In a new email scam that looks familiar, often sent by a friend, it’s possible that the email has been sent by someone else in an attempt to compromise your system.
A security researcher has discovered a collection of vulnerabilities in more than 30 popular email client applications that could allow anyone to send spoofed emails bypassing anti-spoofing mechanisms.
Discovered by security researcher Sabri Haddouche, the set of vulnerabilities, dubbed MailSploit, affects Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others. Although most of these affected email client applications have implemented anti-spoofing mechanisms, such as DKIM and DMARC, MailSploit takes advantage of the way email clients and web interfaces parse “From” header.
Email spoofing is an old-school technique, but it works well, allowing someone to modify email headers and send an email with the forged sender address to trick recipients into believing they are receiving that email from a specific person. In a dedicated website went up today, Haddouche explained how the lack of input sanitization implemented by vulnerable email clients could lead to email spoofing attack—without actually exploiting any flaw in DMARC.
To demonstrate this attack, Haddouche created a payload by encoding non-ASCII characters inside the email headers, successfully sending a spoofed email from an official address belonging to President of the United States.
“Using a combination of control characters such as newlines or null-byte, it can result in hiding or removing the domain part of the original email,” Haddouche says in his blog post.
Read the full story over at The Hacker News.
This story was summarized by Canadian Fraud News Inc.
Marina Burghard writes for Canadian Fraud News about fraud-related cases, whistleblower, jurisdiction, identity theft, consumer protection, etc. – essentially about scams and how to protect yourself against this kind of fraudulent criminal behavior. She holds a Master’s degree in Political Science where her interest in criminology grew. Besides fraud, Marina’s scientific interest lies in terrorism, extremism and how to deal with it as a society.