
Hackers In the Pandemic

First things first, there are a lot of fake emails going around that claim to be from the WHO. Some claim the sender has just started a new job at the World Health Organization in a specific region and then demand money. One subject line reads "Urgent New Coronavirus warning from the WHO." As the number of coronavirus cases has increased, so too have internet scams and hoaxes: real-looking emails supposedly from the World Health Organization and the C.D.C. asking for money. These agencies do not ask for donations by email. If you click a link or download an attachment from one of these emails, you could be handing hackers your personal information. What we are looking at here is domain spoofing, and we are seeing a great deal of it around the coronavirus in particular. It has been unprecedented; the teams tracking it have never seen anything like it. All kinds of actors are uniting behind one readily available, real pretext to get people to do all kinds of things. When the goal is stealing your password, that is what we call credential phishing.


When the goal is installing malware, the email tries to get you to download a specific file the attacker has sent. Researchers at I.B.M. found that one such file contains malware that captures screenshots, logs your keystrokes, and steals usernames and passwords. The WHO is aware that criminals are impersonating it and has published guidance on this. The WHO's number one piece of advice is to verify the sender by checking their email address. The catch, which people rarely point out, is that the sender address is pretty easy to fake at this point; people assume that an address ending in who.int means the email is legitimate, when in reality that is a necessary but not sufficient condition. What was interesting was that when people tried spoofing a number of domains, some of the spoofed messages went straight through to the inbox. Spoofed mail reached the inbox in Yahoo Mail more often than in Gmail, which flagged it as spam. The broader context is that when email was created back in the eighties, nobody built in a way to verify that the sender is who they say they are. The foundational technologies of the internet were built with no security in mind and no central database of who is who, and that is what gives rise to this problem. Since then there have been many attempts to build a verification system on top of email. The problem is that participation is not as high as it should be. To make sense of this, it helps to think about another kind of verification problem: society doesn't want teenagers getting into bars to buy alcohol.


To prevent that from happening, we need two things: a way to verify ages, which is our I.D. system, and businesses that actually check I.D.s. Now imagine that the I.D. system was voluntary. Plenty of adults would never bother to get an I.D. When they turn up at the bar, the business has a decision to make: either require I.D.s, knowing full well that many legitimate adults don't have one, or, to avoid pissing people off, just let them in and end up letting in some kids by accident. Every bar is going to make a slightly different decision. That is similar to what we are now dealing with in email authentication.


With email authentication right now, we have an I.D. system called DMARC, but it is voluntary. So if an email comes in from an address like Rick@something.com, the email service, whether Yahoo, Outlook or Gmail, checks whether the domain something.com has published a DMARC record. A DMARC record basically does three things. First, it says the email has to come from one of a particular set of I.P. addresses that something.com trusts (this is the SPF check). Second, it says the email has to carry a cryptographic signature that only something.com can create (this is the DKIM check), and in both cases the domain that passed the check has to match the domain the recipient sees in the From address. Third, it says what to do when an email passes neither of those two checks: the policy can tell the receiving service to reject the message outright, so that it never reaches anybody's inbox.



So if an email comes in from a domain that has no DMARC record, or that has set its DMARC policy to something other than "reject," that email has a much higher chance of getting through. The email providers all have spam filters, algorithms that look through incoming mail for anything fishy, but as the Yahoo example shows, those filters do not catch every spoofed message. That raises the question of whether the W.H.O. has a strict DMARC policy in place, or any policy at all. There is a way to check: DMARC records are published in DNS as a TXT record at _dmarc.<domain>, so anyone can look up what a domain publishes. If you look at the White House's DMARC record, for example, it says p=none, meaning the White House is not telling email providers to reject mail that comes from I.P. addresses other than its approved senders. The odd thing is that the federal guidance on what all agencies are supposed to do reads: "all agencies are required to, within one year after issuance of this, set a DMARC policy of reject for all second-level domains and mail-sending hosts." At the very least, that acknowledges that a policy of reject is the strongest protection, and the White House is apparently not using that protection, ironically in violation of the federal policy. If you look up the W.H.O.'s domain, the answer is essentially "not protected against impersonation attacks": the W.H.O. has not published a DMARC record at all. Understandably, the W.H.O. has a lot on its hands right now leading the global effort against a giant pandemic, but this is something it should have done before. The W.H.O. is hardly alone in this, either. A report by Valimail shows that fewer than 15% of domains with DMARC have set their policy to reject spoofed emails or send them to spam.
There is an incentive problem at play. You publish the record to protect other people from being phished, and the trade-off is that if you do not configure it properly, and it does take some work to set up correctly, you risk some of your own legitimate email not being delivered. The W.H.O. is in a rough spot right now: it is incredibly important at this moment that its emails get through, and just as important that mail claiming to come from its domain is not fake.
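To make the three DMARC checks and the difference between p=none, p=quarantine and p=reject concrete, here is an added example, written for this page rather than taken from the WHO, the White House, Valimail or any mail provider, of how a receiving server evaluates DMARC for an incoming message. The domains and DMARC records are constructed assumptions, and the "organizational domain" shortcut stands in for the Public Suffix List a real receiver would use; a real receiver also fetches the record from DNS at _dmarc.<domain> rather than from a dictionary.

```python
"""
DMARC evaluation as a receiving mail server performs it.
Added example: the records below are constructed for illustration and are
not real DNS data for WHO, the White House or anyone else.
"""

# Constructed DMARC TXT records, keyed by the domain they would be published
# under (_dmarc.<domain>). All names are hypothetical.
DMARC_RECORDS = {
    "protected.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@protected.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "staged.example":     "v=DMARC1; p=quarantine; pct=50; adkim=s; aspf=r; sp=reject",
    # "unprotected.example" publishes no record at all, like who.int in the text
}

# Policy applied to failing mail that falls outside the pct= sample (RFC 7489 6.6.4).
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}
DISPOSITION = {"reject": "reject", "quarantine": "spam_folder", "none": "inbox"}


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict, filling in defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITION:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    tags.setdefault("pct", "100")     # share of failing mail the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def organizational_domain(domain):
    """Last two labels of the name. A real receiver uses the Public Suffix List;
    this shortcut (an assumption for the example) is wrong for names like x.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Does the domain SPF or DKIM vouched for match the visible From: domain?"""
    if authenticated_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def lookup_policy(from_domain, records):
    """Exact-domain record first, then the organizational domain's record using sp=."""
    if from_domain in records:
        policy = parse_dmarc(records[from_domain])
        return policy, policy["p"]
    org = organizational_domain(from_domain)
    if org != from_domain and org in records:
        policy = parse_dmarc(records[org])
        return policy, policy["sp"]
    return None, None


def evaluate(from_domain, spf_domain, dkim_domain, records=DMARC_RECORDS, sample=1):
    """
    from_domain: domain in the RFC5322.From header, i.e. what the recipient sees.
    spf_domain:  MAIL FROM domain if SPF passed for the connecting IP, else None.
    dkim_domain: d= of a DKIM signature that verified, else None.
    sample:      a 1..100 draw compared against pct=; the policy applies when
                 sample <= pct, so the default of 1 always applies it.
    Returns (dmarc_result, disposition).
    """
    policy, requested = lookup_policy(from_domain, records)
    if policy is None:
        return "none", DISPOSITION["none"]  # no record: receiver is left to its own heuristics
    # DMARC passes if EITHER SPF or DKIM passes with an aligned domain;
    # it fails only when neither does.
    spf_ok = aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", DISPOSITION["none"]
    if sample > int(policy["pct"]):
        requested = NEXT_WEAKER[requested]
    return "fail", DISPOSITION[requested]


if __name__ == "__main__":
    # A spoof: the attacker's own server passes SPF for attacker.example and signs nothing.
    print(evaluate("protected.example", "attacker.example", None))    # ('fail', 'reject')
    print(evaluate("monitoring.example", "attacker.example", None))   # ('fail', 'inbox')
    print(evaluate("unprotected.example", "attacker.example", None))  # ('none', 'inbox')
    # Legitimate mail carrying a DKIM signature from the domain itself.
    print(evaluate("protected.example", None, "protected.example"))   # ('pass', 'inbox')
```

The first three calls show the three situations the text describes: a reject policy stops the spoof, p=none lets it reach the inbox with only the spam filter in the way, and a domain with no record at all gets no protection. The staged.example record shows the cautious rollout the incentive problem pushes organizations toward: strict DKIM alignment, a quarantine policy applied to only half of failing mail, and a reject policy reserved for subdomains that should never send mail.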



