
Email spoofing is not a thing of the past

Kraken, like any popular service, has clients that are targeted by scammers who try to send phishing emails from @kraken.com email addresses. You should never see this form of spoofed email, because mail providers like Gmail should reject it: their servers will notice that the scammer's mail is not coming from Kraken. Behind the scenes, the accepting mail server is supposed to look up common DNS records (SPF, DKIM and DMARC records) to verify that the email is coming from the right place.

Kraken Security Labs believes in "trust, but verify", and regularly tests the effectiveness of Kraken's email security controls. During one of these tests we discovered that multiple mail providers are not performing simple checks and are thus putting their users (and potentially our clients) at risk of phishing. Specifically, yahoo.com and aol.com users were at risk of having email delivered to their inbox from non-existent subdomains of popular places, like admin@verylegitemails.verizon.com. Emails such as this should NOT land in your inbox.

Kraken Security Labs reported this issue to Verizon Media (who owned aol.com and yahoo.com) on October 8, 2020. Unfortunately it was classified as low severity and our submission was closed due to low impact. However, since then, it seems that improvements to both email systems have been implemented, fixing some of the issues described below.

You can protect yourself by always being on the lookout for phishing scams. You should also consider switching your email service to gmail.com or protonmail.com if you are currently using aol.com or yahoo.com. If you run your own domain, ensure that your DMARC, SPF and DKIM records are up to date to limit the ability of scammers to use your domain.

At Kraken Security Labs, our mission is to educate and empower cryptocurrency holders with the knowledge they need to protect their assets and safely utilize their funds as they see fit. In this article, you will learn more technical details about this email spoofing technique, how we protect our domains and what steps you can take to ensure your security.

Technical details

Just ten years ago, spoofing was a rampant form of attack. Email servers had no effective way to verify senders. Mail with a spoofed sender has a higher success rate, since many users don't realize this field can be forged. A message from a recognizable domain (like mail@kraken.com) can create an illusion of authority and security, especially when compared to an unfamiliar address like mail@example-strange-domain.xyz. Thankfully, nowadays most mail providers have significant controls against spoofing. Standards such as DMARC have formalized techniques that make spoofing much more difficult.

Securing mail

Email security is more complex than what we'll cover here, but the current best practices to prevent spoofing center around SPF, DMARC and DKIM records. When a mail server receives mail, it does a few DNS lookups against the mail's domain to check these records.

Each email server handles these checks differently. For example, Gmail tags all mail that fails SPF checks with a scary-looking warning banner encouraging users to be careful (even though these messages should technically never have been accepted by the mail server), and all emails that fail DMARC checks for a domain with a "reject" policy will not be accepted at all. Other mail providers can have dramatically different procedures, each with its own proprietary algorithm. For example, some providers choose to block such emails completely, others send them to a "junk" folder, and still others deliver them to the inbox with warnings.

Experimenting with free mail providers

Inconsistent enforcement among different providers is concerning to us, so we did some further testing.
We attempted to send spoofed emails for a locked-down domain to the top free email providers and tracked their behavior.

Trial 1 – Spoofing of admin@kraken.com (a secured base domain)

We sent a spoofed email from a domain that had a valid hardfail SPF record, a valid DMARC record and a DKIM selector configured.

Expectation: mail gets rejected because it isn't from an allowed IP address and doesn't have a DKIM signature.

No major surprises here, although sending a message to junk or spam means that users could theoretically still be fooled if they assumed it was a mistake.

Trial 2 – Spoofing of admin@fakedomain.kraken.com (a nonexistent subdomain)

We sent a spoofed email from a subdomain that doesn't exist. There are no records of any kind for this hostname.

Expectation: mail gets rejected because the hostname doesn't exist and has no records (no A record, no SPF or DKIM record). In addition, the DMARC policy was set to "reject", so any email that cannot be authenticated by SPF/DKIM should be rejected.

Surprisingly, Yahoo.com and AOL.com mail servers accepted this obviously spoofed message and put it into the victim's inbox. This is especially concerning, because it means an attacker simply needs to include a subdomain for their mail to be accepted and look legitimate to users of these platforms (e.g., admin@emails.chase.com).

AOL.com and Yahoo.com were at the time owned by Verizon Media, so we reported this issue to them on October 8th, 2020. Verizon Media closed the issue as being out of scope and informal. Kraken Security Labs reiterated the importance of protecting AOL and Yahoo users against phishing, but no further communication on fixing these issues was provided. Since then it seems that improvements have been implemented: emails are now rejected in accordance with the DMARC policy, and better rate limiting seems to be in place.
We still argue that Yahoo & Verizon email users are at a higher risk, as other vendors have significantly better warnings for their users when emails cannot be authenticated (as is the case when no DMARC/DKIM/SPF is used at all).

Takeaways

Despite a domain owner's best efforts, email providers are not always filtering email as expected. Users with @yahoo.com and @aol.com email addresses were at a higher risk of receiving spoofed messages, even though these messages could easily be detected and filtered by these providers. While the behaviors have improved, we still recommend switching your higher-sensitivity email to a provider that does better filtering, such as Gmail or Protonmail. If you are running an email server, ensure your email DNS records for DMARC, DKIM & SPF are always up to date, and regularly verify whether your email controls are working.
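An added example (not Kraken's code) of the receiver-side check behind Trial 1 and Trial 2 above, using the records the takeaways ask domain owners to publish: a hardfail SPF record and a DMARC record with p=reject and sp=reject, so that a nonexistent subdomain inherits the parent's reject policy. DNS is replaced by a constructed in-memory zone for the hypothetical domain example-bank.test, the client IPs are constructed, and DKIM verification is reduced to a boolean, so it runs offline.

```python
import ipaddress
# Constructed zone standing in for DNS: hypothetical example-bank.test publishes
# a hardfail SPF record and DMARC p=reject/sp=reject; its subdomains have nothing.
ZONE = {
    "example-bank.test": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}
def txt(name):
    return ZONE.get(name, [])  # empty list stands for NXDOMAIN / no TXT record

def org_domain(domain):
    # Real receivers use the Public Suffix List; assume the last two labels here.
    return ".".join(domain.split(".")[-2:])

def parse_tags(record):
    parts = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}

def spf_result(domain, client_ip):
    """Minimal SPF evaluator supporting only the ip4: and -all mechanisms."""
    recs = [r for r in txt(domain) if r.startswith("v=spf1")]
    if not recs:
        return "none"  # no record at all, e.g. a nonexistent subdomain
    for mech in recs[0].split()[1:]:
        if mech.startswith("ip4:") and ipaddress.ip_address(client_ip) in \
                ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"
    return "neutral"

def dmarc_policy(from_domain):
    """RFC 7489 policy discovery: the exact domain first, then the organizational
    domain, whose sp= tag (falling back to p=) governs its subdomains."""
    for rec in txt(f"_dmarc.{from_domain}"):
        if rec.startswith("v=DMARC1"):
            return parse_tags(rec).get("p", "none")
    org = org_domain(from_domain)
    for rec in (txt(f"_dmarc.{org}") if org != from_domain else []):
        if rec.startswith("v=DMARC1"):
            tags = parse_tags(rec)
            return tags.get("sp", tags.get("p", "none"))
    return "none"  # no policy published anywhere

def disposition(from_domain, client_ip, dkim_aligned_pass):
    """'accept' when SPF (MAIL FROM assumed equal to From:) or aligned DKIM
    passes; otherwise the DMARC action: 'reject', 'quarantine' or 'none'."""
    if spf_result(from_domain, client_ip) == "pass" or dkim_aligned_pass:
        return "accept"
    return dmarc_policy(from_domain)
```

Calling disposition("fakedomain.example-bank.test", "198.51.100.7", False) returns "reject": the subdomain has no records, so the organizational domain's sp=reject applies, which is exactly the lookup the Trial 2 receivers skipped.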