A U.S. senator is asking the Department of Homeland Security and other federal agencies to implement DMARC to prevent impersonation attacks conducted through email. In recent months, several government agencies have been targeted by phishers who have used government domains to send large volumes of spam and phishing emails.
The emails appear genuine because they carry government-owned domains in the sender address, and while the text of the emails often contains clues that they are not authentic, the official domain lends enough credibility that many recipients are tricked.
The use of official domains by phishers is not a new phenomenon, of course, but government-owned domains should be protected to stop them from being used in phishing campaigns. The issue is that in most cases, insufficient controls are in place to block impersonation attacks.
Sen. Ron Wyden (D-Oregon) contacted the Department of Homeland Security voicing his concerns about the problem, and specifically, the failure of federal agencies – including DHS – to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard.
DMARC is a proven tool for stopping email impersonation. A domain owner publishes a DMARC policy in DNS; a receiving mail server then checks whether the domain in the message's From header is authenticated by SPF or DKIM and, if it is not, applies the owner's published policy, which can be to monitor only, to quarantine the message or to reject it outright. If federal agencies published enforcing DMARC policies, receivers could tell whether an email genuinely came from an agency or from a third party not authorized to use the domain, and spoofed messages would be quarantined or rejected rather than delivered. DMARC does not stop every phishing campaign (look-alike domains are unaffected), but it makes impersonating a protected government domain far more difficult and safeguards the public.
The standard is recommended by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). DMARC has also recently been implemented across the British government with strongly positive results: since adopting DMARC, the UK tax agency alone has cut impersonation attacks by around 300 million messages in a single year.
The UK's National Cyber Security Centre (NCSC) has also built a central system that processes the DMARC reports from all government agencies, giving it a view of impersonation attacks across every government department.
At present the Department of Homeland Security does not use DMARC, and it is not used on most government-owned domains. The U.S. government owns around 1,300 domains, yet DMARC is deployed on an estimated 2% of them.
Impersonation attacks are increasing and numerous government agencies have been impersonated in recent months including the Department of Health and Human Services, the IRS and even the Defense Security Service – part of the U.S. Department of Defense.
Sen. Wyden argues that the Department of Homeland Security should swiftly adopt DMARC and mandate its use across all federal agencies. DHS already scans other federal agencies for vulnerabilities under its Cyber Hygiene program, and Sen. Wyden says DMARC scanning should be included in that program. As in the UK, he proposes that the General Services Administration (GSA) build a central repository for all DMARC reports, to give DHS visibility into impersonation attacks across all federal agencies.
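To make concrete both what DMARC actually checks (the verification described earlier in this article) and what a DMARC scan of the kind proposed for the Cyber Hygiene program would report, here is an added Python illustration. It is not code from the article, DHS, GSA or NCSC. The domain names and DNS records in it are constructed placeholders standing in for TXT lookups of `_dmarc.<domain>`, and its organizational-domain logic is a deliberate simplification (a production checker consults the Public Suffix List). The policy, alignment and multiple-record rules it applies are those of RFC 7489.

```python
"""Added illustration: parse a DMARC record, apply the receiver-side DMARC
decision, and grade a domain inventory the way a DMARC scan would.
Constructed sample data only; not code from the article or any agency."""

# Constructed stand-in for TXT lookups of _dmarc.<domain> (hypothetical names).
SAMPLE_DNS = {
    "_dmarc.agency-a.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example; adkim=s; aspf=s"],
    "_dmarc.agency-b.example": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example"],
    "_dmarc.agency-c.example": ["v=DMARC1; p=quarantine; pct=10"],
    "_dmarc.agency-d.example": [],                                          # nothing published
    "_dmarc.agency-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict.
    Returns None when it is not usable: RFC 7489 requires 'v=DMARC1' as the
    first tag and a 'p' tag with a valid policy value."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        return None
    return tags


def org_domain(name):
    """Organizational domain. Simplification: the last two labels. A real
    implementation uses the Public Suffix List (e.g. for names under gov.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: does the SPF- or DKIM-authenticated domain match
    the From-header domain? 's' = exact match, 'r' (default) = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record, from_domain, spf_domain=None, spf_pass=False,
                  dkim_domain=None, dkim_pass=False):
    """Receiver-side decision. DMARC passes if SPF or DKIM both passed and is
    aligned with the From domain; otherwise the published policy applies.
    (pct sampling is ignored here for clarity.)"""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else record["p"]


def grade_domain(domain, dns=SAMPLE_DNS):
    """What a DMARC scan of a domain inventory reports: (status, note)."""
    answers = [t for t in dns.get("_dmarc." + domain, []) if t.strip().startswith("v=DMARC1")]
    if not answers:
        return ("missing", "no DMARC record; spoofed mail is neither blocked nor reported")
    if len(answers) > 1:
        return ("invalid", "multiple DMARC records; receivers discard all of them")
    rec = parse_dmarc(answers[0])
    if rec is None:
        return ("invalid", "malformed record")
    notes = []
    if "rua" not in rec:
        notes.append("no rua tag, so no aggregate reports reach the owner")
    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        notes.append(f"pct={pct}: policy applied to {pct}% of failing mail, "
                     "the rest get the next weaker policy")
    return (rec["p"], "; ".join(notes) or "ok")


def scan(domains, dns=SAMPLE_DNS):
    """Grade every domain and count those enforcing, as a central repository would."""
    results = {d: grade_domain(d, dns) for d in domains}
    enforcing = sum(1 for status, _ in results.values() if status in ("quarantine", "reject"))
    return results, enforcing


if __name__ == "__main__":
    results, enforcing = scan([d[len("_dmarc."):] for d in SAMPLE_DNS])
    for domain, (status, note) in results.items():
        print(f"{domain:20} {status:10} {note}")
    print(f"{enforcing}/{len(results)} domains enforce a quarantine or reject policy")
```

Two points the output makes that the statistics in the article do not: a published record with `p=none` counts as "using DMARC" but blocks nothing (it only generates reports), and a record with a low `pct` or no `rua` address leaves most of the benefit on the table. A scan that feeds a central report repository should therefore track enforcement level and reporting configuration, not mere presence of a record.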