CyberWire Daily - Measuring the spearphishing threat. [Research Saturday]
Episode Date: July 21, 2018
Researchers Gang Wang and Hang Hu from Virginia Tech recently conducted an end-to-end measurement of 35 popular email providers and examined user reactions to spoofing through a real-world spoofing/phishing test. Gang Wang joins us to share the sobering results. End-to-End Measurements of Email Spoofing Attacks: https://people.cs.vt.edu/gangwang/usenix-draft.pdf
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
They start from me getting a lot of phishing emails, actually.
That's Gang Wang. He's an assistant professor of computer science at Virginia Tech.
The research we're discussing today is End-to-End Measurements of Email Spoofing Attacks.
It's a research paper he co-authored with his colleague Hang Hu.
Spear phishing is basically a phishing email
where attackers try to trick you into doing something,
often about revealing important information,
such as your password or your credit card information.
We are a public university, and I'm a faculty member here,
so I often get a lot of phishing emails.
So sometimes the email sender was impersonating technical support for the Virginia Tech network and
internal system, or sometimes trying to get some personal information such as your social security number
or credit card information. So as a computer scientist, I sort of have the knowledge that
the system that we're using to send an email is not secure to begin with. So the fundamental
protocol is called SMTP.
The protocol is pretty old, actually. It's a 40-year-old protocol. Now, the protocol itself does
not have any security features, and it has been a while. But what I know is that there have been
efforts to try to improve the protocol by adding extensions and try to prevent attackers from impersonating someone else.
That got me curious. So I want to see how well we're doing since, for example, starting from
early 2000, there are people trying to develop, standardize those defense protocols. And we start
from there and see, it has been 10, 20 years, how well we're
doing. But the result is not very encouraging. It shows that even today, it's actually pretty
easy for attackers to impersonate your co-workers, your supervisor, or literally anyone they want
to send an email to you and trick you into doing things.
So the fundamental reason we found is that the anti-spoofing protocols are not widely adopted or not correctly adopted.
So there are lots of problems.
Of the 35 different email service providers we tested, 34 of them could be penetrated by at least one of the phishing or spoofing emails we sent.
And if we actually spoof an existing contact of the victim, then every single email service we tested can be penetrated.
Well, let's back up a little bit.
If I want to spoof an email to you, how would I go about doing that?
The email was actually sent from a given address, your supervisor's address or your co-worker's address.
And then I can just throw the email to the protocol and it will just go to your inbox.
It's just simple like that.
Right. So as designed, there are no checks or balances in place with SMTP to check that the information that's put in there is accurate.
That's correct. When the protocol was initially designed,
there were no security features to verify who the actual sender is. There were no security features to actually encrypt the email as well. So since the early 2000s, some efforts started. But yes,
you're right.
So what are some of the efforts that were put in place to try to improve the situation?
Since early 2000, people have been developing the so-called SMTP extension protocols.
So one of them is called SPF. The idea is that when people send emails, they also want to verify if the IP address is actually associated with the actual sender address.
So using IP addresses, then you can verify if the sender that they claim to be actually using the associated IP addresses.
So this is just the high level of how one of the protocol works.
There is actually, right now, also a DKIM protocol, and there's also a DMARC protocol
that they try to work with each other and compensate each other's weaknesses. Of course, there's ongoing development of some new protocols
that try to further improve the performance of the protocol. But the challenge, as I mentioned,
is that any new protocols will face a challenge to be widely adopted, especially in the current
state of the internet, where it's hard to make everybody
stand on the same page. Right. And of course, these security protocols are voluntary.
That's correct. If you do not implement the security protocol as a sender, the receiver
cannot just block all the emails from you. Because as an email service provider, there's one thing you
cannot do is to lose legitimate emails. So that's why it's hard to force everybody to be adopting
every single protocol as we standardize. Take us through how you approached your
research here. Describe to us the experiments that you designed.
It's more like a black box testing that you control the input
to the black box and you observe the output coming out of the black box. So here we're treating a
given email service provider, for example, Gmail, as the black box. So what we do is that we set up
our own accounts on Gmail so we can create our own email
addresses.
Then we treat them as the receiver.
Then we kind of send emails with a different kind of configurations and parameters to Gmail
to that particular receiver address that we set up.
So in this way, we can control the input by changing the configurations.
For example, who we spoof, what's the email content, what IPs we're using, and then observe what's happening in the output, which is whether the email was delivered to the inbox, whether the email was placed to the spam folder, or is completely blocked in the process.
So this is basically the high-level setup of
the experiment. So this allowed us to see, given a certain condition of the spoofing email,
how likely they can penetrate the email service that we're testing.
And so you tested a variety of email services.
