Compared to the rest of today’s leading communications technologies, email is ancient. It even predates the Internet itself. Email emerged in the mid-1960s as a way to send an electronic note to other users on the same network by leaving it in a particular directory. However, it didn’t really take off commercially until the 1970s, by which time the Advanced Research Projects Agency Network – the first to implement TCP/IP – was ascendant and pointing the way toward the World Wide Web.
In its current form – as a list of messages viewed from a mail client or Web browser – email is ubiquitous. More than 100 billion emails are sent every day. But email remains a prime channel for identity theft, phishing and baiting recipients into new advanced persistent threats:
- In 2013, spam accounted for almost 70 percent of email worldwide. A lot of it contained get-rich-quick schemes and solicitations for bank account info, but a sizable chunk was also filled with attempts at harvesting social media data. A 2012 Trend Micro TrendLabs e-guide, “How Social Engineering Works,” provided context for this growing interest of spammers in social networks, where tremendous amounts of sensitive info are now concentrated.
- Spam distribution hasn’t abated much in 2014. According to Trend Micro’s Global Spam Map, roughly 166 billion messages were sent to the company’s Email Reputation servers during late June 2014. Volume so far this year has been steady, with only that early summer surge standing out from the softer peaks and valleys.
- Malicious email attachments with common file format extensions like .PDF, .DOC and .XLS are still widespread. These files are often key components in spear-phishing attacks designed to infiltrate corporate network security and set up surveillance mechanisms.
Spam is obviously a problem for enterprises, since they receive orders of magnitude more email than individuals while also managing larger amounts of data. Still, it’s easy to write off spam as a mere nuisance rather than a legitimate cybersecurity risk.
After all, Gmail – the face of consumer email, with 425 million accounts – is known for its top-notch spam filtering. Moreover, email now feels like a less spammy medium than Twitter, for example, leading The Atlantic’s Alexis Madrigal to call email “the best thing on the Internet.” Like RSS, it is an open, interoperable protocol that continues to outlive proprietary alternatives.
Plus, many emails don’t seem dangerous since they are effectively just formal notifications that something is happening on Facebook or LinkedIn. Two recent incidents involving major email services and social networks, though, show that email’s popularity and openness still make it a high-profile target for manipulation.
LinkedIn shows risks of mapping email addresses to real names
Email addresses are usually logical. Their creators/owners insert parts of their real names, possibly alongside numbers corresponding to a birthday or important date. This technique makes them easy to remember, but also simple for others to guess.
LinkedIn, one of the world’s largest and most profitable social networks, has become famous for connecting white-collar workers with each other. Along the way, it has grown its user base by offering to scan email contact lists for matches in LinkedIn’s existing membership. A group of security researchers recently took advantage of this feature, putting its matching algorithms to work in seeing if hypothetical email addresses (i.e., name-like characteristics + a typical SMTP ending like @yahoo.com) had actually been used to register LinkedIn accounts.
“We created several hundred possible addresses for [Dallas Mavericks owner Mark] Cuban in a few seconds, using a Microsoft Excel macro,” stated Brian Seely, founder of Rhino Security and one of the researchers, according to Brian Krebs. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”
Given that email addresses resemble real names and allow direct access to the recipient, this LinkedIn exploit would allow a dedicated hacker to spam anyone on the network, even high-profile individuals who would never agree to “connect” in the first place (LinkedIn connections allow for email/messaging access).
The incident speaks to some of the vulnerabilities inherent in email itself, notably its openness, its standard formatting and the fact that the two parties need not be part of the same service. It also highlights how email remains central even in a world of myriad proprietary communications apps. Just think of how many sites still allow email registration for users who don’t or can’t use Facebook, Google+, etc. to log in.
Gmail leak illustrates risk of website sign-in and security
Speaking of Google, around 5 million Gmail addresses and plaintext passwords were recently leaked to a Russian Bitcoin forum, although the incident doesn’t appear to have been caused by a direct breach of Google’s systems. Rather, attackers may have taken advantage of similarity between website logins, reuse of credentials and lack of two-factor authentication.
Google offers SMS verification for login from unfamiliar or first-time devices. Similarly, its Google Authenticator service can be used to generate unique text or voice codes. But many users don’t go that far, whether because they don’t understand the process or because the Web companies handling their data don’t require it.
Apple, for example, only recently extended two-factor authentication to iCloud backups following an August targeted attack against several iCloud accounts. By default, Google doesn’t require anything other than the standard username/password combo when logging into email.
Password recycling and laziness are still widespread, with straightforward passwords like “football” and “password” still among the most popular across all accounts. With email, the risk of facile, reused credentials is acute, since a compromised email account is both a repository for sensitive data (e.g., addresses, phone/Social Security numbers and password recovery info) and a potential node for a spam botnet.
Email may be long in the tooth and imperfect, but it’s not going away. As such, it’s worth investing in cybersecurity solutions that ensure comprehensive protection from spam as well as malicious attachments that precipitate larger breaches.