gipseyavenger
Member
Does anyone here know how to Spoof emails?
Email Spoofing
- Thread starter gipseyavenger
- Start date
Spoofing emails from almost anyone in less than 5 minutes and ways to protect
What is Email Authentication?
For most of the past 40 years, users have had to take a leap of faith every time they opened their email. Do you think that the letter really comes from who is listed in the sender column? Most will easily answer “yes” and in fact be very surprised to learn how easy it is to spoof email from almost any sender.
When the Internet was created, no way was originally designed to verify the identity of the sender. During the development of the main email protocols, the costs of computing power, implementation, and ease of use were balanced against the risk of fraud. It was hard to assume that 84% of all e-mail in the future will have a malicious payload and be phishing or spam.
The result is that email headers, including the "From:" and "Reply-to:" fields, are very easy to spoof. In some cases, this is as simple as typing "[email protected]" in the "From:" field. Combining this with unsuspecting content, compelling graphics and formatting, it's entirely possible to fool people into thinking that the message in their inbox really came from a bank, FTS, executive or president of the United States.
Considering the ubiquity of email, you understand the core of our current cybersecurity crisis. Weakness in email has led to a slew of phishing attacks designed to trick people into clicking on malicious links, downloading and opening malicious files, submitting a W-2 form (similar to 2-NDFL in the US), or transferring funds to criminals.
More recently, Coupa, a Silicon Valley company, was in the spotlight after sending payroll data for all 625 employees to a scammer. Leoni AG, one of Europe's largest companies, lost $ 45 million last year when an employee mistakenly transferred money to a scammer's account due to fake email. The FBI estimates that Business Email Compromise (BEC) phishing attacks cost US companies $ 3 billion a year.
A W-2 phishing record has been compiled on databreaches.net. Work on the list this year indicates that the number of cases has been growing since 2016 and currently consists of 204 reports.... From the list, you can understand that there are known cases of theft of data of thousands of employees and this type of fraud is very common.
How an attacker can spoof unprotected email from almost anyone in less than 5 minutes
In fact, a spoofed "from" address is the basis and starting point for most attacks. Why worry about spoofing emails from the fictitious "company.com" when it is possible to simply register a similar fake domain (eg c0mpany.com) and use it? Or create a Gmail account ([email protected]), give it a friendly name that looks like the name of the company's CEO? Because, in fact, it is even easier to fake sending an email from a real person's address than registering a fake domain or creating a Gmail account.
Three easy ways
On the Internet, you can easily find sites that allow you to send fake letters. There are dozens of them, here are just a couple of examples: spoofbox.com and anonymailer.net. Many of them are free, some cost money, these services are positioned as legitimate, and the main purpose of use is supposed to be a prank of friends.
The usage algorithm is simple. All you need to do is enter the recipient's email address in the "To:" field, put any desired email address in the "From:" field, and after creating the message, confirm the sending. According to the terms of the user agreement, liability for damage lies entirely with the clients of the service.
The next way is to submit using the UNIX command line... If you have a computer with a configured mail service, just enter this command:
The result is a message in which the "From" field will contain "[email protected]". After entering the subject line and the rest of the message, after pressing Ctrl + D the message will be sent to the recipient. How well this idea works depends on how your system is configured. However, it works in many cases.
Using PHP, you can create an email with a few lines of very simple code:
In fact, these are lines of code used as an example in the online manual for the mail () function with additional headers.
These spoofing tools are greatly simplified. It takes a little more work and, of course, social engineering skills to make the messages more realistic. But the main technical component is very simple. The only thing that really prevents spoofing is email authentication by sharing SPF record, DKIM signature and DMARC. Below we will tell you how these technologies work and how these technologies differ. They are nothing new, however, fortunately for scammers, most domains on the Internet are not yet secure. For example, only about 4% of .gov domains use authentication. What about the other 96%? Attackers can send emails disguised as outgoing emails from the mailboxes of these domains at any time.
