As cyberattacks grow more sophisticated, ways to identify and thwart them are becoming increasingly necessary.
A new study from Virginia Tech determined exactly how capable email providers are at combating phishing attacks, a type of scam in which cyberthieves attempt to steal personal information or install malicious software via email.
The threat of phishing
Phishing attacks have existed since the inception of email. Typically, they use a disguised email to trick victims into handing over sensitive information, such as credit card numbers or other identifying details.
Phishing attacks are one of the most common email scams, accounting for nearly half of the more than 2,000 security breaches reported by Verizon in the last two years. This includes attacks on individuals, generally extracting personal financial information, as well as attacks on businesses, which can lead to major data breaches within the company.
These attacks, whether targeting individuals or corporations, can be very costly, accounting for the leakage of billions of records and costing millions of dollars.
Phishing attacks have gradually become more sophisticated. Attackers can place a trusted address, such as that of a friend, a co-worker, or a familiar business, in the sender field of a forged email. This is referred to as "spoofing," and it is one of the most dangerous kinds of attack.
Spoofing attacks are particularly dangerous because the email system as originally designed has no built-in mechanism to prevent them: SMTP does not check that the sender address on a message belongs to whoever sent it.
“The SMTP system we are using today was designed without security in mind,” Gang Wang, an assistant professor of computer science in Virginia Tech’s College of Engineering, said in a statement. “That’s something that has plagued the system since its inception.”
There have been attempts to build a more secure email system on top of SMTP through extensions, including SPF (Sender Policy Framework), which lets a domain publish in DNS which servers may send mail on its behalf; DKIM (DomainKeys Identified Mail), which lets the sending domain cryptographically sign messages; and DMARC (Domain-based Message Authentication, Reporting and Conformance), which ties SPF and DKIM results to the visible From address and tells receivers what to do when neither check passes. Together they let the receiving provider authenticate the sender and flag messages that fail.
While a number of email providers have taken steps to secure their domains, an analysis by the Virginia Tech researchers found that, of the top 1 million domains, only 45 percent publish SPF and 5 percent publish DMARC, suggesting that domain owners and email providers still have a long way to go to protect users.
The study
Wang, along with Hang Hu, a doctoral student at Virginia Tech, sought to find out exactly how vulnerable email users were across different providers.
To do so, they staged end-to-end spoofing experiments on popular email providers. This involved creating user accounts on 35 providers, including Gmail, iCloud, and Outlook. These accounts modeled the receiver, or the victim, in their experiments.
They then used an experimental server to send forged emails with fake sender addresses to these accounts. In theory, if the spoofed domain publishes valid SPF, DKIM or DMARC records, the receiving provider can detect that the message is forged.
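The receiver-side check described above, as an added example that is not the study's code or any provider's: it models what a receiving MTA does once it has an SPF verdict, a DKIM verdict, and the DMARC record of the spoofed From domain. The DNS zone, domain names and message outcomes are constructed for illustration, and the organizational-domain rule (last two labels) is a simplifying assumption; real MTAs use the Public Suffix List.

```python
"""Receiver-side DMARC evaluation for a forged message (added example).

Assumptions, all constructed for this illustration:
  * the receiving MTA has already computed the SPF and DKIM verdicts;
  * DNS is an in-memory dict instead of real TXT lookups;
  * the organizational domain is approximated by the last two labels.
"""
from typing import Dict, Optional, Tuple

# Constructed DNS zone data: what a receiver would get back from TXT lookups.
DNS_TXT: Dict[str, str] = {
    "_dmarc.bank.example":    "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
    "_dmarc.shop.example":    "v=DMARC1; p=quarantine; sp=none",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
    # nopolicy.example publishes SPF only and has no _dmarc record at all.
    "nopolicy.example":       "v=spf1 ip4:192.0.2.0/24 -all",
}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; {} if it is not a usable DMARC record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must start with v=DMARC1 and carry a p= policy.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return {}
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: last two labels. Production code must use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_dmarc(from_domain: str) -> Tuple[Dict[str, str], bool]:
    """Return (tags, looked_up_at_org_domain). Falls back to the org domain as RFC 7489 6.6.3 does."""
    record = DNS_TXT.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_dmarc_record(record), False
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        record = DNS_TXT.get(f"_dmarc.{org}")
        if record:
            return parse_dmarc_record(record), True
    return {}, False


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Receiver's decision: 'pass', 'none', 'quarantine', 'reject', or 'no-policy'.

    'no-policy' is the case the study highlights: the spoofed domain publishes no
    DMARC record, so the receiver has nothing telling it to act on the failure.
    """
    tags, used_org = lookup_dmarc(from_domain)
    if not tags:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain covered only by the org-domain record uses 'sp' when present.
    policy = tags.get("sp", tags["p"]) if used_org else tags["p"]
    # 'pct' sampling is omitted for determinism; it would apply the next-weaker policy to a fraction.
    return policy.lower()


def forged_message_outcomes() -> Dict[str, str]:
    """Model the study's forged mail: spoofed From, SPF fails for the attacker's host, no DKIM."""
    outcomes = {}
    for spoofed in ("bank.example", "shop.example", "sub.shop.example",
                    "monitor.example", "nopolicy.example"):
        outcomes[spoofed] = dmarc_disposition(spoofed, "fail", "attacker.example", "none", None)
    return outcomes


if __name__ == "__main__":
    for domain, verdict in forged_message_outcomes().items():
        print(f"{domain:22} -> {verdict}")
```

Only bank.example, with p=reject, actually stops the forgery; the p=none domain and the domain with no DMARC record at all leave the decision to the receiver's spam filter, which is the gap the study measured. The strict aspf=s on bank.example also shows why alignment mode matters: SPF passing for mail.bank.example does not authenticate a From of bank.example under strict alignment.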
Because message content affects how spam filters handle an email, the researchers sent five kinds of content: a blank email; a blank email with a benign URL; a blank email with a benign attachment; a benign email with real content; and a phishing email impersonating technical support that directs the user to a URL.
In doing so, the researchers sought to minimize the impact that spam filtering had on their results.
Through these experiments, the researchers found that email providers did not provide very effective safeguards against spoofed emails.
“Our experiment results show that forged emails have a good chance to bypass email providers and arrive in the user inbox,” said Wang. “For example, out of the 35 email services we tested, 34 of them would deliver at least one forged email to the user inbox (including popular email services such as Gmail, Yahoo Mail, iCloud). If we spoof an ‘existing contact’ of the email receiver, then all 35 email services can be penetrated.”
The results also showed that 30 services allowed at least one phishing email to get into the inbox.
In many cases, emails that failed authentication were still delivered to the users.
This occurred even on email providers with more extensive security protocols such as Gmail and iCloud. Furthermore, only six email services — Gmail, Protonmail, Naver, Mail.ru, 163.com, and 126.com — displayed a security warning on forged emails.
To test the effectiveness of security cues, the researchers also conducted two user studies with real participants.
In the first study, participants took part in a role-playing experiment where they were presented with a spoofed email and asked how they would respond to this email.
In the second study, participants were sent phishing emails at their actual email addresses. For the next 20 days, the researchers monitored how they responded.
The researchers found that users who received the email with a security indicator clicked the link at a rate of 17.9 percent. Without a security cue, the click-through rate was 26.1 percent.
Among those who opened the email, the click-through rate rose to 37.2 percent for those who received a cue and 48.9 percent for those who did not.
Takeaways
Wang suggested that the study’s results demonstrate that email providers have a long way to go to provide full security for their users.
“The reason is that not all the internet hosts have adopted SPF, DKIM or DMARC,” he said. “If the email provider cannot verify the sender of an email, unless the email has a clear malicious signal, the email provider tends to prioritize email delivery. As a result, forged emails have a chance to get into the inbox.”
He added that, to provide the best protection for users, email providers should adopt these protective SMTP extensions and mark emails with unverified sender addresses with security indicators. He also said they should improve mobile email apps so that users can see the security information for a message.
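One way a mail client could derive such an indicator, as an added example that is neither the study's code nor any provider's: it reads the Authentication-Results header the receiving MTA attached (RFC 8601) and maps the verdicts to a display state. The headers and the authserv-id `mx.receiver.example` are constructed for this illustration. The caveat the example enforces is that only headers carrying the receiver's own authserv-id count, and the MTA must strip any inbound header that claims that id, because a sender can otherwise inject a header saying `dmarc=pass`.

```python
"""Map Authentication-Results verdicts to a security indicator (added example).

Assumptions, constructed for this illustration: the receiving MTA signs its
verdicts with the authserv-id 'mx.receiver.example' and strips any inbound
Authentication-Results header that already claims that id before adding its own.
"""
import re
from typing import Dict, List

TRUSTED_AUTHSERV_ID = "mx.receiver.example"  # assumption: the receiver's own id

# method=result pairs, e.g. "spf=fail", "dmarc=pass"; property values such as
# header.from=bank.example do not match because they are not one of the three methods.
_METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)


def parse_authentication_results(headers: List[str]) -> Dict[str, str]:
    """Collect spf/dkim/dmarc verdicts, but only from headers written by the trusted authserv-id."""
    verdicts: Dict[str, str] = {}
    for raw in headers:
        name, _, value = raw.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        # RFC 8601 2.2: the authserv-id is the first token, before the first ';'.
        authserv_id = value.strip().split(";", 1)[0].split()[0]
        if authserv_id.lower() != TRUSTED_AUTHSERV_ID:
            continue  # written by another host, or injected by the sender: ignore it
        for method, result in _METHOD_RE.findall(value):
            verdicts.setdefault(method.lower(), result.lower())  # first trusted verdict wins
    return verdicts


def security_indicator(verdicts: Dict[str, str]) -> str:
    """'verified' only when DMARC passes; 'failed' when it fails; otherwise 'unverified'.

    SPF or DKIM passing on its own is not enough: without DMARC alignment neither
    result is tied to the From address the user actually sees.
    """
    dmarc = verdicts.get("dmarc")
    if dmarc == "pass":
        return "verified"
    if dmarc == "fail":
        return "failed"
    return "unverified"


def indicator_for_message(headers: List[str]) -> str:
    return security_indicator(parse_authentication_results(headers))


# Constructed sample headers for three messages.
LEGITIMATE = [
    "From: alerts@bank.example",
    "Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=bank.example;"
    " dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example",
]
FORGED = [
    "From: alerts@bank.example",
    "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bank.example;"
    " dkim=none; dmarc=fail (p=reject) header.from=bank.example",
]
NO_POLICY_WITH_INJECTED_HEADER = [
    "From: support@nopolicy.example",
    # Added by the attacker's own relay: a different authserv-id, so it is ignored.
    "Authentication-Results: mx.attacker.example; dmarc=pass header.from=nopolicy.example",
    "Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=nopolicy.example;"
    " dkim=none; dmarc=none header.from=nopolicy.example",
]

if __name__ == "__main__":
    for label, msg in (("legitimate", LEGITIMATE), ("forged", FORGED),
                       ("no policy + injected header", NO_POLICY_WITH_INJECTED_HEADER)):
        print(f"{label:28} -> {indicator_for_message(msg)}")
```

The third message is the case Wang describes: the spoofed domain publishes no DMARC policy, so the provider cannot verify the sender and the client should show the "unverified" state rather than treating the message as trusted.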
For users, Wang has two pieces of advice.
First, “Be skeptical, particularly, do not trust the sender address of the emails.”
Second, “For important emails (e.g., sharing important information, making big payments), use additional channels to confirm with the sender (e.g., making a phone call).”
Moving forward, Wang intends to study how to design effective security indicators that inform users about unverified emails. He also intends to explore using machine learning to give users targeted security advice based on the context of a specific email.