Measuring the spearphishing threat.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative.
Dave Bittner: [00:00:10] I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security, protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Gang Wang: [00:01:42] They start from me getting a lot of phishing emails actually.
Dave Bittner: [00:01:45] That's Gang Wang. He's an assistant professor of computer science at Virginia Tech. The research we're discussing today is "End-to-End Measurements of Email Spoofing Attacks." It's a research paper he coauthored with his colleague, Hang Hu.
Gang Wang: [00:01:59] Spearphishing is basically a phishing email that attackers would try to trick you to do something, often about revealing important information, such as your password or your credit card information. We, as a public university, and I'm a faculty member here, so I often get a lot of phishing emails. So sometimes the email sender was impersonating a technical support from Virginia Tech, from our own organization. Sometimes the email sender was impersonating an FBI agency or a government agency, and it tried to lure us to give away our, either internal credentials to the Virginia Tech network and internal system, or sometimes get some personal information, such as your Social Security number or credit card information.
Gang Wang: [00:02:51] So, as a computer scientist, I sort of had the knowledge that the system that we're using to send email is not secure to begin with. So the fundamental protocol is called SMTP. The protocol is pretty old actually, it's a forty-years-old protocol. Now, the protocol itself does not have a security feature, and it has been a while. But what I know is that there has been an effort, and it tried to improve the protocol by adding extensions, and it tried to prevent, you know, attackers from impersonating someone else.
Gang Wang: [00:03:26] That got me curious, so I want to see how well we're doing since, for example, starting from early 2000s, there are people who tried to develop, standardize those defense protocols. And then we start from there and see, you know, it has been ten, twenty years, how well we're doing. But the result is not very encouraging. It shows that, even today, it's actually pretty easy for attackers to impersonate your co-workers, your supervisor, or anyone, literally, they wanted, to send emails to you and trick you to do things.
Gang Wang: [00:04:03] So, the fundamental reason we found is that the anti-spoofing protocols are not widely adopted, or not correctly adopted. So, there are lots of problems. And the end result is that, out of the thirty-five different email service providers we tested, thirty-four of them can be penetrated by at least one of the phishing or spoofing e-mails we sent. And if we actually spoof existing contacts of the victim, then every single email service we tested can be penetrated.
Dave Bittner: [00:04:38] Well, let's back up a little bit. If I want to spoof an email to you, how would I go about doing that?
Gang Wang: [00:04:43] Well, let's see, if I want to spoof your supervisor or a co-worker, all I need to know is that, when I craft an email, I can modify a specific field in the SMTP protocol to say the email was actually sent from a given address, your supervisor's address or your co-worker's address, and then I can just throw the email to the protocol and it would just go to your inbox. It's just simple like that.
Dave Bittner: [00:05:10] Right. So, as designed, there are no checks or balances in place with SMTP to check that the information that's put in there is accurate?
Gang Wang: [00:05:19] That's correct. When it was, the protocol was initially designed, there were no security features to verify who is the actual sender, there were no security features to actually encrypt the email as well. So, since early 2000s, there started some efforts, but yes, you're right.
Dave Bittner: [00:05:37] So, what are some of the efforts that were put in place to try to improve the situation?
Gang Wang: [00:05:42] Since early 2000s, people have been developing so-called SMTP extension protocols. So one of them is called SPF. The idea is that, when people send emails, they also want to verify if the IP address is actually associated with the actual sender address. So using IP addresses, then you can verify if the sender that they claim to be, actually using the associated IP addresses. So this is just the high-level of how one of the protocols works.
Gang Wang: [00:06:14] They're actually, right now, also a DKIM protocol, and there's also a DMARC protocol, that they try to work with each other and compensate each other's weaknesses. Of course, there's ongoing developments of new protocols that try to further improve the performance of the protocol. But the challenge, as I mentioned, is that any new protocols face a challenge to be widely adopted, especially in the current state of the Internet, it's hard to make everybody to be standing on the same page.
Dave Bittner: [00:06:46] Right. And of course these security protocols are voluntary?
Gang Wang: [00:06:49] That's correct. If you do not implement the security protocol as a sender, the receiver cannot just block all the emails from you. Because, as an email service provider, there's one thing you cannot do, is to lose legitimate emails. So that's why, you know, it's hard to force everybody to be adopting every single protocol we standardize.
Dave Bittner: [00:07:12] Take us through how you approached your research here. Describe to us the experiments that you designed.
