U.S. senators remain vulnerable to email fraud
Trend Micro has found evidence that a Russian hacking group is attempting to break into the U.S. Senate’s email systems, Newsweek reported last week.
Here’s the thing: Hackers don’t even need to hack into the Senate in order to spread confusion and doubt. They can craft emails that look exactly like Senate emails, right down to the “senate.gov” email address in the From field, and send them from their own Russian servers — no permission required.
That’s because Senators are not protected by email authentication — the set of widely accepted standards that ensure that only authorized senders can use a domain name in their email messages. The key standard for email authentication is called DMARC, and it’s true that Senate.gov has published a DMARC record. However, a critical configuration issue is evident in its DMARC setup: It has set the DMARC policy (the “p” tag) to “reject” for senate.gov, but it has set the subdomain policy (the “sp” tag) to “none” for subdomains.
That means that unauthorized emails from the root domain of senate.gov (firstname.lastname@example.org) will be rejected by email servers around the world, as the policy specifies — but unauthorized emails from subdomains of senate.gov (email@example.com) will continue to go through. This unfortunately sets up a false sense of security.
A Common (Yet Serious) Problem
One common reason for this setup is the concern that legitimate email will be blocked. However, by not locking down the subdomains, phishing messages can still be sent from subdomains of senate.gov.
This is particularly worrisome given the way Senators send email from Senate.gov. Most senators use subdomains to send their email messages. If you get a message from Ted Cruz’s press office, it’s going to come from firstname.lastname@example.org. Kamala Harris sends email as email@example.com. And so on.
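To make the gap concrete, here is an added example (not Valimail’s or Senate.gov’s code) that resolves the effective DMARC policy for a given From domain the way a receiving mail server does under RFC 7489: query `_dmarc.<from domain>`, and if nothing is there, fall back to the organizational domain, where `sp` governs subdomains and defaults to `p` when absent. DNS is replaced by a constructed in-memory table so it runs offline; the `weak.example` and `fixed.example` records, the `FAKE_DNS` table and the tiny `PUBLIC_SUFFIXES` stand-in are all constructed for illustration and are not the real senate.gov record.

```python
"""Resolve the effective DMARC policy for an RFC5322.From domain.

Added example, not code from the original post. DNS lookups are replaced
by a constructed table so the script runs offline.
"""

# Constructed stand-in for TXT lookups at _dmarc.<domain>. Not real records.
FAKE_DNS = {
    # The configuration the post describes: reject at the root, none below it.
    "_dmarc.weak.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@weak.example",
    # The corrected form: sp omitted, so subdomains inherit p=reject.
    "_dmarc.fixed.example": "v=DMARC1; p=reject; rua=mailto:dmarc@fixed.example",
    # A subdomain that publishes its own record is governed by that record.
    "_dmarc.press.weak.example": "v=DMARC1; p=quarantine",
}

# Constructed, minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"example", "gov", "com", "org"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict; None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def organizational_domain(domain):
    """Return the organizational domain using the toy suffix list above.
    A real resolver consults the full Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return domain if i == 0 else ".".join(labels[i - 1:])
    return domain


def effective_policy(from_domain, dns=FAKE_DNS):
    """Return (policy, record_domain) per DMARC policy discovery.

    1. Query _dmarc.<from_domain>; if a record exists, its p= applies.
    2. Else query _dmarc.<org domain>; for a subdomain, sp= applies when
       present, otherwise p= (sp defaults to p).
    3. No record anywhere -> 'none': unauthenticated mail is not rejected.
    """
    from_domain = from_domain.lower().rstrip(".")
    txt = dns.get("_dmarc." + from_domain)
    record = parse_dmarc(txt) if txt else None
    if record:
        return record.get("p", "none"), from_domain

    org = organizational_domain(from_domain)
    if org == from_domain:
        return "none", None
    txt = dns.get("_dmarc." + org)
    record = parse_dmarc(txt) if txt else None
    if not record:
        return "none", None
    # Subdomain without its own record: sp= governs, defaulting to p=.
    return record.get("sp", record.get("p", "none")), org


def subdomains_enforced(org_domain, dns=FAKE_DNS):
    """Audit check: True only if mail from an arbitrary, unlisted subdomain
    of org_domain would be quarantined or rejected."""
    policy, _ = effective_policy("unlisted-subdomain." + org_domain, dns)
    return policy in ("quarantine", "reject")


if __name__ == "__main__":
    for domain in ("weak.example", "cruz.weak.example", "press.weak.example",
                   "fixed.example", "harris.fixed.example"):
        print(f"{domain:28} -> {effective_policy(domain)}")
    print("weak.example subdomains enforced:", subdomains_enforced("weak.example"))
    print("fixed.example subdomains enforced:", subdomains_enforced("fixed.example"))
```

Running it shows the asymmetry the post describes: `weak.example` itself resolves to `reject`, but `cruz.weak.example` resolves to `none` because of the explicit `sp=none`, while every subdomain of `fixed.example` inherits `reject`. The `subdomains_enforced` check is the one-line audit a domain owner can run against their own record before trusting that a `p=reject` at the root protects the addresses their staff actually send from.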
In other words, despite the existence of a DMARC record, the Senate’s email addresses remain vulnerable to impersonation. It doesn’t have to be this way.
We Commend Senate.gov, But We Need To Fix This
By being among the first .gov domains to use DMARC, the IT team behind Senate.gov are visionaries and should be commended. It is all too easy to criticize implementations — but in this case, it is in the national interest we get this right.
We know from published reports that 1 in 4 messages that appear to come from the federal government are fraudulent. Valimail found in our own analysis that 20 percent of messages are likely fake, based on billions of emails we analyzed for several large domains in October. We know that impersonation is the #1 vector for phishing attacks — and that phishing is the point of entry for 91% of cyberattacks.
Given all that, what are the odds that the Russians are not including email impersonation in their arsenal of attacks on Senate.gov?
Senator Ben Sasse said in a statement that “Russia is just getting started.” The Senate needs to be prepared.
Top photo credit: Phil Roeder/Flickr