Forty-two percent of the top 500 Web sites in the world have not implemented DMARC, according to Swedish security analyst firm Detectify -- leaving many consumers at risk for email-based spoofing attacks.
Detectify analyzed the email authentication measures of the top 500 global Web sites, as specified by the Amazon-owned Alexa rankings, and discovered that a majority of the Web sites could be spoofed.
Indeed, 276 of the top 500 Web sites were vulnerable to spoofing because they had either misconfigured their email servers or had no authentication measures in place. In addition, 42% of the domains analyzed had not implemented DMARC (Domain-based Message Authentication, Reporting & Conformance).
Email spoofing is a common tactic of cybercriminals who manipulate consumers into opening and responding to email solicitations that at first appear to come from a legitimate source.
Hackers forge email headers and content to appear to come from a legitimate company, co-worker, family or friend -- thus tricking email users into potentially downloading malware, clicking on malicious files or sending confidential information.
It’s critical for companies to incorporate authentication measures, such as SPF or DMARC, onto their email servers to protect users and employees from spoofing attacks. The problem, however, is that these authentication measures are confusing and can be set up incorrectly.
“We found that less than half of those domains have configured email authentication correctly to prevent spoofed emails being sent from their domains, which means that users are at risk of receiving false emails appearing to come from domains that they trust,” says Detectify in a blog post. “To prevent spoofed emails, all systems must be manually configured correctly to the highest standard of authentication. Unfortunately, the process is complicated, and often servers are misconfigured.”
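The kind of check Detectify describes can be reproduced against the DNS records a domain publishes. The following is an added example, not Detectify's or ValiMail's code: it parses SPF and DMARC TXT records for constructed sample domains and reports whether a receiver would be told to act on a spoofed From address; the domain names and records are made up, and `lookup_txt` stands in for a real DNS query.

```python
import re

# Constructed sample TXT records for hypothetical domains (not the article's data).
# Maps a DNS name to the list of TXT strings published at that name.
SAMPLE_TXT = {
    "good.example":        ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example":        ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "dup.example":         ["v=spf1 -all", "v=spf1 include:other.example ~all"],
    "_dmarc.dup.example":  ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "bare.example":        ["site-verification=abc123"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query; a real check would resolve TXT records here."""
    return SAMPLE_TXT.get(name.lower(), [])

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def assess_domain(domain, txt_lookup=lookup_txt):
    """Return the domain's SPF state, DMARC policy, and whether header-From
    spoofing would go unblocked at a receiver that enforces these checks."""
    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_lookup("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]

    # RFC 7208: more than one SPF record is a permanent error, i.e. no usable policy.
    if len(spf) == 1:
        m = re.search(r"(?:^|\s)([-~+?]?)all\s*$", spf[0])
        spf_state = {"-": "strict", "~": "softfail"}.get(m.group(1), "open") if m else "open"
    else:
        spf_state = "missing" if not spf else "invalid-multiple"

    # RFC 7489: multiple DMARC records must be treated as if none were published.
    if len(dmarc) == 1:
        policy = parse_dmarc(dmarc[0]).get("p", "none")
    else:
        policy = "missing" if not dmarc else "invalid-multiple"

    # SPF alone checks the envelope sender, not the visible From header; only a
    # DMARC policy of quarantine or reject tells receivers to act on a mismatch.
    spoofable = policy not in ("quarantine", "reject")
    return {"spf": spf_state, "dmarc": policy, "spoofable": spoofable}
```

Running `assess_domain` over each sample shows the three failure modes the article groups together: no records at all, records present but set to monitor only, and duplicate records that receivers must discard.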
Detectify chose not to release the names of the companies who were at risk for spoofing attacks, but did state that they had reached out to every company to notify them about the security risk.
ValiMail, an email security startup, offers a free and easy-to-use domain review service for companies to double-check their DMARC and SPF protocols. Email Marketing Daily tested the top 15 Alexa Web sites on ValiMail Thursday morning and, according to ValiMail, search engine Baidu.com, online encyclopedia Wikipedia.org, Internet service portal Qq.com, shopping site taobao.com, and Microsoft’s live.com, msn.com, and bing.com were vulnerable to spoofing based on a lack of DMARC or SPF measures.