Name: Why coronavirus scammers can send fake emails from the WHO
Uploaded: 2020-08-31T18:05:12.000Z
Duration: 8 min 31 s
Description: Thousands of YouTube videos with English-Chinese subtitles! Now you can learn to understand native speakers, expand your vocabulary, and improve your pronunciation...

So Fake Dylan is a internet security researcher that I worked with to send all of our emails

And he was able to send these messages from the real W.H.O. domain.

I'm going to say I'm coming to you from my new job in the World Health Organization.

I spent all my money moving to Geneva, Switzerland.

Please, send me some bitcoin to tide me over?

It might say “this is a joke” in our example here, but the more serious ones would be like,

“there's an urgent new coronavirus warning from the W.H.O.”

As the number of coronavirus cases increases, so too do Internet scams and hoaxes.

Real-looking emails supposedly from the World Health Organization and CDC asking for money.

These agencies do not ask for direct donations by e-mail.

If you click on a link or download an attachment from those e-mails, you could be giving hackers

So what we're looking at here is domain spoofing and we're seeing it a lot with respect to

So this really has been totally unprecedented.

The teams have never seen anything like this in terms of a single lure, uniting all different

types of actors behind a single real pretext for people to do all kinds of things, whether

it's actually just steal their password, what we call credential phishing, whether it's

So this is just one example sent from what looks like the W.H.O. e-mail address, just

Clearly it's trying to get you to download a specific file that they have sent.

And researchers at IBM found that that file contains malware that captures screenshots

and logs your keystrokes and steals usernames and passwords.

Huh, “beware of criminals pretending to be W.H.O.”

The W.H.O. has actually published guidance on this and they are aware that this is happening.

But its top advice, its number one advice, is: “Verify the sender by checking their

We know that that's pretty easy to fake at this point.

I'm surprised they don't point that out because people might think that if it has a W.H.O.

dot I.N.T address, that means it's legitimate.

But really, it's a necessary but not sufficient condition.

What I found super interesting was that we tried spoofing a bunch of domains, and only

The CDC and Vox emails didn't, but WHO and Whitehouse.gov emails did.

And I should say, it was only the Yahoo emails that we set up.

The Gmail and Outlook emails both put them in spam.

So I've been looking into this and it seems like the greater context around this is that

when email was created back in the eighties, no one bothered to make any way to verify

that the sender is who they say they are.

Really it is the foundational technologies of the Internet being built with no security

in mind and no central database of who is who that gives rise to this problem.

And since then, there've been lots of attempts to sort of build this sort of verification

The problem is just that the participation is not as high as it should be.

So of make sense of this, it might help to think about another type of verification problem,

which is that society doesn't want teenagers to get into bars to buy alcohol.

To prevent that from happening, we need two things: We need a way to verify ages, which

is our ID system, and we need businesses to then check for IDs.

Now, imagine if that ID system was voluntary.

So you have a bunch of adults who might not bother to go get an ID.

Then when they come to the bar, the business basically has a decision to make.

Either they require IDs knowing full well that plenty of legitimate adults don't have

Or, to avoid pissing people off, they just let them in and maybe they end up letting

And probably every bar is going to make a slightly different decision.

So if an e-mail comes in with my email address, joss@vox.com, the email service, whether that's

Yahoo! or Outlook or G-mail, is going to check if that domain, Vox.com, has a DMARC record.

Thankfully, Vox took the time to set up a DMARC record, which basically does three things:

First, it says that the email has to come from a certain set of IP addresses that Vox

Second, it says that the email has to carry a unique signature that only Vox can create.

And third, it says that if the email fails either of those two tests, then the email

service receiving the email should reject it, should just throw it away so that it never

Because of that, my Vox e-mail address, your Vox e-mail address, we can't be easily impersonated.

OK, so say an e-mail comes in from a domain that doesn't have a DMARC record or has set

their DMARC policy to something other than “reject,” that e-mail is going to have

Now, the e-mail providers all have spam filters.

They have these algorithms that are looking through these emails to check and see if anything's

But obviously that didn't stop Dylan's fake e-mail from getting into my Yahoo! inbox.

I would guess that the W.H.O. does not have a strong DMARC policy set up, if they have

OK, there's actually a way that we can double check this.

It has this nice little green box that comes up.

So this is telling us that our policy is, “reject this e-mail.”

And this is true, I think, of… yeah, the CDC as well.

Subtitles ListPlay Video

Why coronavirus scammers can send fake emails from the WHO

vulnerable

sort

bunch

pretend