Email Security Features Fail to Prevent Phishable 'From' Addresses

The security features for verifying the source of an email header fail to work together properly in many implementations, according to a team of researchers.

Three standards for email security that are supposed to verify the source of a message have critical implementation differences that could allow attackers to send emails from one domain and have them verified as sent from a different — more legitimate-seeming — domain, says a research team who will present their findings at the virtual Black Hat conference next month.


Researchers have discovered 18 different ways of fooling the triumvirate of email technologies — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) — for a subset of email services, including Gmail, and clients, including Microsoft Outlook. While the three technologies should ensure the From header of an email cannot be spoofed (for example, claiming that the email comes from [email protected] when, in fact, an attacker has sent it from their own mail server), the inconsistencies between implementations undermine the authentication that the three technologies are designed to provide.
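The verification the article describes hinges on DMARC "identifier alignment": the domain in the From header must match the domain that SPF or DKIM actually authenticated. The following is an added example (not code from the researchers or from any mail provider) showing that check, written so that an ambiguous From header (more than one header, more than one address, or a malformed address) fails closed instead of being interpreted loosely; the organizational-domain logic is a deliberate simplification and the sample messages are constructed.

```python
import email
from email.utils import getaddresses

def org_domain(domain: str) -> str:
    """Approximate the DMARC organizational domain as the last two labels.
    Simplification for this example; real implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(raw_message: str, spf_domain, dkim_domains, mode: str = "r"):
    """Return (passed, reason). spf_domain is the MAIL FROM domain SPF passed for
    (None if SPF failed); dkim_domains are the d= values of signatures that verified.
    Any ambiguity in the From header is treated as a failure rather than guessed at."""
    msg = email.message_from_string(raw_message)
    froms = msg.get_all("From") or []
    if len(froms) != 1:
        return False, f"{len(froms)} From headers present; refusing to authenticate"
    addrs = [a for _, a in getaddresses(froms) if a]
    if len(addrs) != 1 or addrs[0].count("@") != 1:
        return False, f"ambiguous From address list {addrs!r}"
    from_domain = addrs[0].rsplit("@", 1)[1]
    if aligned(from_domain, spf_domain, mode):
        return True, f"SPF {spf_domain} aligned with From {from_domain}"
    for d in dkim_domains:
        if aligned(from_domain, d, mode):
            return True, f"DKIM d={d} aligned with From {from_domain}"
    return False, f"no authenticated identifier aligns with From {from_domain}"

# Constructed sample messages (not real traffic).
LEGIT = "From: Alice <alice@example.com>\r\nTo: bob@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
TWO_FROMS = "From: ceo@example.com\r\nFrom: x@attacker.example\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(dmarc_verdict(LEGIT, "mail.example.com", []))               # relaxed: pass
    print(dmarc_verdict(LEGIT, "mail.example.com", [], "s"))          # strict: fail
    print(dmarc_verdict(LEGIT, "attacker.example", ["example.com"]))  # DKIM aligns: pass
    print(dmarc_verdict(TWO_FROMS, "attacker.example", []))           # ambiguous: fail
```

The point the article makes is that the two halves of this check (parsing the From header, and deciding which authenticated domain it must match) are implemented by different components in real systems, and a mismatch in how they each read the same header is what lets a message pass.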


The potential for spear-phishing is significant, says Vern Paxson, a professor at the University of California at Berkeley and one of the researchers investigating the issues.


"This is really sobering because the mindset today [is] if you are using an industrial-strength mail system like Gmail, and it tells you that the message really is from '[email protected],' you are going to believe them," says Paxson, who is part of the trio of researchers who conducted the tests. "And it boils down to the fact they followed the spec, but they just did it in ..
