Name: Why coronavirus scammers can send fake emails from the WHO
Uploaded: 2020-08-31T18:05:12.000Z
Duration: 8 min 31 s

So Fake Dylan is a internet security researcher that I worked with to send all of our emails

所以，假迪倫是一個互聯網安全研究人員，我的工作，以發送我們所有的電子郵件。

And he was able to send these messages from the real W.H.O. domain.

而他能夠從真正的W.H.O.域發送這些資訊。

I'm going to say I'm coming to you from my new job in the World Health Organization.

我要說的是，我是從世界衛生組織的新工作中來找你的。

I spent all my money moving to Geneva, Switzerland.

我把所有的錢都花在了瑞士的日內瓦。

Please, send me some bitcoin to tide me over?

求你了，給我寄點比特幣，讓我渡過難關？

It might say “this is a joke” in our example here, but the more serious ones would be like,

在我們這裡的例子中，可能會說 "這是一個笑話"，但比較嚴肅的會是這樣的。

“there's an urgent new coronavirus warning from the W.H.O.”

"W. H. O. 有一個緊急的新冠狀病毒警告"

As the number of coronavirus cases increases, so too do Internet scams and hoaxes.

隨著冠狀病毒病例的增多，網絡詐騙和騙局也越來越多。

Real-looking emails supposedly from the World Health Organization and CDC asking for money.

看似真實的郵件，據說是世界衛生組織和疾控中心要錢的。

These agencies do not ask for direct donations by e-mail.

這些機構不要求通過電子郵件直接捐款。

If you click on a link or download an attachment from those e-mails, you could be giving hackers

如果你點擊這些郵件中的鏈接或下載附件，你可能會向黑客提供以下資訊

So what we're looking at here is domain spoofing and we're seeing it a lot with respect to

所以，我們在這裡看到的是域名欺騙，我們看到了很多關於。

So this really has been totally unprecedented.

所以，這真的已經完全是前所未有的了。

The teams have never seen anything like this in terms of a single lure, uniting all different

隊伍從來沒有見過這樣的事情，在一個單一的誘餌，團結所有不同的。

types of actors behind a single real pretext for people to do all kinds of things, whether

類型的行為者，在一個單一的真實藉口背後，讓人們做各種事情，無論是。

it's actually just steal their password, what we call credential phishing, whether it's

它實際上只是竊取他們的密碼， 我們稱之為憑證釣魚，無論是

So this is just one example sent from what looks like the W.H.O. e-mail address, just

所以這只是一個例子，從W.H.O.的電子郵件地址發出的，只是...

Clearly it's trying to get you to download a specific file that they have sent.

很明顯，它是想讓你下載他們發送的特定文件。

And researchers at IBM found that that file contains malware that captures screenshots

而IBM的研究人員發現，該文件中含有捕捉截圖的惡意軟件

and logs your keystrokes and steals usernames and passwords.

並記錄你的擊鍵和竊取用戶名和密碼。

Huh, “beware of criminals pretending to be W.H.O.”

哼，"小心那些冒充W. H. O. 的罪犯"

The W.H.O. has actually published guidance on this and they are aware that this is happening.

事實上，W.H.O.已經公佈了這方面的指導意見，他們知道這種情況正在發生。

But its top advice, its number one advice, is: “Verify the sender by checking their

但它的首要建議，它的首要建議是："通過檢查發件人

We know that that's pretty easy to fake at this point.

我們知道，這一點上很容易造假。

I'm surprised they don't point that out because people might think that if it has a W.H.O.

我很驚訝他們沒有指出這一點，因為人們可能會認為，如果它有一個W. H. O.

dot I.N.T address, that means it's legitimate.

點I. N. T地址，這意味著它是合法的。

But really, it's a necessary but not sufficient condition.

但其實，這是一個必要但不充分的條件。

What I found super interesting was that we tried spoofing a bunch of domains, and only

我發現超級有趣的是，我們嘗試欺騙了一堆域名，而只有

The CDC and Vox emails didn't, but WHO and Whitehouse.gov emails did.

CDC和Vox的郵件沒有，但WHO和Whitehouse.gov的郵件有。

And I should say, it was only the Yahoo emails that we set up.

而且應該說，我們設置的只是雅虎郵箱。

The Gmail and Outlook emails both put them in spam.

Gmail和Outlook的郵件都把它們放到了垃圾郵件中。

So I've been looking into this and it seems like the greater context around this is that

所以我一直在研究這個問題，似乎圍繞這個問題的更大背景是

when email was created back in the eighties, no one bothered to make any way to verify

當電子郵件在80年代被創建時，沒有人費心去做任何驗證的方法。

that the sender is who they say they are.

Really it is the foundational technologies of the Internet being built with no security

真的是在沒有任何安全保障的情況下，構建了互聯網的基礎技術

in mind and no central database of who is who that gives rise to this problem.

銘記在心，而沒有中央數據庫，誰是誰，這就產生了這個問題。

And since then, there've been lots of attempts to sort of build this sort of verification

從那時起，已經有很多嘗試來建立這種驗證的排序

The problem is just that the participation is not as high as it should be.

So of make sense of this, it might help to think about another type of verification problem,

是以，為了理解這個問題，我們可以考慮另一種類型的驗證問題。

which is that society doesn't want teenagers to get into bars to buy alcohol.

這就是社會不希望青少年進入酒吧買酒。

To prevent that from happening, we need two things: We need a way to verify ages, which

為了防止這種情況發生，我們需要兩件事。我們需要一種方法來驗證年齡，這

is our ID system, and we need businesses to then check for IDs.

是我們的身份證系統，我們需要企業然後查驗身份證。

Now, imagine if that ID system was voluntary.

現在，想象一下，如果這個身份證系統是自願的。

So you have a bunch of adults who might not bother to go get an ID.

所以，你有一群成年人可能不屑於去辦身份證。

Then when they come to the bar, the business basically has a decision to make.

那麼當他們來到酒吧的時候，企業基本上就會有一個決定。

Either they require IDs knowing full well that plenty of legitimate adults don't have

要不就是明知很多合法的成年人沒有身份證，還要求他們出示身份證

Or, to avoid pissing people off, they just let them in and maybe they end up letting

或者，為了避免惹惱別人，他們只是讓他們進來，也許他們最終會讓。

And probably every bar is going to make a slightly different decision.

而可能每個酒吧都會做出稍微不同的決定。

So if an e-mail comes in with my email address, joss@vox.com, the email service, whether that's

是以，如果一封帶有我的電子郵件地址的電子郵件進來，joss@vox.com，電子郵件服務，不管是

Yahoo! or Outlook or G-mail, is going to check if that domain, Vox.com, has a DMARC record.

雅虎或Outlook或G-mail，要檢查該域名Vox.com是否有DMARC記錄。

Thankfully, Vox took the time to set up a DMARC record, which basically does three things:

值得慶幸的是，Vox花時間建立了一個DMARC記錄，它基本上做了三件事。

First, it says that the email has to come from a certain set of IP addresses that Vox

首先，它說，電子郵件必須來自特定的IP地址集，Vox

Second, it says that the email has to carry a unique signature that only Vox can create.

其次，它說郵件必須帶有唯一的簽名，只有Vox才能創建。

And third, it says that if the email fails either of those two tests, then the email

第三，它說，如果郵件沒有通過這兩個測試中的任何一個，那麼該郵件

service receiving the email should reject it, should just throw it away so that it never

接收郵件的服務應該拒絕它，應該把它扔掉，這樣它永遠不會

Because of that, my Vox e-mail address, your Vox e-mail address, we can't be easily impersonated.

正因為如此，我的Vox郵箱地址，你的Vox郵箱地址，我們不能輕易被人冒充。

OK, so say an e-mail comes in from a domain that doesn't have a DMARC record or has set

好的，比如說，一封郵件從一個沒有DMARC記錄的域名發來，或者是設置了

their DMARC policy to something other than “reject,” that e-mail is going to have

拒絕 "以外的其他政策，該郵件將有。

Now, the e-mail providers all have spam filters.

現在，電子郵件提供商都有垃圾郵件過濾器。

They have these algorithms that are looking through these emails to check and see if anything's

他們有這些算法，正在尋找通過這些電子郵件檢查，看看是否有什麼是。

But obviously that didn't stop Dylan's fake e-mail from getting into my Yahoo! inbox.

但顯然，這並不能阻止迪倫的假郵件進入我的雅虎郵箱。

I would guess that the W.H.O. does not have a strong DMARC policy set up, if they have

我猜測W.H.O.並沒有制定強有力的DMARC政策，如果他們有的話。

OK, there's actually a way that we can double check this.

好了，其實有一個辦法，我們可以仔細檢查一下。

It has this nice little green box that comes up.

它有這個漂亮的綠色小盒子，上來。

So this is telling us that our policy is, “reject this e-mail.”

所以，這是在告訴我們，我們的政策是，"拒絕這封郵件"。

And this is true, I think, of… yeah, the CDC as well.

這是真的，我想，... 是的，疾控中心也是如此。

字幕列表影片播放

Why coronavirus scammers can send fake emails from the WHO

vulnerable

sort

bunch

pretend