According to the source, one in four emails from .gov domains is fraudulent. The domains are justice.gov, House.gov, Senate.gov, Whitehouse.gov, and democrats.org, dnc.org, gop.com, rnc.org. and DonaldJTrump.com - all of which can be easily used for spoofing by email scammers.
Anti-spoofing methods
The simplicity of exploiting an unauthenticated email vulnerability described above and the widespread use of these methods as the initial stage for the largest cyber attacks draws the attention of the IT community to the need to use email authentication technologies. By implementing email authentication, you can ensure that any user — employee, customer, or partner — who receives the email can determine whether the email was sent by a legitimate company representative. Plus, you can gain transparency and control over who is sending emails on your behalf.
This has grown in importance due to the rapid growth of cloud services (SaaS), more than 10,000 of whom send emails on behalf of their clients on the topic of sales, marketing, customer support, HR, accounting, legal and other services. Thanks to forced authentication, you can block everyone who tries to send an email on your behalf - spammers, phishers and even "gray" senders who may be legitimate, but are not listed by you.
Email Authentication Standards allow the mail server to verify that an email with your domain in the "From:" field has been allowed to be sent on your behalf. Before the message reaches the recipient's Inbox, the mail server can check:
Why is it necessary to use these technologies together?
In a simplified sense, SPF allows you to whitelist IP addresses. If a mail server with an IP address that is not on your list tries to send an email using your domain, the SPF authentication test will fail. However, the big problem with SPF is that it uses the domain specified in the Return-Path for authentication, not the From field, which people actually read.
Worse, phishing attackers can set up an SPF record for their own domains. They can then send emails that appear to come from a trusted company or brand, but that company's domain will appear in the From field and the scammer's domain in the Return-Path. Such emails will pass SPF authentication. The additional use of DMARC solves this problem by allowing the domain owner to require "alignment", which means that the return and outbound addresses must be the same.
SPF records are text, but the syntax is quite complex. It is easy to make typos that are difficult to detect. However, they will make the SPF record useless. An analysis of the SPF records of all 62 RSA 2017 conference sponsors showed that only 58 published SPF, with 17 cybersecurity conference sponsors having recording errors. Companies that don't have much IT experience often find SPF even more challenging.
Likewise, DKIM is not particularly effective against fraud without DMARC. To stop phishing, the most important address is the domain in the From field. However, checking only the DKIM signature does not say anything about the domain in this field. The domain used to sign the message can be completely different from the domain specified in the "From" field. In other words, hackers can create messages that are signed through DKIM using the domain they control, but the "From" field will contain your bank's email address. Most people are not going to dig into the headers of all incoming messages to make sure that the DKIM signature data is legitimate. It is also worth considering the large number of legitimate mail services that can do mailings on behalf of the sender and the problem of maintaining the secrecy of the private key,
These two early standards, while important, contain important gaps. DMARC builds on and complements them. DMARC greatly increases the credibility of the email you send, whether the emails come from your own mail servers or cloud services that you authorize to send email to.
The main contributions of DMARC are:
You can check that DMARC is configured using services
→ mail-tester.com and others.
This article is based on translations from sources:
→ How to Fake an Email From Almost Anyone in Under 5 Minutes
→ What Is Email Authentication?
→ What Is SPF?
→ What Is DKIM?
→ What Is DMARC?
What is Email Authentication?
For most of the past 40 years, users have had to take a leap of faith every time they opened their email. Do you think that the letter really comes from who is listed in the sender column? Most will easily answer “yes” and in fact be very surprised to learn how easy it is to spoof email from almost any sender.
When the Internet was created, no way was originally designed to verify the identity of the sender. During the development of the main email protocols, the costs of computing power, implementation, and ease of use were balanced against the risk of fraud. It was hard to assume that 84% of all e-mail in the future will have a malicious payload and be phishing or spam.
