Decades-Old Email Flaws Could Let Attackers Mask Their Identities

Decades-Old Email Flaws Could Let Attackers Mask Their Identities

By now you're hopefully familiar with the usual advice to avoid phishing attacks: Don't be too quick to download attachments, don't enter passwords or send money somewhere out of the blue, and, of course, don't click links unless you know for sure where they actually lead. You may even scrutinize each sender's email address to make sure that what looks like [email protected] isn't really [email protected]. But new research shows that even if you check a sender's address down to the letter, you could still be deceived.


At the Black Hat security conference on Thursday, researchers will present "darn subtle" flaws in industry-wide protections used to ensure that emails come from the address they claim to. The study looked at the big three protocols used in email sender authentication—Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC)—and found 18 instances of what the researchers call "evasion exploits." The vulnerabilities don't stem from the protocols themselves, but from how different email services and client applications implement them. Attackers could use these loopholes to make spearphishing attacks even harder to detect.


"I think I’m a savvy, educated user and the reality is, no, that’s actually not enough," says Vern Paxson, cofounder of the network traffic analysis firm Corelight and a researcher at the University of California, Berkeley, who worked on the study along with Jianjun Chen, a postdoctoral researcher at the International Computer Science Institute, and Jian Jiang, senior director of engineering at Shape Security.

"Even users who are pretty savvy are going to look at the indicators that Gmail or Hotmail or others provide and be fooled," Paxson says.


Think ..

Support the originator by clicking the read the rest link below.