By now you're hopefully familiar with the usual advice to avoid phishing attacks: Don't be too quick to download attachments, don't enter passwords or send money somewhere out of the blue, and of course, don't click links unless you know for sure where they actually lead. You may even scrutinize each sender's email address to make sure that what looks like email@example.com isn't really firstname.lastname@example.org. But new research shows that even if you check a sender's address down to the letter, you could still be deceived.
At the Black Hat security conference on Thursday, researchers will present "darn subtle" flaws in industry-wide protections used to ensure that emails come from the address they claim to. The study looked at the big three protocols used in email sender authentication—Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting and Conformance (DMARC)—and found 18 instances of what the researchers call "evasion exploits." The vulnerabilities don't stem from the protocols themselves but from how different email services and client applications implement them. Attackers could use these loopholes to make spear-phishing attacks even harder to detect.
"I think I’m a savvy, educated user, and the reality is, no, that’s actually not enough," says Vern Paxson, cofounder of the network traffic analysis firm Corelight and a researcher at the University of California, Berkeley, who worked on the study along with Jianjun Chen, a postdoctoral researcher at the International Computer Science Institute, and Jian Jiang, senior director of engineering at Shape Security.
"Even users who are pretty savvy are going to look at the indicators that Gmail or Hotmail or others provide and be fooled," Paxson says.
Think about when you hand a friend a birthday card at their party. You probably only write their first name on the outside of the envelope, and maybe underline it or draw a heart. If you mail that letter instead, though, you need the recipient's full name and detailed address, a stamp, and ultimately a postmark with a date on it. Sending email across the internet works similarly. Though email services only require you to fill out the "To" and "Subject" fields, there's a whole list of more detailed information getting filled out behind the scenes. Those industry-standard "headers," as they're known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.
The researchers found that by strategically manipulating different header fields they can produce different types of attacks, all of which can be used to deceive the person on the other end of an email. "What’s the account sending it, and where is it from? There's not much that enforces that they actually align," Paxson says.
The 18 exploits fall into three categories. The first set, called "intra-server" attacks, prey on inconsistencies in how a given email service pulls data from headers to authenticate a sender. Take the fact that email headers actually have two "From" fields, HELO and MAIL FROM. Different authentication mechanisms can be set up to reconcile those two fields in different ways. For example, some could be implemented to interpret an email address that begins with an open parenthesis—like (email@example.com—as an empty MAIL FROM field, causing it to rely instead on the HELO field for integrity checks. Those sorts of incongruities create openings for attackers to set up strategic email domains or manipulate message headers to pose as someone else.
The second category focuses on manipulating similar inconsistencies, but between the mail server that receives your message and the app that actually displays it to you. The researchers found, for example, vast inconsistencies in how different servers and clients handle "From" headers that list multiple email addresses or addresses surrounded by different numbers of spaces. Services are supposed to flag such messages as having an authentication issue, but in practice, many will accept either the first address in the list, the last address in the list, or all of the addresses as the From field. Depending on where the email service lands on that spectrum—and how the mail client is configured—attackers can game this progression to send emails that look like they came from a different address than they really did.
The researchers call the third category "ambiguous replay," because it includes different methods of hijacking and repurposing (or replaying) a legitimate email an attacker has received. These attacks take advantage of a known quality of the cryptographic authentication mechanism DKIM where you can receive an email that has already been authenticated, craft a new message where all of the headers and the body are the same as they were in the original email, and essentially resend it, preserving its authentication. The researchers took this a step farther, realizing that while you can't change the existing headers or body if want to maintain the authentication, you can add additional headers and body text onto what's already there. In this way, attackers could add their own message and subject line, hiding the real message in an obscure place, like as an attachment. That bit of misdirection makes it look like the attacker's message came from the original, legitimate sender and has been fully authenticated.
“All Sorts of Junk”
Though most people use their email accounts without ever checking what's in all of these hidden headers, email services provide the option. How you access it varies by email provider, but on Gmail, open the message you want to inspect, click More, the three vertical dots next to Reply in the upper right-hand corner, select Show Original, and the unsimplified original email will open in a new tab. The problem is that even someone combing through all of the granular headers might not detect that anything is amiss if they don't know what to look for.
"You get all sorts of junk floating around, legitimate junk in network traffic that's not malicious, and you write things to try to deal with it in various ways," Corelight's Paxson says. "You want to deliver the mail if you can, don’t drop it on the floor because of some littler syntactic thing. So it's a rush to compatibility as opposed to rigor. I don’t think people appreciated that these corner-case interactions were even there. It's almost silly and yet very real."
In all, the researchers found 10 email providers and 19 email clients that were vulnerable to one or more of their attacks, including Google's Gmail, Apple's iCloud, Microsoft Outlook, and Yahoo Mail. The researchers notified all of the companies of their findings and many awarded them bug bounties and fixed the issues or are working on fixing them. Microsoft told the researchers that attacks involving social engineering are out of scope for software security vulnerabilities. Yahoo has not yet taken action.
The researchers say they currently have no way of knowing whether attackers have exploited these weaknesses over the years. In analyzing his own email archive, Paxson says he saw a few minor examples of some of these manipulations, but they seemed to be unintentional errors, not malicious attacks.
The findings shouldn't prompt you to throw out all the advice you've heard about phishing. It's still important to avoid clicking random links and to check the email address a message seems to have come from. But the research does underscore the futility of victim-blaming when it comes to phishing attacks. Even when you do everything right, attackers could still slip by.