The email system is the central battleground against phishing and social engineering attacks, and yet email providers still face key challenges to authenticate incoming emails. As a result, attackers can apply spoofing techniques to impersonate a trusted entity to conduct highly deceptive phishing attacks. In this work, we study email spoofing to answer three key questions: (1) How do email providers detect and handle forged emails? (2) Under what conditions can forged emails penetrate the defense to reach user inbox? (3) Once the forged email gets in, how email providers warn users? Is the warning truly effective? We answer these questions through end-to-end measurements on 35 popular email providers (used by billions of users), and extensive user studies (N = 913) that consist of both simulated and real-world phishing experiments. We have four key findings. First, most popular email providers have the necessary protocols to detect spoofing, but still allow forged emails to get into user inbox (e.g., Yahoo Mail, iCloud, Gmail). Second, once a forged email gets in, most email providers have no warnings for users, particularly on mobile email apps. Some providers (e.g., Gmail Inbox) even have misleading UIs that make the forged email look authentic. Third, a few email providers (9/35) have implemented visual security cues for unverified emails, which demonstrate a positive impact to reduce risky user actions. Comparing simulated experiments with realistic phishing tests, we observe that the impact of security cue is less significant when users are caught off guard in the real-world setting.
翻译:电子邮件系统是反对钓鱼和社会工程攻击的中心战场, 但电子邮件提供者仍面临验证收到电子邮件的关键挑战。 因此, 攻击者可以使用假冒技术假冒受信任的实体进行高度欺骗性的钓鱼攻击。 在这项工作中, 我们研究电子邮件假冒以回答三个关键问题:(1) 电子邮件提供者如何检测和处理伪造电子邮件? (2) 在什么条件下可以伪造电子邮件进入防御以达到用户信箱? (3) 一旦伪造电子邮件进入, 电子邮件提供者如何警告用户? 警告是否真正有效? 我们通过对35个流行电子邮件提供者( 数十亿用户使用)的端对端测量来回答这些问题, 以及广泛的用户研究( N= 913 ), 包括模拟的和真实世界的钓鱼实验。 我们有四个关键发现。 首先, 最受欢迎的电子邮件提供者拥有必要的协议来检测pofofing, 但允许伪造的电子邮件进入用户数个的用户( 例如, Yahoo、 iclod、 Gmail) 仍然可以使用肯定的邮箱( 例如, email 正在我们观察, irealbling ) 的电子邮件使用者们一旦在虚拟电子邮件服务器上设定一个真正的电子邮件, 真正的电子邮件供应商, 就会显示一个真正的电子邮件供应商将一个真正的电子邮件供应商进行一次真正的电子邮件试验。