Email services and their security issues

Posted by: Orhan Sari Category: Information Security, Malware, Phishing Simulation, Threat Intelligence Tags: , , Post Date: November 2, 2017

Email services and their security issues

Without a doubt, emails have become one of the most important tools on the internet today, where they are being used in the formal/informal daily communications. The practicality of email also raised concerns about email security, because we see it in every part of our life. Email, which stands for ‘Electronic Mail’, is a way of transmission (send or receive) information (in all its forms; text, picture, video, etc.) through the internet using the proper electronic device (like mobile, computers .. etc.). It has been started to be used in the 1960’s and 1970’s in The United States, even before the internet had been invented.

Below are some factors why emails are indispensable in our recent daily life:

  1. Easy, free and fast: In order to send an email, you just need a digital device, like mobile or computer, and a valid account over one of email service providers, like Hotmail or Gmail.
  2. The efficient way of documentation and archiving: Email service is one of the best methods for organizing and documenting text-based conversations. It also can be used as a huge database which one can anytime refer back to.
  3. Manager assistant: Email service is an irreplaceable tool in any company or organization. It helps the administrators to manage and schedule the tasks so the work can be more organized.
  4. Efficient marketing toolEmails services considered as the most efficient way of marketing. They even outperform the paid search, social media and TV marketing. Hence,  email security is important in the sense that carries all our important and useful data.
  5. There are two main types of email services:
    1. Web-based email service: In this type of service, your emails are stored in another device on web, and all you need is just to have an account -mostly free- on one of the providers and a connection to the internet. Having your emails stored on the web means that you can access them from wherever you wish by just getting connected to the internet. Web-based mail service uses multiple tier architecture, and most importantly, you don’t have to deal with any configurations.
    2. Client-based email service: The main difference here is that in this service is that your emails are stored in a server rather than being hanged on the web, so that you can reread them without internet access. However, you have to have an application connected to the service and manage the configurations and you can only access your email from your device, unlike web-based email service. Moreover, client-based email service uses 2 tier architecture, thus, security issues is fewer comparing with the web-based mail service.
    • POP3: POP3 stands for ‘Post Office Protocol 3’. In POP3, emails are stored on a server and are downloaded continuously to your own computer so you don’t have to have an internet connection for reading your emails. Then, they are deleted automatically for the server and kept only on your device.
    • IMAP: IMAP stands for ‘Internet Message Access Protocol’. We can say that it is a combination of POP3 and web-based email service, where your emails are saved on service and can be accessed via a proper application which keep a synchronized copy of them on the computer.
    • MAPI: MAPI stands for, ‘Messaging Application Programming Interface’. It is an email service that is managed by Microsoft Exchange Server. It offer the service of managing your mails including calendar and contact information and can be fully accessed from multiple devices.

    Email Security Threats:

    As email services make it easy and free for the user to facility his tasks, they also have some dark shades. It is impossible to have a 100% pure, clear and harm-free services. Email services, like any other internet-based services, might simply be hacked and cause damages to the users and their information and privacy. In this essay, we are going to go over some main email security threats that can affect users through email services:

    . Malware: Or ‘Malicious Software’, is a malicious program or file that can affect the functionality of your device or cause damage to your data out of your permission. This is dangerous to email security-because, malware may include viruses, trojan horses, worms and spyware. The programmers of this harmful software usually use the email to ensure their delivery to the targeted user. The danger of such harmful software lies in its ability if exploited successfully, to take control of the device or even the whole network by applying privilege escalating to the system.

    An example of the danger of malware on email services is what happened last month in Virginia State Police, USA when a malware attack has caused the agency to shut down its email service for 2 days and disabled the ability to update the ‘Virginia Sex Offender and Crimes Against Children Registry’ website.

    2. Phishing & Spam: Spam is a term used to describe the unwanted, annoying and electronic junk mail. Spam emails are random and sent to multiple users at the same time. Spams can annoyingly reduce the productivity of the person or company and can be sent directly from the spammers, those who send spam emails, or other email accounts that fall in their tricks. The danger of spams is not limited to their disturbance but can also form a serious danger for email security especially if they are phishing emails.

    Phishing emails are a type of spams that try to collect personal information from the victim by convincing him/her by the legitimation of the email.  For example, spammer can design a typical version of your bank account internet page requesting you to log in using your personal information. Once you do so, your personal information including your ID number and password fall in the hand of the phisher, and this can end up zeroing your financial account. Other similar methods can be used in order to grant access to your personal accounts by some people who are not supposed to do so. Moreover, they can use your email account to lunch new more spams to other accounts.

    The screenshots below are an example of a real phishing attempt done by someone who is pretending to be from PayPal:

    3. Social Engineering:It is important to say that all hacking and security issues depend on the user. It is hard for someone to enter your home unless you willingly open your door to him, or unwillingly forget your window opened. The same idea applies here in email security issues, and here comes out the term Social Engineering. Social Engineering is simply the art of manipulating the people and smartly take advantage of their vulnerabilities. Phishing scams can also be considered as a social engineering tactic. It is so easy to deceptively lure someone down in order to get his/her password rather trying to guess or hack it technically unless it is really very weak or easy one.

    In order to explain the social engineering aspect clearly, let’s assume you have succeeded in hacking a Facebook account of X victim. Yet, Facebook asked you to provide your birth date for identity confirmation. In such a case, we have two approaches. The first one is to ask the X victim directly, which more likely will not work. However, the second approach, which is based on social engineering, would be designing a new website that requires a birth date for the ‘sign up’ process and then making this X victim sign up. By this way, you have reached your goal without even letting the victim noticed that he had been hacked.

    How to protect ourselves:

    As mentioned above, no one can enter your home unless you open the door for him or leave it unsecured. So, here we’ll write a list of tips that can help to protect your email service and prevent unwilling action to be done to it:

    • Secure your device and email account. Don’t leave your account opened, be sure you log out after finishing your work and secure your device with a strong password.
    • Use multiple emails. It is better if you have at least 2 emails, one is private for your pure personal use, and one is public that you can use for registering for the public online forms. Using multiple emails and specifying private and public different emails help you with protecting your privacy.
    • Never download any attachment from unknown sources and never open any unknown links. It is even better if you don’t open the untrusted email at all
    • Use a strong password for unique account. Don’t use the same password for multiple accounts. Use a unique password for a unique account. And be sure to have a strong password. Passwords can be a complete sentence with normal spaces, which make it is considered stronger and easy to remember as well.
    • Don’t share your personal information with an unknown or untrusted party. And beware that no one has any right to know your password. Passwords can’t be shared with the third party.
    • Use an up-to-date sufficient anti-virus and spam filter.

    In addition, you can use Email Threat Simulator to see your email is vulnerable, and test your email security. Register and use for free threat simulator on www.keepnetlabs.com.

Share this post