How phishers can spoof Agari DMARC enforcement: A Western Union Case Study
On March 28th, Mad Max himself got a virus-laden email from firstname.lastname@example.org. So he wondered what kind of DMARC enforcement westernunion.com employed. Guess what? They're an Agari client with DMARC set to "p=reject". All of which means that Agari protection of westernunion.com or wu.com is…well…BROKEN DAMNIT! So for you geniuses out there (probably nobody at MIT however…read yesterday's article here), below are three screenshots. The first is the email header info. The second is the westernunion.com DMARC setting. And the third is the westernunion.com SPF record. If you're smart, you'll see how to get around so-called Agari DMARC protection. See the holes?
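For readers who want to run the same kind of inspection on their own domain, here is an added example (not from the original post) that audits a DMARC record and an SPF record for common enforcement gaps. The sample records are constructed for example.com and are not the Western Union records from the screenshots; the function names and the /16 threshold for a "wide" range are assumptions of this example.

```python
import re

# Constructed sample records for example.com (not the records in the post's screenshots).
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.com"
SAMPLE_SPF = "v=spf1 ip4:203.0.0.0/8 include:_spf.example.net ~all"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4

def audit_dmarc(record):
    """Return findings for a DMARC TXT record (tag defaults per RFC 7489)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    if tags.get("v") != "dmarc1":
        return ["not a DMARC1 record"]
    p = tags.get("p", "missing")
    sp = tags.get("sp", p)               # sp defaults to the p value
    pct = int(tags.get("pct", "100"))    # pct defaults to 100
    findings = []
    if p != "reject":
        findings.append(f"p={p}: failing mail for the domain is not rejected")
    if sp != "reject":
        findings.append(f"sp={sp}: failing mail for subdomains is not rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only a sample of failing mail")
    return findings

def audit_spf(record):
    """Return findings for an SPF TXT record (RFC 7208)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF1 record"]
    findings, lookups, terminated = [], 0, False
    for term in terms[1:]:
        m = re.match(r"([+\-~?]?)([a-z0-9]+)(.*)", term)
        if not m:
            continue
        qual, name, rest = m.group(1) or "+", m.group(2), m.group(3)
        lookups += name in LOOKUP_TERMS          # terms that cost a DNS lookup
        terminated |= name in ("all", "redirect")
        if name == "all" and qual == "+":
            findings.append("+all: every sender passes SPF")
        elif name == "all" and qual != "-":
            findings.append(f"{qual}all: unlisted senders are not hard-failed")
        elif name == "ip4" and "/" in rest and int(rest.rsplit("/", 1)[1]) < 16:
            findings.append(f"{term}: very wide address range authorized")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms: over the limit of 10 (permerror)")
    if not terminated:
        findings.append("no 'all' or redirect: unlisted senders get neutral")
    return findings
```

The SPF check counts only the lookup terms in the record it is given; lookups inside included records also count toward the limit of 10. DKIM alignment, the other path to a DMARC pass, is not examined.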
I've got a swell prize for the first email to MadMax@MadCISO.com to nail it (send your company affiliation, email, and street address for your prize; no PO Boxes please). What is the swell prize? Let me know if you want me to publicize your brilliance, and I'll post a picture of the cool reward I send you in a subsequent blog.
As for the rest of you reading this, go ahead. Do business with Agari. You get what you deserve. Agari should have caught this at Western Union.
Crunchbase suggests a multi-billion valuation at their IPO (read the story here). I wonder if a class-action lawsuit from hacked/phished victims of Agari clients will throw a wrench into the works. Maybe not, given the ignorance of the investors: led by Goldman Sachs (actually protected by Agari competitor Proofpoint but with misconfigured SPF records), and joined by Norwest Venture Partners (Agari blew smoke up their skirt and set DMARC at no enforcement), Scale Venture Partners (hey, Agari set at enforcement but a kludge SPF record), Battery Ventures (Agari DMARC misconfigured), Greylock Partners (not even an Agari customer and with no DMARC protection), First Round Capital (actually DMARC protected by Agari competitor Valimail), and Alloy Ventures (not even an Agari customer and with no DMARC protection). Hey, guys; ever hear of sticking your money out the rear end of a wild hog, setting it on fire, and then watching the beast roar into the California forest?
Hey, I've got a new Agari slogan: "Build a man a fire, warm him for a night. Set his house on fire and you'll warm him for a lifetime."
Actually, Dante came up with a better Agari slogan: "Abandon hope all ye who enter here."
#agari #westernunion #phishing #hacking #dmarc #proofpoint #valimail #goldmansachs #norwestventurepartners #scaleventurepartners #batteryventures #greylockpartners #firstroundcapital #alloyventures