
Anyone can compromise the email communications of at least 40% of SC candidates. This is why

The parties with the best chance of entering the new parliament are largely unable to prevent unauthorized use of their email domain to send fake messages

Oct 24, 2024 08:02


The article is written for informational purposes only. Sending phishing and misleading email messages is a crime. The tests described in the article were carried out in an isolated environment, without the risk of messages reaching real recipients.

Anyone with a laptop and an internet connection can send an email message on behalf of at least 40% of the political parties and coalitions with the greatest chance of entering parliament, Questona.com writes.

This person does not need to hack email accounts or have physical access to the party's computers.

It is enough to open a site on the Internet, write the desired message and send it from the email address of whoever you want: for example, press-center@vazrazhdane or [email protected].

Sending fake e-mails (email spoofing) is possible because a significant part of Bulgarian parties do not protect their domains with the DMARC validation protocol.

Organizations use DMARC as a preventative measure against someone sending spoofed emails on their behalf.

Although it is available and considered a standard technology, almost half of the ten parties and coalitions with the most electoral support do not currently use DMARC. This makes them a potential victim of manipulation, panic-mongering and other problems that could further complicate the political situation in the country.

Is email easy to forge?

For the purpose of this article, I tested the websites of the ten parties and coalitions that garnered the most electoral support in a poll conducted by “Market Links” immediately before the parliamentary elections in October 2024.

Each of the domains was tested to see whether it uses DMARC and how it is configured.

I sent fake emails to several different email clients to see if they would mark the messages as spam.

For the fake emails, I used the Emkei site, which is something of a Swiss army knife for spam. With it, a malicious person can send fake emails even without any technical knowledge. All he needs is a laptop and an internet connection.

I simulated sending a fake email on behalf of a Bulgarian party to media representatives.

Why exactly media? Because we know that something similar has already happened.

In 2015, the Bulgarian media received a fake email on behalf of the “Movement Bulgaria of Citizens”. The message (probably sent by Emkei) stated that the movement was leaving the ruling coalition. It was spread by most of the Bulgarian media without any fact-checking and caused a brief uproar.

The same tactics can be used to instill panic, undermine someone's reputation, incite hatred, and more.

What the results show

Now that we know what the consequences might be, let's see how the Bulgarian parties deal with fake emails.

1. Four of the top 10 parties do not use DMARC

These are BSP, “Vazrazhdane”, GERB (the SDS domain does not use it either) and “Blue Bulgaria”. They represent 40% of the representative sample and about 47% of the voters (based on the estimated data from the sociological research).

A malicious person could send an email on behalf of any of these parties. If the recipient uses Roundcube or ABV, there is a good chance that the letter will land in their mailbox without raising any suspicion.

2. Five of the top 10 parties use DMARC, but with too few restrictions

These are APS, Velichie, ITN, MECH and “We continue to change” (this also applies to their coalition partners “Yes, Bulgaria”).

These parties' domains have DMARC enabled, but the policy is not set as restrictively as possible, which more or less makes its use pointless.

If someone tries to send a fake email on behalf of these parties, the message will at best end up in a “Spam” folder. In our experiment, the letter was detected as spam by ABV and Outlook, but it ended up in the Roundcube mailbox without any problems.

3. Only one party in the top 10 uses DMARC (almost) effectively

This is “DPS-New Beginning”, which has set its DMARC policy to “quarantine”, so suspicious mails go to the “Spam” folder. Accordingly, all email clients I used for testing detected attempts to misuse the party's domain.

Even in this case, however, the recipient may be misled. Many users forward their work mail to their personal email, which is in Gmail for example. Gmail has pretty good spam filters. But when spam first goes through work mail, it's possible for it to end up in your Gmail inbox without being flagged as suspicious.
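The three categories above (no DMARC record, DMARC with a policy too lax to filter anything, and an enforced quarantine or reject policy) can be checked mechanically from the `_dmarc` TXT record of a domain. The following is an added example, not code from the article or from Questona.com: it parses DMARC records and sorts domains into those categories, and also computes the share of domains that would not filter a spoofed message, which is the logic behind the article's 90% figure. All domain names and records in it are constructed placeholders, not the real records of any party named above.

```python
"""Classify DMARC records into the article's three categories.

Added example (not the article's own code). SAMPLE_RECORDS holds
constructed placeholder domains and TXT records for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: domain -> value of its _dmarc TXT record
# (None means the lookup returned no record at all).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@quarantine.example",
    "half-quarantine.example": "v=DMARC1; p=quarantine; pct=50",
    "reject.example": "v=DMARC1;p=reject;adkim=s;aspf=s",
    "broken.example": "v=DMARC1; pct=100",  # mandatory p= tag is missing
}

CATEGORIES = ("no_dmarc", "not_restrictive", "enforced")


@dataclass
class DmarcPolicy:
    raw: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)
    category: str = "no_dmarc"
    reason: str = ""


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> DmarcPolicy:
    """Map one record (or None) to no_dmarc / not_restrictive / enforced."""
    if record is None:
        return DmarcPolicy(None, {}, "no_dmarc", "no _dmarc TXT record published")

    tags = parse_dmarc(record)
    # Receivers ignore a record that is not DMARC1 or lacks the p= tag,
    # so in practice it is equivalent to having no record at all.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcPolicy(record, tags, "no_dmarc", "malformed record; treated as absent by receivers")

    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # the default when pct is unparsable

    if policy == "none":
        return DmarcPolicy(record, tags, "not_restrictive",
                           "p=none only requests reports; failing mail is delivered normally")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return DmarcPolicy(record, tags, "not_restrictive",
                               f"p={policy} is applied to only {pct}% of failing mail")
        return DmarcPolicy(record, tags, "enforced", f"p={policy} applied to all failing mail")
    return DmarcPolicy(record, tags, "no_dmarc", f"unknown policy value p={policy}")


def survey(records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group domains by category, preserving the input order within each group."""
    result: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for domain, record in records.items():
        result[classify(record).category].append(domain)
    return result


def unprotected_share(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains for which a spoofed message would not be filtered
    (domains with no DMARC plus domains whose DMARC does not filter)."""
    groups = survey(records)
    total = sum(len(v) for v in groups.values())
    return (len(groups["no_dmarc"]) + len(groups["not_restrictive"])) / total


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict = classify(record)
        print(f"{domain:26} {verdict.category:16} {verdict.reason}")
    print(f"unprotected share: {unprotected_share(SAMPLE_RECORDS):.0%}")
```

To run this against real domains you would fetch the TXT record at `_dmarc.<domain>` with a DNS resolver and feed the returned string (or `None`) into `classify`; the classification logic itself does not depend on how the record was obtained.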

DMARC is not a panacea

It is important to note that this technology does not end spam. DMARC works in conjunction with other authentication mechanisms such as SPF and DKIM to verify the authenticity of the email address from which the message originated.

In a well-thought-out spoofing attack, DMARC can be ineffective. Still, it is a cheap and easy-to-implement technology, one that Bulgarian parties and state institutions nevertheless fail to use effectively.

And this applies not only to Bulgaria. According to a study by Red Sift, about 75% of sites related to the US Senate elections do not have an effective DMARC policy. This 75% includes both domains without DMARC and domains that have DMARC but do not filter spam.

If we apply the same methodology to the Bulgarian results, the 40 percent mentioned in the title of this article becomes 90%.

There are many other measures to combat spam: spam filters, employee training, etc. However, they depend on the users who receive the email. DMARC is something any domain owner can use to reduce the risk of being impersonated in online communication.