By now you’re hopefully familiar with the usual advice to avoid phishing attacks: Don’t be too quick to download attachments, don’t enter passwords or send money somewhere out of the blue, and of course, don’t click links unless you know for sure where they actually lead. You may even scrutinize each sender’s email address to make sure that what looks like firstname.lastname@example.org isn’t really email@example.com. But new research shows that even if you check a sender’s address down to the letter, you could still be deceived.
At the Black Hat security conference on Thursday, researchers will present “darn subtle” flaws in industry-wide protections used to ensure that emails come from the address they claim to. The study looked at the big three protocols used in email sender authentication—Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting and Conformance (DMARC)—and found 18 instances of what the researchers call “evasion exploits.” The vulnerabilities don’t stem from the protocols themselves but from how different email services and client applications implement them. Attackers could use these loopholes to make spear-phishing attacks even harder to detect.
“I think I’m a savvy, educated user, and the reality is, no, that’s actually not enough,” says Vern Paxson, cofounder of the network traffic analysis firm Corelight and a researcher at the University of California, Berkeley, who worked on the study along with Jianjun Chen, a postdoctoral researcher at the International Computer Science Institute, and Jian Jiang, senior director of engineering at Shape Security.
“Even users who are pretty savvy are going to look at the indicators that Gmail or Hotmail or others provide and be fooled,” Paxson says.
Think about when you hand a friend a birthday card at their party. You probably only write their first name on the outside of the envelope, and maybe underline it or draw a heart. If you mail that letter instead, though, you need the recipient’s full name and detailed address, a stamp, and ultimately a postmark with a date on it. Sending email across the internet works similarly. Though email services only require you to fill out the “To” and “Subject” fields, there’s a whole list of more detailed information getting filled out behind the scenes. Those industry-standard “headers,” as they’re known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.
The researchers found that by strategically manipulating different header fields they can produce different types of attacks, all of which can be used to deceive the person on the other end of an email. “What’s the account sending it, and where is it from? There’s not much that enforces that they actually align,” Paxson says.
The 18 exploits fall into three categories. The first set, called “intra-server” attacks, prey on inconsistencies in how a given email service pulls data from headers to authenticate a sender. Take the fact that email headers actually have two “From” fields, HELO and MAIL FROM. Different authentication mechanisms can be set up to reconcile those two fields in different ways. For example, some could be implemented to interpret an email address that begins with an open parenthesis—like (firstname.lastname@example.org—as an empty MAIL FROM field, causing it to rely instead on the HELO field for integrity checks. Those sorts of incongruities create openings for attackers to set up strategic email domains or manipulate message headers to pose as someone else.
The second category focuses on manipulating similar inconsistencies, but between the mail server that receives your message and the app that actually displays it to you. The researchers found, for example, vast inconsistencies in how different servers and clients handle “From” headers that list multiple email addresses or addresses surrounded by different numbers of spaces. Services are supposed to flag such messages as having an authentication issue, but in practice, many will accept either the first address in the list, the last address in the list, or all of the addresses as the From field. Depending on where the email service lands on that spectrum—and how the mail client is configured—attackers can game this progression to send emails that look like they came from a different address than they really did.