, or maybe an IP address of one of the email service that I'm using to send emails is has changed over time so I need to update my configuration.

So this this allows me to get those insights. That's very cool. That leads me to actually a question we have in the chat right now, which is, and I think you've touched on this but I want to just double click for the sake of our audience and to make sure that it's very clear.

He says, will there be any log with where actually there, the spoofing accrued or tried to.

That question. Yes. So, um, first of all, so I think I just touched upon this but just make sure I understood the question correctly, the, the log we won't log anything on the cloud side right so that there won't be any logs that that Cloudflare stores.

Hey, this domain has been tried to be spoofed that many times so this only is reported on the email address you configure in your demand record.

So, yeah, there will, there will be this log in form of the, the regular reports that will be sent to the email, you can specify.

Awesome. Yes, I think you did touch on that just wanted to double check.

We're not missing anything for our audience. Now, if with regard to learning more information and being able to get maybe more foundational knowledge about how to leverage the the tools like like the mark right, I know we have a lot of relevant and great foundational knowledge and information available, where can they find that.

Yes. So there is one blog post available on blog.com. This actually introduces the entire, you know, problem with these records not being known to people and what what are the risks with with phishing and spoofing.

And it also touches upon how how exactly SPF, DKIM and DMARC work.

So this is one blog post published this morning.

What we also did is we created new learning pages on Cloudflare.com slash learning.

There are individual pages that also go into detail about, about these security mechanisms, why they are important, how they can be configured, and what the, each of these mechanisms, you know, consists of different, let's call them tags inside the record itself and what what each tag means what you can do and so on.

Awesome. So that is on Cloudflare.com under learning pages, they'll be able to find information on those those components.

Yes. Awesome. Awesome.

Any other information that you'd like to share as a, as a summary or, you know, key takeaway for users that may may not be leveraging DNS today with Cloudflare.

The, the overall benefits of leveraging our DNS products and and the addition of this new new feature DNS wizard.

Absolutely. Yeah. Cloudflare. The DNS product of Cloudflare is.

We actually the largest provider on the planet right more than 14% of all websites on the planet are using Cloudflare for DNS.

And that's built on our global network right I mean more than 250 cities have a Cloudflare data center basically.

And all of these data centers are also serving DNS.

So your, your DNS records of your domain are very are served very close to the end user that means really really good performance, and also security right I mean, I don't want to drift up into security but there are lots of other attacks that can happen based on based on DNS and to using Cloudflare for DNS you're also protected against those of course.

Yes, I have, we have a family of entrepreneurs, and in my, my personal family and I was surprised to hear that even before I began working at Cloudflare.

Some of the family members I have with startup organizations said oh yeah we use Cloudflare no this is, we have to, it lowers the barrier to entry for startups and really helps optimize at every, every organization size from startup to enterprise to really make it work opt in an optimized way with agility to scale on a global in a global way like you just said 250 cities and over 200 countries.

We are sorry 100 countries, we are a lot, 200 on the mind, but we were expanding by, by the, by the year and we've had some really exciting announcements come out and our, our latest speed week and now we are in birthday week so there's a lot more great content for you all to catch up on and what we're doing here this week as we celebrate our anniversary at Cloudflare, and thank you so much, Hannes for joining me and explaining the awesome benefits of DNS wizard and going through that demo for us.

I really appreciate it. I don't see any more questions in the, in the track and the q&a so I think for that we are all done.

Yeah, I mean, definitely I highly encourage everybody who owns their own domain, like last name.com or last name.io whatever, whatever you, whatever top level domain you're using.

If you're not on Cloudflare I can highly encourage you go to Cloudflare.com, sign up for free.

It's very, very easy, very quick, only takes a couple of minutes, and then you can use a lot of Cloudflare's features that will make the life of your domain, a lot of easier.

Very well said. Thank you everyone for tuning in.

I hope you have a great rest of your day and continue looking out for amazing products updates and announcements that are happening this week on birthday week.

Have a great day. Yeah. Bye. Have a good one. Transcribed by https://otter.ai