That's correct. So in total, we tested 35 different email services, including the most popular ones,
for example, Gmail, Apple's iCloud, Microsoft Outlook, or Hotmail, whichever name you want to use,
and also Yahoo Mail as well.
And so how did they do?
Did some of them shine as being better than the others?
Well, it depends, right?
So if you look at the so-called penetration rate or inbox
rate, so we calculate what's the percentage of the emails that eventually reach your inbox.
So the result we found is not very encouraging. So basically 34 out of 35 have at least one
spoofing email arrived in the inbox. So the only exception,
the only one that blocks every email we send is Hotmail or Outlook. But they're not 100%
secure, which means that if you actually spoof an existing contact of the receiver,
then Hotmail will let that spoofing email go through to the inbox.
Technically, it's 35 out of 35.
One of the things I noticed in your research that stood out to me was that you noted that
25 out of the 35 providers would automatically load the spoofed sender's photo.
So if I was pretending to be someone in your organization, then in addition to the email getting through, it would pop up a photo, which of course just reinforces in the receiver's mind that this is probably a legit email.
That's correct.
When emails come to a user's inbox, for usability purposes, email service providers often implement those UI elements to remind you who the sender is. So for example, sometimes they
load a profile photo of the sender. Sometimes they do even more, for example, listing the previous
conversations you have with that particular user. Or sometimes they have this kind of a little,
you know, name card listing all the other information about that user to remind you who this user is. But again,
if the sender address is not verified, and sometimes it's spoofed by the attacker,
it reinforces the so-called trust, or fake sense of security, in the victim.
Now, one of the things you looked into was how the various email providers alert the user that
perhaps something needs a little more attention.
Can you take us through,
what was your methodology there
and what did you discover?
Again, as I said,
35 out of the 35 email service providers
have some part of the spoofing email
delivered to the inbox.
So once the email is in the inbox,
what we do is try to check the emails through different user interfaces.
So, for example, we check emails by opening up a browser and check emails.
We check emails by using the dedicated mobile applications.
For example, Gmail or Yahoo Mail have their mobile apps.
And we also check emails through the third-party email clients. For example, Microsoft Outlook has an email client that works for different email providers.
Now, what we found is that only a small number of email services or email providers have some security indicator on their interface to warn a user that the email is not verified. So for example,
if you are a Gmail user, when the sender is not verified, you can see a little red question mark on the sender's profile photo, which essentially means that the sender address is not verified.
And if you move your mouse over that question mark, it shows a text message of
explanation to say, hey, Gmail cannot verify the sender, and this is not a spammer. So that'll show
up to, I think, eight out of the 35 email services that we tested. And this is on the web interface.
On the mobile interface, there's an even smaller number of service providers that have that. I think the number is six out of 35. Some of the information is moved away. So unfortunately, security
information is one of the pieces of information that has been moved away compared to the web interface.
Now, one of the things that you pointed out was that email providers tend to err on the side of
delivering the email. When in doubt, I guess they consider it better to deliver that email than not.
That is correct, because as an email service provider, they cannot afford losing legitimate emails. So imagine you're a Gmail user and you
lose an email from an important client or a customer, and that's unacceptable. So that's why this is a
really hard trade-off, because as I previously mentioned, not every single email service or not
every single internet host has adopted those anti-spoofing protocols. So if there's a legitimate
email sender that has not adopted that protocol, you as Gmail or you as Yahoo Mail cannot effectively
verify if the sender is trusted. In those cases, you cannot simply say, hey, everybody who has an
unverified address needs to be dropped. That's not acceptable because from the user's perspective,
their first priority is to receive emails. So that's why you can see that if you spoof the
right sender and if you configure the email content correctly, then the spoofing email can directly
penetrate the service provider and get to the inbox. And one of the things you noted in the
research is that there's a relatively low adoption rate of these authenticating extensions.
Yes, the adoption rate is relatively low. So what we observe is that out of the top 1 million hosts ranked by Alexa,
only 44% of the hosts have SPF protocols adopted, and only 5% of the hosts have DMARC protocols
adopted, because DMARC is relatively new. So this is basically a concern, because not every internet host or email sender is playing the same game.
So the receivers cannot treat them as attackers.
They are legitimate hosts.
Now, what did you discover in terms of what were the most effective ways to get a spoofed email through?
You looked at different techniques, yes?
That's correct. So there are different factors,
right? So for example, we have tested whether it is easy to deliver an email by spoofing particular
senders or whether it is easier to change the email content or change our IP address. So what
we found is that the most important factor is actually to look at whether the email receiver has adopted
the protocol. So for example, if I wanted to send an email to Gmail user, it's slightly harder
because Gmail has all the protocols adopted. It will check every single email's sender address
and try to verify if possible. But on the other hand, other email services who have not
adopted this protocol,
who don't check the email sender at all,
are easier to penetrate.
