“Even users who are pretty savvy are going to look at the indicators that Gmail or Hotmail or others provide and be fooled,” Paxson says. Think about when you hand a friend a birthday card at their party. You probably only write their first name on the outside of the envelope, and maybe underline it or draw a heart. If you mail that letter instead, though, you need the recipient’s full name and detailed address, a stamp, and ultimately a postmark with a date on it. Sending email across the internet works similarly. Though email services only require you to fill out the “To” and “Subject” fields, there’s a whole list of more detailed information getting filled out behind the scenes. Those industry-standard “headers,” as they’re known, include date and time sent and received, language, a unique identifier called a Message-ID, and routing information.
At the Black Hat security conference on Thursday, researchers will present “darn subtle” flaws in industry-wide protections used to ensure that emails come from the address they claim to. From a report: The study looked at the big three protocols used in email sender authentication — Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) — and found 18 instances of what the researchers call “evasion exploits.” The vulnerabilities don’t stem from the protocols themselves, but from how different email services and client applications implement them. Attackers could use these loopholes to make spearphishing attacks even harder to detect. “I think I’m a savvy, educated user and the reality is, no, that’s actually not enough,” says Vern Paxson, cofounder of the network traffic analysis firm Corelight and a researcher at the University of California, Berkeley, who worked on the study along with Jianjun Chen, a postdoctoral researcher at the International Computer Science Institute, and Jian Jiang, senior director of engineering at Shape Security.