Scammers Sending Emails from Spoofed Authoritative Domains Via Forwarding Flaws

The integrity of emails sent from thousands upon thousands of domains can easily be compromised, researchers said. File photo: Fatmawati Achmad Zaenuri, Shutter Stock, licensed.

LA JOLLA, CA – According to research conducted by the University of California San Diego, due to flaws inherent in the process of forwarding emails, the ability for scammers and attackers to send unsuspecting victims e-mails from the spoofed addresses of top-level government or corporate domains is actually much easier than many experts were initially suspecting, opening up disturbingly new and effective avenues for online fraud.

The integrity of emails sent from thousands upon thousands of domains can easily be compromised, researchers said, up to and including U.S. cabinet e-mail domains – for example, state.gov – and national security agencies. In addition, corporate and financial entities – such as Mastercard – and numerous news agencies – such as The Washington Post and The Associated Press – are also vulnerable to this issue.

Known as forwarding-based spoofing, it allows scammers to bypass safeguards put in place by e-mail providers such as Gmail, iCloud, and Outlook and send messages impersonating official organizations. When a victim sees an e-mail that looks like an important message from a legitimate source, they are more likely to open it and click on attachments or links that may unleash malware or spyware upon their computer.

#Dontmiss #News #bugbounty #cybersecurity #email Email forwarding flaws enable attackers to impersonate high-profile domains https://t.co/izXxkkzvwb

— The Cyber Security Hub (@TheCyberSecHub) September 11, 2023

Forwarding-based spoofing arises from several vulnerabilities associated with forwarding emails, especially for organizations that outsource their e-mail infrastructure to third parties such as Gmail and Outlook. The main issue lies in the assumption that these organizations are operating their respective mailing infrastructure by utilizing specific IP addresses not associated with other domains. But when these organizations outsource their infrastructure to third-party e-mail providers, the ability exists to bypass the validation process of their domains by utilizing e-mail forwarding.

An attacker could create a spoofed e-mail with a state.gov domain address, taking advantage of the fact that the Department of State sends their emails through Outlook; as a result, any e-mail claiming to be from state.gov would be validated if it was sent through Outlook’s e-mail servers.

The researchers noted that they have reported the issue to Microsoft, Apple and Google, who are all said to be investigating and actively working on potential fixes.