Email Server Vulnerability Allows Hackers to Fake Sender Information

Email security is already a challenge for businesses because any employee can compromise it. But historically, nefarious "phishing" emails have been fairly easy to spot: simply check the sender to find out whether the email in question was sent from someone you trust or from some unknown address.

Now, you should not automatically trust the authenticity of the sender address.

Security researcher Sabri Haddouche discovered a vulnerability last year, which he called Mailsploit. Mailsploit affects most of the mail clients widely used in business, including Apple Mail, Mozilla Thunderbird, Opera Mail, AOL Mail, and many more.

His findings revealed a relatively simple way to present the recipient with any address you could imagine, from thom.yorke@radiohead.org to officeofthepresident@whitehouse.gov. Any address could be forged so convincingly that the forgery is unrecognizable. And once you know how, anyone could do it easily.

How Does Mailsploit Work? And More Importantly, How Did This Happen?

“The system that accidentally prevents you from pretending to be the President of the US is good enough for spam protection, but it’s not good enough for phishing protection.”

- Dan Kaminsky, a protocol-focused security researcher and chief scientist at cybersecurity firm White Ops

If your network is a castle, then email is a large gate into that castle. Except imagine this: Every single one of the inhabitants of the castle has a key. Anyone can open that gate at any time to let the barbarian hordes pass inside.

One of the ways cybersecurity experts have attempted to guard this vulnerable gateway is authentication systems, which check that messages were indeed sent by whoever claims to have sent them. The latest version is called Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC filters out emails whose headers claim to come from a source other than the actual one, flagging them as spam.

Although DMARC was not created for the purpose of blocking phishing attempts, it has severely limited would-be phishers, forcing them to approach the sacred email gate in the open and under the light of day.

So, hackers have been forced to take on disguises. You might have seen emails from Amazon.co, or emails pretending to be from Amazon, which upon closer inspection turn out to have come from some random address, like ghenr10.io. The ability anyone has had to look just under the surface and see the truth has been a game-changing advantage for network security.

The vulnerability, Mailsploit, tricks DMARC by exploiting an antiquated way of encoding characters in email headers. Mailsploit works by presenting the real information to mail servers, so DMARC will corroborate that, for instance, an email from hackerkingzzz@youjustgothacked.com does in fact say it is from hackerkingzzz@youjustgothacked.com.

But then, the vulnerability allows a change to occur in the way this information is presented to the recipient. So an email from the above address could look like it came from nancy.pelosi@whitehouse.gov, or any other email the hacker wanted.
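The split the two paragraphs above describe is between what the server authenticates and what the recipient is shown. A receiving gateway or client can catch that split by decoding the From header exactly as a mail client would and comparing the result with the raw header DMARC evaluated. The following Python is an added example written for this post; it is not code from Platte River Networks or from Mailsploit's author. It assumes the raw From header is available as a string, that DMARC has already reported which domain it authenticated via SPF or DKIM (the `authenticated_domain` parameter), and it uses constructed sample headers; the helper names are the example's own.

```python
# Added example, not code from the original post or from Mailsploit's author.
# Assumptions: we sit on the receiving side (gateway or client), the raw From
# header is available as a string, and DMARC has already told us which domain
# was authenticated via SPF or DKIM ("authenticated_domain"). The sample
# headers at the bottom are constructed for this demonstration.
import re
from email.header import decode_header

# Control characters (NUL, CR, LF, ...) have no place in a decoded display name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Loose addr-spec matcher; enough to compare the two views of one header.
ADDR_SPEC = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_as_client(raw_header: str) -> str:
    """Expand RFC 2047 encoded-words the way a mail client does before rendering."""
    pieces = []
    for chunk, charset in decode_header(raw_header):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(chunk)
    return "".join(pieces)


def addresses_in(text: str) -> set[str]:
    """Every address-looking token in the text, lower-cased for comparison."""
    return {m.group(0).lower() for m in ADDR_SPEC.finditer(text)}


def inspect_from_header(raw_header: str, authenticated_domain: str) -> dict:
    """Compare what the server authenticated with what the recipient would see."""
    findings = []
    server_view = addresses_in(raw_header)   # the header as DMARC evaluated it
    decoded = decode_as_client(raw_header)
    client_view = addresses_in(decoded)      # the header as the user would read it

    if CONTROL_CHARS.search(decoded):
        findings.append("control character inside decoded From header")
    hidden = client_view - server_view
    if hidden:
        findings.append("decoding exposes addresses the server never evaluated: "
                        + ", ".join(sorted(hidden)))
    if len(server_view) != 1:
        findings.append("From header does not carry exactly one address")
    else:
        from_domain = next(iter(server_view)).rpartition("@")[2]
        if from_domain != authenticated_domain.lower():
            findings.append(f"From domain {from_domain} not aligned with "
                            f"authenticated domain {authenticated_domain}")
    return {"decoded": decoded, "server_view": server_view,
            "client_view": client_view, "findings": findings}


# Constructed samples: a normal header, and a header whose encoded display
# name hides a second address plus a line break that DMARC never sees.
BENIGN_FROM = "=?utf-8?q?Alice_Example?= <alice@example.com>"
SUSPICIOUS_FROM = "=?utf-8?q?ceo=40example=2Ecom=0A?= <mail@attacker.example>"

if __name__ == "__main__":
    # In both cases DMARC is satisfied: the sending domain really is what the
    # server saw. Only the decoded view differs.
    for raw, domain in ((BENIGN_FROM, "example.com"),
                        (SUSPICIOUS_FROM, "attacker.example")):
        report = inspect_from_header(raw, authenticated_domain=domain)
        print(repr(report["decoded"]))
        print("  findings:", report["findings"] or "none")
```

The second sample passes the alignment check, which is exactly the page's point: DMARC is doing its job, so the defence has to live at the layer where the header is decoded for display. Rejecting control characters in decoded headers and warning when the decoded header carries addresses the server never evaluated are the kinds of checks the patched clients added.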

Who Is Affected by Mailsploit?

Mailsploit was disclosed first to the makers of most of the most popular email servers on the planet late last year. Then it was revealed to the public in December. Most of the largest mail servers have responded by either mitigating or completely eliminating the vulnerability. However, there are still some mail clients that have not yet responded.

Find the full, real-time list of Email Servers Still Vulnerable to Mailsploit >>

Recommendations Moving Forward

It could certainly seem like the Internet is becoming more and more insecure. Within the last year, multiple vulnerabilities have been discovered by professionals like Haddouche: Mailsploit, Spectre and Meltdown, Cisco WebVPN, and others. These are different from attack tools and tactics like ransomware, worms, viruses, and other malware. In some ways they are scarier, because they are like back doors: they have always been there, and anyone could have used them. But once discovered, IT companies have been extremely fast to plug the holes.

This point brings to light another critical difference between vulnerabilities and other malware. Since vulnerabilities are proactively discovered by cybersecurity professionals, they are indicative of the system working to increase defense before a security breach ever occurs. That is a positive sign. On a global scale, cybersecurity networks are beginning to anticipate problems before they become problems.

In the meantime, Mailsploit should hit home how quickly the world can turn upside down, how quickly a trusted source of information can be falsified. Always treat emails with caution and skepticism. Before opening a questionable attachment or clicking a link, it is worth reaching out to the person via another channel to confirm the message comes from them and not a pretender. These multifaceted approaches to security are the best defense against unknown attack vectors.

And if you do get a message from the White House, don't give out your social security number.


Platte River Networks provides its Intuition customers with email security through Mimecast to help protect against this threat. For more information please call us at 303-255-1941 or email David@platteriver.com