Email is a hacker’s best friend!
Some of us use a handful of different mail clients across home, work and mobile devices. Counting the different product versions still in use, there are almost 100 mainstream mail clients that might be in play. So it is not surprising that a security researcher recently found over 30 mail clients vulnerable to an attack he dubbed Mailsploit. The trick abuses the encoded-word mechanism (RFC 1342, now RFC 2047) that lets a header carry non-ASCII text: a From header whose encoded words decode to a spoofed address followed by null bytes or line breaks is shown by the client as coming from the spoofed sender, while anti-spoofing checks such as DMARC pass because they see the real sending domain. In certain lesser-known clients the same trick also allowed code injection.
This is why it is so important that users who pick a mail client for its features or their personal taste recognize that they can be spoofed, and that choosing a value-added mail client or app means accepting risk. Outlook, Outlook Web Access and Gmail do not carry the Mailsploit risk, but the client list shared by the researcher also names the clients and apps that can be exploited, and some of them are very mainstream clients installed on millions of devices. Most of us think very little about our mail client from day to day. As an example, many Outlook users believe they can simply recall a message with the Recall function. They have no idea that recall depends on the Exchange store, that the recipients also have to be using Outlook, and that the message must still be unread; so many messages thought to be recalled are never really recalled. How could a user be expected to understand what happens when an email header is decoded?
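The header trick described above is easy to check for on a gateway or in a client. The following is an added example for this post, not code from the article or from the Mailsploit research: it decodes the encoded-words in a From header the way a client would and then refuses to trust a display name that decodes to control characters (a null byte or line break) or that shows an address different from the real addr-spec. The last sample applies the same check to a plain display-name spoof with no encoding trick at all. All headers are constructed samples and the domains are placeholders.

```python
"""Check a From: header for RFC 2047 encoded-word abuse.

Added example, not code from the article or from the Mailsploit research.
The headers in SAMPLES are constructed for this demo; the domains are
placeholders.
"""
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# A decoded display name must never contain these; a NUL or line break is
# the sign that an encoded-word is being used to hide part of the name.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def encoded_word(text, charset="utf-8"):
    """Build a base64 RFC 2047 encoded-word; used here only to make samples."""
    b64 = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{b64}?="


def decode_words(raw):
    """Decode every encoded-word in a header phrase, as a mail client would."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def analyze_from(header):
    """Return the real addr-spec, the decoded display name and any red flags."""
    display, addr = parseaddr(header)
    decoded = decode_words(display)
    flags = []
    bad = sorted({"\\x%02x" % ord(c) for c in decoded if c in CONTROL_CHARS})
    if bad:
        flags.append("control characters in decoded display name: " + ",".join(bad))
    # An address-like display name that differs from the addr-spec is a spoof,
    # whether or not encoding was used to smuggle it in.
    for shown in ADDR_RE.findall(decoded):
        if shown.lower() != addr.lower():
            flags.append(f"display name shows {shown} but the message is from {addr}")
    return {"addr": addr, "display": decoded, "flags": flags}


# Constructed samples with placeholder domains.
SAMPLES = {
    "legit_plain": "Alice Example <alice@example.com>",
    "legit_encoded": encoded_word("Renée Dupont") + " <renee@example.com>",
    # Display name decodes to "ceo@example.com", a NUL byte, then more text.
    "null_byte": encoded_word("ceo@example.com\x00 Mallory") + " <mallory@attacker.example>",
    "plain_spoof": '"alice@example.com" <bob@attacker.example>',
}


def scan(samples=SAMPLES):
    """Map each sample name to the list of flags raised for it."""
    return {name: analyze_from(h)["flags"] for name, h in samples.items()}


if __name__ == "__main__":
    for name, flags in scan().items():
        print(f"{name}: {'OK' if not flags else '; '.join(flags)}")
```

The decode step is the important one: a client that checks the raw header sees only harmless base64, so the check has to run on what the user will actually be shown.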
Not only is email a hacker’s best friend, at phishing time it is a very loyal companion!
Phishing has overtaken brute force as the preferred way to harvest credentials. The sophistication with which some phishing attacks impersonate legitimate sites is astonishing. Now that most up-to-date browsers flag sites that do not use HTTPS as “Not secure”, phishers have been moving their attack servers to hosts with valid TLS certificates. PhishLabs reports that a quarter of all attacks now link to an HTTPS site with a valid certificate, which the browser shows as secure (the green lock and “Secure” label in Chrome). What compounds the problem is that the phishers also make sure the certificated site’s URL looks legitimate at a glance; the padlock only says the connection is encrypted, not who is on the other end of it.
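To make the “looks legitimate at a glance” point concrete, here is an added example for this post, not code from the article or from PhishLabs. It inspects a URL the way a phishing-aware reader should: the only part that identifies who runs the site is the registrable domain, the label just left of the public suffix, while a brand name in a subdomain, in the path, or in the userinfo before an “@” can be chosen by anyone. PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List, EXPECTED is an assumed allowlist, and every URL is a constructed sample with placeholder domains.

```python
"""Inspect phishing-style URLs: which part of the URL names the site operator?

Added example, not code from the article or from PhishLabs.  PUBLIC_SUFFIXES
is a constructed stand-in for the Public Suffix List (use the full list in
production), EXPECTED is an assumed allowlist, and SAMPLES are constructed
URLs with placeholder domains.
"""
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}          # constructed stand-in
EXPECTED = {"examplebank": {"examplebank.com", "examplebank.co.uk"}}  # assumed allowlist


def registrable_domain(host):
    """Return the registrable domain of host: one label left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is a public suffix, so labels[i-1] is the registrant's label
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def assess(url, brand):
    """Decide whether url really belongs to brand, and explain why not."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname drops any userinfo before '@'
    site = registrable_domain(host)
    reasons = []
    if parts.username is not None:
        reasons.append(f"userinfo '{parts.username}' before '@'; the real host is {host}")
    if site not in EXPECTED[brand]:
        if brand in url.lower():
            reasons.append(f"'{brand}' appears in the URL but the site is {site}")
        else:
            reasons.append(f"site is {site}, not an expected {brand} domain")
    return {
        "https": parts.scheme == "https",   # true for every sample, and proves nothing
        "host": host,
        "site": site,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: one genuine URL and three lookalikes, all over HTTPS.
SAMPLES = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.account-verify.example/login",   # brand in a subdomain
    "https://examplebank.com@secure-login.example/login",     # brand in userinfo
    "https://secure-login.example/examplebank.com/signin",    # brand in the path
]


def triage(urls=SAMPLES, brand="examplebank"):
    """Assess each URL against the expected domains for brand."""
    return [assess(u, brand) for u in urls]


if __name__ == "__main__":
    for u, r in zip(SAMPLES, triage()):
        verdict = "OK" if not r["suspicious"] else "; ".join(r["reasons"])
        print(f"{u}\n  site={r['site']} https={r['https']} -> {verdict}")
```

Every sample reports https=True, which is exactly the point: the certificate is valid for the attacker’s own domain, so the padlock cannot tell the lookalikes from the genuine site.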
As a point of education, go to PhishTank and, if you have an hour, page through all the phishing sites reported in a single hour. It may take you an hour to get through one hour of reports; the volume is staggering. Click a few whose names look interesting; PhishTank gives you a safe framed look at them, so you can see how legitimate the phishers’ credential-capture screens appear. Many security firms have pointed out that phishing training is most effective when users are sent test emails that measure whether they click the link in a potential phish. An unannounced pseudo-phish prepared by IT, used to spot the users who need training, is worth a dozen abstract warnings. When it comes to changing phishing behaviour, training that lets users learn by doing has been measured as far more effective than a “be aware …” email.
Twentieth-century folks used to worry about their snail mail being stolen, losing a paycheck or having their accounts compromised; in the 21st century the worry is that you might click the email link that compromises your life!
So as we get those New Year’s emails from old acquaintances, hopefully not forgotten, or what looks like a Facebook reminder about a holiday-party photo you are tagged in, we really need to know what we are clicking on. Or better yet, your Security Team hopes you enjoy the holidays with as little clicking on work email as absolutely necessary!