Phishers Spoofing Email Senders to Muck around with Victims' Web Accounts

Users encounter phishing attacks across every medium of their digital lives. Fortunately, there are lots of ways they can protect themselves. When a suspect email lands in their inbox, for example, recipients can check for grammar/spelling errors and other suspicious indicators. They can also verify the source by hovering over or clicking on the sender's email address. If the domain does not appear as one would expect, users should delete the email or report it. They should not click on any of its links or email attachments. By now, most users know to verify the sender of a suspicious inbound email but that doesn't mean they're entirely safe from phishers. Many online services offer members a feature by which they can email the service. The receiving service, in turn, uses that email to perform an action if it recognizes the sender. But matching the sender to a database entry isn't the same as validating it. Indeed, it's trivial for attackers to spoof an email address and get away with it because many of these services don't check the 'MAIL FROM' element. Consequently, they can use a convincing sender email to mess around with a target's web accounts. Richard de Vere, principal consultant at The AntiSocial Engineer Limited, is well-aware of this attack vector. In fact, he researched several web services to see if a bad actor could abuse them using email. He found that several services' email-based features were vulnerable to attack. Take Wunderlist, for example. Wunderlist is a service that lets users create to-do lists. If they receive an email they would like to add to their list, they can forward it to "[email protected]." When they sign in again, they will see a new task waiting for them. Unfortunately, De Vere discovered that attackers can exploit this functionality. He explains how in a blog post:

"You can send an email to '[email protected]' from [email protected] and it will forward a todo to the account that uses [email protected]. If you want to interact with this account you could just spoof the email address '[email protected]' and send your emails to '[email protected]. [sic]'"

The researcher observed that attackers could also use that same feature to add malicious PDF documents to a target's to-do list. All they would need to do is attach the documents to their emails. They could then use the "*" character, per Wunderlist's service, to flag that email and its attachments as important. Fortunately, it's not hard to fix the issue. Web services can take a cue from companies like Google, Evernote and Facebook and begin using unique secret email addresses for each account. This address connects a generic mail-in account to the user's account. To mess with the system, someone would need to know the secret email address for the target's account and the company's generic mail-in email address. Still, lots of services have yet to institute this fix and properly protect their users. De Vere reflects on this state of play:

"We have reached out to several companies effected to ensure they are aware of the issue, due to the nature of the issue it will not be fixed by everyone that uses a static email address. Whilst this does bring several fairly obvious concerns the companies mentioned were only the ones I ran into – thousands more remain and should not be viewed in a negative manner because of this post. It’s the internet, everything has a bug in – some can’t be fixed. [sic]"

Users can't do much to protect themselves against these attacks. They can contact a company and ask if they use secret email addresses. If they don't, users should investigate whether it's possible for them to disable those email-based features on their accounts.