Security Experts:

MitM Attack Targets Outlook Users in China

Chinese authorities are accused of launching a man-in-the-middle (MitM) attack against customers of Microsoft’s email service Outlook.

GreatFire, a non-profit organization that monitors online censorship in China, reported that the attack, which started on January 17, lasted for roughly a day. The attack targeted the Internet Message Access Protocol (IMAP) and the Simple Mail Transfer Protocol (SMTP) for Outlook, but outlook.com and login.live.com were not affected.

During the MitM attack, Chinese users trying to access Outlook via an email client were presented with a security alert. However, as GreatFire points out, it’s easier for users to ignore email client warnings than ones displayed in Web browsers. They simply have to click the “Continue” button and the warning disappears. Considering that email clients usually run in the background, it’s not difficult to imagine that many users clicked “Continue” without giving it too much thought.

Those who clicked the “Continue” button allowed the attackers to intercept their passwords, contacts and emails.

This isn’t the first MitM attack allegedly launched by the Chinese government against the country’s Internet users. In the past, Google, Yahoo and even GitHub users were targeted in similar attacks. In October, Chinese authorities were accused of launching attacks against iCloud users. Outlook was also attacked briefly during the iCloud incident.

Officials denied the accusations brought against the government in October and, as always, highlighted that China opposes all forms of hacking.

GreatFire believes that, just like the previous attacks, the operation targeting Outlook was orchestrated or at least approved by Lu Wei, China’s minister of the Cyberspace Administration.

“If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor,” GreatFire said in a blog post.

The organization says it hasn’t seen the country’s massive censorship and surveillance system, known as the Great Firewall of China, being used in large scale operations following the iCloud attack, until now at least.

“The authorities are most likely continuing to test their MITM technology. The authorities may also be gauging user response. By keeping track of how many users ignore the certificate warnings, the authorities will be able to determine the effectiveness of this type of attack,” GreatFire noted.

GreatFire has warned major software vendors not to trust certificates issued by the China Internet Network Information Center (CNNIC) because the certificate authority is governed by the Cyberspace Administration.

YouTube, Twitter, Facebook, Google, and many other popular Internet services and websites are currently blocked in China.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.