18 (new) ways attackers can compromise email

Researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders, making it even easier for criminals to fool users.


All organizations wrestle with chronic phishing attacks that are the primary vectors through which malicious actors breach systems and spread malware.

Most phishing attackers deliver their payloads on networks by crafting spoofed emails that look like they come from legitimate, authoritative senders. Those look-alike emails instead derive from domains deployed solely for malicious purposes. It’s virtually impossible for most email recipients to detect the differences between real and spoofed email accounts, making phishing an intractable and seemingly never-ending problem for users and organizations alike.

Now computer science researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders. Vern Paxson, Professor of Computer Science at UC Berkeley and Co-Founder and Chief Scientist at Corelight; Jianjun Chen, Post-Doc researcher at the International Computer Science Institute; and Jian Jiang, Senior Director of Engineering at F5 (Shape Security), presented the results of their research at Black Hat last week in a talk entitled “You Have No Idea Who Sent That Email: 18 Attacks on Email Sender Authentication.”

Subject to interpretation

As the researchers point out in their academic paper, email servers combat spoofing by employing several Simple Mail Transfer Protocol (SMTP) extensions (SPF, DKIM, and DMARC) to authenticate the sender’s purported identity, so that email clients can display assurances of the sender’s validity. It is the composition of the different software components that construct these assurances that has vulnerabilities, which enable attackers to engage in impersonation.
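The sketch below is an added example, not code from the article or the researchers' paper. It shows why the composition matters: SPF authenticates the envelope sender, DKIM authenticates the signing domain, and only DMARC alignment ties either one to the From address a client displays. The sample messages, all domains, and the two-label organizational-domain shortcut are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def passed_domains(msg):
    """Domains that passed SPF (envelope sender) or DKIM (signing d=)."""
    props = {"spf": r"smtp\.mailfrom", "dkim": r"header\.d"}
    passed = {method: set() for method in props}
    # Only trust Authentication-Results added by your own receiving server.
    for value in msg.get_all("Authentication-Results", []):
        for method, prop in props.items():
            pattern = rf"\b{method}=pass\b[^;]*?\b{prop}=(?:[^\s;@]*@)?([^\s;]+)"
            passed[method].update(d.lower() for d in re.findall(pattern, value))
    return passed

def dmarc_alignment(raw):
    """Return (From domain, sorted methods that passed AND align with it)."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1 or "@" not in senders[0][1]:
        return None, []  # no single From identity to check: unverifiable
    shown = senders[0][1].rsplit("@", 1)[1].lower()
    aligned = [m for m, doms in passed_domains(msg).items()
               if any(org_domain(d) == org_domain(shown) for d in doms)]
    return shown, sorted(aligned)

# Constructed sample messages (all domains are placeholders).
HEAD = "From: Example Bank <billing@bank.example>\nSubject: Invoice\n"
UNALIGNED = (HEAD + "Authentication-Results: mx.example.org;\n"
             " spf=pass smtp.mailfrom=bounce@mailer.example.net;\n"
             " dkim=pass header.d=mailer.example.net\n\nbody\n")
ALIGNED = (HEAD + "Authentication-Results: mx.example.org;\n"
           " spf=pass smtp.mailfrom=bounce@mail.bank.example;\n"
           " dkim=pass header.d=bank.example\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("unaligned", UNALIGNED), ("aligned", ALIGNED)):
        print(name, dmarc_alignment(raw))
```

In the first sample both SPF and DKIM report `pass`, yet neither result covers the domain in the From header, so a receiver that treats a bare `pass` as proof of the displayed sender would be wrong.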
