How Scammers Exploit Email Forwarding to Impersonate Top Domains

Scammers Can Exploit Email Forwarding Flaws to Impersonate High-Profile Domains

The process of sending emails with forged addresses has been found to be easier than previously thought due to flaws in email forwarding, according to research conducted by computer scientists at the University of California San Diego. The vulnerabilities discovered by the researchers have a significant impact, affecting the integrity of emails sent from tens of thousands of domains, including those representing U.S. government organizations, major financial service companies, and top news organizations.

Forwarding-Based Spoofing

The research team identified a method called forwarding-based spoofing, which allows scammers to send email messages impersonating high-profile organizations and bypass the safeguards implemented by email providers like Gmail and Outlook. This type of spoofing exploits vulnerabilities in the protocols used to authenticate the origin of an email.

Traditionally, the assumption was that each organization operates its own mailing infrastructure, with specific IP addresses not used by other domains. The problem arises because many organizations now outsource their email infrastructure to third-party providers like Gmail and Outlook. These providers validate that their users only send email on behalf of domains they operate. Still, this protection can be bypassed by email forwarding, which allows scammers to create emails with fake identities and make them appear legitimate by forwarding them through personal accounts with these providers.

Implications for Email Security

This research has significant implications for the security of email communications, as scammers can exploit these vulnerabilities to trick recipients into opening malicious attachments or clicking on links that install spyware on their devices. High-profile domains, including those representing government organizations, financial service companies, and news organizations, are all susceptible to this type of attack.

Short-Term Mitigations and Long-Term Solutions

The researchers have reported these vulnerabilities to providers such as Microsoft, Apple, and Google, but to date they have not been fully fixed. Fixing these flaws would require a major effort, including dismantling and repairing decades' worth of legacy systems. However, there are short-term mitigations that can significantly reduce the exposure to these attacks.

The researchers recommend disabling open forwarding, a process that allows users to forward messages to any designated email address without verification. Providers should also reconsider their relaxed validation policies, which assume that emails coming from major providers are legitimate. Additionally, mailing lists should request confirmation from the true sender address before delivering email.
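
One way a provider could replace open forwarding with verified forwarding, shown as an added example (not code from the researchers or from any provider): a forwarding rule only takes effect after the destination address returns a token that was mailed to it. The secret, the one-hour lifetime, the addresses and every function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: provider-side key, constructed value
TOKEN_TTL = 3600  # assumption: confirmation tokens are valid for one hour


def _norm(addr):
    return addr.strip().lower()  # assumption: addresses compared case-insensitively


def _mac(account, destination, expires):
    # JSON framing keeps the three fields unambiguous inside the MAC input.
    msg = json.dumps([_norm(account), _norm(destination), expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(account, destination, now=None):
    """Token mailed to the destination; bound to account, destination, expiry."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(account, destination, expires)}"


def token_valid(account, destination, token, now=None):
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    expected = _mac(account, destination, expires)
    fresh = (time.time() if now is None else now) <= expires
    return fresh and hmac.compare_digest(mac.encode(), expected.encode())


class ForwardingRules:
    """Forwarding is off until the destination has confirmed the rule."""
    def __init__(self):
        self._verified = set()

    def confirm(self, account, destination, token, now=None):
        ok = token_valid(account, destination, token, now)
        if ok:
            self._verified.add((_norm(account), _norm(destination)))
        return ok

    def may_forward(self, account, destination):
        return (_norm(account), _norm(destination)) in self._verified
```

Because the token is bound to both the account and the destination, a confirmation obtained for one address cannot be replayed to enable forwarding to another.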

Addressing the Fundamental Issues

The researchers note that a more fundamental approach would be to standardize various aspects of email forwarding. However, implementing such changes would require system-wide cooperation and may encounter operational obstacles. Email security protocols are currently distributed, optional, and independently configured components, creating a complex attack surface that is challenging to manage.

Conclusion: Protecting Against Email Spoofing

Email spoofing presents an ongoing challenge in the digital era, and this research highlights the vulnerabilities in email forwarding that scammers can exploit to impersonate high-profile domains. It is crucial for email providers, organizations, and individuals to be aware of these risks and take steps to protect themselves from falling victim to these malicious attacks.

Email users should be cautious when opening attachments or clicking on links in unsolicited or suspicious emails. Verifying the authenticity of the sender before taking any action is essential. Additionally, organizations should implement stricter authentication and validation processes to verify the origin of emails and minimize the risk of impersonation.

Ultimately, a comprehensive solution requires collaboration between email providers, government agencies, and cybersecurity experts to strengthen the security of email communications for organizations and individuals alike.