The result is that email headers, including the "From:" and "Reply-to:" fields, are very easy to spoof. In some cases, this is as simple as typing "[email protected]" in the "From:" field. Combining this with unsuspecting content, compelling graphics and formatting, it's entirely possible to fool people into thinking that the message in their inbox really came from a bank, FTS, executive or president of the United States.
Considering the ubiquity of email, you understand the core of our current cybersecurity crisis. Weakness in email has led to a slew of phishing attacks designed to trick people into clicking on malicious links, downloading and opening malicious files, submitting a W-2 form (similar to 2-NDFL in the US), or transferring funds to criminals.
More recently, Coupa, a Silicon Valley company, was in the spotlight after sending payroll data for all 625 employees to a scammer. Leoni AG, one of Europe's largest companies, lost $ 45 million last year when an employee mistakenly transferred money to a scammer's account due to fake email. The FBI estimates that Business Email Compromise (BEC) phishing attacks cost US companies $ 3 billion a year.
A W-2 phishing record has been compiled on databreaches.net. Work on the list this year indicates that the number of cases has been growing since 2016 and currently consists of 204 reports.... From the list, you can understand that there are known cases of theft of data of thousands of employees and this type of fraud is very common.
How an attacker can spoof unprotected email from almost anyone in less than 5 minutes
In fact, a spoofed "from" address is the basis and starting point for most attacks. Why worry about spoofing emails from the fictitious "company.com" when it is possible to simply register a similar fake domain (eg c0mpany.com) and use it? Or create a Gmail account ([email protected]), give it a friendly name that looks like the name of the company's CEO? Because, in fact, it is even easier to fake sending an email from a real person's address than registering a fake domain or creating a Gmail account.
Three easy ways
On the Internet, you can easily find sites that allow you to send fake letters. There are dozens of them, here are just a couple of examples: spoofbox.com and anonymailer.net. Many of them are free, some cost money, these services are positioned as legitimate, and the main purpose of use is supposed to be a prank of friends.
The usage algorithm is simple. All you need to do is enter the recipient's email address in the "To:" field, put any desired email address in the "From:" field, and after creating the message, confirm the sending. According to the terms of the user agreement, liability for damage lies entirely with the clients of the service.
The next way is to submit using the UNIX command line... If you have a computer with a configured mail service, just enter this command:
Code:
mail -aFrom:[email protected]The result is a message in which the "From" field will contain "[email protected]". After entering the subject line and the rest of the message, after pressing Ctrl + D the message will be sent to the recipient. How well this idea works depends on how your system is configured. However, it works in many cases.
Using PHP, you can create an email with a few lines of very simple code:
Code:
<?php
$to = '[email protected]';
$subject = 'the subject';
$message = 'hello';
$headers = 'From: [email protected]' . "\r\n" .
'Reply-To: [email protected]' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
?>In fact, these are lines of code used as an example in the online manual for the mail () function with additional headers.
These spoofing tools are greatly simplified. It takes a little more work and, of course, social engineering skills to make the messages more realistic. But the main technical component is very simple. The only thing that really prevents spoofing is email authentication by sharing SPF record, DKIM signature and DMARC. Below we will tell you how these technologies work and how these technologies differ. They are nothing new, however, fortunately for scammers, most domains on the Internet are not yet secure. For example, only about 4% of .gov domains use authentication. What about the other 96%? Attackers can send emails disguised as outgoing emails from the mailboxes of these domains at any time.
According to the source, one in four emails from .gov domains is fraudulent. The domains are justice.gov, House.gov, Senate.gov, Whitehouse.gov, and democrats.org, dnc.org, gop.com, rnc.org. and DonaldJTrump.com - all of which can be easily used for spoofing by email scammers.
Anti-spoofing methods
The simplicity of exploiting an unauthenticated email vulnerability described above and the widespread use of these methods as the initial stage for the largest cyber attacks draws the attention of the IT community to the need to use email authentication technologies. By implementing email authentication, you can ensure that any user — employee, customer, or partner — who receives the email can determine whether the email was sent by a legitimate company representative. Plus, you can gain transparency and control over who is sending emails on your behalf.