Gang Wang: [00:07:19] It's more like a black-box testing, that you control the input to the black box and you observe the output coming out of the black box. So here, we're treating a given email service provider, for example, Gmail, as the black box.
Gang Wang: [00:07:36] So what we do is that, we set up our own accounts in Gmail, so we can create our own email addresses. Then we treat them as the receiver. Then we, kind of, send emails, with different kinds of configurations and parameters, to Gmail's, to that particular receiver address that we set up. So in this way, we can control the input by changing the configuration, for example, who is spoofed? What's the email content, or what IPs we're using, and then observe what's happening in the output, which is whether that email was delivered to the inbox, whether the email was placed into the spam folder, or is completely blocked in the process.
Gang Wang: [00:08:21] So, this is basically the high-level setup for the experiment. So this allowed us to see, you know, given a certain condition of the spoofing email, how likely we can penetrate the email service that we're testing.
Dave Bittner: [00:08:34] And so you tested a variety of email services?
Gang Wang: [00:08:37] That's correct. So in total we tested thirty-five different email services, including the most popular ones, for example, Gmail, Apple's iCloud, Microsoft Outlook or Hotmail, whatever you want to name it, and also Yahoo Mail as well.
Dave Bittner: [00:08:53] And so how did they do? Did some of them shine as being better than the others?
Gang Wang: [00:08:58] Well, it depends, right? So if you'll look at the so-called penetration rate, or inbox rate, so we calculate, what's the percentage of the emails that eventually reach your inbox. So the result we found is not very encouraging. So, basically, thirty-four out of thirty-five have at least one spoofing email arrive in the inbox. So, the only exception, or the only one that blocked every email we sent, is Hotmail, or Outlook, but they are not, you know, a hundred percent secure, which means that if you actually spoof an existing contact of the receiver, then Hotmail will let that spoofing email go through to the inbox. Technically, it's thirty-five out of thirty-five.
Dave Bittner: [00:09:47] One of the things I noticed in your research that stood out to me was that you noted that twenty-five out of the thirty-five providers would automatically load the spoofed sender's photo.
Gang Wang: [00:09:57] Yeah.
Dave Bittner: [00:09:57] So if I was pretending to be someone in your organization then, in addition to the email getting through, it would pop up a photo, which of course just reinforces, in the receiver's mind, that this is probably a legit email.
Gang Wang: [00:10:10] That's correct. When the emails come to a user's inbox, for usability purposes, email service providers often implement those UI elements to remind you who the sender is. So, for example, sometimes they load a profile photo of the sender. Sometimes they do even more, for example, listing the previous conversations you have with that particular user. Or, sometimes they have this kind of, a little, you know, a name card listing all the other information about that user to remind you who this user is. But again, if the user's, or the sender address is not verified, sometimes it's spoofed by the attacker that reinforced the so-called trust, or fake sense of security, to the victim.
Dave Bittner: [00:10:55] Now, one of the things you looked into was how the various email providers alert the user that perhaps something needs a little more attention. Can you take us through, what was your methodology there, and what did you discover?
Gang Wang: [00:11:08] Again, as I said, you know, thirty-five out of the thirty-five email service providers have some part of the spoofing email delivered to the inbox. So once the email's in the inbox, what we do is try to check the emails through different user interfaces. So, for example, we check emails by opening up a browser and check emails, we check emails by using the dedicated mobile applications, for example, Gmail or Yahoo Mail have their mobile apps. And we also check emails through the third-party email clients, for example, Microsoft Outlook has an email client that works for different email providers.
Gang Wang: [00:11:48] Now what we found is that, only a small number of email services or email providers have some security indicator on their interface to warn users that the email is not verified. So, for example, if you are a Gmail user, when the sender is not verified you can see a little red question mark on the sender's profile photo, which essentially means that the sender address is not verified. And if you move your mouse over that question mark, it shows a text message of explanation to say, hey, Gmail cannot verify the sender and this is not a spammer. So that showed up to, I think, eight out of the thirty-five email services we tested. And this is on a web interface.
Gang Wang: [00:12:38] On the mobile interface, there is an even smaller number of service providers that have that. I think the number is six out of thirty-five that have the same indicator on the mobile interface. So, it is understandable, because mobile interfaces have a very limited screen size, that they want to keep a clean interface by removing some of the information away. So unfortunately, security information is one of the pieces of information that has been moved away, compared to the web interface.
