Why coronavirus scammers can send fake emails from the WHO

Hello? First things first.

Check your e-mail.

I got one.

Fake Dylan at W.H.O.

This is the W.H.O.'s real domain, right? who.int.

So Fake Dylan is an internet security researcher that I worked with to send all of our emails a bunch of fake messages.

And he was able to send these messages from the real W.H.O. domain.

I'm going to say I'm coming to you from my new job in the World Health Organization.

I spent all my money moving to Geneva, Switzerland.

Please, send me some bitcoin to tide me over? It might say “this is a joke” in our example here, but the more serious ones would be like, “there's an urgent new coronavirus warning from the W.H.O.”

As the number of coronavirus cases increases, so too do Internet scams and hoaxes.

Real-looking emails supposedly from the World Health Organization and CDC asking for money.

These agencies do not ask for direct donations by e-mail.

If you click on a link or download an attachment from those e-mails, you could be giving hackers your personal information.

So what we're looking at here is domain spoofing and we're seeing it a lot with respect to the coronavirus in particular.

So this really has been totally unprecedented.

The teams have never seen anything like this in terms of a single lure, uniting all different types of actors behind a single real pretext for people to do all kinds of things, whether it's actually just steal their password, what we call credential phishing, whether it's install malware.

So this is just one example sent from what looks like the W.H.O. e-mail address, just like the one that came to you.

Clearly it's trying to get you to download a specific file that they have sent.

And researchers at IBM found that that file contains malware that captures screenshots and logs your keystrokes and steals usernames and passwords.

Huh, “beware of criminals pretending to be W.H.O.” The W.H.O. has actually published guidance on this and they are aware that this is happening.

But its top advice, its number one advice, is: “Verify the sender by checking their email address.” We know that that's pretty easy to fake at this point.

Wow.

I'm surprised they don't point that out because people might think that if it has a who.int address, that means it's legitimate.

But really, it's a necessary but not sufficient condition.

Correct.

Yeah.

What I found super interesting was that we tried spoofing a bunch of domains, and only some of them went through to the inbox.

The CDC and Vox emails didn't, but WHO and whitehouse.gov emails did.

And I should say, it was only the Yahoo emails that we set up.

The Gmail and Outlook emails both put them in spam.

So I've been looking into this and it seems like the greater context around this is that when email was created back in the eighties, no one bothered to make any way to verify that the sender is who they say they are.

Really it is the foundational technologies of the Internet being built with no security in mind and no central database of who is who that gives rise to this problem.

And since then, there've been lots of attempts to sort of build this sort of verification system.

The problem is just that the participation is not as high as it should be.

So to make sense of this, it might help to think about another type of verification problem, which is that society doesn't want teenagers to get into bars to buy alcohol.

To prevent that from happening, we need two things: We need a way to verify ages, which is our ID system, and we need businesses to then check for IDs.

Now, imagine if that ID system was voluntary.

So you have a bunch of adults who might not bother to go get an ID.

Then when they come to the bar, the business basically has a decision to make.

Either they require IDs knowing full well that plenty of legitimate adults don't have one.

Or, to avoid pissing people off, they just let them in and maybe they end up letting in some kids too.

And probably every bar is going to make a slightly different decision.

That's kind of where we're at with email authentication right now.

We have an ID system.

It's called DMARC, but it's voluntary.

So if an e-mail comes in with my email address, joss@vox.com, the email service, whether that's Yahoo! or Outlook or G-mail, is going to check if that domain, vox.com, has a DMARC record.

And we do! Thankfully, Vox took the time to set up a DMARC record, which basically does three things: First, it says that the email has to come from a certain set of IP addresses that Vox trusts.

Second, it says that the email has to carry a unique signature that only Vox can create.

And third, it says that if the email fails either of those two tests, then the email service receiving the email should reject it, should just throw it away so that it never reaches anybody's inbox.

Because of that, my Vox e-mail address, your Vox e-mail address, we can't be easily impersonated.

OK, so say an e-mail comes in from a domain that doesn't have a DMARC record or has set their DMARC policy to something other than “reject,” that e-mail is going to have a higher chance of getting through.

Now, the e-mail providers all have spam filters.

They have these algorithms that are looking through these emails to check and see if anything's fishy.

But obviously that didn't stop Dylan's fake e-mail from getting into my Yahoo! inbox.

I would guess that the W.H.O. does not have a strong DMARC policy set up, if they have one at all.

OK, there's actually a way that we can double check this.

Oh, nice.

It has this nice little green box that comes up.

But this is the actual DMARC record.

V equals DMARC1, P equals reject.

So this is telling us that our policy is, “reject this e-mail.” And this is true, I think, of… yeah, the CDC as well.

What about the White House? Yeah.

Let me try the White House… Huh.

OK.

So the White House has published a DMARC record, but if you look at it, p equals none, meaning that they are not telling email providers to reject e-mails that come from other IP addresses or that generally are not from their approved domain senders.

The weird thing about that… So this is their guidance on what all federal agencies are supposed to do.

“All agencies are required to, within one year after issuance of this directive, set a DMARC policy of reject for all second level domains and mail-sending hosts.” Wow.

So the White House is violating its own policy.

At the very least, they're acknowledging that a DMARC policy of reject is the strongest protection.

And it is very clear that they are not using that protection.

So now let's try the W.H.O.

“Not protected against impersonation attacks!” They have not published a DMARC record at all.

And I can understand.

Like the W.H.O. has a lot on their hands right now.

They're basically leading the global effort against this giant pandemic.

But damn, it really seems like they should have done this.

Yeah.

And to be fair, it's not like the WHO is alone in this.

There's a report by ValiMail that shows that less than 15 percent of domains with DMARC have actually set their policy to reject spoofed emails or send them to spam.

There's kind of an incentive issue at play, which is that you publish the record to protect other people from being phished.

And the tradeoff there is that if you don't configure it properly, and it does take some work to set up correctly, you risk some of your e-mails not being delivered.

I think that the W.H.O. is in a tough spot right now because it is incredibly important in this moment that their e-mails get through.

And also there's an increase in the risk that it's coming from a fake domain and that, you know, maybe they have some more responsibility than they might have before in terms of protecting people from fake e-mails.

Hey, do it for us, because we're all, you know, vulnerable out here on the internet looking for information.

Yeah.

It is the sort of thing that every good citizen of the internet should do.

But, you know, like eating your vegetables and working out every day, it's not something that every organization does.


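Added example (not part of the Vox transcript, and not code from Vox, the WHO or any of the organizations named): a small model of what a receiving mail server does with a DMARC record, covering the three cases the transcript finds. It parses a `v=DMARC1` TXT record, checks whether SPF or DKIM passed with a domain that aligns with the From: address, and applies the published `p=` policy. The record strings are constructed to mirror what the transcript reports (vox.com publishes `p=reject`, whitehouse.gov publishes `p=none`, who.int publishes nothing); a real check would fetch the TXT record at `_dmarc.<domain>` over DNS. The "last two labels" organizational-domain rule and the assumption that `pct=100` are simplifications of RFC 7489, not part of the transcript.

```python
"""Model of DMARC evaluation at a receiving mail server (added example)."""


def parse_dmarc(record):
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment.

    Simplification (assumption): take the last two labels. Real receivers
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the From: header domain?"""
    if mode.lower() == "s":  # strict alignment: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed


def dmarc_disposition(record, from_domain, spf, dkim):
    """Decide what happens to one message.

    record : DMARC TXT string, or None when the domain publishes no record
    spf    : (result, domain) for the SPF check of the envelope MAIL FROM
    dkim   : (result, domain) for the DKIM signature's d= domain
    Returns (dmarc_result, action); action is "deliver", "quarantine" or "reject".
    """
    if record is None:
        # No record: DMARC is not applied at all; only spam heuristics remain.
        return ("none", "deliver")
    tags = parse_dmarc(record)
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    # DMARC passes if EITHER mechanism passes AND its domain aligns with From:.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # Assumption: pct=100, i.e. the policy applies to every failing message.
    policy = tags["p"].lower()
    if policy == "reject":
        return ("fail", "reject")
    if policy == "quarantine":
        return ("fail", "quarantine")
    return ("fail", "deliver")  # p=none: monitoring only, mail still goes through


# Constructed records mirroring the transcript's findings (not live DNS data).
RECORDS = {
    "vox.com": "v=DMARC1; p=reject",
    "whitehouse.gov": "v=DMARC1; p=none",
    "who.int": None,
}

# A spoofed message sent from an attacker's server: SPF fails because the
# sending IP is not authorized, and there is no DKIM signature to pass.
SPOOFED = (("fail", "attacker.example"), ("fail", ""))


def spoof_outcomes():
    """Action a receiver would take for a spoof of each domain above."""
    return {d: dmarc_disposition(RECORDS[d], d, *SPOOFED)[1] for d in RECORDS}


if __name__ == "__main__":
    for domain, action in spoof_outcomes().items():
        print(f"spoofed mail claiming to be from {domain}: {action}")
```

Only the `p=reject` domain causes the forged message to be thrown away; with `p=none` or no record the decision falls back to the provider's spam heuristics, which is why the same spoof landed in spam at some providers and in the inbox at another.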