Forging an e-mail letter is almost
What is Email Authentication?
For most of the past 40 years, users have had to take a leap of faith every time they opened their email. Do you think the letter really comes from whoever is listed in the sender column? Most will easily answer yes and in fact be very surprised to learn how easy it is to spoof email from almost any sender.
When the Internet was created, no way was originally designed to verify the identity of the sender. During the development of the main email protocols, the costs of computing power, implementation and ease of use were balanced against the risk of fraud. It was hard to assume that 84% of all e-mail in the future will have a malicious payload and be phishing or spam.
The result is that email headers, including the From: and Reply-to: fields, are very easy to spoof. In some cases, this is as easy as typing "[email protected]" in the "From:" field. Combining this with unsuspecting content, compelling graphics and formatting, it's entirely possible to fool people into thinking that the message in their inbox really came from a bank, FTS, executive or president of the United States.
Considering the ubiquity of email, you understand the core of our current cybersecurity crisis. Weakness in email has led to a slew of phishing attacks designed to trick people into clicking on malicious links, downloading and opening malicious files, submitting a W-2 form (analogous to 2-NDFL in the US), or transferring funds to criminals.
was in the spotlight after sending payroll data for all 625 employees to a scammer. Leoni AG, one of Europe's largest companies, lost $ 45 million last year when an employee mistakenly transferred money to a scammer's account due to a fake email. The FBI estimates that Business Email Compromise (BEC) phishing attacks cost US companies $ 3 billion a year.
A W-2 phishing record has been compiled on databreaches.net. The work on the list this year indicates that the number of cases has been growing since 2016 and currently consists of 204 reports. From the list, you can understand that there are known cases of theft of data of thousands of employees and this type of fraud is very common.
How an attacker can spoof unprotected email from almost anyone in less than 5 minutes
In fact, a spoofed "from" address is the basis and starting point for most attacks. Why worry about spoofing emails from the fictitious "company.com" when it is possible to just register a similar fake domain (eg c0mpany.com) and use it? Or create a Gmail account ([email protected]), give it a friendly name that looks like the name of the company's CEO? Because, in fact, it is even easier to fake sending an email from a real person's address than registering a fake domain or creating a Gmail account.
Three easy ways
On the Internet, you can easily find sites that allow you to send fake letters. There are dozens of them, here are just a couple of examples: spoofbox.com and anonymailer.net. Many of them are free, some cost money, these services are positioned as legitimate, and the main purpose of use is supposed to be a prank of friends.
The usage algorithm is simple. All you need to do is enter the recipient's email address in the "To:" field, put any desired email address in the "From:" field, and after creating the message, confirm the sending. According to the terms of the user agreement, liability for damage lies entirely with the clients of the service.
The next way is to submit using the UNIX command line. If you have a computer with a configured mail service, just enter this command:
mail -aFrom: [email protected]
As a result, you get a message in which the "From" field will contain "[email protected]". After entering the subject line and the rest of the message, after pressing Ctrl + D, the message is sent to the recipient. How this idea works depends on how your system is configured. However, it works in many cases.
Using PHP, you can create an email with a few lines of very simple code:
<?php $to = '[email protected]'; $subject = 'the subject'; $message = 'hello'; $headers = 'From: [email protected]' . "\r\n" . 'Reply-To: [email protected]' . "\r\n" . 'X-Mailer: PHP/' . phpversion();mail($to, $subject, $message, $headers);
?>
In fact, these are lines of code used as an example in the online manual for the mail () function with additional headers.
These spoofing tools are greatly simplified. It takes a little more work and, of course, social engineering skills to make the messages more realistic. But the main technical component is very simple. The only thing that really prevents spoofing is email authentication by sharing SPF record, DKIM signature and DMARC. Below we will tell you how these technologies work and how they differ. They are nothing new, however, luckily for scammers, most domains on the Internet are not yet secure. For example, only about 4% of .gov domains use authentication. What about the other 96%? Attackers can send emails disguised as outgoing emails from these domains' mailboxes at any time.
According to the source, one in four emails from .gov domains is fraudulent. The domains are justice.gov, House.gov, Senate.gov, Whitehouse.gov, and democrats.org, dnc.org, gop.com, rnc.org. and DonaldJTrump.com - all of which can be easily used for spoofing by email scammers.
