Placeholder Image

Subtitles section Play video

  • Hello?

  • First things first.

  • Check your e-mail.

  • I got one.

  • Fake Dylan at W.H.O.

  • This is the WHO's real domain, right?

  • W.H.O. dot I.N.T.

  • So Fake Dylan is a internet security researcher that I worked with to send all of our emails

  • a bunch of fake messages.

  • And he was able to send these messages from the real W.H.O. domain.

  • I'm going to say I'm coming to you from my new job in the World Health Organization.

  • I spent all my money moving to Geneva, Switzerland.

  • Please, send me some bitcoin to tide me over?

  • It might saythis is a jokein our example here, but the more serious ones would be like,

  • there's an urgent new coronavirus warning from the W.H.O.”

  • As the number of coronavirus cases increases, so too do Internet scams and hoaxes.

  • Real-looking emails supposedly from the World Health Organization and CDC asking for money.

  • These agencies do not ask for direct donations by e-mail.

  • If you click on a link or download an attachment from those e-mails, you could be giving hackers

  • your personal information.

  • So what we're looking at here is domain spoofing and we're seeing it a lot with respect to

  • the coronavirus in particular.

  • So this really has been totally unprecedented.

  • The teams have never seen anything like this in terms of a single lure, uniting all different

  • types of actors behind a single real pretext for people to do all kinds of things, whether

  • it's actually just steal their password, what we call credential phishing, whether it's

  • install malware.

  • So this is just one example sent from what looks like the W.H.O. e-mail address, just

  • like the one that came to you.

  • Clearly it's trying to get you to download a specific file that they have sent.

  • And researchers at IBM found that that file contains malware that captures screenshots

  • and logs your keystrokes and steals usernames and passwords.

  • Huh, “beware of criminals pretending to be W.H.O.”

  • The W.H.O. has actually published guidance on this and they are aware that this is happening.

  • But its top advice, its number one advice, is: “Verify the sender by checking their

  • email address.”

  • We know that that's pretty easy to fake at this point.

  • Wow.

  • I'm surprised they don't point that out because people might think that if it has a W.H.O.

  • dot I.N.T address, that means it's legitimate.

  • But really, it's a necessary but not sufficient condition.

  • Correct.

  • Yeah.

  • What I found super interesting was that we tried spoofing a bunch of domains, and only

  • some of them went through to the inbox.

  • The CDC and Vox emails didn't, but WHO and Whitehouse.gov emails did.

  • And I should say, it was only the Yahoo emails that we set up.

  • The Gmail and Outlook emails both put them in spam.

  • So I've been looking into this and it seems like the greater context around this is that

  • when email was created back in the eighties, no one bothered to make any way to verify

  • that the sender is who they say they are.

  • Really it is the foundational technologies of the Internet being built with no security

  • in mind and no central database of who is who that gives rise to this problem.

  • And since then, there've been lots of attempts to sort of build this sort of verification

  • system.

  • The problem is just that the participation is not as high as it should be.

  • So of make sense of this, it might help to think about another type of verification problem,

  • which is that society doesn't want teenagers to get into bars to buy alcohol.

  • To prevent that from happening, we need two things: We need a way to verify ages, which

  • is our ID system, and we need businesses to then check for IDs.

  • Now, imagine if that ID system was voluntary.

  • So you have a bunch of adults who might not bother to go get an ID.

  • Then when they come to the bar, the business basically has a decision to make.

  • Either they require IDs knowing full well that plenty of legitimate adults don't have

  • one.

  • Or, to avoid pissing people off, they just let them in and maybe they end up letting

  • in some kids too.

  • And probably every bar is going to make a slightly different decision.

  • That's kind of where we're at.

  • With email authentication right now.

  • We have an I.D. system.

  • It's called DMARC, but it's voluntary.

  • So if an e-mail comes in with my email address, joss@vox.com, the email service, whether that's

  • Yahoo! or Outlook or G-mail, is going to check if that domain, Vox.com, has a DMARC record.

  • And we do!

  • Thankfully, Vox took the time to set up a DMARC record, which basically does three things:

  • First, it says that the email has to come from a certain set of IP addresses that Vox

  • trusts.

  • Second, it says that the email has to carry a unique signature that only Vox can create.

  • And third, it says that if the email fails either of those two tests, then the email

  • service receiving the email should reject it, should just throw it away so that it never

  • reaches anybody's inbox.

  • Because of that, my Vox e-mail address, your Vox e-mail address, we can't be easily impersonated.

  • OK, so say an e-mail comes in from a domain that doesn't have a DMARC record or has set

  • their DMARC policy to something other thanreject,” that e-mail is going to have

  • a higher chance of getting through.

  • Now, the e-mail providers all have spam filters.

  • They have these algorithms that are looking through these emails to check and see if anything's

  • fishy.

  • But obviously that didn't stop Dylan's fake e-mail from getting into my Yahoo! inbox.

  • I would guess that the W.H.O. does not have a strong DMARC policy set up, if they have

  • one at all.

  • OK, there's actually a way that we can double check this.

  • Oh, nice.

  • It has this nice little green box that comes up.

  • But this is the actual DMARC record.

  • V equals DMARC1, P equals reject.

  • So this is telling us that our policy is, “reject this e-mail.”

  • And this is true, I think, ofyeah, the CDC as well.

  • What about the White House?

  • Yeah.

  • Let me try the White House

  • Huh.

  • OK.

  • So the White House has published a DMARC record, but if you look at it, P equals none, meaning

  • that they are not telling email providers to reject e-mails that come from other IP

  • addresses or that generally are not from their approved domain senders.

  • The weird thing about that

  • So this is their guidance on what all federal agencies are supposed to do.

  • All agencies are required to, within one year after issuance of this directive, set

  • a DMARC policy of reject for all second level domains and mail-sending hosts.”

  • Wow.

  • So the White House is violating its own policy.

  • At the very least, they're acknowledging that a DMARC policy of reject is the strongest

  • protection.

  • And it is very clear that they are not using that protection.

  • So now let's try the W.H.O.

  • Not protected against impersonation attacks!”

  • They have not published a DMARC record at all.

  • And I can understand.

  • Like the W.H.O. has a lot on their hands right now.

  • They're basically leading the global effort against this giant pandemic.

  • But damn, it really seems like they should have done this.

  • Yeah.

  • And to be fair, it's not like the WHO is alone in this.

  • There's a report by ValiMail, that shows that less than 15 percent of domains with

  • DMARC have actually set their policy to reject spoofed emails or send them to spam.

  • There's kind of an incentive issue at play, which is that you publish the record to protect

  • other people from being phished.

  • And the tradeoff there is that if you don't configure it properly, and it does take some

  • work to set up correctly, you risk some of your e-mails not being delivered.

  • I think that the W.H.O. is in a tough spot right now because it is incredibly important

  • in this moment that their e-mails get through.

  • And also there's an increase in the risk that it's coming from a fake domain and that, you

  • know, maybe they have some more responsibility than they might have before in terms of protecting

  • people from fake e-mails.

  • Hey, do it for us, because we're all, you know, vulnerable out here on the internet

  • looking for information.

  • Yeah.

  • It is the sort of thing that every good citizen of the internet should do.

  • But, you know, like eating your vegetables and working out every day, it's not something

  • that every organization does.

Hello?

Subtitles and vocabulary

Operation of videos Adjust the video here to display the subtitles

B1 Vox mail email reject domain policy

Why coronavirus scammers can send fake emails from the WHO

  • 4 1
    林宜悉 posted on 2020/08/31
Video vocabulary