As a fundamental communication service, email plays an important role in both individual and corporate communications, which also makes it one of the most frequently targeted attack vectors. An email's authenticity rests on an authentication chain involving multiple protocols, roles and services, and inconsistencies among them create security threats. The chain is therefore only as strong as its weakest link, since any failed part can break the whole chain-based defense. This paper systematically analyzes the transmission of an email and identifies a series of new attacks capable of bypassing SPF, DKIM, DMARC and user-interface protections. In particular, by combining them into a "cocktail" joint attack, more realistic emails can be forged to penetrate well-known email services such as Gmail and Outlook. We conduct a large-scale experiment on 30 popular email services and 23 email clients, and find that all of them are vulnerable to certain types of the new attacks. We have duly reported the identified vulnerabilities to the related email service providers and received positive responses from 11 of them, including Gmail, Yahoo, iCloud and Alibaba. Furthermore, we propose key mitigating measures to defend against the new attacks. This work is therefore of great value for identifying email spoofing attacks and improving the email ecosystem's overall security.