This has grown in importance due to the rapid growth of cloud services (SaaS), more than 10,000 of whom send emails on behalf of their clients on the topic of sales, marketing, customer support, HR, accounting, legal and other services. Thanks to forced authentication, you can block everyone who tries to send an email on your behalf - spammers, phishers and even "gray" senders who may be legitimate, but are not listed by you.
Email Authentication Standards allow the mail server to verify that an email with your domain in the "From:" field has been allowed to be sent on your behalf. Before the message reaches the recipient's Inbox, the mail server can check:
- Using an SPF record, does the sending server have the right to use the domain name (s) specified in the message headers?
- If a DKIM cryptographic signature is attached to a message , using the public version of the key in the domain's DNS record, you can decrypt the headers of incoming messages and find out if the message really comes from the claimed sender.
- Thanks to DMARC setupdomain owners can create rules for processing emails that come from unauthorized domains and check if the headers match each other (for example, the From: and Reply-to
fields. The rules include instructions on what the receiving server should do with unauthenticated messages, such as not letting them through, placing them in a spam folder, or marking them as potentially harmful. Email authentication gives the domain owner global control over what happens to messages sent on their behalf by anyone and anyone. For example, if you represent a sender domain of mail and publish a DMARC record with a request for information, then you will receive statistics about all mails from all recipient domains that also support DMARC, that come with a return address from your domain. Statistics comes in XML and contains the IP address of each sender that is signed by your domain, the number of messages from each IP address, the result of processing these messages in accordance with DMARC rules, SPF results and DKIM results
Why is it necessary to use these technologies together?
In a simplified sense, SPF allows you to whitelist IP addresses. If a mail server with an IP address that is not on your list tries to send an email using your domain, the SPF authentication test will fail. However, the big problem with SPF is that it uses the domain specified in the Return-Path for authentication, not the From field, which people actually read.
Worse, phishing attackers can set up an SPF record for their own domains. They can then send emails that appear to come from a trusted company or brand, but that company's domain will appear in the From field and the scammer's domain in the Return-Path. Such emails will pass SPF authentication. The additional use of DMARC solves this problem by allowing the domain owner to require "alignment", which means that the return and outbound addresses must be the same.
SPF records are text, but the syntax is quite complex. It is easy to make typos that are difficult to detect. However, they will make the SPF record useless. An analysis of the SPF records of all 62 RSA 2017 conference sponsors showed that only 58 published SPF, with 17 cybersecurity conference sponsors having recording errors. Companies that don't have much IT experience often find SPF even more challenging.
Likewise, DKIM is not particularly effective against fraud without DMARC. To stop phishing, the most important address is the domain in the From field. However, checking only the DKIM signature does not say anything about the domain in this field. The domain used to sign the message can be completely different from the domain specified in the "From" field. In other words, hackers can create messages that are signed through DKIM using the domain they control, but the "From" field will contain your bank's email address. Most people are not going to dig into the headers of all incoming messages to make sure that the DKIM signature data is legitimate. It is also worth considering the large number of legitimate mail services that can do mailings on behalf of the sender and the problem of maintaining the secrecy of the private key,
These two early standards, while important, contain important gaps. DMARC builds on and complements them. DMARC greatly increases the credibility of the email you send, whether the emails come from your own mail servers or cloud services that you authorize to send email to.
The main contributions of DMARC are:
- setting up a policy that tells the receiving email servers what to do with emails that are not authenticated (nothing, quarantine or denial),
- providing a reporting mechanism.
You can check that DMARC is configured using services
→ mail-tester.com and others.
This article is based on translations from sources:
→ How to Fake an Email From Almost Anyone in Under 5 Minutes
→ What Is Email Authentication?
→ What Is SPF?
→ What Is DKIM?
→ What Is DMARC?
gipseyavenger
Member
Thanks
