Email spoofing: how attackers impersonate legitimate senders

[harlan4096]

Introduction

In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through changing the From header, which provides information about the sender’s name and address.

SMTP (Simple Mail Transfer Protocol, the main email transmission protocol in TCP/IP networks) offers no protection against spoofing, so it is fairly easy to spoof the sender’s address. In fact, all the would-be attacker needs is a tool for choosing in whose name the message will arrive. That can be another mail client or a special utility or script, of which there is no shortage online.

Email spoofing is used in both fraudulent schemes and targeted attacks against organizations. Cybercriminals use this technique to convince victims that a message came from a trusted sender and nudge them into performing a specific action, such as clicking a phishing link, transferring money, downloading a malicious file, etc. For added credibility, attackers can copy the design and style of a particular sender’s emails, stress the urgency of the task, and employ other social engineering techniques.

In some cases, fake emails form part of a multistage attack, the first phase of which requires no suspicious actions on the part of the victim. For examples of such attacks, see our article on corporate doxing.

Legitimate Domain Spoofing

The simplest form of the technique is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.

To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.

• The SPF (Sender Policy Framework) standard allows a mail domain owner to restrict the set of IP addresses that can send messages from this domain, and lets the mail server check that the sender’s IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender’s domain specified in the SMTP envelope, which is used to transmit information about the email’s route between the mail client and the server, and is not shown to the recipient.
  
• DKIM solves the problem of sender authentication by means of a digital signature generated on the basis of a private key stored on the sender’s server. The public key for authenticating the signature is placed on the DNS server responsible for the sender’s domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.
  
• DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails (see here for how our solutions augment this technology and minimize false positives).
  

Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing methods that bypass authentication.

Display Name Spoofing

The display name is the name of the sender that gets shown in the From header before the email address. In the case of corporate mail, it is usually the real name of the relevant individual or department.
...

Continue Reading