Edit: 挨 kick sister
Image: worm creative
Source: IT Times
“Hi, I am Tim Cook, you are selected as Apple's Koi, click on the link below, Apple will send you an iPhone XS"; Dear users, Marriott International is taking steps to investigate and process bookings involving Starwood guests For database security incidents, please log in to the following address to modify your information ”, “××, Hello, just someone is using your Apple ID, I suggest you go to ⋯⋯ change your password & rdquo;“× ×, the last time the contract has been signed, please remit 100,000 yuan to this account these mails have recently appeared in the reporter's mailbox, of course, they are fake, even though the addresses and true of these mailboxes The same.
Recently, a white hat team broke the news to the "IT Times" reporter. At present, there is a loophole in the mail server of the global mainstream e-mail. The hacker can directly forge an official mail to the user without having to break into the server. The content is usually fishing. Website or Trojan virus.
Different from the previous mail scams, the address of the fake mail is the same as the real address, and the user can't distinguish the authenticity at all. According to tests, Apple, Marriott, Gmail, Tencent QQ mailbox, NetEase 163 mailbox, 139 mobile phone mailbox, and other domestic and foreign mainstream mail servers all in the middle, at least hundreds of millions of users have mailboxes with security risks.
Pro test: 2 minutes to make a "Boss mail" & rdquo;
On December 3, White Hat Jinke (a pseudonym) gave a demonstration to the reporter: In a box with only a palm-sized size, it encapsulated a set of “hackers” programs. Through this software, Jinke can write one at will. Seal the message and set its email address, then send it to the specified mailbox.
After 2 minutes, the reporter's mobile phone QQ mailbox received an email from the boss. The address of the email is exactly the same as the real address, and the suffix is @it-times.com.cn. Subsequently, the reporter's mailbox has received emails from email@example.com, firstname.lastname@example.org and other mailboxes to change the password, and even a photo of the koi mail sent by Cook (email@example.com). . Of course, these are all from Jinke.
In the tests conducted by Jinke, almost all the domestic and foreign mainstream mailboxes have the same vulnerabilities. Whether it is a free mailbox like Gmail, QQ, 163, 139, or a corporate public mailbox of companies such as Apple and Marriott, almost all of them can be used. Being counterfeited, and the greater risk is that for these fake emails, the recipient mailbox is difficult to identify.
“The mobile mail client is especially the hardest hit area,” Jinke told reporters that some webpages of emails will have a hint for these fake emails: by ×××@×××.com However, the displayed proxy address can also be set in advance, and the inbox of the mobile app does not have any prompt. In the recipient's opinion, this is a normal email from the official.
Reason: mail server & ldquo; lazy & rdquo;
“If security measures are not properly configured, they will become new vulnerabilities. & rdquo; Jin Ke told reporters that a few months ago, this new type of mail scam was gradually emerging in foreign countries. The root cause was the DMARC protocol originally used for mail security. Because the service provider misconfigured, not only the anti-phishing function was completely invalid, other Almost all precautions to protect recipients from fraudulent email, such as spam filters, IP reputation queries, SPF, and DKIM policies, no longer work.
DMARC (Domain-based Message Authentication, Reporting and Conformance domain-based message authentication, reporting and consistency) is a new e-mail security protocol promoted by Paypal, Google, Microsoft, Yahoo, ReturnPath, etc. on January 30, 2012. Since then, China's Netease, QQ and other mailbox service providers have also joined.
The underlying principle of DMARC is to allow domain owners to publish a policy that tells the recipient what to do if the message does not pass security verification.
For example, when the recipient receives a suspicious email, it sends a signal to the sender requesting a DMARC check. It will ask the real sender, “ I received a suspicious email, please ask me. How to deal with it? & rdquo; DMARC protocol, how to reply to the recipient has been clearly stated, the processing method from light to heavy: none for no processing; quarantine for marking the message as spam; reject is to reject the message. The initial recommendation of the DMARC protocol is set to none, but security companies generally recommend that you set at least quarantine, which is safe and should be rejected directly.
