Phishing email attacks are nothing new. You get a bunch of random emails that look like they were sent from known friends and businesses. Yet, when you hover over the actual email address, you see that it is fake, with some weird string of numbers and letters, so you know it is a phishing scam.
Many email clients also have features that look for these types of emails and move them to a “spam” or “junk mail” folder. Some clients even allow you to mark the emails as phishing scams. However, even with these advances, there is a new vulnerability, called “MailSploit,” that is making things easier for individuals and groups who practice “black hat” phishing scams.
The vulnerability was discovered recently by a security research technician in Germany named Sabri Haddouche. The vulnerability has to do with how email clients interpret the data in the “from” data field in emails.
Numerous email clients still follow an old standard from 1992 called RFC-1342. This standard requires all header data in emails to be converted into ASCII character data. If the email client encounters non-ASCII data, it converts it into the appropriate ASCII characters.
The vulnerability arises because, after converting non-ASCII data into ASCII character formats, the email clients never go back to re-scan the header data for malware or viruses. In addition, there is a secondary vulnerability that can be hidden within the header data content.
The RFC-1342 standard also cannot address issues with multiple email addresses in the header data or null-byte data types. In other words, if the email client encounters two or more email addresses in the header data, the only one read and verified for ASCII format is the first email address.
As a result, hackers and others who use “black hat” tactics could essentially hide malware, viruses, and other payloads using one or both of these vulnerabilities. To email recipients, it would appear as if the email came from someone they knew and trusted.
Upon opening the email, there could be a “trigger” that installs a malicious program or virus onto the device. In some cases, there could be clickable links embedded in the email that, once clicked, download and install malicious programs onto the device.
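As an added example (not code from the original article or from the MailSploit research), the Python sketch below decodes the RFC-1342 encoded-words in a “From” value and then re-scans the decoded text, the step the affected clients skip, flagging control characters such as null bytes and more than one email address. The function names, finding labels, and sample headers are assumptions constructed for illustration, and the multiple-address check is a heuristic.

```python
import base64
import re
from email.header import decode_header

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # NUL, CR, LF, other controls


def decode_from(raw):
    """Decode the encoded-words in a raw From header value to text."""
    out = []
    for data, charset in decode_header(raw):
        if isinstance(data, bytes):
            try:
                data = data.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                data = data.decode("latin-1")
        out.append(data)
    return "".join(out)


def check_from(raw):
    """Re-scan the decoded From value; return a list of findings."""
    decoded = decode_from(raw)
    findings = []
    if CTRL_RE.search(decoded):
        findings.append("control-character")
    if len({a.lower() for a in ADDR_RE.findall(decoded)}) > 1:
        findings.append("multiple-addresses")
    return findings


# Constructed sample headers for testing the check (not taken from real mail).
PLAIN = "Alice Example <alice@example.com>"
ENCODED_NAME = "=?utf-8?Q?Zo=C3=AB?= <zoe@example.com>"
HIDDEN_ADDR = "=?utf-8?Q?billing=40example.com?= <sender@example.net>"
NUL_ADDR = ("=?utf-8?b?" + base64.b64encode(b"billing@example.com\x00").decode()
            + "?= <sender@example.net>")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("encoded", ENCODED_NAME),
                      ("hidden", HIDDEN_ADDR), ("nul", NUL_ADDR)]:
        print(name, repr(decode_from(raw)), check_from(raw))
```

A mail filter would run a check like this on the decoded header before deciding what sender to display, rather than on the raw encoded bytes.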
There are thirty-plus email clients affected by the vulnerability. However, Gmail is not one of them. Those email clients affected include:
- Mozilla Thunderbird
- AOL Mail
- Yahoo! Mail
- Mail for Windows 10
- Apple Mail for iOS/macOS
Out of the affected email clients, so far eight companies have released patches to fix the vulnerability, and a dozen others are in the process of developing a patch to fix the problem.
In the event you accidentally open a phishing email that causes your device to crash or causes your storage device to fail, please feel free to contact the data recovery experts at Taking It Mobile at 888.877.5002 (1-888-Call-TIM) today!