
18 (new) ways attackers can compromise email

Aug 10, 2020 | 6 mins
Black Hat, Google, Microsoft

Researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders, making it even easier for criminals to fool users.


All organizations wrestle with chronic phishing attacks, which remain the primary vector through which malicious actors breach systems and spread malware.

Most phishing attackers get their payloads onto a network by crafting spoofed emails that appear to come from legitimate, authoritative senders when they in fact originate from domains set up solely for malicious purposes. For most recipients it is virtually impossible to tell a real sender from a spoofed one, which makes phishing an intractable and seemingly never-ending problem for users and organizations alike.

Now computer science researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders. Vern Paxson, Professor of Computer Science at UC Berkeley and Co-Founder and Chief Scientist at Corelight, Jianjun Chen, Post-Doc researcher at the International Computer Science Institute, and Jian Jiang, Senior Director of Engineering at F5 (Shape Security), presented the results of their research at Black Hat last week in a talk entitled “You Have No Idea Who Sent That Email: 18 Attacks on Email Sender Authentication.”

Subject to interpretation

As the researchers point out in their academic paper, to combat email spoofing, email servers layer three authentication protocols on top of the simple mail transfer protocol (SMTP): SPF, DKIM, and DMARC. SPF checks whether the sending server is authorized to send for the envelope sender’s domain, DKIM verifies a cryptographic signature over the message, and DMARC ties both results to the domain in the From: header that the user actually sees, so that the client can display an assurance of the sender’s validity. The vulnerabilities lie not in any one of these protocols but in how the separate software components that implement them are composed to construct that assurance, and it is those seams that let attackers impersonate senders.

“Complex internet services and systems have a bunch of different components, and they have to work together or coordinate in some fashion,” Vern Paxson explains to CSO. “Due to subtle differences in how they interpret data, attackers can manipulate them. Modern email assurances of validity are built upon three different protocols that essentially need to interpret various facets of email messages and develop the assurance that, yeah, it really came from where it should have.”

Over the course of a year, the researchers developed a range of eighteen techniques that can exploit these inconsistencies across ten popular email providers and nineteen email clients. The ten email providers studied were,,,,,,,,, and

The researchers lay out three overarching classes of attack that exploit the holes between the software components: intra-server attacks, which exploit inconsistencies between the components inside the receiving server itself; UI mismatch attacks, where the identity the server authenticates differs from the identity the email client displays; and ambiguous replay attacks, which reuse a legitimately authenticated message in a way its protections did not anticipate. Of the ten email providers, six were affected by intra-server attacks, and all were vulnerable to UI mismatch and ambiguous replay.
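To make the composition problem from the two passages above concrete, here is an added, constructed illustration of the UI-mismatch class. It is not the researchers’ code and not their espoofer tool; the domains, the message, and the helper names are all invented for the example. It models two components of a receiving system, a DMARC-style verifier and a client display routine, that each have to decide which identity to take from a From: header carrying more than one mailbox. The SPF and DKIM results are assumed inputs (the attacker genuinely controls attacker.example, so both pass for that domain); the example shows how the verifier can report a pass while the client shows a different, trusted address, and what the careful receiver’s check looks like instead.

```python
"""Toy illustration of a UI-mismatch sender-authentication failure.

Added example for this article; not the researchers' code and not the
espoofer tool. All domains, messages and helper names are constructed.
"""
import email
from email.utils import getaddresses


def organizational_domain(domain: str) -> str:
    """Toy organizational-domain reduction: keep the last two labels.
    Real DMARC implementations consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment (RFC 7489 s.3.1): strict needs an exact
    match, relaxed only needs the same organizational domain."""
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def from_addresses(raw_message: str) -> list[str]:
    """Every mailbox found in every From: header, in header order. Covers
    both one From: with several mailboxes and repeated From: headers."""
    msg = email.message_from_string(raw_message)
    return [addr for _name, addr in getaddresses(msg.get_all("From", [])) if addr]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2]


def dmarc_pass(raw_message: str, spf_domain: str, dkim_domain: str,
               pick: str = "first", mode: str = "relaxed") -> bool:
    """Verifier that tolerates several From: identities and quietly picks one.

    `pick` ('first' or 'last') models which identity an implementation
    happens to use. `spf_domain` / `dkim_domain` are the domains that
    already passed SPF and DKIM (assumed inputs here, not computed)."""
    addrs = from_addresses(raw_message)
    if not addrs:
        return False
    chosen = addrs[0] if pick == "first" else addrs[-1]
    fd = domain_of(chosen)
    return aligned(fd, spf_domain, mode) or aligned(fd, dkim_domain, mode)


def displayed_sender(raw_message: str, pick: str = "last") -> str:
    """Client display routine; it chooses a mailbox on its own, with no
    guarantee that it matches the verifier's choice."""
    addrs = from_addresses(raw_message)
    return (addrs[0] if pick == "first" else addrs[-1]) if addrs else ""


def single_from_domain(raw_message: str):
    """The check a careful receiver makes before DMARC evaluation: exactly
    one From: mailbox, otherwise None. RFC 7489 s.6.6.1 notes that messages
    with several From: identities are typically rejected and otherwise
    leaves handling to the receiver; refusing to guess is the safe choice."""
    addrs = from_addresses(raw_message)
    return domain_of(addrs[0]) if len(addrs) == 1 else None


# Constructed messages. The attacker controls attacker.example, so SPF and
# DKIM genuinely pass for that domain; the trusted identity is appended.
SPOOFED = (
    "From: <attacker@attacker.example>, <ceo@victim.example>\r\n"
    "To: <employee@victim.example>\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please send the payment today.\r\n"
)

LEGIT = (
    "From: <ceo@victim.example>\r\n"
    "To: <employee@victim.example>\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "Hi.\r\n"
)


if __name__ == "__main__":
    verified = dmarc_pass(SPOOFED, "attacker.example", "attacker.example", pick="first")
    shown = displayed_sender(SPOOFED, pick="last")
    print(f"verifier: DMARC pass={verified}; client shows: {shown}")
    print(f"careful receiver's From domain: {single_from_domain(SPOOFED)!r}")
```

Run stand-alone, the script reports a DMARC pass for the message while the client shows ceo@victim.example, which is the mismatch the researchers describe. The defensive pattern is the last helper: make the verifier refuse to evaluate a message whose From: header does not reduce to exactly one identity, and make sure the display component uses the very same identity the verifier aligned against rather than re-parsing the header on its own.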

Email fragility

Although the details of how these attacks work are technically intricate, “the core point is that there are eighteen of these and some of them really quite subtle,” Paxson says. (The researchers have posted a video that succinctly helps explain the attacks.) “The upshot is that even if you’re a savvy security user, who really understands what’s going on in these things, you can’t look at your email and know that’s from [for example] unless you’re really careful.  You’ve got to look at the raw headers and think about them a lot. And for some attacks, that’s not even good enough.”

For Paxson, these attacks underscore the fragility of even the hardiest of all the email systems, Gmail. Chen, who conducted most of the research, responsibly disclosed the problems to the ten email providers. “Most of them said, ‘Wow, this is really a problem.’ A number of them sent along bug bounties,” Paxson says.

Microsoft and Yahoo, however, didn’t respond to the findings as the researchers expected. “Microsoft, their view was ‘Well, this is a flaw that enables social engineering, and social engineering is not a security property.’ That constitutes a vulnerability from our perspective,” Paxson says, calling Microsoft’s position “not very forward-looking.”

As for Yahoo, “they just couldn’t understand it,” Paxson says. “It was quite disappointing. [Chen] included a video and they’re like ‘Well yeah it looks like the DNS servers are misconfigured.’”

When contacted by CSO, a Microsoft spokesperson said “Office 365 and employ a multi-layered email filtering defense to protect our customers from [the] latest phishing, spoofing and impersonation attacks. We are constantly evaluating and hardening our services against new attack patterns to help keep our customers secure. We’re evaluating the specifics of this paper and will take action as necessary.” Yahoo, now owned by Verizon Media, did not respond to CSO’s request for comment.

Closing the barn door

The researchers don’t know if any of the 18 vulnerabilities have been exploited in the wild. “It took a whole lot of technical diligence to find [the vulnerabilities], so if they’re being used today, it’s mostly by very sophisticated actors,” Paxson says.

“We don’t have a way to measure whether they’re being used. Only somebody like Gmail, who could search through all the email headers of this huge corpus, could even check if they’re being used.”

On top of that, the problems the researchers found are by no means “an exhaustive set” of all the likely vulnerabilities afflicting email providers and clients, according to Paxson. “We don’t have the tools to reliably find these issues. And absent those tools who knows how many more are out there waiting to be found.”

One output of the research is a testing tool that lets individuals, sysadmins, and security researchers check whether their own email providers and clients are susceptible to the kinds of spoofing the researchers discovered, so that the problems can be found and fixed. They’re calling the tool ‘espoofer,’ and it’s available on GitHub.

Until some solution to the software inconsistencies problem is devised, or, far less likely, some end-to-end encrypted email system gets developed and widely adopted, the best organizations can do to protect against phishing attacks is user awareness training.

“What I get from some studies of training is it does move the needle [even though] it does not close the barn door,” Paxson says. His advice: “If the message seems like it’s requiring you to do something sensitive, figure out how to confirm it.”