On March 18, an email went out from the World Health Organization soliciting donations for its Covid-19 Solidarity Response Fund, to support WHO’s work tracking and treating the novel coronavirus. The sender address was “email@example.com,” and who.int is the real domain name of the organization.
But the email is a scam. It was not sent from the WHO, but from an impersonator looking to profit off our tendency toward generosity during a global crisis. Fortunately, the attacker revealed themselves by asking for donations in bitcoin.
This is just one of many fake emails that have spoofed the WHO’s domain name during the coronavirus pandemic. Some are addressed from Tedros Adhanom Ghebreyesus, the director-general of the WHO, and carry attachments that can install malware on the victim’s device. Others announce a coronavirus cure that you can read all about in the attachment. They each appear to be sent from a who.int email address.
If it seems like it shouldn’t be this easy to impersonate a leading global health institution, you’re right. As we outline in the video at the top of this post, there is a way for organizations and companies to prevent spoofing of their domain, but the WHO hasn’t done it. (See update at the bottom of this post.)
“One of the things that a lot of NGOs and nonprofits don’t necessarily understand is that email is a very open protocol by design,” said Ryan Kalember, who leads cybersecurity strategy at Proofpoint.
That “open protocol” means that the email transmission system itself doesn’t verify the identity of senders. Instead, senders and receivers have had to organize voluntary authentication methods: Domain owners can adopt an ID system, and email providers can check for those IDs. But participation has not been universal on both sides.
“There are just so many organizations that don’t authenticate their mail. So if you are interested in tricking someone, that becomes an incredibly useful vector to do so,” said Kalember.
There are three main pieces of jargon to learn when it comes to email authentication systems. There’s SPF (Sender Policy Framework), through which a domain owner can specify that legitimate emails always come from a certain set of IP addresses. There’s DKIM (DomainKeys Identified Mail), which relies on a unique signature to verify senders.
And then there’s DMARC, which builds on SPF and DKIM by specifying how the receiving email service should treat messages that fail those tests (do nothing, send to spam, or reject the message altogether). It also provides a feedback system so that domain owners can learn about messages passing or failing checks from their domain.
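To make the three mechanisms concrete, here is an added example (not code from this article or from Proofpoint) that evaluates a constructed SPF record for one sending IP and then applies a constructed DMARC policy, including the SPF/DKIM alignment rules that decide whether a message passes. The domains, IP addresses and records are made up; the `a`, `mx` and `include` SPF mechanisms and the public-suffix lookup used for relaxed alignment are left out for brevity.

```python
import ipaddress

# Constructed records for a hypothetical domain; not real DNS data for who.int or anyone else.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.org"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for one sending IP.
    Mechanisms needing DNS lookups (a, mx, include) are out of scope here."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":                      # catch-all: "-all" means hard fail
            return QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"                           # RFC 7208 default when nothing matched

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if part.strip())

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r') accepts the
    same organizational domain, approximated here as the last two labels."""
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain.split(".")[-2:] == from_domain.split(".")[-2:]

def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return what the receiver should do: 'deliver' when DMARC passes, otherwise the
    p= policy from the record (none, quarantine or reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "deliver" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    # A forged message claiming From: example.org, sent from an IP outside the SPF range
    # and carrying no DKIM signature: with p=reject the receiver should refuse it.
    spf = spf_check(SPF_RECORD, "198.51.100.7")
    print(spf, dmarc_disposition(DMARC_RECORD, "example.org", spf, "example.org", "none", ""))
```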
Setting a strong DMARC policy is the…