That is to say, those spoofed mailbox servers, despite setting the DMARC check, have not modified the initial state. When the inbox "callback" asks if the received mail is safe, these are counterfeit. The sending server directly replies to "do not process", which is the default security. Convenient collection naturally puts fake mail into the inbox, and no longer uses other spam tools to filter. This process is a bit like the popular “replacement software”, the scammer uses “replacement software” Display your own network IP phone as a phone number such as 110 or 95588 to gain the trust of the recipient. The best way for the recipient to identify is to hang up and call back. But the DMARC checksum "none" setting is like you call 110, ask me just received a phone that is suspected of counterfeit 110, what should I do? The other party tells you that you don't have to deal with it, the default is just fine.
Of course, if you don't do DMARC check, the risk is even greater, because the attacker can use the normal envelope address to send the mail, but modify the letterhead address, so that the mail server of the recipient is only checking if it does not do DMARC. The envelope address, without checking the sender's address of the letterhead, makes it easy for fake messages to go directly to the inbox.
In Jinke's test, I found that both Gmail and QQ mailboxes do Dmarc, but p=none, 163 mailboxes and 139 mailboxes do not do Dmarc. He tried to spoof the sender from these domain names, and eventually the phishing message would go to the recipient's inbox.
The reason for this setting, Jinke analysis, one may be the security staff of these companies "lazy", on the other hand, may also be worried that their marketing emails are also rejected by the recipient, so simply give all inquiries “Open the green light”.
Hazard: Precision fishing & ldquo;Whales”
“ The biggest danger of this renamed email is that users can't tell. & rdquo; Zhang Wei, deputy director of the Shanghai Information Security Industry Association expert committee told the "IT Times" reporter, hackers use "rename the software" scams usually have two means: one is a one-time attack, the purpose is to defraud you click, Implanted Trojans; there is also a precision attack, the jargon is called "Whale Fishing", targeting some high-end crowds, analyzing social relationships through existing social work libraries, and then accurately fishing through emails, such as counterfeit boss email addresses. Send an e-mail requesting payment to the accountant, or use a fake Apple e-mail address to trick the user into clicking on the phishing website to steal the Apple ID and password. This method is called “> ”.
As an Internet scam that is “old”, phishing emails are not only still in large numbers, but they are constantly making new tricks. According to incomplete statistics, the number of phishing emails delivered worldwide is about 100 million per day.
Zhang Wei believes that from this loophole, many public mailboxes and enterprises lack professionalism in security precautions, thinking that they can buy “safety” when they spend money. As everyone knows, if the security tools are not deployed properly, their harm may even Higher than no tools.
In foreign countries, this issue has begun to be taken seriously. On October 19, 2017, the US Department of Homeland Security (DHS) issued the Binding Operation Directive 18-01 (BOD 18-01), requiring federal agencies to apply two agreements within 90 days: DMARC and STARTTLS, and clearly stated Within one year after the release of the directive, set the DMARC<reject" (reject) policy for all second-level domain names and mailing hosts (reject unverified emails on the mail server).
However, Zhang Wei also pointed out that in addition to the lack of awareness of relevant institutions, this deployment is not simple. Even though DHS has already specified the point in time, as of September 14 this year, the adoption rate of DMARC in all US .gov domain names is 83. %, and the administrative department domain name that has been run using the policy of "ld = reject" is only 64%. "To deploy DMARC in all its domain names, the workload is still very large, especially for some SMEs in QQ mailbox. Netease mailboxes and other public mails have deployed their own corporate mailboxes, which need to be modified by themselves, but these enterprises often do not have such capabilities. Therefore, these public mailboxes must not only modify their own servers, but also tell these enterprise customers how to operate them. . ”
On December 5th, the third day after the test, Apple modified its DMARC verification strategy, and fake Apple emails were sent to the spam mailbox, which meant that it responded to the recipient’s inquiry for true and false mails from none. Quarantine, but still refuses.