Forging E-Mails: New Ways to Phishing Success

All businesses face phishing attacks – email continues to be the attack vector of choice for cybercriminals when it comes to spreading malware.

Most phishing attacks deliver their payloads via fraudulent e-mails that pose as messages from trusted, supposedly authorized senders; in reality they originate from domains set up for purely malicious purposes. For the majority of e-mail users it is almost impossible to reliably detect such forgeries every time. This is why phishing remains a problem in the corporate environment, and will remain one for the foreseeable future: computer scientists have now uncovered 18 new ways to defeat the sender authentication of e-mail systems.

The researchers have published their findings in a research paper (Composition Kills: A Case Study of Email Sender Authentication, USENIX Security 2020). E-mail servers rely on authentication mechanisms layered on top of SMTP, in particular SPF, DKIM and DMARC, to prevent e-mail fraud and to reliably authenticate senders: SPF checks whether the sending IP address is authorized for the envelope sender's domain, DKIM verifies a cryptographic signature over selected headers and the body, and DMARC ties both results to the domain in the From header that the user actually sees. It is the composition of these components, each implemented separately and each parsing the same headers in its own way, that opens new security gaps which attackers can use to pose as supposedly legitimate senders.

“Because of minimal differences in how the various components interpret data, attackers can manipulate these systems,” explains Vern Paxson, professor of computer science at UC Berkeley. Over the course of a year, the researchers developed 18 new techniques that exploit precisely these inconsistencies. They tested them against ten popular e-mail providers and 19 e-mail clients. The providers included:

  • Gmail.com

  • iCloud.com

  • Outlook.com

  • Yahoo.com

  • Naver.com

  • Fastmail.com

  • Zoho.com

  • Tutanota.com

  • Protonmail.com

  • Mail.ru

The researchers group the attacks into three classes, according to which components disagree: intra-server attacks (inconsistencies between components on the same receiving server), UI-mismatch attacks (the server authenticates one sender identity while the client displays another) and ambiguous-replay attacks (a legitimately signed message is re-sent in a form whose headers can be interpreted in more than one way). In the test, all ten providers were susceptible to the latter two classes; six could also be compromised with intra-server attacks. The original article embeds a video demonstrating the procedure.
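The following is an added example, not code from the article or from the researchers' tool, that makes the “minimal differences in how the various components interpret data” point concrete for the UI-mismatch class. Two deliberately lenient parsers stand in for an authentication component and a mail client's display path; both are hypothetical models written for this illustration, not the code of any provider or client named above. The From: header values are constructed samples; bank.example is the impersonated organisation and evil.example is the attacker's own domain, for which the attacker can obtain a passing SPF/DKIM result. The strict parser at the end is the check a receiver can add: it accepts only one unambiguous mailbox and treats everything else as an authentication failure.

```python
import re

# Constructed sample From: header values (not taken from the article or the paper).
# bank.example stands for the impersonated organisation, evil.example for the
# attacker's own domain, for which the attacker can obtain a valid SPF/DKIM result.
SAMPLES = {
    "plain":            "CEO <ceo@bank.example>",
    "two_mailboxes":    "CEO <ceo@bank.example>, <attacker@evil.example>",
    "addr_in_name":     "ceo@bank.example <attacker@evil.example>",
    "quoted_addr_name": '"CEO <ceo@bank.example>" <attacker@evil.example>',
}

ANGLE_ADDR = re.compile(r"<([^<>]*)>")
ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_of(addr):
    """Domain part of an addr-spec, lower-cased; None if there is no address."""
    return addr.rpartition("@")[2].strip().lower() if addr else None


def lenient_auth_address(from_value):
    """Illustrative model of a lenient authentication component (hypothetical, not a
    real DMARC implementation): it trusts the LAST angle-addr in the header and only
    falls back to the first bare addr-spec when there is none."""
    angles = ANGLE_ADDR.findall(from_value)
    if angles:
        return angles[-1].strip()
    m = ADDR_SPEC.search(from_value)
    return m.group(0) if m else None


def lenient_ui_address(from_value):
    """Illustrative model of a lenient display path (hypothetical, not a specific
    client): it shows the FIRST thing that looks like an address, wherever it sits."""
    m = ADDR_SPEC.search(from_value)
    return m.group(0) if m else None


STRICT_MAILBOX = re.compile(
    r"""^\s*(?:
            (?P<name> "[^"@<>]*" | [^"@<>,:;()\[\]]*? )   # display name: no @, no <
            \s*<(?P<addr>[^<>@\s,"]+@[^<>@\s,"]+)>         # followed by exactly one angle-addr
          |
            (?P<bare>[^<>@\s,"]+@[^<>@\s,"]+)              # or a bare addr-spec, nothing else
        )\s*$""",
    re.VERBOSE,
)


def strict_from_domain(from_value):
    """Hardened extraction: accept only a single unambiguous mailbox and return its
    domain. Several mailboxes, an '@' or '<' inside the display name, or trailing
    junk all return None, which the caller should treat as an authentication failure."""
    m = STRICT_MAILBOX.match(from_value)
    if not m:
        return None
    return domain_of(m.group("addr") or m.group("bare"))


def audit(from_value):
    """Compare the domain the lenient authenticator would align against with the
    domain the lenient UI would show, and record what the strict parser makes of it."""
    auth = domain_of(lenient_auth_address(from_value))
    shown = domain_of(lenient_ui_address(from_value))
    return {
        "auth_domain": auth,
        "ui_domain": shown,
        "mismatch": auth != shown,
        "strict_domain": strict_from_domain(from_value),
    }


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:18} {audit(value)}")
```

For the three crafted samples the model authenticator aligns against evil.example (where the attacker's DKIM signature and SPF record pass), while the model client shows an address at bank.example; only the plain header agrees on both sides. The strict parser rejects all three crafted headers and still accepts ordinary quoted display names such as "Dr. Smith, CEO". RFC 7489 leaves the handling of a From header with several mailboxes to the implementation and explicitly names rejection or quarantine as acceptable choices, so returning None here is a conservative but standards-conformant policy.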

“Not even security-experienced users who are familiar with the systems and processes can be sure that e-mails actually originate from the sender, unless they are really extremely careful and watch every raw header very carefully. And even that is in some cases not enough to detect and prevent an attack,” says Paxson.

For the professor, the results underscore the fragility of e-mail systems as a whole. The affected e-mail providers were informed about the security gaps; most were surprised and acknowledged the problem, and some paid bug bounties.

In the case of Microsoft and Yahoo, however, the response left a lot to be desired: Microsoft dismissed the problem as a mere enabler of social engineering and thus does not recognize it as an “official” security vulnerability, while Yahoo apparently did not understand the methods at all, as Paxson reports: “We even sent them a video. They just didn’t understand it.”

The researchers cannot say reliably whether any of the 18 attack methods is already being used by criminal hackers: “Finding the weak points required a great deal of technical sophistication. If the methods are used, then only by really experienced actors,” says Paxson. “Unfortunately, we have no way of measuring that. At the most, Google could do that if the company searched all Gmail headers. Apart from that: who can say with certainty how many other security gaps there are still to be discovered?”

Another tangible result of the work by Paxson and his team is the “espoofer” tool, which private individuals, system administrators and security researchers can download free of charge from GitHub. It lets them test their own mail servers and clients against the discovered spoofing techniques, so that gaps can be closed before attackers exploit them.

Until the software inconsistencies are eliminated, or an end-to-end encrypted e-mail system is developed and adopted by a broad user base, there is only one way for companies to counter phishing attacks: sustained security awareness programs. (fm)

This article is based on an article from our US sister publication CSO Online.
