Visible to the public Biblio

Filters: Keyword is social engineering attack  [Clear All Filters]
2023-02-13
Yu, Beiyuan, Li, Pan, Liu, Jianwei, Zhou, Ziyu, Han, Yiran, Li, Zongxiao.  2022.  Advanced Analysis of Email Sender Spoofing Attack and Related Security Problems. 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud)/2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom). :80—85.

A mail spoofing attack is a harmful activity that modifies the source of the mail and trick users into believing that the message originated from a trusted sender whereas the actual sender is the attacker. Based on the previous work, this paper analyzes the transmission process of an email. Our work identifies new attacks suitable for bypassing SPF, DMARC, and Mail User Agent’s protection mechanisms. We can forge much more realistic emails to penetrate the famous mail service provider like Tencent by conducting the attack. By completing a large-scale experiment on these well-known mail service providers, we find some of them are affected by the related vulnerabilities. Some of the bypass methods are different from previous work. Our work found that this potential security problem can only be effectively protected when all email service providers have a standard view of security and can configure appropriate security policies for each email delivery node. In addition, we also propose a mitigate method to defend against these attacks. We hope our work can draw the attention of email service providers and users and effectively reduce the potential risk of phishing email attacks on them.

2020-09-04
Routh, Caleb, DeCrescenzo, Brandon, Roy, Swapnoneel.  2018.  Attacks and vulnerability analysis of e-mail as a password reset point. 2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ). :1—5.
In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.