People aren’t always who they seem on the Internet. There are thousands of Nigerian princes out there, and 60-year-old men pretending to be 20-year-old women who look like supermodels. I remember my days in the ‘90s as a teenager on IRC. I knew that kids my age were disrespected, so I pretended to be a quadragenarian woman from San Francisco.
So, phishing has been a big cybersecurity problem for a long time, becoming common as more and more homes and offices got Internet access. It’s still a big problem these days, and it might be getting worse.
Phishing is a type of social engineering attack that involves attackers pretending to be trusted entities using email or websites. A classic example is when an attacker sends a target an email that appears to be from their bank. The email might spoof the bank’s domain name in its displayed email address of origin, and it might have graphics embedded in an HTML body which imitate visual designs that the bank uses.
The text body could say something like, “a hacker tried to access your online banking. Click here to change the password on your account.” Clicking the link could lead to a phishing website that imitates the bank’s online banking UI and asks for login credentials in a web form, tricking the target into voluntarily disclosing their username and password.
DMARC of Authenticity
In the good old days of the ‘80s, ‘90s and the first decade of the 21st century, spoofing a sender’s email address was often as simple as editing an email header and replacing the sender field with whatever email address you could imagine.
Add a psychological element to the mix and an email from “auditing@irs.gov” could make a recipient really nervous, or one from “bgates@microsoft.com” could make a fool expect to receive a financial windfall from Redmond, Washington, because billionaires email random ordinary people to give them millions of dollars all the time. Really.
Sadly, an attack method as simple as editing the sender field often works, depending on the email clients and mail transfer agents involved.
I’ve never used email spoofing maliciously. But on April Fools’ Day each year, my friends can always expect me to send them emails from The Doctor (thedoctor@gallifrey.org) or Captain Picard (jlpicard@starfleet.org). There are lots of email spoofing applications out there. I’ve personally used Emkei’s Mailer web app.
In 2010, a group including AOL, Comcast, Google, Microsoft, Yahoo, American Greetings, Bank of America, Facebook, JP Morgan Chase, LinkedIn, PayPal, and the Trusted Domain Project got together to start working on a way to make email spoofing more difficult. Their brands, technologies, and customers were at stake.
Email authentication technologies such as DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework) already existed, but they alone didn’t seem to be enough to make a dent in how many successful email phishing attacks there were every year.
What the coalition ultimately created is DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. It’s an email authentication system, policy, and reporting protocol all in one standard. DMARC builds on DKIM and SPF rather than replacing them, combining their results with a published policy and feedback reports.
DMARC in a Nutshell
There are a lot of technical details and variations in how DMARC is deployed, but here’s a basic explanation of how DMARC works:
The administrator of a domain used for email publishes the domain’s email authentication practices and how receiving email servers should handle messages that fail them. This DMARC policy is published as a TXT record in the domain’s DNS.
The receiving email server looks up the DMARC record in the DNS of the domain in the sender’s stated (From) address. It checks whether the message carries a valid DKIM signature, whether the sending IP address is allowed by the sending domain’s SPF record, and whether those results are in domain alignment, i.e. whether the domain that passed DKIM or SPF matches the domain in the From address.
The receiving server can then apply the sending domain’s DMARC policy to decide whether the email should be accepted, rejected, or flagged. A flagged email will probably end up in a spam folder.
Regardless of the action taken, the receiving email server then reports the validation outcome back to the sending domain’s owner, at the reporting address given in the DMARC record.
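As an added illustration of these steps (example code written for this explanation, not part of the original post or of any DMARC implementation): a small Python evaluator that parses a DMARC record like the one a domain owner would publish at _dmarc.example.com, checks SPF and DKIM alignment in relaxed and strict mode, and returns the disposition the receiver would apply. The record, the domains and the SPF/DKIM results are constructed inputs, and the two-label organizational-domain rule is a stand-in for the Public Suffix List lookup a real validator uses.

```python
# Constructed sample record, as it would be published in DNS at
# _dmarc.example.com (example.com is a placeholder domain; the tags are
# standard DMARC tags: policy, subdomain policy, alignment modes, report address).
SAMPLE_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs and sanity-check it."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def organizational_domain(domain: str) -> str:
    """Stand-in for the Public Suffix List lookup real validators use (an
    assumption of this example): keep the last two labels, so
    mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Domain alignment: strict ('s') needs an exact match with the From domain,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (passed, disposition) for one message.

    spf_domain is the envelope-from (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the DKIM signature that verified. Disposition is
    "accept" on a DMARC pass, otherwise the published policy (none/quarantine/reject).
    """
    tags = parse_dmarc_record(record_txt)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return True, "accept"  # one aligned pass is enough
    # Failing mail gets the published policy; 'sp' overrides 'p' for subdomains.
    policy = tags["p"]
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    cases = [
        ("legit bounce subdomain, relaxed SPF", "example.com", "pass", "bounce.example.com", "none", None),
        ("unaligned SPF and DKIM", "example.com", "pass", "attacker.example", "pass", "example.net"),
        ("subdomain From, nothing passes", "news.example.com", "fail", "attacker.example", "none", None),
        ("DKIM from subdomain under strict adkim", "example.com", "none", None, "pass", "mail.example.com"),
    ]
    for label, *args in cases:
        print("%-40s -> %s" % (label, evaluate_dmarc(SAMPLE_RECORD, *args)))
```

Note the last case: with adkim=s a signature from mail.example.com no longer aligns with a From address at example.com, which is why many deployments stay on relaxed alignment until every legitimate mail stream has been inventoried in the aggregate reports.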
Enter Mailsploit
On December 5, 2017, security researcher Sabri Haddouche disclosed Mailsploit, a way to spoof the displayed sender address despite DMARC by exploiting vulnerabilities in most major email clients.
Here’s how Mailsploit works: email headers are supposed to contain only ASCII characters, but RFC 1342, published in 1992, defines a way to encode non-ASCII characters in headers, including the “From” header. Haddouche found that most email clients don’t properly sanitize the header strings after decoding them.
Here’s how Haddouche describes exploiting the RFC 1342 implementations in many email clients:
“Here is what it looks like:
=?utf-8?b?[BASE-64]?=
=?utf-8?Q?[QUOTED-PRINTABLE]?=
Either base64 or the quoted printable representation can be used.
Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email, allowing us to replace it. Here is why:
· iOS is vulnerable to null-byte injection
· macOS is vulnerable to “email(name)” injection
Mixing both of them turns out to work perfectly on both OSs:
From: =?utf-8?b?${base64_encode('potus@whitehouse.gov')}?==?utf-8?Q?=00?==?utf-8?b?${base64_encode('(potus@whitehouse.gov)')}?=@mailsploit.com
Which becomes:
From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com
Which, once decoded by Mail.app, becomes:
From: potus@whitehouse.gov\0(potus@whitehouse.gov)@mailsploit.com
Using this payload, both macOS and iOS will show that the email comes from potus@whitehouse.gov and not …@mailsploit.com.”
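The defender’s side of the same quirk, as an added example (not Haddouche’s code and not from the original post): a Python check that decodes the encoded-words in a From header with the standard library, compares the domain a naive client would display with the domain the message was actually authenticated for, and flags control characters in the decoded text. The first test header is rebuilt from the payload template quoted above, using the proper base64 of the parenthesized address; the second is an ordinary non-ASCII display name that must not be flagged. Cutting the displayed text at a NUL, newline or “(” models the two client behaviours described in the quote and is an assumption of this example.

```python
import base64
import email.header
import re

CONTROL_CHARS = ("\x00", "\r", "\n")


def b64_word(text: str) -> str:
    """Wrap text as an RFC 1342 / RFC 2047 base64 encoded-word."""
    return "=?utf-8?b?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


# Constructed test inputs. The first reproduces the shape of the payload quoted
# above (mailsploit.com is the domain that actually sent it); the second is an
# ordinary non-ASCII display name that must NOT be flagged.
MAILSPLOIT_STYLE_FROM = (
    b64_word("potus@whitehouse.gov")
    + "=?utf-8?Q?=00?="                  # NUL byte, quoted-printable encoded
    + b64_word("(potus@whitehouse.gov)")
    + "@mailsploit.com"
)
BENIGN_FROM = "=?utf-8?b?Sm9zw6k=?= <jose@example.com>"  # "José <jose@example.com>"


def decode_encoded_words(raw_header: str) -> str:
    """Decode every encoded-word in a header, as a client would, into one string."""
    pieces = []
    for chunk, charset in email.header.decode_header(raw_header):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(chunk)
    return "".join(pieces)


def domain_of(addr_text: str) -> str:
    """Domain part of an address written either bare or as 'Name <addr>'."""
    addr_text = addr_text.strip()
    if "<" in addr_text and addr_text.endswith(">"):
        addr_text = addr_text[addr_text.rfind("<") + 1:-1]
    return addr_text.rpartition("@")[2].strip().lower()


def inspect_from_header(raw_header: str) -> dict:
    """Compare the domain DMARC authenticated (the raw addr-spec, which the MTA
    never decodes) with the domain a buggy client would display after decoding,
    and list the discrepancies."""
    decoded = decode_encoded_words(raw_header)
    authenticated_domain = domain_of(raw_header)
    # A client that truncates at a NUL/newline, or treats '(' as the start of a
    # comment, shows only the text before it; model that cut (assumption).
    visible = re.split(r"[\x00\r\n(]", decoded, maxsplit=1)[0]
    visible_domain = domain_of(visible)
    findings = []
    if any(c in decoded for c in CONTROL_CHARS):
        findings.append("control character inside decoded From header")
    if visible_domain and visible_domain != authenticated_domain:
        findings.append(
            "displayed domain %r differs from authenticated domain %r"
            % (visible_domain, authenticated_domain)
        )
    return {
        "decoded": decoded,
        "visible_domain": visible_domain,
        "authenticated_domain": authenticated_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, header in (("mailsploit-style", MAILSPLOIT_STYLE_FROM), ("benign", BENIGN_FROM)):
        result = inspect_from_header(header)
        print(label, "->", result["findings"] or "no findings")
```

The point of the comparison is that DMARC did its job here: the message was authenticated for mailsploit.com, and a gateway that applies this check to the decoded header can quarantine or rewrite the message before a client renders the spoofed address.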
Hopefully companies like Apple and Microsoft are working on patching those vulnerabilities in their email clients as I write this! We’ll see.
Phishing is on the Rise
Addressing these sorts of vulnerabilities is very important, because Mimecast finds that email phishing is on the rise. They recently released their latest Email Security Risk Assessment (ESRA) report.
Mimecast analyzed nearly 56 million emails. 12 million of those emails were spam, 11,590 carried harmful files or malware, and 18,971 were confirmed email impersonation attacks. Email impersonation attacks increased about 50% compared with the previous quarter’s ESRA, which is quite shocking.
I hope the findings of companies like Mimecast and security researchers like Sabri Haddouche compel developers to make email servers and clients more secure, and act as a warning to users to up their game where security practices are concerned.