Email spoofers can use major websites to pose a massive threat


Email spoofing is a process whereby cybercriminals can concoct messages that appear to come from a trusted domain – and when that email address spoofs one of the biggest websites in the world, thereby lending a good deal more credence to the message, that's a major issue.

Unfortunately, the sad truth appears to be that many of the top trafficked sites don't have proper defences against email spoofing, at least according to new research from security firm Detectify (as spotted by PC World).

There are, of course, security measures to prevent fraudsters from spoofing major domains, and these include the likes of SPF (Sender Policy Framework). However, as Detectify observes, SPF is often improperly configured by organisations, leaving them vulnerable to being compromised and impersonated.

In fact, Detectify checked the top 500 most-trafficked websites (as ranked by Alexa), and found that over half of these domains – 276 of them to be precise – were vulnerable to spoofing because they had no SPF (or DMARC, another solution that blocks forged emails) authentication configured, or it was misconfigured in some way.

Unfortunately, configuring email authentication isn't a particularly easy task – although you'd really expect major web players to have the resources to tackle the process.

Soft settings

In some cases, though, companies set up SPF with 'soft' settings that just flag forged emails as spam or suspicious (and with some email providers like Gmail, even these warnings can be dropped). They do this because they're afraid that the more stringent setting, which outright rejects dodgy emails, might lead to some of their own genuine messages being binned by the system.

For us denizens of the net, the thing to bear in mind here is that a good deal of the top websites can apparently be spoofed – so if you receive an email purporting to be from a major organisation, don't take that as read.

Be very wary of any out-of-the-blue correspondence and keep your eyes peeled for any suspicious content, dodgy-looking links, attachments, and all the usual tricks the bad guys might employ to snare you in some sort of scam or malware infection.

As for businesses out there running websites and wishing to defend against spoofing attacks, Detectify recommends using SPF, configured correctly of course, in conjunction with DMARC configured to reject or quarantine all failed emails. The company also provides a guide on how to set this up.
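To make the difference between 'soft' and enforced settings concrete, here is an added example (not from Detectify or the original article) that classifies a domain's published SPF and DMARC TXT records. The verdict labels, the function names and the sample records are assumptions made for this illustration.

```python
# Added example. TXT records are passed in as strings so it runs offline;
# in practice SPF is the TXT at the domain and DMARC the TXT at _dmarc.<domain>.

def spf_all_qualifier(txt_records):
    """Qualifier on SPF's 'all' term: '-', '~', '?', '+'; 'multiple' or
    'missing-all' for broken records; None when no SPF record exists.
    Simplification: include: and redirect= targets are not followed."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return None
    if len(spf) > 1:
        return "multiple"  # RFC 7208: more than one SPF record is a permerror
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "missing-all"

def dmarc_policy(txt_records):
    """Value of the p= tag ('none', 'quarantine', 'reject') or None."""
    for record in txt_records:
        parts = (p.partition("=") for p in record.split(";"))
        tags = {k.strip().lower(): v.strip().lower() for k, _, v in parts if k.strip()}
        if tags.get("v") == "dmarc1":
            return tags.get("p")
    return None

def assess(spf_txt, dmarc_txt):
    """Verdict labels are this example's own, not Detectify's."""
    qualifier, policy = spf_all_qualifier(spf_txt), dmarc_policy(dmarc_txt)
    enforcing = policy in ("quarantine", "reject")
    if qualifier in ("-", "~"):
        if enforcing:
            return "enforced"            # SPF plus DMARC quarantine/reject
        return "spf-hard-only" if qualifier == "-" else "soft"
    return "dmarc-only" if enforcing else "open"

# Constructed sample records (reserved .example names, documentation IP range).
SAMPLES = {
    "strict.example": (["v=spf1 include:_spf.strict.example -all"],
                       ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
    "soft.example": (["v=spf1 ip4:192.0.2.0/24 ~all"], ["v=DMARC1; p=none"]),
    "none.example": (["site-verification=constructed"], []),
    "dup.example": (["v=spf1 -all", "v=spf1 ~all"], ["v=DMARC1; p=quarantine"]),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(f"{domain:16} {assess(spf_txt, dmarc_txt)}")
```

A `soft` verdict corresponds to the situation described above: forged mail is at most flagged, because neither SPF nor DMARC tells the receiver to reject or quarantine it.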

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).