A new study spearheaded by computer scientists at the University of California San Diego suggests that scammers may send an email with a forged address more easily than previously believed. It was attributed to a security flaw found in the process of allowing email forwarding.
Scammers are known to be tech-savvy and sometimes use subtle manners to target an online user. However, their schemes usually work with the presence of vulnerabilities.
Scammers Spoofed Email
The researchers claimed that their findings have a broad impact, particularly on the integrity of email delivered from various domains, such as those from the US government departments. They cited the majority of the US cabinet email domains and state.gov as examples.
They also found that it could affect news organizations such as the Associated Press, The Washington Post, and even financial service companies. In short, various entities are vulnerable to this reported security flaw.
This finding is called "forwarding-based spoofing," and the team has shed light on its mechanisms. Email messages supposedly impersonating prominent organizations can bypass the protections set in place by Gmail and Outlook.
They further noted that when recipients receive this email, there is a high likelihood that they will open attachments with malware or links that have spyware.
According to the team, the operation of this spoofing lies in various vulnerabilities for forwarding emails. They said that the initial protocol verifying the authenticity of an email assumes that these entities run their own mailing infrastructure, particularly with IP addresses not employed by other domains.
Numerous organizations rely on Gmail and Outlook for their email infrastructure. Consequently, many domains entrust these third-party providers with the authority to send emails on their behalf.
Although these providers ensure that their users only send emails to domains they control, email forwarding can circumvent this safeguard, according to the team.
For instance, the Department of State's email domain, state.gov, permits Outlook to send emails on its behalf. Consequently, emails claiming to originate from state.gov are considered genuine when sent from Outlook's email servers.
This situation allows an attacker to create a spoofed email, impersonating, for instance, the Department of State, and then forward it through their personal Outlook account.
Once forwarded, the spoofed email is regarded as legitimate by the recipient because it originates from an Outlook email server. Similar vulnerabilities also affect five other email providers, such as iCloud.
The researchers also identified additional minor issues affecting users of Gmail and Zohomail, an email provider in India. They said they notified tech giants Microsoft, Apple, and Google about this issue. However, they also claimed that this flaw has not been fully fixed yet.
Read Also: Thailand Threatening Facebook Shutdown Over Scam Ads
Stopping Scammers 'Require a Major Effort'
"That is not surprising since doing so would require a major effort, including dismantling and repairing four decades worth of legacy systems," Alex Liu, the paper's first author and a Ph.D. student in the Jacobs School Department of Computer Science and Engineering at UC San Diego, said in a press statement.
"While there are certain short-term mitigations that will significantly reduce the exposure to the attacks we have described here, ultimately email needs to stand on a more solid security footing if it is to effectively resist spoofing attacks going forward," Liu added.
According to the team, Zoho addressed its issue and awarded a bug bounty, while Microsoft and Gaggle also awarded bug bounties but have not fully resolved the issues.
Gmail fixed the problems, and iCloud is currently investigating. To address these vulnerabilities, researchers recommend turning off open forwarding, a feature allowing users to forward emails without verification.
The researchers suggest a more comprehensive approach that standardizes various forwarding aspects, but this would require cooperation across email systems and might encounter operational challenges. The findings of the team were recently published in arXiv.
Related Article: FCC Issues Order of Blocking One Eye for Enabling Robocall Scams
