Are PEC (certified electronic mail) completely safe or can anyone send a PEC by falsifying the sender's address? Analysis of a case and advice for protecting yourself

PECs are not that safe!

As an IT consultant, the writer wants to share an experience that he believes can raise the level of attention of everyone who receives messages and attachments in their PEC inbox every day.

In fact, from an appraisal carried out for a customer (attached below) it emerged that even PECs are not that safe after all! In this particular case the PEC service involved was Aruba's.

The customer had received a PEC from an address that appeared to belong to a Ministry.

Reassured by the "alleged" authority of the sender, he decided to open it. Too bad the PEC was completely fake!

For digital authentication, SHA-1 algorithms used in the international forensic community and recognized by the European Union Agency for Network and Information Security, ENISA (...) The suspicious PEC message contains a falsified sender, cunningly achieved by exploiting the technical fields of the sender's own contact entry, which the webmail app uses only when displaying the message.

As a result, the sender's real address is automatically hidden from the recipient, who in this case was misled by a genuine Ministry of Justice address presented falsely as the sender's address.

The operation, although it did not illegally alter the system (for receiving certified mail), is the result of the effective and astute technical skill of the unknown sender, who manipulated the contact fields so that the recipient saw not the sender's real PEC address but that of an office of the Ministry of Justice.

Pay attention to the sender's address

The recipient (...) was inevitably misled by the address “PROT DAG@GIUSTIZIACERT.IT”, used as a falsification of the real address postacertificata@telecompost.it. Through this deception (...) he inevitably believed that the PEC had been sent by the Ministry of Justice rather than by the unknown postacertificata@telecompost.it. Leveraging the trust and fear induced by a PEC coming (falsely) from the Ministry, the unknown author posta-certificata@telecompost.it probably wanted to create a context that would force the "recipient of the PEC" to open the message and its attachment, with the further potential danger that such an attachment could contain a virus. In the literature this technique is known as social engineering.

(...) Thanks to the falsification, it is almost certain (or highly probable) that the sender wanted to attribute originality and officiality to the content of the falsified certified email, consequently inducing the (…) to undertake legal initiatives or other unnecessary and perhaps counterproductive actions, since they would be based on a forgery.
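As an added example (not part of the article or the appraisal), the following Python parses a constructed message whose From: header reproduces the pattern described above, an address-looking display name in front of a different real addr-spec, and flags the domain mismatch that the webmail view hides. The sample headers, the benign comparison address and the example-pec.it domain are constructed.

```python
import re
from email import message_from_string, policy

# Constructed sample: the quoted display name and addr-spec reproduce the
# addresses cited in the appraisal; the other headers are invented.
SPOOFED_PEC = """\
From: "PROT DAG@GIUSTIZIACERT.IT" <postacertificata@telecompost.it>
To: destinatario@example-pec.it
Subject: Comunicazione
Content-Type: text/plain; charset=utf-8

Si allega la comunicazione.
"""

# Constructed benign message for comparison: the display name is a plain name.
BENIGN_PEC = """\
From: "Mario Rossi" <mario.rossi@example-pec.it>
To: destinatario@example-pec.it
Subject: Fattura

Testo.
"""

# Matches anything address-shaped inside a display name and captures its domain.
ADDRESS_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def analyse_from_header(raw_message: str) -> dict:
    """Return the display name, the real addr-spec and warnings for the From: header."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return {"display_name": "", "addr_spec": "", "warnings": ["missing or unparsable From header"]}
    addr = header.addresses[0]
    real_domain = addr.domain.lower()
    warnings = []
    # The pattern in the case above: the display name carries a domain that
    # differs from the domain of the real addr-spec, and the webmail shows
    # only the display name to the reader.
    for shown_domain in ADDRESS_LIKE.findall(addr.display_name):
        if shown_domain.lower() != real_domain:
            warnings.append(
                f"display name shows @{shown_domain.lower()} but the real sender domain is @{real_domain}"
            )
    return {"display_name": addr.display_name, "addr_spec": addr.addr_spec, "warnings": warnings}


if __name__ == "__main__":
    for sample in (SPOOFED_PEC, BENIGN_PEC):
        print(analyse_from_header(sample))
```

The same check can be run by a mail gateway or a client plug-in on every inbound PEC, so the real addr-spec is surfaced before the reader decides whether to open an attachment.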

What to do to protect yourself

Professionals and businesses, which are legally required to hold a PEC address, are obviously the most at risk, because they have to check the PEC mailbox every day to read communications and download attachments.

Here is some advice to avoid falling victim to fraudulent behaviour that could cause serious damage to data and electronic devices:

  • constantly update the operating systems of the devices used;
  • avoid saving the passwords for the PEC mailbox on the devices;
  • set strong passwords and change them frequently;
  • verify the sender's PEC address;
  • do not download suspicious files with executable extensions such as .exe, or Office documents such as .doc or .xls…
  • be wary of emails that appear to come from institutions, as well as those that ask you to update personal data.

Download the PEC appraisal (PDF)