Anti-spoofing methods
The above-described ease of exploiting an unauthenticated email vulnerability and the widespread use of these methods as the initial stage for the largest cyber attacks, draws the attention of the IT community to the need to use email authentication technologies. By implementing email authentication, you can ensure that any user — employee, customer, or partner — who receives the email can determine if the email was sent by a legitimate company representative. Plus, you can gain transparency and control over who is sending emails on your behalf.
This has grown in importance due to the rapid growth of cloud services (SaaS), more than 10,000 of which send emails on behalf of their customers on the topics of sales, marketing, customer support, HR, accounting, legal and other services. Thanks to forced authentication, you can block everyone who tries to send an email on your behalf - spammers, phishers, and even "gray" senders who may be legitimate, but are not listed by you.
Email authentication standards allow the mail server to verify that an email with your domain in the "From:" field has been authorized to be sent on your behalf. Before the message reaches the recipient's inbox, the mail server can check:
Using an SPF record, does the sending server have the right to use the domain name (or names) specified in the message headers?
If a DKIM cryptographic signature is attached to a message, using the public version of the key in the domain's DNS record, you can decrypt the headers of incoming messages and find out if the message really comes from the claimed sender.
Thanks to the DMARC setting, domain owners can create rules for processing emails that come from unauthorized domains and check if the headers match each other (for example, the From: and Reply-to :) fields. The rules include instructions on what the receiving server should do with unauthenticated messages, such as not letting them through, placing them in a spam folder, or marking them as potentially dangerous. Email authentication gives the domain owner global control over what happens to messages sent on their behalf by anyone and anyone. For example, if you represent a sender domain of mail and publish a DMARC record with a request for information, then you will receive statistics from all recipient domains that also support DMARC, statistics about all mail messages that come with a return address from your domain. Statistics comes in XML and contains the IP address of each sender that is signed by your domain, the number of messages from each IP address, the result of processing these messages in accordance with the DMARC rules, SPF results and DKIM results
Why is it necessary to use these technologies together?
In a simplified sense, SPF allows you to whitelist IP addresses. If a mail server with an IP address that is not on your list tries to send an email using your domain, the SPF authentication test will fail. However, the big problem with SPF is that it uses the domain specified in the Return-Path for authentication, not the From field, which people actually read.
Worse, phishing attackers can configure an SPF record for their own domains. They can then send emails that appear to come from a trusted company or brand, but that company's domain will appear in the From field and the scammer's domain in the Return-Path. Such emails will pass SPF authentication. The additional use of DMARC solves this problem by allowing the domain owner to require "alignment", which means that the return and outbound addresses must be the same.
SPF records are text, but the syntax is quite complex. It is easy to make typos that are difficult to detect. In doing so, they will make the SPF record useless. An analysis of the SPF records of all 62 sponsors of the 2017 RSA conference found that only 58 published SPFs, with 17 cybersecurity conference sponsors having recording errors. Companies that don't have a lot of IT experience often find SPF even more challenging.
Also, DKIM is not particularly effective against fraud without DMARC. To stop phishing, the most important address is the domain in the From field. However, checking only the DKIM signature does not say anything about the domain in this field. The domain used to sign the message can be completely different from the domain specified in the From field. In other words, hackers can create messages that are signed through DKIM using the domain they control, but the From field will contain your bank's email address. Most people are not going to dig into the headers of all incoming messages to ensure that the DKIM signature data is legitimate. It is also worth considering the large number of legitimate mail services that can do mailings on behalf of the sender and the problem of maintaining the secrecy of the private key used to sign messages.
These two early standards, while important, contain important gaps. DMARC builds on and complements them. DMARC significantly increases the credibility of the email you send, whether the emails come from your own mail servers or cloud services that you authorize to send email to.
The main contributions of DMARC are:
setting up a policy that tells the receiving email servers what to do with emails that are not authenticated (nothing, quarantine or denial),
providing a reporting mechanism.
Having a policy and a feedback mechanism is what makes it all work.
You can check that DMARC is configured using services
→ mxtoolbox.com
→ mail-tester.com and others.