Monday, 10 September 2018

Security: RBC Royal Bank: Best laid plans of mice and men

We did some banking work with our bank, RBC Canada. In the process they sent us a few "Secure Document Access" requests, with the agent providing the password for each over the phone.

When the first one came in, it was a bit of a system shock.

[Image: RBC Royal Bank "Secure Message"]

The highlight is ours. Huh?!?

Given the nature of today's phishing attacks, we were very quick to phone our contact after receiving the above to verify its legitimacy.

We received a number of subsequent "secure" e-mails using the same method.

The encryption process we, and our clients, use on the ExchangeDefender (xD) system sends a link to an Internet property owned by xD, with a valid SSL certificate in place to assure the recipient that they are in the right place. That comes after we have told the recipient, in a prior e-mail, about the upcoming process for obtaining the encrypted content.

The RBC Royal Bank method is close to that, but why the .HTM attachment requirement? That's just plain weird. :S Asking recipients to open an .HTM attachment and type a password into it is exactly what a credential-harvesting phish does, so the legitimate process trains customers to do the one thing they should never do.

Sure enough, this is what was in an Inbox here this morning:

[Image: Phishing Message]

It's a poorly crafted phish attempt at best.

[Image: E-mail Header]

The trail is pretty clear as far as where it came from and the "how" looks to be fairly clear as well.

All it would have taken was slightly better timing on the phisher's part and a bit of distraction on our part, and BOOM, we could have been hooked. :(

RBC Royal Bank Canada needs to change its secure document transmission methodology, please.

And, Microsoft, please give us built-in DKIM abilities for on-premises Exchange instead of keeping that to online properties only. That's not polite in the least. *See note below.

Outlook Header How-To

Outlook users, here's how to get the header information shown above:

  1. Double click on the e-mail to open it in its own window
  2. Click the Message tab
  3. Click the break-out (dialog launcher) button at the bottom right of the Tags group; the message Properties dialog opens
  4. Click anywhere in the small "Internet headers" window at the bottom of that dialog
  5. Keyboard:  CTRL+A then CTRL+C
  6. Click Close and close the e-mail
  7. Paste the content into the destination app (we use Notepad)

After examining a few headers it gets pretty easy to tell the legitimate messages hitting our Inbox every day from the illegitimate ones. Read the Received lines from the top down: the ones added by our own mail server are trustworthy, while anything below them was supplied by the sender and can be forged. While the process may be a bit time consuming, figuring out whether something is legit or not could be the difference between hitting DELETE and a ransomware encryption event or Inbox/Contacts harvesting.
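As an added example, not code from the original post nor anything from RBC, Microsoft or ExchangeDefender, here is a small Python script that does by machine what the header reading above does by eye: it walks the Received chain back to the originating IP, checks whether the visible From domain matches the envelope Return-Path, and reads the receiving server's SPF/DKIM/DMARC results from the Authentication-Results header. The two header blocks are constructed samples using reserved documentation domains and addresses, not the headers from the actual phishing message; the hostnames, IPs and queue ids are likewise made up.

```python
"""Triage e-mail headers pasted out of Outlook: walk the Received chain back
to the originating host, compare the visible From domain with the envelope
Return-Path, and read the receiving server's Authentication-Results."""
import email
import re
from email.utils import parseaddr

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "from <host> (<comment>) by <host>" as most MTAs write a Received line
RECEIVED = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed sample headers (not the real message from the post); domains,
# addresses and IPs are reserved documentation values, ids are made up.
PHISH_HEADERS = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.net with ESMTPS id abc123
\tfor <victim@example.net>; Mon, 10 Sep 2018 08:01:02 -0600
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.com with ESMTPA id def456;
\tMon, 10 Sep 2018 08:01:00 -0600
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org;
\tdkim=none; dmarc=fail header.from=example.biz
Return-Path: <bounce@example.org>
From: "Secure Message Centre" <notice@example.biz>
Subject: Secure Document Access

"""

LEGIT_HEADERS = """\
Received: from outbound.example.com (outbound.example.com [192.0.2.20])
\tby mx.example.net with ESMTPS id ghi789;
\tMon, 10 Sep 2018 09:15:00 -0600
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <notices@example.com>
From: "Example Notices" <notices@example.com>
Subject: Statement available

"""


def _flat(value):
    """Unfold a header: continuation lines become one space-separated line."""
    return re.sub(r"\s+", " ", value).strip()


def _domain(header_value):
    """Bare lower-case domain of an address header like '"Name" <u@host>'."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def received_chain(msg):
    """Hops in delivery order, oldest first, as (from_host, ip, by_host).
    Received lines are prepended, so the last one in the message is the
    first hop. Only the top lines, written by your own mail server, can be
    trusted; a sender can forge everything below them."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(_flat(value))
        if not m:
            continue
        src, comment, by = m.groups()
        ip = IPV4.search(comment or "") or IPV4.search(src)
        hops.append((src, ip.group(0) if ip else None, by))
    return hops


def auth_results(msg):
    """{'spf': 'fail', 'dkim': 'none', ...} from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH.findall(_flat(value)):
            results[method.lower()] = result.lower()
    return results


def triage(raw_headers):
    """Summarise one pasted header block and list the red flags found."""
    msg = email.message_from_string(raw_headers)
    hops = received_chain(msg)
    from_domain = _domain(msg.get("From"))
    return_domain = _domain(msg.get("Return-Path"))
    auth = auth_results(msg)
    findings = []
    if from_domain != return_domain:
        findings.append(f"From domain {from_domain!r} does not match "
                        f"Return-Path domain {return_domain!r}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} = {auth.get(method, 'missing')}")
    return {"origin_ip": hops[0][1] if hops else None, "hops": hops,
            "from_domain": from_domain, "return_path_domain": return_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        report = triage(raw)
        print(f"[{label}] origin {report['origin_ip']}, "
              f"{len(report['hops'])} hop(s), {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("   -", finding)
```

Paste the headers copied out of Outlook in place of one of the samples and run it; anything listed under findings is a reason to slow down before clicking. The domain comparison is the same alignment check DMARC performs, which is why publishing SPF, DKIM and DMARC records for your own domain makes it so much harder for someone else to forge mail from it.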

Happy Monday everyone and thanks for reading! :)

2018-09-10 EDIT: Oops, that Microsoft sentence should have been CUT along with the other sentences that were in a previous paragraph. Suffice it to say, we've been working on DMARC/DKIM requests and discovered that Microsoft seems to be withholding DKIM from on-premises Exchange. Thus, we need to go third party to get to use that business-critical security feature. :(

Philip Elder
Microsoft High Availability MVP
MPECS Inc.
Co-Author: SBS 2008 Blueprint Book
www.s2d.rocks !