NSA Warns of North Korean Hackers Spoofing Emails From Legit Domains



The US is warning that North Korean hackers are exploiting weak configurations of a security feature to spoof emails from official internet domains and make their phishing attacks look convincing. The warning comes from the NSA, FBI, and the State Department, which say the hackers are abusing overly permissive DMARC policies. DMARC is an email authentication protocol designed to stop exactly this kind of spoofing: a properly configured DMARC policy tells receiving email servers to block, or flag as spam, any message that claims to come from the protected domain but fails authentication. That is why DMARC has become a major safeguard across the industry against junk and malicious email.

But the NSA and FBI alert notes that some DMARC policies have been configured with a “p=NONE” setting, “in which no email filtering action is taken on the message, despite the failed DMARC verification.”

“This ultimately allows the spearphishing email to be delivered to the victim’s inbox,” the agencies wrote in their 9-page alert. “While the sender of the email and the organization’s email domain appear to be legitimate, the North Korean cyber actor exploited the organization’s weak and overly permissive, rather than specifically defined, DMARC policy.”

The federal agencies say a North Korean state-sponsored group dubbed Kimsuky, or APT43, has been exploiting these weak policies while impersonating “journalists, academics, or other experts in East Asian affairs with credible links to North Korean policy circles.” The goal has been to collect intelligence and to access private documents and research on victims’ computers. The alert includes five sample emails, recovered by US investigators, that the North Korean hackers sent to targets from “late 2023 to early 2024.” In one of them, the hackers impersonate an official at a think tank and invite the recipient to be a keynote speaker at an event.


“Notably, a speaker fee is offered to further entice the recipient,” the US agencies say. “Additionally, the North Korean actor edited the ‘Reply-To’ email to route replies back to another seemingly legitimate, but fraudulent, account controlled by the actor.”

To address the threat, the alert urges companies and organizations to set their DMARC policy to one of two enforcing configurations, “v=DMARC1; p=quarantine;” or “v=DMARC1; p=reject;”. With p=quarantine, receiving servers treat a spoofed message as suspicious and typically route it to the spam folder; with p=reject, they refuse to deliver it at all. Either setting only helps if the organization’s own legitimate mail passes SPF or DKIM with a domain that aligns with the visible From address, so mail flows should be inventoried (DMARC aggregate reports via the “rua” tag are the usual way) before moving off p=none. Two other tags are worth checking at the same time: “sp” sets the policy for subdomains and defaults to the parent’s “p” value, and “pct” limits what share of failing mail the policy is applied to, so a record with “pct” below 100 still lets some spoofed messages through.
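The following is an added example, not code from the NSA/FBI alert or from this article, illustrating the mechanics the alert describes: it parses a DMARC TXT record, applies the published policy to a message whose SPF and DKIM results are already known, flags records whose settings (p=none, sp=none, pct below 100, no rua) leave spoofed mail deliverable, and checks for the Reply-To redirection the alert mentions. The records, domains (example.org, attacker.example, thinktank-example.com) and messages are constructed for illustration, and organizational-domain matching is simplified to the last two labels rather than a Public Suffix List lookup.

```python
"""DMARC policy evaluation and weak-policy check (added example, not the alert's code)."""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none; rua=...' into a tag dict.

    Tag names are case-insensitive, so they are lower-cased; defaults from the
    DMARC spec are filled in: p=none, sp=p, pct=100, adkim=r, aspf=r.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags["p"] = tags.get("p", "none").lower()
    tags["sp"] = tags.get("sp", tags["p"]).lower()
    tags["pct"] = int(tags.get("pct", "100"))
    tags["adkim"] = tags.get("adkim", "r").lower()
    tags["aspf"] = tags.get("aspf", "r").lower()
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str                       # domain in the visible From: header
    spf_pass_domain: Optional[str]         # MAIL FROM domain that passed SPF, or None
    dkim_pass_domain: Optional[str]        # d= of a DKIM signature that verified, or None
    reply_to_domain: Optional[str] = None  # domain in Reply-To:, if present


def dmarc_disposition(policy: dict, msg: Message, record_domain: str) -> str:
    """Return 'pass' when an aligned SPF or DKIM result exists, else the policy action.

    The action is the record's 'p' for the domain itself and 'sp' for subdomains;
    'none' means the message is delivered with no filtering, which is the gap
    the Kimsuky spearphishing relied on.
    """
    if aligned(msg.from_domain, msg.dkim_pass_domain, policy["adkim"]) or \
       aligned(msg.from_domain, msg.spf_pass_domain, policy["aspf"]):
        return "pass"
    is_subdomain = msg.from_domain.lower() != record_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


def weaknesses(policy: dict) -> list:
    """List the settings that let failing (spoofed) mail reach inboxes."""
    issues = []
    if policy["p"] == "none":
        issues.append("p=none: messages failing DMARC are still delivered (monitor-only)")
    elif policy["sp"] == "none":
        issues.append("sp=none: subdomains are exempt from the enforcing policy")
    if policy["pct"] < 100:
        issues.append("pct=%d: only that share of failing mail is acted on" % policy["pct"])
    if "rua" not in policy:
        issues.append("no rua: no aggregate reports, so spoofing attempts go unnoticed")
    return issues


def reply_to_mismatch(msg: Message) -> bool:
    """True when Reply-To would route replies to a different organization than From."""
    return bool(msg.reply_to_domain) and org_domain(msg.reply_to_domain) != org_domain(msg.from_domain)


# Constructed sample records and messages (not from the alert).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"

# Spoof: From says example.org, but SPF only passed for the actor's own envelope domain.
SPOOF = Message("example.org", spf_pass_domain="attacker.example",
                dkim_pass_domain=None, reply_to_domain="thinktank-example.com")
# Legitimate mail: a DKIM signature from example.org itself verified.
LEGIT = Message("example.org", spf_pass_domain="example.org", dkim_pass_domain="example.org")


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        policy = parse_dmarc(record)
        print(label, "spoof ->", dmarc_disposition(policy, SPOOF, "example.org"),
              "| legit ->", dmarc_disposition(policy, LEGIT, "example.org"),
              "| issues:", weaknesses(policy))
    print("Reply-To redirected:", reply_to_mismatch(SPOOF))
```

Run against the two constructed records, the spoofed message is delivered under the weak record (disposition "none") and refused under the strong one ("reject"), while the legitimately signed message passes under both; the Reply-To check is the extra signal the alert points to, since an enforcing policy cannot catch a reply being steered to an attacker-controlled domain once the initial lure was delivered.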
