Blog entry by Les Bell

Les Bell
by Les Bell - Monday, September 11, 2023, 9:53 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Dymocks Latest Ransomware Victim

Australian bookstore chain Dymocks is the latest victim of ransomware attack. In an email titled "Important Update About Your Dymocks Information", sent to customers on Friday afternoon (8 September), the firm disclosed that on 6 September it had become aware of discussions regarding its customer records being made available on the dark web.

At the time the email was sent, the company was unaware of the precise nature of the attack or which customers were affected, but the information they hold includes:

  • date of birth
  • postal address
  • email address
  • mobile number
  • gender
  • membership details such as gold expiry date, account status, member created date and card ranking

Dymocks does not store credit card or other financial data, but what they do hold could form the basis of some scams and identity fraud. Dymocks' email procides the usual guidance such as changing passwords, monitoring bank statements, and being alert to scams.

However, Have I Been Pwned states that the breach actually occurred in June, and the data set comprises 1.2 million records with 836,120 unique email addresses.

Dymocks Pty Ltd, Important Update About Your Dymocks Information, email, 8 September 2023.

Scammers Can Abuse Email Forwarding

In a paper presented at the 8th European Symposium on Privacy and Security in July - winning the best paper award - researchers from UC San Diego, Stanford and University of Twente revealed that flaws in how major email services process the forwarding of email can make it easier for email scam and phishing operators to impersonate legitimate email addresses at high-profile domains.

The basic problem is that spam filtering techniques mostly work on the assumption that each Internet domain operates its own email infrastructure so that, for example, a reverse DNS lookup for a connecting IP address (using the PTR resource record) will return a hostname that matches a host in the same domain. More advanced protections such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) implicitly incorporate this assumption.

However, most  enterprises today have outsourced their email infrastructure to a few, very large, service providers - most notably Microsoft (outlook.com) and Google (gmail.com) - and while these companies validate that their users only send email on behalf of the domains they operate, this validation can be bypassed by email forwarding

Forwarding is both ubiquitous and necessary in the email ecosystem, due to the wide use of email filtering services, mailing lists and autoforwarding employed by individual users and small and medium enterprises, who often use a web hosting account to forward inbound email to their Outlook or Gmail account.

The researchers identified four different approaches in the way mail services rewrite the sender and recipient fields in the SMTP envelope and email headers while forwarding and email to its recipient. Using the domain of the US Department of State (state.gov) as an example, they showed how an attacker can create a spoofed email with a fake identity which appears to come from the Department, and then forward it through their personal Outlook account. To the recipient, this will appear legitimate, since it comes from an Outlook email server - and the Department of State uses Outlook as its email provider.

This works because, almost uniquely, Outlook uses a custom forwarding implementation which the researchers term "MAIL FROM Equals FROM" (MFEF). This not only rewrites the RCPT TO header to be the final recipient (to whom the email is being forwarded) but also sets the MAIL FROM header to be the same as the FROM header. While this will break SPF, the fact is that this and similar problems have hindered the adoption of SPF and DMARC, forcing email providers to use customised defenses.

Variants of this flaw affect five other email providers including iCloud, while smaller issues impact users of Gmail and Zohomail, a popular Indian email provider. The researchers disclosed the vulnerabilities to the various providers, some of whom fixed the issues or at least are working on them.

Liu, Enze, et. al, Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy, Proc. 8th IEEE Symposium on Privacy and Security, 3 - 7 July 2023, Delft. Available online at https://arxiv.org/abs/2302.07287.

Patringenaru, Ioana, Scammers Can Abuse Security Flaws in Email Forwarding to Impersonate High-profile Domains, UC San Diego Today, 5 September 2023. Available online at https://today.ucsd.edu/story/forwarding_based_spoofing.

China Ramps Up Cyber-Espionage, Disinformation Campaigns

A new report from Microsoft Threat Intelligence warns that China has ramped up both  its cyber-espionage efforts against the US defence and critical infrastructure sectors, and its online influence operations to destabilise the US political environment.

The operations by China-affiliate threat actors have focused on three areas in particular:

  • The South China Sea and Taiwan, reflecting conflicts over territorial claims, rising tensions across the Taiwan Strait, and increased US military presence in the region
  • The US defence industrial base, particularly enterprises with any connection to the satellite and telecommunications facilities associated with the US Marine Corps base in Guam
  • US critical infrastructure across multiple sectors including transportation, utilities, medical (e.g. hospitals) and telecommunications, particularly with the potential to disrupt US-Asia communications

China has also become significantly more effective in engaging social media users with influence operations, switching from a strategy of deluging social networks via bots to engaging directly with authentic users, targeting specific candidates in content about US elections and posing as US voters. Microsoft estimates that this initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.

The operators behind some of these social media accounts have begun using generative AI to create visual content which is more eye-catching than the memes used in previous campaigns. Authentic users often repost these, despite their obvious clues of AI generation, such as more than five fingers on the torch-holding hand of the Statue of Liberty. Other accounts pose as independent social media influencers, despite being employed by Chinese state media in what the Chinese Communist Party terms "multilingual internet celebrity studios".

In online news media, Chinese state media has been artfully positioning itself as the authoritative voice in international discourse on China, using a variety of means to exert influence in media outlets worldwide, such as localized news websites which push Chinese Communist Party propaganda to the Chinese diaspora in over 35 countries.

The report also covers increasingly sophisticated operations by North Korea, as the regime has set high-priority requirements for its cyber-espionage operations, particularly for maritime technologies, as well as increasing cryptocurrency theft and supply chain attacks.

Microsoft Threat Intelligence, Digital threats from East Asia increase in breadth and effectiveness, report, 7 September 2023. Available online at https://www.microsoft.com/en-us/security/business/security-insider/reports/nation-state-reports/digital-threats-from-east-asia-increase-in-breadth-and-effectiveness/ (full report PDF at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW).


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: