Google, Yahoo SMTP email servers hit in Thailand

12 Sep 2014
00:00

Internet users in Thailand have been hit by a massive man-in-the-middle attack aimed at grabbing email login credentials through fake SMTP servers.

The attack has been verified on Google’s and Yahoo’s email servers and on two of the country’s largest fixed-line ISPs, though preliminary analysis suggests that all SMTP servers are targeted.

The STRIPTLS attack, as it has become known, works by inserting a man-in-the-middle at the ISPs. This is done via a transparent proxy.

Normally a client connecting to smtp.gmail.com on port 25 would be upgraded to STARTTLS encryption before authentication with username or password is passed and before the actual email message is sent.

However, accessing smtp.gmail.com from within Thailand results in a connection to a fake server that says it does not support STARTTLS encryption. If the email client proceeds, any email sent goes unencrypted through the man-in-the-middle and, more importantly, so do the email login credentials.

The perpetrator would have a huge collection of usernames and passwords to email accounts through this attack as well as the actual messages.

Setting the email client to explicitly use TLS when connecting on ports 465 or 587 is still safe, and communication remains encrypted. Only clients that are set to use encryption if available, connecting on the default SMTP port, would fall foul of the attack.
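The difference between "use encryption if available" and an explicit TLS requirement can be shown as a client-side decision over the server's EHLO reply. This is an added example, not code from the article or from any mail client; the two sample replies are constructed, and the names `ehlo_extensions` and `next_step` are hypothetical.

```python
"""Opportunistic vs. mandatory STARTTLS when the EHLO reply has been stripped."""

# Constructed sample replies (not captured traffic): what a client might see
# from the genuine server, and from a proxy that hides the STARTTLS capability.
GENUINE_EHLO = (
    "250-mx.example.test at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
STRIPPED_EHLO = (
    "250-mx.example.test at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def ehlo_extensions(reply: str) -> set:
    """Return the extension keywords from a multi-line 250 EHLO reply."""
    lines = [line for line in reply.splitlines() if line]
    if not lines or any(not l.startswith(("250-", "250 ")) for l in lines):
        raise ValueError("not a successful EHLO reply")
    # First line is the greeting; each later line is 'KEYWORD [params]'.
    return {l[4:].split()[0].upper() for l in lines[1:] if l[4:].strip()}


def next_step(reply: str, require_tls: bool) -> str:
    """Decide what the client does before AUTH, given the EHLO reply."""
    if "STARTTLS" in ehlo_extensions(reply):
        return "STARTTLS"        # upgrade, then re-EHLO and authenticate
    if require_tls:
        return "ABORT"           # fail closed: no credentials leave the host
    return "AUTH_PLAINTEXT"      # "encrypt if available": silent downgrade


if __name__ == "__main__":
    for name, reply in (("genuine", GENUINE_EHLO), ("stripped", STRIPPED_EHLO)):
        for require in (False, True):
            step = next_step(reply, require)
            print(f"{name:9} require_tls={require!s:5} -> {step}")
```

A client that aborts when STARTTLS is missing also gives the user a visible failure to report, whereas the opportunistic path looks identical to a normal send.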

Some mobile apps use SMTP as the underlying protocol when submitting large files or photos. The content of these submissions would also be vulnerable to this mass surveillance.

The STRIPTLS proxy is present on both True Internet and TOT ADSL connections, the two largest ISPs in Thailand. It is not present on Dtac 3G or on AIS 3G.

The source, speaking on condition of anonymity, said the attack has been live for at least a couple of weeks, if not much longer.

Neither Google nor Yahoo responded to emails asking for comment by the time of going to press.
