According to researchers at Virginia Tech, a new generation of hackers can easily spoof the email address of a co-worker, or of a business the victim deals with, and use it to send forged emails. Doing this well requires more than computer skills: the text of the message has to read as genuine too. Trials show that with the right amount of social engineering, it is relatively straightforward to obtain sensitive information from an unsuspecting recipient.
Many business email users are wary of unfamiliar email addresses, especially in emails that carry links or attachments, and they are also cautious of emails that are poorly written. People are far less vigilant when an email appears to come from a trusted source.
However, hackers are becoming more sophisticated. Their writing has, in many cases, improved, and when this is coupled with a spoofed address belonging to a co-worker or to the company itself, falling for a scam becomes much easier.
According to Professor Gang Wang: “These kinds of phishing attacks are especially dangerous. Technology changes so quickly, and now a hacker can obtain your information easily.”
He explains further: “This information can be used to commit cyberattacks that run the gamut from being mildly annoying, like having to deal with a checking account that has been hacked, to serious consequences of physical life and death if information, for example, to a hospital’s computer mainframe is obtained.”
He adds that most email systems, which rely on the international Simple Mail Transfer Protocol (SMTP), were designed without spoofing in mind, and this leaves them vulnerable. Even where no such protocols are in use, vulnerabilities exist.
In his research Professor Wang assessed the SMTP extensions meant to counter spoofing, SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance), and found almost half of the services examined to be poorly configured and hence vulnerable to phishing attacks.
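To make "poorly configured" concrete from the defender's side, the following is an added example, not code from the Virginia Tech study: it parses a domain's SPF and DMARC TXT records and flags the settings that let forged mail through (a missing record, an SPF that softfails or passes unknown senders, a DMARC policy of none or quarantine, or a partial pct). The records are constructed samples; a real check would fetch the `TXT` records for the domain and for `_dmarc.<domain>` from DNS. DKIM is not scored here because it is evaluated per message signature rather than per domain policy.

```python
"""Rate SPF and DMARC records by how strictly they reject forged senders.

Added illustration for this article; not the researchers' code. Every record
below is a constructed sample, not taken from a real domain.
"""
import re


def parse_spf(record: str) -> dict:
    """Return the 'all' qualifier and the other mechanisms of an SPF record.

    Returns {} when the text is not an SPF record. A bare 'all' means '+all'.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {}
    all_qualifier = None
    mechanisms = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"
        else:
            mechanisms.append(term)
    return {"all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record: str) -> dict:
    """Return the tag=value pairs of a DMARC record, or {} if it is not one."""
    terms = [t.strip() for t in record.split(";") if t.strip()]
    if not terms or terms[0].lower() != "v=dmarc1":
        return {}
    tags = {}
    for term in terms[1:]:
        if "=" in term:
            key, value = term.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record) -> list:
    """Return a list of weaknesses; an empty list means forged mail is rejected."""
    findings = []

    spf = parse_spf(spf_record or "")
    if not spf:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif spf["all"] in (None, "+", "?"):
        findings.append(f"SPF 'all' qualifier {spf['all']!r} does not fail unknown senders")
    elif spf["all"] == "~":
        findings.append("SPF uses ~all (softfail): receivers may still accept forged mail")

    dmarc = parse_dmarc(dmarc_record or "")
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM results are not tied to the From: header")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are only reported, never rejected")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: forged mail is filed as spam, not rejected")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLES = {
    "strict.example": (
        "v=spf1 include:_spf.example.net -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    ),
    "lax.example": (
        "v=spf1 ip4:192.0.2.0/24 ~all",
        "v=DMARC1; p=none; pct=50",
    ),
    "bare.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        problems = assess(spf_txt, dmarc_txt)
        print(f"{domain}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Running it prints no findings for `strict.example`, three for `lax.example` and two for `bare.example`. The point the ratings make is the same one the study makes: a domain can publish all three records and still be spoofable if the SPF ends in `~all` or the DMARC policy is `p=none`, because those settings report failures without instructing receivers to reject the message.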
To show this, Wang and his team set up user accounts on the target email services as the receiver and then used an experimental server to send forged emails, carrying a fake sender address, to those receiver accounts. The study covered 35 popular email services, such as Gmail, iCloud, and Outlook. The click-through rate among recipients was up to 26 percent.
Based on these findings, Professor Wang recommends tighter security protocols. The findings will be presented at the 27th Annual USENIX Security Symposium in Baltimore, Maryland, in August 2018.