Internet users in Thailand have been hit by a massive man-in-the-middle attack aimed at grabbing email login credentials through fake SMTP servers.
The attack has been verified against Google's and Yahoo's email servers on two of the country's largest fixed-line ISPs, though preliminary analysis suggests that all SMTP servers are targeted.
The STRIPTLS attack, as it has become known, works by inserting a man-in-the-middle at the ISP. This is done via a transparent proxy.
Normally a client connecting to smtp.gmail.com on port 25 would upgrade the connection to TLS via STARTTLS before the username and password are passed for authentication and before the actual email message is sent.
However, accessing smtp.gmail.com from within Thailand results in a connection to a fake server that claims not to support STARTTLS encryption. If the email client proceeds anyway, any email it sends passes unencrypted through the man-in-the-middle, and, more importantly, so do the email login credentials.
Through this attack the perpetrator would accumulate a huge collection of usernames and passwords for email accounts, as well as the messages themselves.
Setting the email client to explicitly require TLS, connecting on port 465 or 587, is still safe and communication remains encrypted. Only clients set to use encryption if available, connecting on the default SMTP port, fall foul of the attack.
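The stripping described above removes the STARTTLS keyword from the server's EHLO reply, and the mitigation is a client that refuses to continue when the keyword is missing. The following is an added example, not code from the article or from any mail client; the two EHLO replies are constructed for illustration, and `submit_with_mandatory_tls` is a hypothetical helper that applies the "require TLS, never opportunistic" rule using Python's standard smtplib.

```python
import smtplib
import ssl

# Constructed sample EHLO reply from a genuine server (not a real capture).
GENUINE_EHLO = (
    b"250-smtp.example.test at your service\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-STARTTLS\r\n"
    b"250 SMTPUTF8\r\n"
)
# The same reply as seen through a STARTTLS-stripping transparent proxy:
# the capability line is gone, so an "encrypt if available" client
# carries on in plaintext and sends its credentials in the clear.
STRIPPED_EHLO = (
    b"250-smtp.example.test at your service\r\n"
    b"250-SIZE 35882577\r\n"
    b"250 SMTPUTF8\r\n"
)


def ehlo_extensions(reply: bytes) -> set:
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    exts = set()
    # The first line carries the server's hostname, not an extension.
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        # Continuation lines are "250-KEYWORD [params]", the last is "250 KEYWORD".
        if line.startswith("250") and len(line) > 4:
            exts.add(line[4:].split()[0].upper())
    return exts


def starttls_offered(reply: bytes) -> bool:
    """True only if the server actually advertised STARTTLS."""
    return "STARTTLS" in ehlo_extensions(reply)


def submit_with_mandatory_tls(host, user, password, port=25):
    """Hypothetical helper: log in only after a verified TLS upgrade.
    Raises instead of falling back to plaintext when STARTTLS is missing."""
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("STARTTLS not advertised; refusing to send credentials")
        # The default context verifies the certificate chain and hostname, so a
        # proxy that does offer STARTTLS but presents a bogus cert is rejected too.
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        s.login(user, password)
        return True
```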