Russians, other foreigners, spoofing unprotected .gov email addresses, report says
Thousands of web domains belonging to hundreds of federal departments and agencies are being spoofed by email hackers, including many from Russia and other adversary nations, according to new figures reported this week.
The cyberspies and online fraudsters are trying to trick message recipients into clicking on malicious links or downloading malware designed to steal passwords and other personal information, according to an analysis by cybersecurity outfit Proofpoint, which specializes in providing online security for large organizations.
The company looked at nearly 70 million emails sent during October from 5,000 unique .gov parent domains protected by Proofpoint, the company’s VP of Email Fraud strategy Robert Holmes told CyberScoop. More than 3,000 of those domains had been spoofed by hackers sending phishing emails that purported to come from a trusted communicant.
“We saw over 8.5 million fraudulent messages,” Holmes wrote in a blog post Monday, “Almost 10 percent of which were not even sent from a US-based [internet or IP] address.”
The spoofed .gov emails in October originated from IP addresses in 187 different countries, including Russia. But there were waves of particular strength from some countries — probably indicative of particular cybercrime or cyber-espionage campaigns.
“In August of this year, one particular agency saw 80 percent of malicious emails spoofing their identity sent from Russian IPs,” the post states. Proofpoint declined to identify the agency, citing customer confidentiality.
Russia accounts for more than a quarter of all such malicious email since January 2016, the Proofpoint analysis adds.
“There’s no legitimate reason for a foreign IP address to be sending an email saying it’s from a federal agency” or a user with a .gov email address, Holmes told CyberScoop. But without the right security measures, there’s noting to stop it happening.
“I can put anything I want to in that ‘from’ field,” he said, adding that the analysis highlights the “urgent need” for a recent Department of Homeland Security governmentwide mandate. The Binding Operational Directive, as it’s known, means that all federal agencies will have within 90 days to deploy an email protocol called DMARC — Domain-based Message Authentication, Reporting and Conformance.
DMARC is a technical standard and a set of best practices that prevent hackers from impersonating or spoofing an email address. The standards must be implemented by both sender and receiver. When email comes from domains with a DMARC policy and hits inboxes protected with the standard, messages with spoofed addresses are diverted to a spam folder or just not delivered at all. More than three-quarters of all the email inboxes on the planet are protected, according to one analysis.
The Proofpoint analysis found that 8.5 million of the 70 million emails bearing a .gov address in the “from” field are malicious — 1 in 8 — Holmes told CyberScoop. “They either have a malicious payload or they’re sent by an IP address that’s associated with malicious activity,” he said.
