Email forwarding flaws allow attackers to impersonate high-profile domains

Sending an email with a fake sender address is easier than previously thought, according to a research team led by computer scientists at the University of California, San Diego, because of flaws in the process used to forward emails.
The issues discovered by researchers have a far-reaching impact, affecting the integrity of emails sent from tens of thousands of domains, including those representing U.S. government organizations, such as the majority of U.S. cabinet email domains, including state.gov, and security agencies.
Major financial services companies, such as Mastercard, and major news outlets, such as the Washington Post and the Associated Press, are also vulnerable.
This is called forwarding-based spoofing, and the researchers found that they could send emails impersonating these organizations while bypassing the protections deployed by email providers such as Gmail and Outlook. Once recipients receive the spoofed email, they are more likely to open attachments that deploy malware or click on links that install spyware on their computer.
The research team discovered that such identity theft is made possible by several vulnerabilities focused on email forwarding. The original protocol used to verify the authenticity of an email implicitly assumes that each organization operates its email infrastructure with specific IP addresses not used by other domains.
But today, many organizations outsource their email infrastructure to Gmail and Outlook. As a result, thousands of domains have delegated the right to send emails on their behalf to the same third party. Although these third-party providers validate that their users send emails only on behalf of the domains they operate, this protection can be circumvented through email forwarding.
For example, state.gov, the State Department’s email domain, allows Outlook to send emails on its behalf. This means that emails claiming to come from state.gov would be considered legitimate if they came from Outlook’s mail servers.
As a result, an attacker can create a spoofed email (an email with a false identity) pretending, for example, to come from the State Department, and then forward it through their personal Outlook account. Once this is done, the spoofed email will now be treated as legitimate by the recipient because it came from an Outlook mail server.
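The root cause described above can be shown with a small SPF evaluator. This is an added illustration, not code from the researchers; the domain names, IP ranges and SPF records are constructed, not real DNS data. An agency domain that includes a shared provider's SPF record accepts mail from every IP in that provider's range, so a spoofed message that has been relayed through the provider passes the same check that rejects it when it comes straight from an unrelated server.

```python
import ipaddress

# Constructed, hypothetical SPF records (not real DNS data). The agency
# domain delegates sending to a shared provider, the pattern the article
# describes for domains hosted on Gmail or Outlook.
SPF_RECORDS = {
    "agency.example": "v=spf1 ip4:198.51.100.0/24 include:spf.provider.example -all",
    "tenant.example": "v=spf1 include:spf.provider.example -all",
    "spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "selfhosted.example": "v=spf1 ip4:192.0.2.10 -all",
}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Minimal SPF check: returns 'pass', 'fail', 'softfail', 'neutral',
    'none' or 'permerror'. Supports only ip4, include and the *all terms."""
    if depth > 10:  # RFC 7208 limits include recursion to 10 lookups
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # An include passes if the included domain's record passes.
            if evaluate_spf(term[8:], sender_ip, records, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
        elif term == "?all":
            return "neutral"
    return "neutral"


def shared_includes(records=SPF_RECORDS):
    """Audit helper: map each include target to the domains delegating to it.
    Targets used by more than one domain mean those domains share sending IPs,
    so SPF alone cannot tell their mail apart."""
    delegations = {}
    for domain, record in records.items():
        for term in record.split()[1:]:
            if term.startswith("include:"):
                delegations.setdefault(term[8:], []).append(domain)
    return {t: sorted(d) for t, d in delegations.items() if len(d) > 1}
```

Running `evaluate_spf("agency.example", ip)` with an IP from the provider's range returns "pass" although the message may have originated anywhere, while a message straight from an unrelated server returns "fail"; `shared_includes()` lists the domains whose SPF records collapse onto the same provider.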
Versions of this flaw also exist for five other email providers, including iCloud. Researchers also discovered other, smaller issues affecting users of Gmail and Zohomail, a popular email provider in India.
The researchers reported the issue to Microsoft, Apple, and Google, but to their knowledge it has not been fully resolved.
“This is not surprising since it would require a major effort, including dismantling and repairing four decades of existing systems,” said Alex Liu, a Ph.D. student in the Department of Computer Science and Engineering at the Jacobs School at UC San Diego.
“While there are some near-term mitigation measures that will significantly reduce exposure to the attacks we’ve outlined here, email ultimately needs to be put on a stronger security foundation if it is to effectively resist identity theft attacks in the future,” Liu continued.
Different attacks
The researchers developed four different types of attacks using forwarding.
For the first three, they assumed that an adversary controls both the accounts that send and forward the emails. The attacker must also have a server capable of sending spoofed email messages and an account with a third-party provider that allows open forwarding.
The attacker first creates a personal account for forwarding, then adds the spoofed address to the account whitelist, a list of domains that will not be blocked even if they do not meet security standards. The attacker configures the account to forward all emails to the desired target. The attacker then spoofs an email to make it appear to be from state.gov and sends the email to their personal Outlook account. The attacker then simply has to forward the spoofed email to the target.
More than 12% of the most popular Alexa-ranked domains (a ranking of the most visited domains on the Internet) are vulnerable to this attack. These include a large number of news organizations, such as the Washington Post, the Los Angeles Times and the Associated Press, as well as domain registrars like GoDaddy, financial services such as Mastercard and Docusign, and major law firms.
Additionally, 32% of .gov domains are vulnerable, including the majority of U.S. cabinet agencies, a number of security agencies, and agencies working in public health, such as the CDC. At the national and local levels, virtually all major state government domains are vulnerable, and more than 40% of all .gov domains are used by cities.
In a second version of this attack, an attacker creates a personal Outlook account to forward spoofed emails to Gmail. In this scenario, the attacker impersonates a domain also served by Outlook, then sends the spoofed message from their own malicious server to their personal Outlook account, which in turn forwards it to a series of Gmail accounts.
Researchers also discovered variations of this attack that work for four popular mailing list services: Google Groups, mailman, listserv, and Gaggle.
Potential solutions
The researchers disclosed all vulnerabilities and attacks to the vendors. Zoho fixed their issue and awarded the team a bug bounty. Microsoft also assigned a bug bounty and confirmed the vulnerabilities. Mailing list service Gaggle said it would change protocols to resolve the issue. Gmail has also fixed the issues reported by the team and iCloud is investigating.
But to really get to the root of the problem, the researchers recommend disabling open forwarding, a feature that allows users to configure their account to forward messages to any designated email address without any verification by the destination address. This feature is in place for Gmail and Outlook. Additionally, providers like Gmail and Outlook implicitly trust the major email services, delivering messages forwarded through those services regardless of where they originated.
Vendors should also let go of the assumption that emails from another major vendor are legitimate, a practice known as relaxed validation policies.
Additionally, researchers recommend that mailing lists request confirmation of the sender’s real address before sending an email.
“A more fundamental approach would be to standardize various aspects of forwarding,” the researchers write. “However, making such changes would require system-wide cooperation and would likely encounter many operational issues.”
Email Forwarding Methods
For each service, the researchers created several test accounts and used them to forward emails to recipient accounts they controlled. They then analyzed the resulting email headers to better understand which forwarding protocol the service was using. They tested their attacks on 14 email providers, which are used by 46% of the most popular Internet and government domains.
They also created mailing lists as part of existing services provided by UC San Diego and by the Gaggle mailing list service.
The researchers only sent spoofed emails to accounts they had created themselves. They first tested each attack by spoofing the domains they had created and controlled. Once they verified that the attacks worked, they conducted a small series of experiments aimed at spoofing emails from real domains. However, the spoofed emails were only sent to the test accounts created by the researchers.
“A fundamental problem is that email security protocols are distributed, optional, and independently configured components,” the researchers write. “This creates a large and complex attack surface with many possible interactions that cannot be easily anticipated or managed by a single party.”