All businesses face phishing attacks – email continues to be the attack vector of choice for cybercriminals when it comes to spreading malware.
Most phishing attacks deliver their payloads via fraudulent e-mails that appear to come from authorized senders. In fact, they come from domains that were set up for purely malicious purposes. For the majority of e-mail users, it is almost impossible to reliably detect fake e-mails every time. This is why phishing is still a problem in the corporate environment – and will remain so for the foreseeable future, especially now that computer scientists have uncovered 18 new security holes that affect the sender authentication of e-mail systems.
The researchers have bundled their findings in a research paper. According to the paper, e-mail servers use various SMTP extensions such as SPF, DKIM and DMARC to prevent e-mail fraud and to reliably authenticate senders. The composition of these software components creates new security gaps that attackers can use to pose as supposedly legitimate people.
“Because of minimal differences in how the various components interpret data, attackers can manipulate these systems,” explains Vern Paxson, professor of computer science at UC Berkeley. Over the course of a year, the researchers were able to develop 18 new techniques that take advantage of these very inconsistencies. These were tested on ten different popular webmail platforms and with 19 email clients. The providers included:
- Gmail.com
- iCloud.com
- Outlook.com
- Yahoo.com
- Naver.com
- Fastmail.com
- Zoho.com
- Tutanota.com
- Protonmail.com
- Mail.ru
The researchers identified three different types of attacks that exploit the vulnerabilities in the various software components: “Intra-Server” attacks, “UI Mismatch” and “Ambiguous Replay”. In the test, all platforms were found to be susceptible to the latter two methods. Six platforms could also be compromised with intra-server attacks. The following video gives you an insight into the procedure:
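The weak point the researchers describe is that SPF, DKIM, DMARC and the mail client may each read a different sender out of the same message. A receiving system can at least refuse to work with messages where that reading is not unambiguous. The following is an added example, not code from the paper or from the espoofer tool: it takes raw headers, requires exactly one From header with exactly one mailbox, and checks that the From domain is one that SPF or DKIM actually authenticated according to the Authentication-Results header. The message samples and the domain names are constructed; the alignment check is strict (exact domain match) rather than DMARC's relaxed mode, which needs the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample: one From header, and the SPF/DKIM-authenticated domain
# is the same as the From domain.
CLEAN_MSG = b"""From: Alice <alice@bank.example>
To: bob@corp.example
Subject: statement
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
Date: Mon, 01 Jan 2024 00:00:00 +0000

body
"""

# Constructed sample: two From headers (RFC 5322 allows only one), and the
# authenticated domain is not the one a client would most likely display.
SUSPICIOUS_MSG = b"""From: Alice <alice@bank.example>
From: billing@other.example
To: bob@corp.example
Subject: statement
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=other.example; dkim=pass header.d=other.example
Date: Mon, 01 Jan 2024 00:00:00 +0000

body
"""

# Minimal parsers for the two Authentication-Results clauses we care about.
AUTH_RE = {
    "spf": re.compile(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", re.I),
    "dkim": re.compile(r"dkim=(\w+)\s+header\.d=([^\s;]+)", re.I),
}


def domain_of(addr_or_domain: str) -> str:
    """Lower-cased domain part of an address, or the value itself if bare."""
    return addr_or_domain.rsplit("@", 1)[-1].strip().lower()


def authenticated_domains(msg) -> set:
    """Domains for which Authentication-Results reports spf=pass or dkim=pass."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        for rx in AUTH_RE.values():
            for result, ident in rx.findall(value):
                if result.lower() == "pass":
                    passed.add(domain_of(ident))
    return passed


def check_sender(raw: bytes) -> list:
    """Return a list of findings; an empty list means the sender is unambiguous
    and authenticated. compat32 keeps header values as plain strings."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    findings = []
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        findings.append(f"expected exactly one From header, found {len(froms)}")
    mailboxes = [addr for _, addr in getaddresses(froms) if addr]
    if len(mailboxes) != 1:
        findings.append(f"expected exactly one From mailbox, found {len(mailboxes)}")
    if mailboxes:
        # Use the first mailbox, the one most clients would display.
        from_domain = domain_of(mailboxes[0])
        passed = authenticated_domains(msg)
        if from_domain not in passed:
            findings.append(
                f"From domain {from_domain} was not authenticated "
                f"(passed: {sorted(passed) or 'none'})"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MSG), ("suspicious", SUSPICIOUS_MSG)):
        print(name, check_sender(sample) or "ok")
```

Two caveats when using such a check in production: Authentication-Results is only trustworthy if your own MX strips any copy that arrived from outside before adding its own (RFC 8601 requires this), and a real DMARC evaluation should use the Public Suffix List for relaxed alignment rather than exact domain equality.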
“Not even security-experienced users who are familiar with the systems and processes can be sure that e-mails actually originate from the sender, unless they are really extremely careful and watch every raw header very carefully. And even that is in some cases not enough to detect and prevent an attack,” says Paxson.
For the professor, the research results underscore the fragility of all email systems. The e-mail providers concerned were of course informed about the security gaps – most providers were astonished and recognized the problem, and some also paid out bug bounty rewards.
In the case of Microsoft and Yahoo, however, the response left a lot to be desired: Microsoft simply dismissed the problem as an enabler for social engineering and thus did not recognize it as an “official” security hole, while Yahoo apparently completely failed to understand the methods used, as Paxson reports: “We even sent them a video. They just didn’t understand it.”
The researchers are unable to make a reliable statement about whether any of the 18 attack methods discovered is already being used by criminal hackers: “Finding the weak points required a great deal of technical sophistication. If the methods are used, then only by really experienced actors,” says Paxson. “Unfortunately, we have no way of measuring that. At the most, Google could do that if the company searched all Gmail headers. Apart from that: who can say with certainty how many other security gaps there are still to be discovered?”
Another tangible result of the research by Paxson and his team is the “espoofer” tool, which private individuals, system administrators and security researchers can download free of charge from GitHub and which is intended to help prevent email fraud.
Until the software inconsistencies are eliminated – or an end-to-end encrypted email system is developed and supported by a broad user base – there is only one way for companies to prevent phishing attacks: Sustainable security awareness programs. (fm)
This article is based on an article from our US sister publication CSO Online.
- Ignore emails that ask for confidential information!
Feature: In order to achieve the highest possible opening rate, an attempt is often made to create fear in the hope that the user will in this way give up his usual caution. The trick of pretending that the account (at the bank, PayPal or Facebook) or credit card is about to be blocked is particularly popular – combined with the request to log on to a page linked from the email in order to unblock it. Most of the time, the fraudsters also try to build up time pressure by claiming that the data must be entered within the next 24 hours.
Tip: In general, banks, credit card companies and online payment services do not send any e-mails that link to a page on which you should enter your account details. Delete the email immediately and never click on the link! Simply visiting the site can lead to infection with a virus or trojan (drive-by download)!
- Check if the website is secured!
Feature: Websites on which important data is to be entered are usually protected by a secure connection. This can be recognized by the fact that the web address (URL) begins with https:// instead of http://. If an e-mail requesting confidential information links to an unsecured website, it is very likely that it is forged. However, the phishers often hide the actual target URL behind an allegedly secured bogus address.
Tip: Check where the link actually leads: by right-clicking on the link and selecting “Properties” or, if you have already clicked the link, by checking the address in the address bar. The same applies here: If in doubt, do not click the link and delete the email!
- Pay attention to the exact spelling of the URL!
Feature: In order to achieve their goal, the phishers have to create the impression that the e-mail and the page on which the user is supposed to enter his data are real and belong to the alleged sender. Therefore, they choose addresses that at first glance look like a real address, for example the bank’s. Addresses that are not used by the bank but appear plausible are used (e.g. www.sparkasseonline.de), or inconspicuous spelling mistakes are incorporated (“postank” instead of “postbank”).
Tip: Always pay attention to the spelling of the URL (also in the e-mail sender!) and check for spelling mistakes! Also check which URL the company usually uses (by comparison with the website or with real emails)!
- Pay close attention to what data you should enter!
Feature: Access to online accounts and the use of credit cards usually require a multi-level authentication process. For online accounts these are, for example, the account number and TAN; for credit cards the card number, the expiry date and the three-digit verification number. For some time now, verification using the so-called 3D Secure procedure (e.g. “Verified by Visa”) has also been available as a secure alternative.
Tip: If you are asked to enter more than one TAN, or both your verification number and the 3D Secure ID, this is phishing. Legitimate websites never ask for both at the same time.
- Not only account and credit card phishing is dangerous!
Feature: Phishers have long since ceased to be interested only in bank or credit card details. In general, every access to online services is interesting, be it the webmail account, access to social networks, or even business services like Google AdWords. For example, spammers use the captured data to run campaigns for their own pages – at the expense of the deceived users.
Tip: Treat all access data to Internet services confidentially, even if they do not seem important to you! Supposed emails from Facebook or Hotmail can be just as dangerous as emails from your bank.
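The second and third tips above (check the scheme, check where the link really leads, check the spelling of the domain) can be automated for a mail gateway or a browser extension. The following is an added example, not code from the article or from any named product: it assesses a link against a constructed allow-list of domains users legitimately log in to, flags non-https targets, flags link text that shows a different domain than the target, and flags lookalike domains either by small edit distance (the “postank” case) or by a known brand name padded with extra words (the “sparkasseonline” case). The allow-list, the registered-domain approximation and the distance threshold are assumptions; production code should use the Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of domains users of this hypothetical organisation
# really use. A real deployment would maintain this list centrally.
KNOWN_DOMAINS = {"postbank.de", "sparkasse.de", "paypal.com"}

# Visible link text that itself looks like a URL or bare domain.
URLISH = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one-letter typo domains have distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Approximation (last two labels) of the registrable domain; use the
    Public Suffix List in real code, e.g. for co.uk style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def hostname_of(text: str):
    """Hostname from a URL or from a bare domain used as link text."""
    if "://" not in text:
        text = "https://" + text
    return urlsplit(text).hostname


def lookalikes(reg: str) -> list:
    """Known domains that reg imitates by typo or by brand-name padding."""
    hits = []
    brand = reg.split(".")[0]
    for known in KNOWN_DOMAINS:
        known_brand = known.split(".")[0]
        typo = 0 < levenshtein(reg, known) <= 2
        padded = known_brand in brand and brand != known_brand
        if typo or padded:
            hits.append(known)
    return sorted(hits)


def assess_link(href: str, visible_text: str = "") -> list:
    """Return a list of findings for one link; empty means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    if parts.scheme.lower() != "https":
        findings.append("target is not https")
    host = parts.hostname or ""
    reg = registered_domain(host)
    text = visible_text.strip()
    shown = hostname_of(text) if URLISH.match(text) else None
    if shown and registered_domain(shown) != reg:
        findings.append(f"link text shows {shown} but target is {host}")
    if reg not in KNOWN_DOMAINS:
        hits = lookalikes(reg)
        if hits:
            findings.append(f"{reg} resembles known domain(s) {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for href, text in (
        ("https://www.postbank.de/login", "www.postbank.de"),
        ("http://www.postank.de/login", "Log in now"),
        ("https://www.sparkasseonline.de/", "www.sparkasse.de"),
    ):
        print(href, assess_link(href, text) or "ok")
```

The brand-padding rule is deliberately broad: it will also flag harmless third-party sites that embed a brand name, so treat the output as a prompt for the user to verify the domain against real correspondence, as the tip says, rather than as an automatic block.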