Content:
Introduction
Email spoofing in the general sense is the forgery of emails from legitimate senders. In this article, we will analyze email address spoofing, which spoofs the From header of an email, i.e. how the sender's name and address are displayed in the user's email client.
SMTP (Simple Mail Transfer Protocol — the main protocol for transmitting email in TCP/IP networks) does not provide any protection against spoofing, so it is quite easy to fake the sender's address. In fact, all an attacker needs is a tool that allows them to choose on whose behalf the message will be sent. And they can be either an email client, or a special utility or script, of which there are many on the Network.
Email address spoofing is used in both fraudulent schemes and targeted attacks on organizations. The purpose of this technique is to convince the victim that the email came from a trusted sender and encourage them to follow the actions indicated in it: click on a phishing link, transfer money to a specific account, download a malicious file, and so on.To make it more convincing, attackers can copy the design and style of emails from a specific sender, focus on the urgency of the task, and use other social engineering techniques.
In some cases, fake emails are part of a multi-stage attack, and no suspicious actions are required from the victim at the first stage. Examples of such attacks can be found in our article about corporate doxing.
Legitimate Domain Spoofing
The simplest type of email address spoofing is legitimate domain spoofing. It involves substituting the real domain of the organization that the attacker is masquerading as in the From header. In this case, it is extremely difficult for the user to distinguish a fake email from a real one.
To combat spoofing, several email authentication methods have been created that improve and complement each other: SPF, DKIM, and DMARC. The listed mechanisms somehow confirm that the email was actually sent from the specified address.
Display Name Spoofing
The display name is the sender's name, which appears in the From header before the sender's address. If we are talking about corporate mail, then the sender's name is usually used as the real name of the person, the name of the department, and so on.
Example of a display name
Many email clients hide the sender's address for the recipient's convenience and show only the displayed name in the message. This is actively used by attackers, forging the name, but leaving their real address in the From header. This address is often even protected by a DKIM signature and SPF, so authentication mechanisms pass the message as legitimate.
Ghost Spoofing
The most popular and frequent type of display name spoofing is Ghost Spoofing. Its essence lies in the fact that the attacker specifies as a name not only the name of the person or company under which he is masquerading, but also the address of the intended sender, as in the example in the screenshot below.
Ghost Spoofing Example
However, the email actually comes from a completely different address.
Real sender's address in Ghost Spoofing and mail authentication
AD Spoofing
AD (Active Directory) Spoofing is also a type of display name spoofing, but unlike the Ghost technique, Spoofing does not involve specifying a fake address as part of the name. At the same time, the malicious address from which such emails are sent uses the name of the person on whose behalf they are sent.
AD Spoofing Example
This method looks more primitive compared to Ghost Spoofing, but scammers may prefer it for several reasons. First, if the recipient's mail agent still displays the entire contents of the From header, then a double sender address will cause the user more suspicion than an address on a public domain. Secondly, Ghost Spoofing is technically easier to block with spam filters: just send spam emails where the sender's display name contains the email address. As a rule, it is not possible to prohibit all incoming emails from the namesakes of all colleagues and contractors.
Lookalike domain Spoofing
In more complex attacks, attackers use specially registered domains that are similar to the domain of the target organization. This is a bit expensive: finding and buying a specific domain, setting up mail, DKIM and SPF signatures, and DMARC authentication on it is still more difficult than just changing the From header a little. But it is also more difficult to recognize a fake in this case.
Primary Lookalike
Lookalike domains are domains that are similar in spelling to the domains of the forged organization, but differ from them by one or more letters. We talked about them in more detail in the article "Lookalike domains and protection against them"). For example, the email in the screenshot below came from the domain deutschepots.de, which is very easily confused with the domain of the German postal company Deutsche Post (deutschepost.de). If you click on the link in such an email and try to pay for the delivery of the parcel, you can not only lose 3 euros, but also leave your card details to fraudsters.
Example of an email from a lookalike domain
However, with the proper level of care, such an error can be noticed. But there are also cases when simple care is no longer enough.
Unicode Spoofing
Unicode Spoofing is a type of spoofing in which one of the ASCII characters in a domain name is replaced with a similar-spelled character from the Unicode range. To understand this technique, you need to understand how domains that use non-Latin characters (such as Cyrillic or umlauts) are encoded. The Punycode conversion method was created to work with them, according to which Unicode characters are mapped to so-called ACE sequences (ASCII Compatible Encoding), consisting of letters of the Latin alphabet, hyphens, and numbers from 0 to 9. However, many browsers and email clients display the Unicode version of the domain. For example, the domain:
kaspersky.rf
converted to:
xn--80akjebc7ajgd.xn--p1ai
However, in the browser, you will most likely see exactly "kaspersky.Russian Federation". At the same time, since this technology provides for partial encoding (not the entire string is encoded, but a separate character), the domain can contain both ASCII and Unicode characters, and attackers actively use this.
Example of a message with Unicode spoofing
In the screenshot above, we can see a message that is supposedly sent from the domain apple.com. The spelling matches perfectly, and the email passed mail authentication. The design of the email is surprising, but the average user rarely receives messages about blocking, so there is not much to compare it with. If an unsuspecting user clicks on the link, they end up on a fake site and leave their account details there.
If you look in the headers of this message (this can be done in most email clients for PC and Mac), you will see a completely different picture.:
Punycode-domain record
The point here is that the domain аррle.com just falls under the rule of encoding Unicode characters in ASCII — the first three characters are Cyrillic "a "and"p". But the mail agent that opened the message converted the Punycode combination to Unicode for the user's convenience, and the message displayed "аррle.com".
Note that some mail clients warn the user that non-standard characters are used in the domain name, or even display Punycode in the From header. However, such protection mechanisms are not provided everywhere, and this plays into the hands of scammers.
Conclusion
There are different ways to convince the recipient of an email that it came from a trusted sender. Some of them look primitive, but they allow attackers to successfully bypass email authentication. At the same time, spoofing as a technique is used to implement a variety of types of attacks, starting with ordinary phishing and ending with advanced BEC attacks. And they, in turn, can be one of the stages of more complex targeted attacks. Accordingly, the damage caused by spoofing even within the framework of a single attack can range from identity theft to suspension of work, loss of reputation and multimillion-dollar losses.
There are also a variety of ways to protect against spoofing, from simple but not very reliable attentiveness to special components in business solutions. Kaspersky Lab has included the required module in solutions for mail servers running on Microsoft Exchange, Linux, and virtual environments, as well as a separate product for Microsoft Office 365.
media.kasperskycontenthub.com
- Introduction
- Legitimate Domain Spoofing
- Display Name Spoofing
- Ghost Spoofing
- AD Spoofing
- Lookalike domain Spoofing
- Primary Lookalike
- Unicode Spoofing
- Conclusion
Introduction
Email spoofing in the general sense is the forgery of emails from legitimate senders. In this article, we will analyze email address spoofing, which spoofs the From header of an email, i.e. how the sender's name and address are displayed in the user's email client.
SMTP (Simple Mail Transfer Protocol — the main protocol for transmitting email in TCP/IP networks) does not provide any protection against spoofing, so it is quite easy to fake the sender's address. In fact, all an attacker needs is a tool that allows them to choose on whose behalf the message will be sent. And they can be either an email client, or a special utility or script, of which there are many on the Network.
Email address spoofing is used in both fraudulent schemes and targeted attacks on organizations. The purpose of this technique is to convince the victim that the email came from a trusted sender and encourage them to follow the actions indicated in it: click on a phishing link, transfer money to a specific account, download a malicious file, and so on.To make it more convincing, attackers can copy the design and style of emails from a specific sender, focus on the urgency of the task, and use other social engineering techniques.
In some cases, fake emails are part of a multi-stage attack, and no suspicious actions are required from the victim at the first stage. Examples of such attacks can be found in our article about corporate doxing.
Legitimate Domain Spoofing
The simplest type of email address spoofing is legitimate domain spoofing. It involves substituting the real domain of the organization that the attacker is masquerading as in the From header. In this case, it is extremely difficult for the user to distinguish a fake email from a real one.
To combat spoofing, several email authentication methods have been created that improve and complement each other: SPF, DKIM, and DMARC. The listed mechanisms somehow confirm that the email was actually sent from the specified address.
- The SPF (Sender Policy Framework) standard allows the owner of a mail domain to restrict the set of IP addresses that can send messages from this domain, and the mail server can verify that the sender's IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender's domain specified in the SMTP envelope, which is used to transmit information about the email route between the mail client and the server and is not shown to the recipient.
- DKIM solves the problem of sender authentication by using a digital signature that is generated based on a private key stored on the sender's server. The public key for verifying the signature is placed on the DNS server responsible for the sender's domain. If the email was actually sent from a different domain, the signature will be invalid. However, this technology also has a weak point: an attacker can send a fake email without a DKIM signature, and it will be impossible to verify it.
- DMARC (Domain-basedMessageAuthentication, ReportingandConformance) allows you to check the domain in the From header for compliance with the domain confirmed using DKIM and / or SPF. Thus, when using DMARC, a message with spoofing of a legitimate domain will not pass verification. However, if you choose a strict policy, DMARC can also block useful emails.In one of our articles, we talked about how our solutions improve this technology and minimize false positives.
Display Name Spoofing
The display name is the sender's name, which appears in the From header before the sender's address. If we are talking about corporate mail, then the sender's name is usually used as the real name of the person, the name of the department, and so on.
Example of a display name
Many email clients hide the sender's address for the recipient's convenience and show only the displayed name in the message. This is actively used by attackers, forging the name, but leaving their real address in the From header. This address is often even protected by a DKIM signature and SPF, so authentication mechanisms pass the message as legitimate.
Ghost Spoofing
The most popular and frequent type of display name spoofing is Ghost Spoofing. Its essence lies in the fact that the attacker specifies as a name not only the name of the person or company under which he is masquerading, but also the address of the intended sender, as in the example in the screenshot below.
Ghost Spoofing Example
However, the email actually comes from a completely different address.
Real sender's address in Ghost Spoofing and mail authentication
AD Spoofing
AD (Active Directory) Spoofing is also a type of display name spoofing, but unlike the Ghost technique, Spoofing does not involve specifying a fake address as part of the name. At the same time, the malicious address from which such emails are sent uses the name of the person on whose behalf they are sent.
AD Spoofing Example
This method looks more primitive compared to Ghost Spoofing, but scammers may prefer it for several reasons. First, if the recipient's mail agent still displays the entire contents of the From header, then a double sender address will cause the user more suspicion than an address on a public domain. Secondly, Ghost Spoofing is technically easier to block with spam filters: just send spam emails where the sender's display name contains the email address. As a rule, it is not possible to prohibit all incoming emails from the namesakes of all colleagues and contractors.
Lookalike domain Spoofing
In more complex attacks, attackers use specially registered domains that are similar to the domain of the target organization. This is a bit expensive: finding and buying a specific domain, setting up mail, DKIM and SPF signatures, and DMARC authentication on it is still more difficult than just changing the From header a little. But it is also more difficult to recognize a fake in this case.
Primary Lookalike
Lookalike domains are domains that are similar in spelling to the domains of the forged organization, but differ from them by one or more letters. We talked about them in more detail in the article "Lookalike domains and protection against them"). For example, the email in the screenshot below came from the domain deutschepots.de, which is very easily confused with the domain of the German postal company Deutsche Post (deutschepost.de). If you click on the link in such an email and try to pay for the delivery of the parcel, you can not only lose 3 euros, but also leave your card details to fraudsters.
Example of an email from a lookalike domain
However, with the proper level of care, such an error can be noticed. But there are also cases when simple care is no longer enough.
Unicode Spoofing
Unicode Spoofing is a type of spoofing in which one of the ASCII characters in a domain name is replaced with a similar-spelled character from the Unicode range. To understand this technique, you need to understand how domains that use non-Latin characters (such as Cyrillic or umlauts) are encoded. The Punycode conversion method was created to work with them, according to which Unicode characters are mapped to so-called ACE sequences (ASCII Compatible Encoding), consisting of letters of the Latin alphabet, hyphens, and numbers from 0 to 9. However, many browsers and email clients display the Unicode version of the domain. For example, the domain:
kaspersky.rf
converted to:
xn--80akjebc7ajgd.xn--p1ai
However, in the browser, you will most likely see exactly "kaspersky.Russian Federation". At the same time, since this technology provides for partial encoding (not the entire string is encoded, but a separate character), the domain can contain both ASCII and Unicode characters, and attackers actively use this.
Example of a message with Unicode spoofing
In the screenshot above, we can see a message that is supposedly sent from the domain apple.com. The spelling matches perfectly, and the email passed mail authentication. The design of the email is surprising, but the average user rarely receives messages about blocking, so there is not much to compare it with. If an unsuspecting user clicks on the link, they end up on a fake site and leave their account details there.
If you look in the headers of this message (this can be done in most email clients for PC and Mac), you will see a completely different picture.:
Punycode-domain record
The point here is that the domain аррle.com just falls under the rule of encoding Unicode characters in ASCII — the first three characters are Cyrillic "a "and"p". But the mail agent that opened the message converted the Punycode combination to Unicode for the user's convenience, and the message displayed "аррle.com".
Note that some mail clients warn the user that non-standard characters are used in the domain name, or even display Punycode in the From header. However, such protection mechanisms are not provided everywhere, and this plays into the hands of scammers.
Conclusion
There are different ways to convince the recipient of an email that it came from a trusted sender. Some of them look primitive, but they allow attackers to successfully bypass email authentication. At the same time, spoofing as a technique is used to implement a variety of types of attacks, starting with ordinary phishing and ending with advanced BEC attacks. And they, in turn, can be one of the stages of more complex targeted attacks. Accordingly, the damage caused by spoofing even within the framework of a single attack can range from identity theft to suspension of work, loss of reputation and multimillion-dollar losses.
There are also a variety of ways to protect against spoofing, from simple but not very reliable attentiveness to special components in business solutions. Kaspersky Lab has included the required module in solutions for mail servers running on Microsoft Exchange, Linux, and virtual environments, as well as a separate product for Microsoft Office 365.
media.kasperskycontenthub.com
