UC San Diego researcher finds new vulnerabilities for email providers

Let’s say you’re checking your email and you see an email with the return address [email protected]. You may wonder what Secretary of State Antony Blinken wants with you.

The email might be from him, but cybersecurity experts at UC San Diego (UCSD) recently created an email impersonating him — called a spoof — using methods that are available to online users.

Hackers are always looking for ways to deceive people online, to get them to open malware or reveal their passwords. And they’re more likely to do so if they think the email comes from someone of trust or authority.

“Spoofing is you trying to stand as someone else. I’m from UCSD, but I’m trying to send an email from state.gov,” said cybersecurity expert Alex Liu, referring to the name of the U.S. State Department’s Internet domain.

Liu is the lead author of a research paper that shows how spoofed emails can be created with an automatic forwarding command.

It relies on how most companies and agencies don’t manage their own email servers. They use things like Gmail or Outlook. The State Department uses Outlook.

“Having access to Outlook service is much easier than having access to state.gov. Because state.gov is not going to give a random guy like me access. But Outlook on the other hand is open to registration. You can register for an Outlook account. I can register for an Outlook account,” Liu said.

And so can scammers who want to forge an online identity. In a typical scenario, Liu said a hacker with, say, an Outlook account would create a spoofed email, send it to themselves and automatically forward it to potential victims.

The UCSD research identified several email server companies and end users that are vulnerable, including several U.S. cabinet email domains like state.gov. Financial services company Mastercard is on the list, along with media companies like the Washington Post and the Associated Press.

Liu says spoofs can fool the target’s email system because the fake email is coming from the same server that works for — in this example — the State Department.

“This email is claiming to be from state.gov, and it’s sent by an Outlook server and state.gov does allow Outlook to send on its behalf,” he said. “So (email providers) would consider the email trustworthy in this case.”

There’s not much an individual can do here aside from being suspicious when something looks wrong. Protection lies with those third-party email companies.

He said some are doing a good job stopping fake emails and some, like Outlook and iCloud, have some work to do. KPBS sought out comments from Microsoft and Apple, but were not addressed in time for this story.