Email-Forwarding Flaw Abused by Scammers


Sending email from a forged sender address is now easier than ever because of flaws in how email forwarding is handled, according to a research team at the University of California San Diego.

The researchers uncovered issues affecting high-profile US organizations, including government agencies, financial services firms, and news organizations.

According to Techxplore, the weakness is called forwarding-based spoofing, and it enables malicious actors to impersonate these organizations while bypassing the safeguards deployed by email providers. Recipients are very likely to trust the apparent source and open any malware attached to the message.

Nowadays, many organizations outsource their email infrastructure to Gmail and Outlook, so thousands of domains have delegated the right to send email on their behalf to the same third party. Protections exist to limit who may send for a domain, but they can be bypassed by email forwarding.

Having reported all of the vulnerabilities and attacks to the providers, the researchers say that Zoho, Microsoft, Gmail, and iCloud have responded and are working on fixes.

Nevertheless, the researchers recommend disabling “open forwarding”, the practice of letting users configure their account to forward messages to any designated email address without the destination address having to confirm it.

Other recommendations address the “relaxed validation policy”, the assumption that email arriving from another major provider is legitimate, and suggest that mailing lists request confirmation from the true sender address before delivering email.
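As an added illustration of the two recommendations above (not code from the researchers or from any provider), here is a deliberately simplified Python model of a receiving server's accept/reject decision: a "relaxed validation" policy that trusts anything delivered by a major provider, beside an alignment check that requires the visible From: domain to be the domain that was actually authenticated, plus a forwarding rule that only accepts confirmed destinations. The provider list, the message fields and the sample domains are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed, simplified model of a receiving mail server's accept/reject
# decision. It is not any provider's real logic; it only contrasts the
# "relaxed validation policy" from the article with an alignment check,
# and shows a forwarding setup that requires destination confirmation.

MAJOR_PROVIDERS = {"gmail.com", "outlook.com"}  # assumed trusted-provider list


@dataclass
class InboundMessage:
    from_domain: str            # domain shown in the visible From: header
    authenticated_domain: str   # domain the delivering hop proved it may send for
    last_hop_provider: str      # provider whose servers handed us the message


def relaxed_policy(msg: InboundMessage) -> bool:
    """Relaxed validation: accept anything handed over by a major provider."""
    return msg.last_hop_provider in MAJOR_PROVIDERS


def strict_policy(msg: InboundMessage) -> bool:
    """Alignment check: the visible From: domain must be the one that was
    actually authenticated, regardless of which provider delivered it."""
    return msg.from_domain == msg.authenticated_domain


def decide(msg: InboundMessage, policy) -> str:
    return "accept" if policy(msg) else "reject"


def forwarding_allowed(destination: str, confirmed_destinations: set) -> bool:
    """Closed forwarding: a rule may only target an address whose owner has
    confirmed it (the opposite of the "open forwarding" the article warns about)."""
    return destination in confirmed_destinations


# Constructed samples: a direct message, and one that reached us through a
# forwarding account at a major provider while keeping the original From: header.
DIRECT = InboundMessage("bank.example", "bank.example", "gmail.com")
FORWARDED = InboundMessage("bank.example", "fwd-account.example", "gmail.com")

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("forwarded", FORWARDED)):
        print(name, "relaxed:", decide(msg, relaxed_policy),
              "strict:", decide(msg, strict_policy))
    print("forward to unconfirmed:", forwarding_allowed("x@other.example", {"me@home.example"}))
```

The forwarded sample is accepted under the relaxed policy and rejected under the alignment check, which is the gap the researchers describe.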

The researchers conclude that a more fundamental approach would be to standardize the various aspects of forwarding, but note that such changes would require system-wide cooperation and would likely run into many operational issues.

“One fundamental issue is that email security protocols are distributed, optional and independently configured components,” the researchers write. “This creates a large and complex attack surface with many possible interactions that cannot be easily anticipated or administrated by any single party.”

The research is published on the arXiv preprint server.