Flaws in how email is forwarded make it surprisingly simple to send messages with forged sender addresses. The flaws, discovered by a team of computer scientists at the University of California San Diego, undermine the authenticity of mail from a wide range of domains, including numerous United States government agencies, financial services companies such as Mastercard, and major news organizations such as The Washington Post and the Associated Press.
The technique, termed "forwarding-based spoofing", lets scammers send emails that appear to come from reputable organizations while evading the safeguards of email providers such as Gmail and Outlook. Recipients who open such a message are more likely to follow malicious links or open attachments that install malware on their devices.
The heart of the problem lies in email forwarding. The sender-authentication protocol involved (SPF, the Sender Policy Framework, under which a domain publishes the IP addresses allowed to send mail for it) assumed that each organization ran its own email infrastructure on dedicated IP addresses used only for that purpose. Today, however, many organizations outsource their email to third-party providers such as Gmail and Outlook, and thousands of domains authorize those providers' servers to send mail on their behalf. The providers do check that their own users send only from addresses they control, but email forwarding sidesteps that check: a forwarded message leaves the provider's servers with the original sender address intact.
Consider state.gov, the Department of State's email domain. Outlook's servers are authorized to send mail for state.gov, so a state.gov message that arrives from an Outlook server looks legitimate. An attacker can therefore send a forged state.gov message through their personal Outlook account: because it arrives from an Outlook mail server, the recipient's checks treat it as genuine. The same issue exists at other providers, including iCloud, Gmail, and Zoho Mail.
The team reported the vulnerabilities to Microsoft, Apple, and Google, but no complete fix has been deployed, largely because it would require overhauling decades-old legacy systems. Short-term mitigations exist but are insufficient; preventing future spoofing attacks needs a sounder email security foundation.
The team presented the findings at the 8th IEEE European Symposium on Security and Privacy (EuroS&P), held in Delft from July 3 to 7, 2023, where the paper won the best paper award.
Various Attack Scenarios
Using email forwarding, the researchers devised four separate attack scenarios. In the first three, the attacker must control both the sending and the forwarding accounts, operate a server capable of delivering forged emails, and hold an account with a third-party service that permits open forwarding.
Attacker's Account: The attacker creates a personal forwarding account, adds the spoofed address to the account's whitelist (a list of senders exempt from the provider's security checks), and configures the account to forward all mail to the intended victim. They then craft an email that appears to come from state.gov and send it to that personal Outlook account, which forwards the spoofed message on to the victim. More than 12% of the top 100,000 Alexa-ranked email domains, including major news outlets, financial institutions, and government entities, are vulnerable to this attack.
Outlook to Gmail Attack: Here the attacker creates a personal Outlook account to relay forged messages into Gmail. They impersonate a domain that is also hosted by Outlook, send the forged message from their own server to the personal Outlook account, and have that account forward it to any number of Gmail addresses. By the researchers' estimate, 1.9 billion users worldwide are exposed to this form of attack.
Mailing List Services: The researchers also found variants of these attacks that work against four popular mailing list services: Google Groups, Mailman, Listserv, and Gaggle.
Potential Solutions
To address these vulnerabilities, the researchers propose several measures:
Turning off Open Forwarding: Providers should disable open forwarding, the feature that lets users forward messages to any email address without verification. Gmail and Outlook currently offer it.
Eliminating Assumptions: Providers should stop treating mail that arrives from high-profile email services as inherently trustworthy, and drop the loosened validation policies that rest on that premise.
Sender Confirmation for Mailing Lists: Mailing lists should require confirmation from the genuine sender's address before delivering an email.
While these measures are important, the researchers note that they require extensive cooperation between parties and may run into operational hurdles. Email security mechanisms are complex and distributed across many organizations, producing a broad attack surface that no single body can readily manage.
The flaws in email forwarding underscore the need for stronger email security. As scammers continue to exploit them, providers and organizations must work together to harden email systems against spoofing and preserve the integrity of online communication.
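To make the mechanics concrete, here is an added example (not code from the paper or this article) that models SPF evaluation and a receiver's acceptance policy in Python over constructed DNS records: state.gov stands in for the spoofed domain as in the article, and the hypothetical provider.example stands in for a shared provider such as Outlook. It plays out three cases: the direct spoof that SPF stops; the forwarded spoof of the "Attacker's Account" scenario, which passes because the provider's servers are authorized for the spoofed domain (assuming, as that scenario requires, that the forwarder leaves the original envelope sender untouched); and a forwarder that rewrites the envelope sender, where delivery then hinges on the "Eliminating Assumptions" point, namely whether the receiver waives DMARC enforcement for mail from a big provider. All IP ranges are documentation ranges chosen for the example, and every record, address and function name is an assumption of the example.

```python
"""Added example: a toy SPF evaluator and receiver policy that reproduce
forwarding-based spoofing. Every record, IP and address below is constructed
for illustration; provider.example is a stand-in for a shared provider such
as Outlook, not a real domain, and state.gov's record is invented."""
import ipaddress

# Constructed SPF zone (hypothetical records, not real DNS).
SPF = {
    "state.gov": "v=spf1 include:spf.provider.example -all",      # mail outsourced to the provider
    "provider.example": "v=spf1 include:spf.provider.example -all",
    "spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all",    # the provider's outbound IPs
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
# Constructed DMARC policies (p= value only).
DMARC = {"state.gov": "reject", "attacker.example": "none"}
# IP space a receiver might treat as "a big, trusted provider" (hypothetical).
BIG_PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def spf_check(domain: str, client_ip: str, depth: int = 0) -> str:
    """Minimal SPF: supports ip4:, include: and the -all / ~all terminator."""
    record = SPF.get(domain)
    if record is None or depth > 10:          # no record, or include-loop guard
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the v=spf1 tag
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.startswith("include:") and spf_check(term[8:], client_ip, depth + 1) == "pass":
            return "pass"
        if term == "-all":
            return "fail"
        if term == "~all":
            return "softfail"
    return "neutral"


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def receiver_decision(client_ip: str, mail_from: str, header_from: str,
                      trust_big_providers: bool) -> str:
    """Accept or reject as a receiving mail server would.

    SPF is evaluated on the envelope sender (MAIL FROM) against the connecting
    IP; DMARC additionally requires that domain to align with the From header.
    trust_big_providers=True models the loosened validation the article's
    "Eliminating Assumptions" mitigation argues against: mail from a well-known
    provider's IPs skips DMARC enforcement.
    """
    spf = spf_check(domain_of(mail_from), client_ip)
    aligned = domain_of(mail_from) == domain_of(header_from)
    dmarc_pass = spf == "pass" and aligned
    policy = DMARC.get(domain_of(header_from), "none")
    from_big_provider = any(ipaddress.ip_address(client_ip) in n for n in BIG_PROVIDER_NETS)
    if trust_big_providers and from_big_provider:
        return "accept"                        # reputation shortcut, DMARC never consulted
    if dmarc_pass or policy != "reject":
        return "accept"
    return "reject"


ATTACKER_IP = "203.0.113.7"     # attacker's own mail server (constructed)
PROVIDER_IP = "198.51.100.25"   # one of the shared provider's outbound servers
SPOOFED = "alerts@state.gov"    # the address being forged


def direct_spoof() -> str:
    """Attacker's server connects straight to the victim claiming to be state.gov."""
    return receiver_decision(ATTACKER_IP, SPOOFED, SPOOFED, trust_big_providers=False)


def forwarded_spoof() -> str:
    """Attacker's Account scenario: the forged message is first sent to the
    attacker's own account at the provider, which forwards it to the victim.
    Assumption: the forwarder keeps the original envelope sender (no rewrite),
    so the victim sees state.gov mail arriving from an IP state.gov authorizes."""
    return receiver_decision(PROVIDER_IP, SPOOFED, SPOOFED, trust_big_providers=False)


def forwarded_with_rewrite(trust_big_providers: bool) -> str:
    """A forwarder that rewrites the envelope sender to its own domain: SPF passes
    for provider.example but no longer aligns with the state.gov From header, so
    DMARC fails and the outcome depends on the receiver's trust policy."""
    return receiver_decision(PROVIDER_IP, "attacker@provider.example", SPOOFED,
                             trust_big_providers)


if __name__ == "__main__":
    print("direct spoof:         ", direct_spoof())                # reject
    print("forwarded spoof:      ", forwarded_spoof())             # accept
    print("rewrite, trusting big:", forwarded_with_rewrite(True))  # accept
    print("rewrite, no shortcut: ", forwarded_with_rewrite(False)) # reject
```

Real receivers also evaluate DKIM, which this toy omits; the point it isolates is that an SPF pass for the spoofed domain is exactly what forwarding through a shared provider produces, so "it came from a big provider's servers" is not evidence that the From address is genuine, and a receiver that shortcuts DMARC on that basis accepts the forged message even when the spoofed domain publishes p=reject.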