More than three quarters of the Myanmar government’s websites, including those of the Central Bank and the State Counsellor’s Office, have a vulnerability that could lead to email spoofing attacks, a digital security group has said.
Of 215 sites belonging to government departments, 167 – or 77% – are lacking a Sender Policy Framework, an authentication method that detects attempts at forging sender addresses in emails, the Myanmar ICT for Development Organization (MIDO) said.
The President’s Office as well as state and regional parliaments are also among those with the vulnerability, MIDO said.
During last month’s general election, a group spreading disinformation sent emails purporting to be from the President’s Office and the Union Election Commission to media outlets, NGOs and others.
Days ahead of the November 8 poll, MMLeak posted videos on Facebook claiming that international NGOs were conspiring with the government to destroy Myanmar.
The video also claimed to have uncovered incriminating connections between government officials and NGOs.
After the platform removed the videos, MMLeak began distributing them via emails made to look like they were from the President’s Office, regional and state hluttaws and the Myanmar Press Council.
The emails were sent to journalists, NGOs and people connected to the media, MIDO said, although the group did not know how many people recieved them.
On polling day, MMLeak sent one of the videos to media outlets from an account in the guise of the Union Election Commission.
The video was also sent from a forged Myanmar Press Council address to media outlets including Mawkun Magazine and the Democratic Voice of Burma.
Myo Min Aung, program manager at MIDO, said grassroots organisations were more likely to trust emails purporting to be from government departments and the emails were aimed at causing confusion about government policy.
Ye Naing Moe, director of the government’s National Cyber Security Centre, told Myanmar Now that the spoofed emails were being investigated.
The Centre is supporting all government websites in preventing phishing emails, he added.