
SANS ISC: Canada's Anti-Spam Legislation (CASL) 2014 - SANS Internet Storm Center


Canada's Anti-Spam Legislation (CASL) 2014

Canada recently passed anti-spam legislation.  Starting July 1, 2014, organizations need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of.  This doesn't cover just mass marketing: a single email to a single person is covered by this new legislation.

Starting Jan 15, 2015, the installation of apps, plug-ins and other programs needs similar consent.

With fines up to $1 million for individuals and $10 million for organizations, there's a bit of a scramble to get consent from us Canadians.  Everyone from car companies wanting to send service bulletins to insurance companies who think this applies to emails about our insurance claims are sending "click here to consent" emails.  And of course, there's a similar scramble from folks that we've bought something from once, who want to send us sales flyers forever.

See the problem yet?  There was a clue in the note above.

In this onslaught of "Click here" notes, it's oh-so-easy to slip in a few malicious emails, and of course if you do click in one of those notes, there's some special malware just for you!

To make things more interesting, many of the legitimate emails of this type are loaded with graphics, with links pointing to third-party sites, so they look like malicious content all on their own.

So, in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn't confined to just Canadians, mind you), this legislation is actually creating a new "easy button" attack vector, and we have a spike of the very activity it is trying to prevent!

I wonder if the folks in Ottawa who wrote this legislation realize that it also applies to their campaign material at election time?  Or if they understand that a telephone call is also "electronic communication"?  <Just the first two gotchas that came to mind>

If you've seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar "oops" situations, please share using our comment form!

http://www.crtc.gc.ca/eng/casl-lcap.htm
http://fightspam.gc.ca

===============
Rob VandenBrink
Metafore

SPAM, SPAM, SPAM, SPAM, SPAM, take the SPAM quiz? Alas.. comforting to see yet another country securing the jobs of incompetent people. We have one too, called the Do Not Call List.. works as designed, broken. :rolleyes:
ICI2Eye
http://yro.slashdot.org/story/14/06/17/1230253/canadian-court-orders-google-to-remove-websites-from-its-global-index

Canadians have apparently lost it.
Dean
I wrote about this a couple of weeks ago. http://sidfishes.wordpress.com/2014/05/26/how-casl-could-be-a-spearphishers-delight/

and of course the politicos have written in an exemption for themselves

"In addition, the Regulations provide exclusions from all requirements of the Act for commercial electronic messages that are: [snip] sent by or on behalf of a political party or organization, or a person who is a candidate—as defined in an Act of Parliament or the legislature of a province—for publicly elected office and the message has as its primary purpose soliciting a contribution as defined in subsection 2(1) of the Canada Elections Act."

http://fightspam.gc.ca/eic/site/030.nsf/eng/00271.html
Dean
