Spoofing Emails

What is Email Spoofing?

Email spoofing is when someone sends an email that looks like it’s from a trusted source, but it’s actually from a different, often malicious sender.

This technique is used to trick the victim into thinking the email is legitimate, potentially leading to scams or phishing attacks.

For example, an email might appear to be from your bank, but it’s really from a hacker trying to steal your personal information.

Most Common Motives Behind Spoofed Emails

  • Phishing: To steal sensitive information like usernames, passwords, or credit card details by tricking recipients into thinking the email is from a legitimate source.
  • Spreading Malware: To distribute malicious software, such as viruses or ransomware, by getting recipients to open infected attachments or click on dangerous links.
  • Financial Fraud: To deceive recipients into making unauthorized financial transactions, often by pretending to be a trusted colleague or business partner.
  • Brand Damage: To harm the reputation of a brand or organization by sending harmful or offensive content that appears to come from them.
  • Gaining Unauthorized Access: To trick targets into revealing login credentials, allowing attackers to gain access to secure systems or networks.
  • Spamming: To send large volumes of unwanted emails for advertising or scam purposes, often to bypass spam filters by using a trusted name.
  • Social Engineering: To manipulate recipients into performing specific actions, like changing passwords or sharing confidential information, by pretending to be someone they trust.

How Email Spoofing Works

Email spoofing is used in various types of scams, including phishing, business email compromise (BEC), and spreading malware.

The attack works by manipulating the email header to make the message appear as if it’s from a trusted source.

For example, attackers change the “From” address to a legitimate-looking email in order to trick recipients.

The email is then sent over SMTP, which on its own does not verify that the sender is who the “From” header claims.

Recipients, seeing a familiar name, might open attachments, click on malicious links, or follow harmful instructions, allowing the attacker to steal information or install malware.

To break it down even further, there are three common types of email spoofing attacks:

1. Display Name Spoofing

  • Description: The attacker changes the display name that appears in the “From” field of the email. While the actual sender address might be different or suspicious, the display name appears as someone the recipient knows or trusts.
  • Example: An email appears to come from “John Smith,” a known colleague, but the email address is something unusual like “[email protected].”

2. Domain Spoofing

  • Description: The attacker forges the domain part of the email address to make it look like it comes from a legitimate organization. This is a bit more sophisticated as it involves mimicking the domain name.
  • Example: An email appears to come from “[email protected],” but in reality, it’s from a fake domain like “[email protected]” or “[email protected].”

3. Reply-to Spoofing

  • Description: The attacker changes the “Reply-to” address so that any responses to the email are sent to the attacker’s email address instead of the legitimate sender. This can be combined with display name or domain spoofing.
  • Example: An email appears to come from “[email protected],” but when the recipient replies, the response goes to “[email protected].”

Real-World Email Spoofing Examples

  • BEC Attack on Ubiquiti Networks: In 2015, Ubiquiti Networks was deceived by a Business Email Compromise (BEC) attack, where spoofed emails convinced employees to transfer $46.7 million to fraudulent overseas accounts. The attackers posed as company executives and used social engineering tactics to execute the scam.
  • DNC Hack in 2016 US Presidential Campaign: During the 2016 US presidential campaign, Russian hackers used spoofed emails to target the Democratic National Committee (DNC) and Hillary Clinton’s campaign. This led to significant data breaches, leaking sensitive information that impacted the election.
  • FACC AG: In 2016, Austrian aerospace parts manufacturer FACC AG was hit by a BEC attack involving spoofed emails that cost the company €50 million. Attackers impersonated the CEO and other executives, tricking employees into transferring large sums of money.

How to Identify a Spoofed Email

While there’s no foolproof way to identify a spoofed email, there are several signs to look out for:

  1. Check the Sender’s Email Address: Look closely at the email address, not just the display name. Spoofed emails often use addresses that are similar to legitimate ones but have slight variations, such as extra characters or misspellings.
  2. Look for Generic Greetings: Legitimate companies usually address you by name. Be cautious of emails that use generic greetings like “Dear Customer” or “Dear User.”
  3. Examine the Email Content for Errors: Check for spelling and grammar mistakes. Legitimate companies usually proofread their emails, so errors can be a sign of a spoofed email.
  4. Check for Urgency or Threats: Be wary of emails that create a sense of urgency or pressure you to take immediate action, such as threatening account suspension if you don’t respond quickly.
  5. Inspect Links Before Clicking: Hover over any links in the email to see the actual URL. If the URL looks suspicious or doesn’t match the company’s website, don’t click it. Instead, navigate to the company’s website directly.
  6. Review Attachments: Be cautious with unexpected attachments, especially if they come from unfamiliar sources. Attachments can contain malware.
  7. Look for Unusual Requests: Legitimate companies will never ask for sensitive information like passwords, Social Security numbers, or credit card details via email.
  8. Check the Email Header: Advanced users can look at the email header to see the path the email took to get to your inbox. This can reveal discrepancies in the sender’s address and the servers used.
  9. Verify with the Source: If you are unsure about an email’s legitimacy, call the sender directly or contact the company using their official contact information from their website, not the information provided in the email.
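The three spoofing patterns described above (display name, domain, reply-to), together with the sender-address and header checks in this list, can be automated as a small triage script. The following Python is an added example written for this page, not code from the original article; the two sample messages, the address book (KNOWN_CONTACTS, TRUSTED_DOMAINS) and the homoglyph table are constructed, and the lookalike heuristics are assumptions that a production mail filter would refine:

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the original article): the display name matches a known
# colleague, the address domain is a lookalike, and Reply-To points somewhere else entirely.
SPOOFED_MESSAGE = """\
Received: from mx.relay.invalid (mx.relay.invalid [203.0.113.7]) by mail.example.com
Received: from unknown (HELO smtp.example.com) (198.51.100.23) by mx.relay.invalid
Authentication-Results: mail.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: John Smith <john.smith@examp1e.com>
Reply-To: accounts@mailbox-example.net
To: victim@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed legitimate message from the same colleague, for comparison.
CLEAN_MESSAGE = """\
Received: from smtp.example.com (smtp.example.com [198.51.100.23]) by mail.example.com
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: John Smith <john.smith@example.com>
To: victim@example.com
Subject: Lunch

See you at noon.
"""

# Hypothetical address book: trusted display names and the domain each really uses.
KNOWN_CONTACTS = {"john smith": "example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Digits and punctuation commonly swapped for letters in lookalike domains (assumed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded == trusted or edit_distance(folded, trusted) <= 2 or brand in folded.rsplit(".", 1)[0]:
            return trusted
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def analyze(raw):
    """Return a list of findings for a raw RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))
    from_domain = domain_of(addr)

    # 1. Display-name spoofing: a trusted name on an address at the wrong domain.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and from_domain != expected:
        findings.append(f"display-name spoofing: '{display}' is known at {expected}, message is from {addr}")

    # 2. Domain spoofing: the address domain is a lookalike of a trusted domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"domain spoofing: {from_domain} imitates {imitated}")

    # 3. Reply-To spoofing: replies would be diverted to a different domain.
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        if domain_of(reply_addr) != from_domain:
            findings.append(f"reply-to spoofing: replies go to {reply_addr}, not {from_domain}")

    # 4. Authentication results recorded by the receiving server (if it added them).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


def relay_path(raw):
    """Return the Received hops in the order the message travelled (origin first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h).split(" by ")[0] for h in reversed(msg.get_all("Received", []))]


if __name__ == "__main__":
    for finding in analyze(SPOOFED_MESSAGE):
        print("-", finding)
    print("path:", " -> ".join(relay_path(SPOOFED_MESSAGE)))
```

Run it on the spoofed sample and all three spoofing types are reported, along with the failed SPF and DMARC results; the clean sample produces no findings. The relay path is read bottom-up because each server prepends its own Received line, so the origin hop (here a host that announces itself as smtp.example.com from an unrelated IP) is the last header in the list.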

How to Protect Against Email Spoofing

Organizations can significantly reduce the risk of email spoofing attacks by implementing a combination of technical measures, policies, and user education:

1. Implement Email Authentication Protocols

  • SPF (Sender Policy Framework): Lets a domain owner publish in DNS which servers are authorized to send mail for that domain, so a receiving server can check the connecting server’s IP address against that list. Organizations should configure SPF records for their domains.
  • DKIM (DomainKeys Identified Mail): The sending server signs the message with a private key, and receivers verify the signature against a public key published in the domain’s DNS, confirming that the message was not altered in transit and that the signing domain vouches for it.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM by requiring that the domain they authenticated aligns with the visible “From” domain, tells receivers how to handle emails that fail that check, and provides reporting for monitoring.
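To make the three protocols concrete, here is an added example (not code from the original article) that evaluates a constructed SPF record for a connecting IP address and then applies a constructed DMARC record to a message, including the alignment rule that ties the SPF and DKIM results to the visible “From” domain. The records, IP addresses and include: targets are all made up for a hypothetical example.com; include: lookups are resolved from a dict instead of DNS so the code runs offline, and the organizational-domain rule is a simplification of what a real evaluator does with the Public Suffix List.

```python
import ipaddress


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DNS TXT record (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_check(record, sender_ip, resolved_includes=None):
    """Evaluate an SPF record for the connecting IP.

    Handles ip4, ip6, include and all; 'a' and 'mx' would need DNS and are treated as
    no-match here. `resolved_includes` stands in for DNS lookups of include: targets
    (an assumption so the example runs offline).
    """
    resolved_includes = resolved_includes or {}
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            nested = resolved_includes.get(arg, "v=spf1 -all")
            matched = spf_check(nested, sender_ip, resolved_includes) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False
        if matched:
            return results[qualifier]
    return "neutral"


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels (simplification)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the DMARC policy to one message.

    from_domain is the domain in the visible From: header; spf_domain is the envelope
    MAIL FROM domain SPF was checked against; dkim_domain is the d= tag of a verified
    signature. Returns 'pass', or the published p= action on failure.
    """
    tags = parse_tags(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass"
    return tags.get("p", "none")


# Constructed records for the hypothetical example.com (not the article's data).
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.invalid -all"
RESOLVED_INCLUDES = {"_spf.mailprovider.invalid": "v=spf1 ip4:192.0.2.0/24 -all"}
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("own server:", spf_check(SPF_RECORD, "198.51.100.23", RESOLVED_INCLUDES))
    print("provider:", spf_check(SPF_RECORD, "192.0.2.10", RESOLVED_INCLUDES))
    print("unknown relay:", spf_check(SPF_RECORD, "203.0.113.7", RESOLVED_INCLUDES))
    print("spoofed From:", dmarc_disposition(DMARC_RECORD, "example.com", "fail", "examp1e.com", "none", ""))
    print("subdomain DKIM under adkim=s:", dmarc_disposition(DMARC_RECORD, "example.com", "fail", "", "pass", "mail.example.com"))
```

Two things the output makes visible that the prose does not: an SPF pass for a bounce subdomain still satisfies DMARC under relaxed alignment (aspf=r), while a valid DKIM signature from mail.example.com does not satisfy strict alignment (adkim=s), so the p=reject policy applies. Tightening alignment modes is therefore a change to test against DMARC aggregate reports before enforcing.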

2. Use Secure Email Gateways

  • Deploy email gateways that can filter and block spoofed emails before they reach the recipients’ inboxes. These gateways use sophisticated threat detection technologies to identify and quarantine suspicious emails.

3. Enable Multi-Factor Authentication (MFA)

  • Require MFA for accessing email accounts and other critical systems. This adds an extra layer of security, making it harder for attackers to gain access even if they obtain credentials through spoofing.

4. Regularly Update and Patch Systems

  • Keep all email servers and software up to date with the latest security patches to protect against known vulnerabilities that could be exploited in spoofing attacks.

5. User Education and Training

  • Conduct regular training sessions to educate employees about the dangers of email spoofing, how to recognize suspicious emails, and what to do if they receive one.
  • Use simulated phishing exercises to help employees practice identifying and reporting spoofed emails.

6. Implement Strong Email Policies

  • Develop and enforce email policies that dictate how sensitive information should be handled and communicated. Prohibit sharing of sensitive information over email unless using secure methods.
  • Encourage employees to verify any unusual requests for sensitive information or financial transactions through a different communication channel, such as a phone call.

7. Monitor the Dark Web

  • Continuously monitor the dark web for leaked employee, customer, or supplier credentials that could be used for unauthorized access, fraud, or account takeover.
  • Monitor for any relevant lookalike, typosquatting, or homoglyph domains that could be used as part of a phishing attack.

8. Regular Security Audits

  • Conduct regular security audits and assessments to identify and address vulnerabilities in your email systems and processes.
  • Ensure that your email security practices are up to date with the latest recommendations and industry standards.