Introduction

In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through modifying the From header, which contains the sender's name and address.

SMTP (Simple Mail Transfer Protocol, the main email transmission protocol in TCP/IP networks) offers no protection against spoofing, so it is fairly easy to spoof the sender's address. In fact, all the would-be attacker needs is a tool for choosing in whose name the message will arrive. That can be another mail client or a special utility or script, of which there is no shortage online.

Email spoofing is used in both fraudulent schemes and targeted attacks against organizations. Cybercriminals use this technique to persuade victims that a message came from a trusted sender and nudge them into performing a specific action, such as clicking a phishing link, transferring money, downloading a malicious file, etc. For added credibility, attackers can copy the design and style of a particular sender's emails, stress the urgency of the task, and apply other social engineering techniques.

In some cases, fake emails form part of a multistage attack, the first phase of which requires no suspicious actions on the part of the victim. For examples of such attacks, see our article on corporate doxing.

Legitimate Domain Spoofing

The simplest form of this method is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.

To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.

The SPF (Sender Policy Framework) standard lets a mail domain owner limit the set of IP addresses that can send messages from this domain, and lets the receiving mail server check that the sender's IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender's domain specified in the SMTP envelope, which is used to transmit information about the email's route between the mail client and the server, and is not shown to the recipient.

DKIM solves the problem of sender authentication by means of a digital signature made with a private key stored on the sender's server. The public key for verifying the signature is placed on the DNS server responsible for the sender's domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails (see here for how our solutions augment this technology and minimize false positives).

Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing techniques that bypass authentication.
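To make the alignment logic concrete, here is a simplified DMARC evaluation in Python, added as an example and not taken from the article or from any Kaspersky product. It reduces the RFC 7489 rule to "SPF or DKIM passes AND the passing identifier aligns with the From domain", and approximates the organizational domain as the last two labels (no Public Suffix List), which is an assumption; all domains are placeholders. The constructed cases show why a spoofed legitimate domain fails, why an unsigned message from the real domain still passes on SPF alone, and why a message whose From domain is the attacker's own (the display name tricks described later) passes authentication.

```python
from dataclasses import dataclass


def org_domain(domain):
    """Approximate organizational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str      # domain in the From header (what the recipient sees)
    envelope_domain: str  # MAIL FROM domain in the SMTP envelope (what SPF checks)
    spf_pass: bool
    dkim_domain: str      # d= domain of the DKIM signature, "" if unsigned
    dkim_pass: bool


def dmarc_verdict(r, policy="reject", aspf="r", adkim="r"):
    """Return (dmarc_pass, action): DMARC passes when SPF or DKIM passes AND the
    passing identifier aligns with the From header domain."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.envelope_domain, aspf)
    dkim_ok = r.dkim_pass and bool(r.dkim_domain) and aligned(r.from_domain, r.dkim_domain, adkim)
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, policy  # "none" only reports, "quarantine" or "reject" act on the mail


# Constructed cases (all domains are placeholders).
# Legitimate domain spoofing: From claims bank.example, but the envelope and the
# DKIM key belong to the attacker. SPF passes for attacker.example, yet that
# identifier is not aligned with the From domain, so DMARC fails.
SPOOFED = AuthResults("bank.example", "attacker.example", True, "attacker.example", True)
# Unsigned mail from the real domain: SPF passes and aligns, so it is delivered.
LEGIT = AuthResults("bank.example", "bank.example", True, "", False)
# Display name spoofing: the From domain really is the attacker's own and is
# fully authenticated, so DMARC passes. This is why it bypasses authentication.
DISPLAY_NAME = AuthResults("attacker.example", "attacker.example", True, "attacker.example", True)
```

With the policy set to "none", the spoofed message is only reported, which is the "did not configure mail authentication properly" case the text refers to.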

Display Name Spoofing

The display name is the name of the sender that gets shown in the From header before the email address. In the case of corporate mail, it is usually the real name of the relevant individual or department.

Example of a display name

To make the email less cluttered for recipients, many mail clients conceal the sender's address and show only the display name. This allows cybercriminals to substitute the name, but leave their real address in the From header. And this address is often protected by a DKIM signature and SPF, so the authentication mechanisms see the message as legitimate.

Ghost Spoofing

The most common form of the above method is known as ghost spoofing. Here, the attacker specifies as the name not only the name of the person or company being spoofed, but also the address of the supposed sender, as in the example in the screenshot below.

Example of ghost spoofing

In actual fact, the message comes from a completely different address.

Real sender address in ghost spoofing, and mail authentication.

AD Spoofing

AD (Active Directory) spoofing is another form of display name spoofing, but unlike the ghost version, it does not involve specifying the spoofed address as part of the name. Moreover, the address from which the cybercriminals send messages contains the name of the person being impersonated.

Example of AD spoofing

This method seems more primitive than ghost spoofing, but some scammers prefer it for several reasons. First, if the recipient's mail client does display the contents of the From header in its entirety, the double sender address will make the user more suspicious than an address on a public domain. Second, ghost spoofing is technically easier to block with spam filters: it is enough to send to the spam folder emails where the displayed sender name contains an email address. It is not generally feasible to block all incoming emails sent from addresses with the same names as colleagues and contractors.

Lookalike Domain Spoofing

More sophisticated attacks use specially registered domains, similar to the domain of the target organization. This requires a bit more effort, since finding and buying a specific domain, then setting up mail, DKIM/SPF signatures and DMARC authentication on it, is rather more difficult than simply modifying the From header. But it also complicates the task of recognizing a fake.

Primary Lookalike

A lookalike domain is a domain name that looks similar to that of the organization being spoofed, but with a couple of changes. We discussed such domains in detail in our article Lookalike domains and how to outfox them. For example, the email in the screenshot below came from the domain deutschepots.de, which can easily be confused with the domain of the German mail company Deutsche Post (deutschepost.de). If you follow the link in such an email and try to pay for delivery of a parcel, you will not only lose 3 euros, but also hand your card details to the fraudsters.

Example of a message from a lookalike domain

However, with the right degree of vigilance, it is possible to spot misspelled domains. But in other cases, simple attentiveness is no longer sufficient.

Unicode Spoofing

Unicode spoofing is a type of spoofing in which an ASCII character in the domain name is replaced with a visually similar character from the Unicode set. Understanding this technique requires knowledge of how domains that use non-Latin characters (for example, Cyrillic or umlauts) are encoded. To handle them, Punycode was created: a technique that converts Unicode characters to an ASCII Compatible Encoding (ACE) representation consisting of letters of the Latin alphabet, hyphens and digits from 0 to 9. At the same time, many browsers and mail clients display the Unicode version of the domain. For example, this Russian domain: kasperskii.rf

is converted to: xn--80akjebc7ajgd.xn--p1ai

However, in the browser you will most likely see that same kasperskii.rf. Since this technology provides for partial encoding (individual characters are encoded, not the whole string), the domain can contain both ASCII and Unicode characters, which cybercriminals actively exploit.

Example of an email with Unicode spoofing

In the screenshot above, we see a message supposedly sent from the domain apple.com. It appears legitimate, and the email passed mail authentication. The email design is unusual, but since the average user rarely receives messages about account blocking, there is little by way of comparison. If an unsuspecting customer clicks the link, they are taken to a fake website that asks for their account details.

A look at the message headers (which can be done in most mail clients for PC and web versions of mail services) reveals a completely different picture:

Punycode domain record

The fact is that the apple.com domain we saw above would look very different in Punycode, since the first three characters are in fact the Cyrillic letters "а" and "р". But the mail client that opened the email converted that Punycode representation into Unicode for the convenience of the user, and the message displayed "apple.com".

It should be noted that some mail clients warn the user about non-standard characters used in the domain name, or even display Punycode in the From header. However, these protection mechanisms are not universal, which plays into the hands of fraudsters.
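As an added detection example (not code from the article or from Kaspersky), the following Python script applies the checks described in the ghost spoofing, AD spoofing and Unicode spoofing sections to From header values: a display name that itself contains an email address is flagged for the spam folder, a known colleague's name on an outside domain is flagged, and a non-ASCII domain is shown in the Punycode form the mail client hides, with a crude per-label script check for Latin/Cyrillic mixing. The KNOWN_SENDERS allow-list, the sample headers and the domains in them are constructed for this example.

```python
import email.utils
import re
import unicodedata

# Hypothetical allow-list of colleagues and the domain they send from (an
# assumption for this example, not something the article defines).
KNOWN_SENDERS = {"alice smith": "example.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def label_scripts(label):
    """Crude script detection: first word of each letter's Unicode name
    ('LATIN', 'CYRILLIC', ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_from_header(value):
    """Return findings for one From header value."""
    name, addr = email.utils.parseaddr(value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    f = {"name": name, "addr": addr, "domain": domain}
    # Ghost spoofing: the display name itself carries an email address.
    f["ghost_spoof"] = bool(EMAIL_RE.search(name))
    # AD spoofing: a known colleague's name on an address outside their domain.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    f["name_domain_mismatch"] = expected is not None and domain != expected
    # Unicode lookalike: non-ASCII in the domain; show the Punycode the client hides.
    f["non_ascii_domain"] = not domain.isascii()
    f["punycode"] = domain.encode("idna").decode("ascii") if domain else ""
    # Mixed scripts inside one label (Latin + Cyrillic) is the strongest signal;
    # an all-Cyrillic lookalike is still caught by non_ascii_domain.
    f["mixed_script"] = any(len(label_scripts(l)) > 1 for l in domain.split("."))
    f["suspicious"] = f["ghost_spoof"] or f["name_domain_mismatch"] or f["non_ascii_domain"]
    return f


# Constructed sample headers: one legitimate, then the three spoofing patterns.
SAMPLES = [
    "Alice Smith <alice@example.com>",
    '"Alice Smith <alice@example.com>" <someone@freemail.example>',  # ghost spoofing
    "Alice Smith <alice.smith@freemail.example>",                    # AD spoofing
    "Billing <billing@\u0430pple.com>",  # Unicode: Cyrillic U+0430 in place of Latin a
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze_from_header(s)
        print(f"{s!r}: suspicious={r['suspicious']} punycode={r['punycode']}")
```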

Conclusion

There are various ways to convince the recipient of an email that it came from a trusted sender. Some of them seem primitive, yet they enable cybercriminals to successfully bypass mail authentication. At the same time, the technique of spoofing is used to carry out a variety of attacks, from standard phishing to advanced BEC. These, in turn, may be just one step in a more sophisticated targeted attack. Accordingly, the damage from spoofing, even if restricted to a single attempt, can range from identity theft to business downtime, loss of reputation and multi-million dollar losses.

There is also a variety of anti-spoofing protection methods, from simple (but not very reliable) vigilance to special components in business solutions. Kaspersky solutions for mail servers operating on Microsoft Exchange and Linux and in virtual environments contain such a module, and we also offer a standalone product for Microsoft Office 365.

Read more: securelist.com