sandra_henrystocker
Unix Dweeb

NSA, FBI warn of email spoofing threat

Opinion
May 13, 2024 | 3 mins
Linux

Email spoofing is acknowledged by experts as a very credible threat.

Spoofed email – email that appears to come from a legitimate source but is not – is becoming an increasingly worrisome threat. It’s so serious that the NSA and FBI have joined forces in releasing the following warning about spoofed email from senders in North Korea:

“The National Security Agency (NSA) joins the Federal Bureau of Investigation (FBI) and the U.S. Department of State in releasing the Cybersecurity Advisory (CSA) ‘North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing’ to protect against Democratic People’s Republic of Korea (DPRK, aka North Korea) techniques that allow emails to appear to be from legitimate journalists, academics, or other experts in East Asian affairs.”

To fully grasp what is happening, read this explanation from Al Iverson, industry research and community engagement lead for Valimail, which provides email authentication and anti-impersonation software:

“North Korea found a way to exploit something that security and deliverability experts have been worried about over these past few months; there’s a whole bunch of domain owners out there who are not necessarily security savvy, and perhaps focused more on email marketing efforts. Those domain owners (and there are more than a million of them out there) were quick to implement a bare minimum DMARC policy to comply with new mailbox provider sender requirements. What they didn’t realize is that this can leave the domain unprotected against phishing and spoofing.

People must protect their domain by fully implementing DMARC properly to ensure that bad guys find no phishing or spoofing success when they work their way down the list of domains … to yours.

The NSA, the FBI and the U.S. Department of State have identified this as an issue already, and Valimail is fully aligned with the advisory… they issued at the end of the week.”

DMARC stands for “Domain-based Message Authentication, Reporting and Conformance.” It is an email authentication protocol that gives email domain owners a way to protect their domain from unauthorized use; in other words, it tries to prevent email spoofing. The policy a domain owner publishes tells receiving servers what to do with a message that fails authentication checks, that is, a message whose claimed sender the receiving server cannot verify.

Iverson also pointed out the following:

  • North Korean cyber actors are actively searching for and exploiting domains with weak DMARC policies.
  • Even the largest companies in the hospitality, retail, education, financial sectors, and more, which we often assume to be secure, are at risk due to weak DMARC policies.
  • Bad actors can just take the list of most popular companies and work their way down to see who is spoofable.
  • An improperly configured DMARC policy is just as bad (just as insecure) as not having DMARC in place at all.
  • Are you protected? Don’t assume that you’re not a worthy target; just because you haven’t been attacked today doesn’t mean you won’t be spoofed or phished tomorrow.
  • Valimail data shows more than 1.3 million domains currently publish a “p=none” DMARC policy!
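To make the “bare minimum” versus “fully implemented” distinction concrete, here is an added example (not code from the article, Valimail or the advisory) that parses a DMARC TXT record and reports why it would not stop spoofing; the sample records are constructed, and the tag defaults it applies (sp falls back to p, pct to 100) follow RFC 7489.

```python
"""Parse a DMARC TXT record and report whether it actually enforces anything.
Added example, not from the article or the NSA/FBI advisory. Sample records
are constructed; tag defaults (sp falls back to p, pct to 100) follow RFC 7489."""

# Constructed sample records, as published in the TXT record at _dmarc.<domain>
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=10",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "malformed": "p=reject",  # missing the required v=DMARC1 tag
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return the effective policy plus the reasons it would not stop spoofing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"policy": None, "findings": ["invalid record: receivers ignore it"]}
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    findings = []
    if policy == "none":
        findings.append("p=none: mail failing authentication is still delivered")
    elif sub_policy == "none":
        findings.append("sp=none: subdomains of the domain remain spoofable")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct, "findings": findings}

def is_enforcing(record):
    """True only when failing mail is quarantined or rejected for the whole domain."""
    r = assess_dmarc(record)
    return r["policy"] in ("quarantine", "reject") and r["subdomain_policy"] != "none" and r["pct"] == 100

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:13} enforcing={is_enforcing(rec)} {assess_dmarc(rec)['findings']}")
```

Only the “enforcing” record passes; the others are exactly the configurations the advisory describes as still spoofable.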

You can find out more about DMARC here.


Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.