The second most important factor,
which is very obvious,
is that it matters who you're spoofing.
So for example,
if you spoof an email sender
that has not published their SPF or DKIM record,
it's easier to spoof them.
So the takeaway is that you can have a higher success rate by spoofing a sender that is
not protected or sending emails to a receiver that does not track the authenticity of
the sender.
In terms of the takeaways from your research,
given the ubiquity of email and the fact that most of us still need to use it,
what are your recommendations for folks to do the best job possible to protect themselves?
Well, from the user's perspective, given the current situation, I think we should at least first eliminate some of the bad advice to users. So for example, I still remember that I saw some security advice online that you should always check who is sending you the email and see if they are someone you can recognize.
That's bad advice, because attackers can easily impersonate whoever you know in real life.
So I guess better advice, or more accurate advice, is don't trust the sender address,
given the current situation that email providers cannot fully authenticate them.
Another piece of advice is, you know, from the user's perspective, you should always stay skeptical
and alert. So for very important operations, for example, if there are emails that ask you to give away critical information or make big payments, always try to perform additional confirmation through a different channel.
So, for example, maybe you can make a phone call to the sender and check if this is really that sender that tried to ask you to do this.
As an additional bonus, if you actually want to see
a quick demo, I can actually spoof one of your
co-workers if you like, to actually send an email
to you and for you to sort of see if this can
get through.
While it-
Let's do it.
This actually depends on whether your email service
provider, which is CyberWire, actually can block this.
Maybe you guys are doing a better job than others.
All right, well let's try it out.
So if you can send me a name and email address
that you want me to impersonate,
I can try to do that and see how it goes.
Here, I'll send you that on.
Okay, just this.
Just like that, yep, just like it is there in the email.
So I assume this is your co-worker. Yep. He's my boss, actually.
Oh, okay. Even better. Yeah.
All right. See, it's very easy. I just sent it.
So let's wait and wait and wait. Uh, from my side,
it says the message sent successfully.
It'll probably take a minute or so to arrive.
And if you didn't receive any email on the inbox, please try to check the spam folder,
which means great. You guys sort of block it, at least put it in the spam
folder. If you see nothing, that means you completely dropped that
email. That's even better. Alright, I haven't had anything come through directly.
Let's look in the, uh, let's look in the junk filter. Oh, Hey Dave, this is Peter. Is that it? Yep. That's it.
Yep. It went in the junk mail. Okay. That's good. Yep. It says this message appears to be junk mail.
Be aware of links in this message. So I got an indication in Outlook with a little red envelope and a warning message.
So I got the message from you. Excellent. So tell me what's going on here. So you tried to
spoof an email to me. What do you suppose my email software did to flag this? How do you suppose it
sensed it? So currently what happened is that I tried to spoof an email that pretends to come from your own email service.
So, for example, both you and Peter are using the same email service provider.
And that email provider has the ability to actually cross check themselves to say if this email actually sent through my own service.
If it is not, they can easily flag this as, okay, this is not
real. So if I actually spoof a different
email service provider, let's see, gmail.com,
things might be different. But in that case, if I spoof
gmail.com, what your email provider can do is
to check if the sender address, which is gmail.com, actually authenticated that email.
Gmail has an SPF record to show a list of IPs that it can send email on behalf of Gmail.
And obviously, I don't own that IP address, which means that your email service provider shouldn't be able to detect that and block it.
All right. I just sent you another one. This is my wife.
Oh, okay.
So let's see if this one works. This is fun.
All right. Let's see. So from address. Okay. This is a different email provider.
Yep.
All right. So I also need to get your email, which is Dave.
Yes, I got it.
So I got everything.
So subject, let's make it easier.
Test.
All right.
Test.
So it went through to you.
So let's see this time if it's in the inbox or also the spam folder.
Yeah, let's check it out. All right.
All right, let's see.
This particular email is, well, technically it will be harder to find
because this is no longer from the own email service that you are using now.
So they need to go the extra mile to check if the current email,
sort of, this sender, would instruct your email provider to block them.
Right. All right. Oh, yep, it came through. Yeah, it looks like it came through
free and clear, no problems. Yep. Oh, wow, this is the one that actually went to the inbox. Yeah, yeah. Oh, okay.
Yeah, well, there you go. We got a one out of two. All right. Well, it's as much fun as it was. I'm glad that you're a good guy,
but it just certainly does demonstrate how easy it is and how we should be aware of it.
Yeah. So as I said, never trust the email sender.
Right. It's a field that you should just ignore.
Right.
Our thanks to Gang Wang for joining us.
The research is titled End-to-End Measurements of Email Spoofing Attacks.
We'll have a link to the research paper
in the show notes of this episode.
Thanks for listening.