In a nutshell, email spoofing is the creation of fake emails that seem legitimate. This article analyzes the spoofing of email addresses through changing the From header, which provides information about the sender’s name and address.
SMTP (Simple Mail Transfer Protocol, the main email transmission protocol in TCP/IP networks) offers no protection against spoofing, so it is fairly easy to spoof the sender’s address. In fact, all the would-be attacker needs is a tool for choosing in whose name the message will arrive. That can be another mail client or a special utility or script, of which there is no shortage online.
Email spoofing is used in both fraudulent schemes and targeted attacks against organizations. Cybercriminals use this technique to convince victims that a message came from a trusted sender and nudge them into performing a specific action, such as clicking a phishing link, transferring money, downloading a malicious file, etc. For added credibility, attackers can copy the design and style of a particular sender’s emails, stress the urgency of the task, and employ other social engineering techniques.
Legitimate Domain Spoofing
The simplest form of the technique is legitimate domain spoofing. This involves inserting the domain of the organization being spoofed into the From header, making it extremely difficult for the user to distinguish a fake email from a real one.
To combat spoofing, several mail authentication methods have been created that enhance and complement each other: SPF, DKIM and DMARC. By various means, these mechanisms verify that the message was actually sent from the stated address.
- The SPF (Sender Policy Framework) standard allows a mail domain owner to restrict the set of IP addresses that can send messages from this domain, and lets the mail server check that the sender’s IP address is authorized by the domain owner. However, SPF checks not the From header, but the sender’s domain specified in the SMTP envelope, which is used to transmit information about the email’s route between the mail client and the server and is not shown to the recipient.
- DKIM (DomainKeys Identified Mail) solves the problem of sender authentication by means of a digital signature generated with a private key stored on the sender’s server. The public key used to verify the signature is published in the DNS zone of the sender’s domain. If in reality the message was sent from a different domain, the signature will be invalid. However, this technology has a weakness: an attacker can send a fake email without a DKIM signature, and the message will be impossible to authenticate.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) is used to check the domain in the From header against a DKIM/SPF-validated domain. With DMARC, a message with a spoofed legitimate domain fails authentication. However, if the policy is strict, DMARC can also block wanted emails.
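The three mechanisms fit together in the way the list describes: SPF is computed on the envelope sender domain, DKIM on the signing domain (`header.d`), and DMARC then checks whether either of those authenticated domains is aligned with the domain in the From header. The following Python is an added illustration, not code from the article or from any mail product; it assumes an RFC 8601 `Authentication-Results` header in the simple form shown in the constructed samples, and it approximates the "organizational domain" as the last two labels (real DMARC uses the Public Suffix List, so `co.uk`-style suffixes are out of scope here).

```python
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real DMARC consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed only
    needs the same organizational domain."""
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the SPF and DKIM verdicts, and the domains they were computed for,
    out of an Authentication-Results header. Each clause is ';'-separated, so
    the lazy [^;]*? keeps the property lookup inside the right clause."""
    results = {}
    m = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=([^\s;]+)", header)
    if m:
        # smtp.mailfrom may be a full address; SPF is evaluated on its domain,
        # which is the envelope sender, not the From header
        results["spf"] = (m.group(1).lower(), m.group(2).split("@")[-1].lower())
    m = re.search(r"\bdkim=(\w+)[^;]*?\bheader\.d=([^\s;]+)", header)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2).lower())
    return results


def dmarc_evaluate(from_header: str, auth_results: str,
                   spf_mode: str = "relaxed", dkim_mode: str = "relaxed") -> dict:
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned
    with the From-header domain."""
    _, addr = parseaddr(from_header)
    from_domain = addr.split("@")[-1].lower()
    res = parse_auth_results(auth_results)
    spf_ok = ("spf" in res and res["spf"][0] == "pass"
              and aligned(from_domain, res["spf"][1], spf_mode))
    dkim_ok = ("dkim" in res and res["dkim"][0] == "pass"
               and aligned(from_domain, res["dkim"][1], dkim_mode))
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


# Constructed sample messages (not taken from the article).
# A legitimate message: bounces go through a subdomain, DKIM signed by the org domain.
LEGIT_FROM = "Accounts Payable <billing@example.com>"
LEGIT_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.com; "
            "dkim=pass header.d=example.com")
# A spoofed From: SPF passes for the attacker's own envelope domain, and the
# message simply carries no DKIM signature, so neither identifier aligns.
SPOOF_FROM = "CEO <ceo@example.com>"
SPOOF_AR = "mx.example.net; spf=pass smtp.mailfrom=attacker.invalid; dkim=none"

if __name__ == "__main__":
    print(dmarc_evaluate(LEGIT_FROM, LEGIT_AR))
    print(dmarc_evaluate(SPOOF_FROM, SPOOF_AR))
```

The spoofed sample is the case the list warns about: SPF is satisfied because the attacker controls the envelope domain, and an absent DKIM signature yields no domain to check at all; only the alignment step ties both results back to the visible From domain. Switching `spf_mode` to `strict` also shows why strict policies can reject wanted mail: the legitimate sample's bounce subdomain no longer aligns, and the message survives only thanks to its DKIM signature.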
Naturally, with the widespread implementation of the above-described technologies, attackers faced a tough choice: to hope that the company they are impersonating did not configure mail authentication properly (still common, sadly), or to use From-header spoofing methods that bypass authentication.
Display Name Spoofing
The display name is the name of the sender that gets shown in the From header before the email address. In the case of corporate mail, it is usually the real name of the relevant individual or department.
Example of a display name
To make the email less cluttered for the recipient, many mail clients hide the sender’s address and show only the display name. This allows cybercriminals to substitute the name, but leave their real address in the From header. And this address is often protected by a DKIM signature and SPF, so the authentication mechanisms see the message as legitimate.
The most common form of the above method is known as ghost spoofing. Here, the attacker specifies as the name not only the name of the person or company being spoofed, but also the address of the supposed sender, as in the example in the screenshot below.
Example of ghost spoofing
In actual fact, the message comes from a completely different address.
Real sender address in ghost spoofing, and mail authentication
AD (Active Directory) spoofing is another form of display name spoofing, but unlike the ghost version, it does not involve specifying the spoofed address as part of the name. What’s more, the address from which the cybercriminals send messages features the name of the person being imitated.
Example of AD spoofing
This method looks more primitive than ghost spoofing, but some scammers prefer it for several reasons. First, if the recipient’s mail agent does display the contents of the From header in its entirety, the double sender address will make the user more suspicious than the address on the public domain. Second, ghost spoofing is technically easier to block with spam filters: it is enough to consign to the spam folder emails where the displayed sender name contains the email address. It is not generally feasible to block all incoming emails sent from addresses with the same names as colleagues and contractors.
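Both display name variants described above, ghost spoofing (an address embedded in the display name) and AD spoofing (a colleague's name on an outside address), can be recognised at the gateway from the From header alone, once the sender's real domain is known to be external. The Python below is an added example, not code from the article; the internal domain list and the staff directory are constructed assumptions standing in for an organisation's own data, and the check is deliberately skipped for mail from the organisation's own domains, since that is the legitimate-domain case DMARC already covers.

```python
import re
from email.utils import parseaddr

# An email address hiding inside the display name is the ghost spoofing signature
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and sort the tokens so that 'Doe, Jane'
    and 'Jane Doe' compare equal."""
    return " ".join(sorted(re.sub(r"[^\w\s]", " ", name).lower().split()))


def classify_from(from_header: str, internal_domains: set, directory: list) -> str:
    """Return one of: malformed, internal, ghost_spoofing,
    display_name_impersonation, external."""
    name, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in internal_domains:
        # Our own domain in From: authenticity is DMARC's job, not the display name's
        return "internal"
    if ADDRESS_IN_NAME.search(name):
        return "ghost_spoofing"
    known = {normalize_name(n) for n in directory}
    if normalize_name(name) in known:
        # External address wearing the name of one of our people (AD spoofing)
        return "display_name_impersonation"
    return "external"


# Constructed assumptions: the organisation's domains and its staff directory
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = ["Jane Doe", "Accounts Payable"]

# Constructed sample From headers with the verdict each should receive
SAMPLES = {
    '"Jane Doe <jane.doe@example.com>" <jdoe1987@freemail.invalid>': "ghost_spoofing",
    '"Doe, Jane" <jane.doe@freemail.invalid>': "display_name_impersonation",
    '"Jane Doe" <jane.doe@example.com>': "internal",
    "Newsletter <news@vendor.invalid>": "external",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns header -> verdict."""
    return {h: classify_from(h, INTERNAL_DOMAINS, DIRECTORY) for h in SAMPLES}


if __name__ == "__main__":
    for header, verdict in run_samples().items():
        print(f"{verdict:28} {header}")
```

The two verdicts differ in how they should be handled, which is the point the paragraph makes: a display name containing an address is a safe signal to quarantine on, whereas a matching staff name on an external address is common for contractors and personal mailboxes, so it is better surfaced as a warning banner or a score contribution than as a hard block.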
Lookalike Domain Spoofing
More sophisticated attacks use specially registered domains, similar to the domain of the target organization. This requires a bit more effort, since finding and buying a specific domain, then setting up mail, DKIM/SPF signatures and DMARC authentication on it, is rather more difficult than simply modifying the From header slightly. But it also complicates the task of recognizing a fake.
A lookalike domain is a domain name that looks similar to that of the organization being spoofed, but with a couple of alterations. For example, the email in the screenshot below came from the domain deutschepots.de, which can easily be confused with the domain of the German mail company Deutsche Post (deutschepost.de). If you follow the link in such an email and try to pay for delivery of a parcel, you will not only lose 3 euros, but also hand your card details to the fraudsters.
Example of a message from a lookalike domain
With the right level of vigilance, it is possible to spot a misspelled domain. In other cases, however, simple attentiveness is no longer sufficient.
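Where attentiveness runs out, a gateway check can compare the sender's domain against the organisation's trusted domains. The Python below is an added example rather than code from the article: it catches the transposition in the article's deutschepots.de example with an optimal string alignment (Damerau-Levenshtein) distance, folds common look-alike characters into the letters they imitate before comparing, and flags a trusted brand label used as a subdomain of an unrelated domain. The trusted list is a constructed assumption, and the "registrable label" is approximated as the second-to-last label (a Public Suffix List lookup would be needed for suffixes such as co.uk).

```python
# Single characters commonly swapped for letters they resemble
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character imitations
PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(label: str) -> str:
    """Fold look-alike characters so visually similar labels compare equal."""
    s = label.lower().translate(HOMOGLYPHS)
    for a, b in PAIRS:
        s = s.replace(a, b)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'post' vs 'pots' costs 1 rather than the plain Levenshtein 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def brand_label(domain: str) -> str:
    """Registrable label approximated as the second-to-last label (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_sender_domain(domain: str, trusted: list) -> tuple:
    """Return (verdict, reason) where verdict is trusted, lookalike or unrelated."""
    domain = domain.lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    labels = domain.split(".")
    sender = brand_label(domain)
    for t in trusted:
        brand = brand_label(t)
        if brand in labels[:-2]:
            # e.g. deutschepost.de.parcel-tracking.test: the brand is only a subdomain
            return ("lookalike", f"{brand} used as subdomain of {'.'.join(labels[-2:])}")
        if sender != brand and brand in sender:
            return ("lookalike", f"{brand} embedded in label {sender}")
        if osa_distance(skeleton(sender), skeleton(brand)) <= 1:
            # Covers typos, transpositions, homoglyphs and a swapped TLD
            return ("lookalike", f"label {sender} within one edit of {brand}")
    return ("unrelated", None)


# Constructed trusted list for the example
TRUSTED = ["deutschepost.de"]

if __name__ == "__main__":
    for d in ["deutschepost.de", "mail.deutschepost.de", "deutschepots.de",
              "deutschep0st.de", "deutschepost.de.parcel-tracking.test", "kaspersky.com"]:
        print(d, check_sender_domain(d, TRUSTED))
```

The distance threshold of one edit is deliberately tight: brand labels are short enough that a looser threshold would match unrelated legitimate domains, and the embedded-brand checks already cover the longer variants (brand plus a suffix such as "-mail", or the brand as a subdomain) that a distance metric would miss.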
There are various ways to convince the recipient of an email that it came from a trusted sender. Some of them seem primitive, yet they enable cybercriminals to successfully bypass mail authentication. At the same time, the technique of spoofing is used to carry out various types of attacks, from standard phishing to advanced BEC. They, in turn, can be just one step in a more sophisticated targeted attack. Accordingly, the damage from spoofing, even if restricted to a single attack, can range from identity theft to business downtime, loss of reputation and multi-million dollar losses.