Dave Bittner: [00:13:08] Now, one of the things that you pointed out was that email providers tend to err on the side of delivering the e-mail. When in doubt, I guess they consider it better to deliver that email than not.
Gang Wang: [00:13:20] That is correct. Because, as the email service provider, they cannot afford losing legitimate emails. So, imagine you're a Gmail user and you lose an e-mail from an important client or a customer and that's unacceptable. So that's why this is a really hard tradeoff. Because, as I previously mentioned, not every single email service, or not every single internet host, has adopted those anti-spoofing protocols. So if there's a legitimate email sender that did not adopt that protocol, you as Gmail or you as Yahoo Mail, cannot effectively verify if the sender is trusted. In those cases, you cannot simply say, hey, everybody who has an unverified address needs to be dropped. That's not acceptable because, from the user perspective, their first priority is to receive emails.
Gang Wang: [00:14:13] So that's why you can see that, if you spoof the right sender and if you configure the email content correctly, then the spoofing e-mail can directly penetrate a service provider and get to the inbox.
Dave Bittner: [00:14:27] And one of the things you noted in the research is that there's a relatively low adoption rate of these authenticating extensions.
Gang Wang: [00:14:35] Yes. The adoption rate is relatively low. So what we observe is that, out of the top one million hosts ranked by Alexa, only forty-four percent of the hosts have SPF protocols adopted, and only five percent of the hosts have DMARC protocols adopted, because DMARC is relatively new. So this is basically a concern, because not every internet host or email sender is playing the same game. So the receivers cannot treat them as attackers, they are legitimate hosts.
Dave Bittner: [00:15:10] Now, what did you discover in terms of what were the most effective ways to get a spoofed email through? You looked at different techniques, yes?
Gang Wang: [00:15:19] That's correct. So there are different factors, right? So, for example, we have tested whether it is easy to deliver an email by spoofing particular senders, or whether it is easier to change the email content or change your IP address.
Gang Wang: [00:15:36] So what we found is that the most important factor is actually to look at whether the e-mail receiver has adopted the protocol. So, for example, if I wanted to send an email to a Gmail user, it's slightly harder because Gmail has all the protocols adopted. It would check every single email's sender address and try to verify, if possible. But, on the other hand, other email services who have not adopted those protocols, who didn't check the email sender at all, they are easier to penetrate.
Gang Wang: [00:16:10] The second most important factor, which is very obvious, is that it matters who you are spoofing. So, for example, if you spoof an email sender that has not published their SPF or DKIM record, it's easier to spoof them. So, the takeaway is that you can have a higher success rate by spoofing a sender that is not protected, or send emails to a receiver that does not track the authenticity of the sender.
Dave Bittner: [00:16:39] In terms of the takeaways from your research, you know, given the ubiquity of email and the fact that most of us still need to use it, what are your recommendations for folks to do the best job possible to protect themselves?
Gang Wang: [00:16:52] Well, from the user's perspective, given the current situation, I think we should at least, at first, eliminate some of the bad advice to users. So, for example, I still remember that I saw some of the security advice online, that you should always check who is sending you the email and see if they are someone you can recognize. That's bad advice, because attackers can easily impersonate whoever you know in real life. So I guess better advice, or more accurate advice, is don't trust the sender address, given the current situation that email providers cannot fully authenticate them.
Gang Wang: [00:17:29] Another advice is, you know, from the user perspective you should always stay skeptical and alert. So, for a very important operation such as, for example, if there is an email that asks you to give away critical information or make big payments, always try to perform additional confirmation through a different channel. So, for example, maybe you can make a phone call to the sender and check if this is really that sender that tried to ask you to do this.
Gang Wang: [00:18:00] As an additional bonus, if you actually want to see a quick demo, I can actually spoof one of your co-workers, if you like, to actually send an email to you and, for you to sort of see if this kind of went through.
Dave Bittner: [00:18:15] Oh yeah, let's do it.
Gang Wang: [00:18:16] This actually depends on whether your email service provider, which is CyberWire, actually can block this.
Dave Bittner: [00:18:23] Okay.
Gang Wang: [00:18:23] Maybe you guys are doing a better job than others.
Dave Bittner: [00:18:25] All right, well let's try it out.
Gang Wang: [00:18:27] So if you can send me a name and an email address that you want me to impersonate, I can try to do that and see how it goes.
Dave Bittner: [00:18:34] Here I'll send you that on...
