What is BIMI and how is it supposed to help with Phishing.
Earlier this week, I talked about how Phishing is still a huge problem and how compromised WordPress installs and free file hosting services are abused. But the root cause why Phishing works is more "human": Phishing works because it is hard to figure out if an email or a website is authentic. Over the years, many technical solutions have been implemented to make it easier to recognize valid senders or a valid website. TLS helps, but not if the attacker comes up with a decent look-alike domain or can obscure the hostname with lengthy prefixes. DKIM and SPF help, but they again do nothing against look-alike domains.
The latest attempt to find a better way to authenticate an email sender visually is "BIMI," short for "Brand Indicators for Message Identification" [1]. It will add a company logo to each email, and the logo may be verified.
Of course, to make this work, we need yet another DNS TXT record: [selector]._bimi.[domain]. The [selector] can decide which logo will be used. But typically, you should see default._bimi.example.com.
e.g., for dshield.org:
v=BIMI1;l=https://dshield.org/images/dshieldbimi.svg;
The image must be in SVG format.
Preview generated by bimigroup.org
So what prevents a phishing site from copying your BIMI logo, just like it reproduces all your other artwork? Certificates! You may use BIMI without certificates (like I do for DShield.org), but the value is limited, and not all email clients may show it (more about that later). But you can use an optional "Verified Mark Certificate" (VMC) to improve BIMI.
So what is a VMC, and how do you get one? In short, the VMC verifies that you own a trademark for a particular logo. Start by obtaining a trademark. Future versions of the standard may no longer require this step, but that will get you started for now. Next, you have to get your certificate. There are no free options so far. I have seen them offered for around $1,000-$1,500 per year. So it is in no way cheap. There may be a manual process in approving the request, which is likely why they are so expensive. Also, the lack of a free option may contribute to the cost. Most organizations will already have a trademarked logo, but if not, that will add another $500 or so.
So far, Yahoo, Google, Fastmail, and Pobox are supporting BIMI. Others are considering it. But note that neither Apple nor Microsoft has announced any plans so far (according to [1]). With Outlook/Office 365 and iOS/macOS out, it is hard to justify the cost of a "complete" BIMI implementation (it is not just the cost of the certificate, but it is also something else that could break with email, another certificate to maintain, and a logo that needs to be created in the right format).
Pros and Cons? Should you do it?
+ it does offer another visual indicator that an email is authentic
- it is expensive to do it "right"
- support is limited
[1] https://bimigroup.org
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago