Dot-gov email is more prone to forgery than social media and e-commerce messages

Research finds federal websites trail social networks and retailers in authentication steps.

Americans are more exposed to forged email that appears to come from dot-gov domains than to forgeries of online retailer and social media messages, according to a new study.

The problem is that many federal agencies are not publishing the authentication records and signatures that let a recipient's mail server verify a government email really came from the government, researchers say. Without email authentication, cybercriminals can spoof, or forge, dot-gov email addresses and send fraudulent messages that look exactly like legitimate ones. Criminals after money or government secrets have posed as federal entities -- for example, the Federal Deposit Insurance Corporation -- to trick citizens and contractors into divulging bank passwords and confidential strategies.
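The authentication the report measures is published in DNS: an SPF record lists the servers allowed to send mail for a domain, DKIM signatures cover the message itself, and a DMARC record tells receivers what to do with mail that fails those checks. The following is an added example, not code from the report or from the article, showing how a receiving server evaluates SPF for a sender address and how an auditor would read the published policy. All domain names and TXT records below are constructed stand-ins for live DNS data so the script runs offline; DKIM is omitted because checking it requires knowing the sender's selector.

```python
"""Evaluate published email authentication for a domain (SPF + DMARC).

Constructed TXT records stand in for live DNS lookups so this runs offline.
"""
import ipaddress

# Constructed records; none of these domains or addresses are real data.
TXT_RECORDS = {
    "agency-a.example.gov": [],                                   # publishes nothing
    "agency-b.example.gov": ["v=spf1 ip4:192.0.2.0/24 ~all"],      # SPF with softfail
    "_dmarc.agency-b.example.gov": ["v=DMARC1; p=none"],          # monitor only
    "retailer.example.com": ["v=spf1 ip4:198.51.100.10 include:_spf.mail.example.net -all"],
    "_spf.mail.example.net": ["v=spf1 ip4:203.0.113.0/25 -all"],  # third-party sender
    "_dmarc.retailer.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@retailer.example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed table."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_record(domain):
    """Return the single SPF record for a domain, or None if zero or many."""
    recs = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_spf(domain, sender_ip, depth=0):
    """SPF result for sender_ip claiming a MAIL FROM at domain.

    Supports ip4/ip6/include/all and the redirect modifier. The a, mx, ptr
    and exists mechanisms need live DNS and are treated as non-matching.
    A simplification: an include that is not 'pass' is treated as no match.
    """
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:        # skip the v=spf1 version tag
        if "=" in term:                 # modifier, e.g. redirect= or exp=
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                return check_spf(arg, sender_ip, depth + 1)
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                # An address of the other family is simply not contained.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                return "permerror"
        elif name == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched, no 'all' term


def spf_all_qualifier(rec):
    """The qualifier on the trailing 'all' mechanism, or None if absent."""
    for term in rec.split()[1:]:
        body = term[1:] if term[0] in QUALIFIERS else term
        if body.lower() == "all":
            return term[0] if term[0] in QUALIFIERS else "+"
    return None


def dmarc_policy(domain):
    """The DMARC p= tag for domain, or None if no DMARC record is published."""
    for r in lookup_txt("_dmarc." + domain):
        if r.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
            return tags.get("p", "none").lower()
    return None


def assess(domain):
    """Classify a domain the way an authentication audit would."""
    rec = spf_record(domain)
    policy = dmarc_policy(domain)
    if rec is None and policy is None:
        verdict = "not authenticating outgoing email"
    elif policy in ("reject", "quarantine") or (rec and spf_all_qualifier(rec) == "-"):
        verdict = "authenticated and enforced"
    else:
        verdict = "published but not enforced"
    return {"spf": rec, "dmarc": policy, "verdict": verdict}


if __name__ == "__main__":
    for d in ("agency-a.example.gov", "agency-b.example.gov", "retailer.example.com"):
        print(d, assess(d))
    print(check_spf("retailer.example.com", "203.0.113.7"))   # pass via include
    print(check_spf("agency-b.example.gov", "198.51.100.1"))  # softfail
```

The softfail case is the one auditors watch for: a receiver that sees `~all` or DMARC `p=none` has been told the sender is probably not authorized but not to reject the message, so the forgery still reaches the inbox.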

Of 50 highly trafficked or previously targeted federal sites, 42 percent are not authenticating outgoing email, according to a report released Wednesday by the Online Trust Alliance, an organization that works to improve consumer confidence in Web privacy and security.

“The cybercriminals are getting more relevant, they are getting more precise,” said Craig Spiezle, the alliance’s executive director and president. “The whole reason why it’s so important is that it is the attack vector of choice.”

Among social media networks, 96 percent of the sites studied digitally signed consumer emails. Within the category of e-commerce, 97 percent of the biggest e-retailers authenticated messages. The stronger email protections in the commercial world may be attributable to the higher volume of messages those sites distribute, the report suggests.

In the dot-gov domain, federal impersonators have sent messages containing “official” attachments and links to apparent government sites that host malicious software, Spiezle said. Cybersecurity analysts earlier this year discovered infected emails purporting to be from military and other government organizations that were sent to U.S. defense contractors. The malware, which was traced to network addresses in China, can steal documents and carry out further attacks on the infected machine.

To their credit, agencies’ email authentication has climbed 20 percentage points since 2011, when 62 percent of the sites reviewed failed to authenticate their email, according to the alliance’s research. “That’s a huge increase. That’s significant,” Spiezle said. “The bad news is it’s not up to a level that we would like to see.” The intensity of spoofing attacks against the dot-gov domain is rising too, the report states.

Spiezle ticked off a list of the types of deceptions attempted by phony Internal Revenue Service collectors and other government impersonators: “Your tax refund has been delayed, open this email. It’s the FDIC, the White House -- the sites that have relevancy to consumers,” he said. In addition to empathizing with Americans’ financial woes, the cybercrooks are perfecting their timing, according to Spiezle. They will notify a business at the end of the quarter that a tax payment was not received. Or they will envelop a scam in the shape of an emailed foreclosure notice. Hackers are “preying on consumers’ fears to get them to open those emails,” he said.

The alliance performed its analysis between April 10 and May 22. The report simultaneously examined about 1,200 private sector websites, including those belonging to big banks, major corporations, popular social networks and online retailers.

While the study focused on emails generated by public-facing websites, Spiezle also has seen a rise in rogue emails purportedly from individual government employees that are sent to colleagues. He described one hypothetical scenario: a cyberspy figures out that a Craig Spiezle works at the Justice Department; she checks Spiezle’s Facebook profile to find the names of co-workers; and she forges one of their email addresses to send him a message.

“It’s as benign as you saying, Craig, I heard you had a great presentation last week, can you send me the presentation?” Spiezle said, in illustrating how confidential plans can be compromised. “They’re trying, through social engineering, to get agencies to divulge sensitive information . . . It all comes down to the forged and spoofed emails that appear to come from a legitimate source.”

For national security reasons, Spiezle said he could not disclose the prevalence or frequency of this government workplace trend.

On the upside, the federal government is ahead of industry in deploying Domain Name System Security Extensions (DNSSEC), which add cryptographic signatures to DNS records so that a validating resolver can detect forged answers, thwarting “man-in-the-middle” attacks in which hackers redirect visitors to copycat malicious sites. In 2008, the Bush administration required all agencies to sign their domains throughout the dot-gov space by December 2009.

“The good news is 70 percent of the government agencies that we are tracking have adhered to DNSSEC,” Spiezle said. “In the other sectors, DNSSEC, for all intents and purposes, is nonexistent . . . Federal agencies are recognizing the importance of DNSSEC and clearly, as a result of the directive, government agencies have moved forward in that area.”

The goal of releasing Tuesday’s metrics was to highlight healthy security practices and help organizations employ them, he said.

The association in 2011 briefed the federal Chief Information Officers Council on how to accelerate implementation of various privacy protections, including email authentication. When asked if surprised by the findings, Office of Management and Budget officials said federal employees are strongly encouraged to digitally sign emails with special smartcard credentials they are required to carry.

In addition, OMB officials said, the Homeland Security Department has developed online training materials and formed an inspection team to drive use of both email authentication and DNSSEC. DHS and the CIO Council in April issued a guidebook for managers on the two technologies.

Spiezle said Homeland Security was instrumental in compiling the alliance’s list of the 50 most at-risk dot-gov sites. Department officials declined to comment on the study’s findings.

(Image via Markus Gann/Shutterstock.com)