
Absence of E-Mail Related Safeguards for SLC Leads to Easy Phishing

Online scammers have found an easy route to success with phishing campaigns: sending e-mails that impersonate the Student Loans Company, apparently because the company, which disburses educational loans to aspiring students in the UK, didn't have adequate security to prevent domain spoofing. Softpedia.com published this on January 8, 2015.

Prior to Christmas, the Student Loans Company (SLC) predicted an increase in phishing e-mail attacks that would misuse its name to deceive recipients into clicking malicious web-links. Its messages also said that in future, recipients would find any formal notification coming from the e-mail address notifications@slc.co.uk.

But SLC wasn't aware that its domain slc.co.uk had no safeguard in place to deter spoofing of that domain. Consequently, scammers could impersonate the SLC e-mail address. Besides, because students (the actual e-mail recipients) had learned of the address from which future SLC communications would come, they seemed to trust the impersonated phishing e-mail.

Security analyst Paul Mutton of the security company Netcraft notes that there is no Sender Policy Framework (SPF) rule for slc.co.uk. Without such a rule, nothing specifies who is permitted to send e-mail from that address, so there is no restriction on which entity can send e-mails that appear to come from notifications@slc.co.uk. Netcraft.com reported this on January 8, 2015.

There is also no Domain-based Message Authentication, Reporting and Conformance (DMARC) rule, by which SLC could have taken measures against forged e-mails that spoofed slc.co.uk. With the right configuration in place, SLC could not only have had e-mail providers block the fake e-mails, but could also see what is written in those e-mails and get statistics on the number of messages being sent.
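To make the two missing controls concrete, the following added example (not from Netcraft or SLC) audits a domain's TXT records for an SPF rule and an enforcing DMARC rule with reporting addresses. The domain example.org, the record contents and the finding codes are constructed assumptions; the records are supplied inline rather than fetched from DNS.

```python
# Added example. TXT record sets are constructed for illustration, not DNS lookups.

def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, txt):
    """txt maps an owner name to its TXT strings. Returns a list of finding codes."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        findings.append("spf-missing")       # receivers have no sender list to check
    elif len(spf) > 1:
        findings.append("spf-multiple")      # more than one record is a permanent error
    else:
        terms = spf[0].lower().split()[1:]
        if not any(t.startswith("redirect=") for t in terms) and "-all" not in terms:
            findings.append("spf-not-hardfail")  # ~all, ?all, +all or no 'all' term

    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])]
    dmarc = [t for t in dmarc if t.get("v") == "DMARC1"]
    if len(dmarc) != 1:
        findings.append("dmarc-missing")     # none, or several (receivers apply none)
        return findings
    policy = dmarc[0]
    if policy.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("dmarc-not-enforced")          # p=none only monitors
    if "rua" not in policy:
        findings.append("dmarc-no-aggregate-reports")  # no statistics on volume
    if "ruf" not in policy:
        findings.append("dmarc-no-failure-reports")    # no per-message failure reports
    return findings

# Constructed record sets: a domain with neither control, and one with both.
UNPROTECTED = {"example.org": ["some-site-verification=abc123"]}
PROTECTED = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:agg@example.org; "
                           "ruf=mailto:fail@example.org"],
}

if __name__ == "__main__":
    print(audit("example.org", UNPROTECTED))
    print(audit("example.org", PROTECTED))
```

The `rua` tag corresponds to the message statistics mentioned above and the `ruf` tag to the reports on individual forged e-mails.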

Meanwhile, SLC being targeted in phishing attacks isn't something new. In one earlier instance, a phishing e-mail purporting to come from SLC claimed that a revision of its database was under way. Recipients were asked to update their information within 3 days of getting the message, failing which their student loan might not be paid or might be delayed.

» SPAMfighter News - 1/19/2015