Gang Wang: [00:18:36] Okay, just this.
Dave Bittner: [00:18:38] Yep, just like that. Just like it is there in the email.
Gang Wang: [00:18:40] So, I assume this is your co-worker?
Dave Bittner: [00:18:42] Yup. He's my boss, actually.
Gang Wang: [00:18:45] Ah, okay. Even better.
Dave Bittner: [00:18:46] Yeah, yeah. (laughs)
Gang Wang: [00:18:50] All right. See, it's very easy. I just sent it.
Dave Bittner: [00:18:54] All right.
Gang Wang: [00:18:54] So let's wait and wait, uh, from my side it says the message sent successfully. It'll probably take a minute or so to arrive, and if you didn't receive any email in the inbox, please try to check the spam folder, which means, great, you guys sort of block it, at least put it in the spam folder. If you see nothing, that means you completely dropped that email, that's even better.
Dave Bittner: [00:19:18] All right, I haven't had anything come through directly. Let's look in the junk--Oh, "Hey Dave, this is Peter," is that it?
Gang Wang: [00:19:28] Yup.
Dave Bittner: [00:19:29] That's it. Yup, it went in the junk mail.
Gang Wang: [00:19:31] Okay, that's good.
Dave Bittner: [00:19:32] Yep, it says, "This message appears to be junk mail. Beware of links in this message." So I got an indication in Outlook, with a little red envelope and a warning message. So I got the message from you. Excellent. So tell me, what's going on here? So you tried to spoof an email to me, what do you suppose my email software did to flag this? How do you suppose it sensed it?
Gang Wang: [00:19:56] So, currently, what happened is that I tried to spoof an email that pretended to come from your own email service. So, for example, both you and Peter are using the same email service provider.
Dave Bittner: [00:20:11] Right.
Gang Wang: [00:20:12] And that email provider has the ability to actually cross-check themselves to say, if this email actually sent through my own service. If it is not, they can easily flag this as, okay, this is not real.
Dave Bittner: [00:20:26] Right.
Gang Wang: [00:20:27] So, if I actually spoof a different email service provider, let's see, Gmail.com, things might be different, but in that case, if I spoof Gmail.com, what your email provider can do is to check if the sender address, which is Gmail.com, actually authenticated that e-mail. Gmail has SPF records to show a list of IPs that it can send emails on behalf of Gmail. And obviously I don't own that IP address, which means that your email service provider should be able to detect that and block it.
Dave Bittner: [00:21:03] All right, I just sent you another one. This is my wife.
Gang Wang: [00:21:06] Oh, okay.
Dave Bittner: [00:21:07] So let's see if this one works. This is fun.
Gang Wang: [00:21:10] All right, let's see. So from address, okay, this is a different email provider.
Dave Bittner: [00:21:16] Yup.
Gang Wang: [00:21:18] All right, so I also need to get to your email which is Dave... yes, I got it. So I got everything. So, subject, let's make it easier, "test" and "test." So, it went through to you. So, let's see, this time, it's in the inbox or also the spam folder.
Dave Bittner: [00:21:42] Yeah. Let's check it out. All right, let's see.
Gang Wang: [00:21:46] This particular email is, while technically it will be harder to find because this is no longer from the own email services that you are using now. So they need to go an extra mile to track if the current email, sort of, this sender would instruct your email provider to block them.
Dave Bittner: [00:22:07] Right. Right. Oh, yup, came through. Yeah, looks like it came through free and clear, no problems. Yup.
Gang Wang: [00:22:14] Oh wow, this one actually went to the inbox.
Dave Bittner: [00:22:17] Yeah. Yeah.
Gang Wang: [00:22:18] Oh, okay.
Dave Bittner: [00:22:19] Yeah. Well there we go.
Gang Wang: [00:22:20] We got a one-out-of-two.
Dave Bittner: [00:22:22] All right. Well it's, uh, as much fun as it was, I'm glad that you're a good guy, but it certainly does demonstrate how easy it is, and how we should be aware of it.
Gang Wang: [00:22:33] Yeah. So as I said, never trust the email sender. It's a field that you should just ignore.
Dave Bittner: [00:22:39] Right.
Dave Bittner: [00:22:43] Our thanks to Gang Wang for joining us. The research is titled "End-to-End Measurements of Email Spoofing Attacks." We'll have a link to the research paper in the show notes of this episode.
Dave Bittner: [00:22:55] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:23:03] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:23:11] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.