What is email spoofing?
Email spoofing is a technique attackers use to hide the true sender address of a malicious email and replace it with a legitimate one, impersonating a company or a user by using their exact domain. Attackers often use this technique in phishing or spam campaigns to improve their effectiveness: it evades anti-spam controls and makes the emails appear more credible.
To understand how email spoofing works, you first need to step back and look at the mechanisms involved in email communication.
Communications in sending emails
The systems that send and receive email rely on three main protocols: SMTP (Simple Mail Transfer Protocol) is used for delivering mail, while IMAP or POP is used for reception, depending on the server.
SMTP is based on transactions between sender and receiver, in which commands are issued and the required data is supplied in order over a Transmission Control Protocol (TCP) connection. A transaction consists of three command/response sequences: the return or sender address (MAIL), the recipient address (RCPT), and the message content (DATA).
This data is normally supplied by the mail provider's server, where users have already authenticated, so the protocol itself does not perform any identity verification. Although some providers such as Gmail or Outlook do not allow the identity of emails within their own domain to be spoofed, most existing addresses can fall victim to this attack.
Anti-spoofing technical measures
Current email services and providers have defined security parameters that provide mechanisms to detect malicious emails. These parameters are:
SPF (Sender Policy Framework) helps prevent third parties from sending unauthorized emails from your domain (site or web page). However, in some cases, when an email service does not have this option configured, legitimate emails may be flagged as malicious or spam.
DKIM (DomainKeys Identified Mail) verifies that the content of the message is authentic and has not been modified. DKIM is included as a signature in sent messages so that the servers receiving them can verify the signature and validate the information.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifies how suspicious emails claiming to come from a domain (site or page) should be handled; in other words, it is in charge of indicating that a message may be spam or identity theft. It comes into play when SPF and DKIM have reported an error or problem.
These security measures must be active and correctly configured in the email service you use so that it can identify emails attempting to spoof your identity and you know what steps to take. If you manage the systems of a team or organization, we recommend taking them into account.
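How the three mechanisms combine is easiest to see in code. The following is an added example, not code from the original article: a simplified DMARC evaluator that takes the SPF and DKIM results a receiving server has already computed, checks whether they align with the visible From domain, and applies the published policy when neither does. The organizational-domain check uses the last two labels instead of the Public Suffix List, and all domains in the test are constructed.

```python
"""Simplified DMARC evaluation as a receiving server would perform it.

Added illustration, not code from the original article. Assumes SPF and
DKIM verification have already run; org_domain() uses the last two labels
rather than the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    return tags

def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts subdomains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    header_from: str                  # domain in the visible From: header
    spf_pass: bool                    # SPF result for the envelope sender
    mail_from: str                    # domain from SMTP MAIL FROM (envelope)
    dkim_pass: bool                   # a DKIM signature verified
    dkim_domain: Optional[str] = None # d= tag of that verified signature

def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the policy ('none'/'quarantine'/'reject') on failure."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.header_from, r.mail_from, tags["aspf"])
    dkim_ok = (r.dkim_pass and r.dkim_domain is not None
               and aligned(r.header_from, r.dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

The key point the example makes is alignment: a message can pass SPF for the attacker's own envelope domain and still be rejected, because that domain does not match the From header the recipient sees.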
Let's take the impersonation email shown at the beginning of the text as an example. This is what it would look like:
Most frequent types of attacks that use email spoofing
Social engineering attacks work when the attacker can inspire enough confidence in the receiver that they do not suspect an attack. Posing as an organization or individual related to the victim by spoofing the email identity (a service the victim uses, a common contact, and so on) makes the deception harder to detect. In addition, impersonating a company with its real domain avoids raising spam or phishing suspicions on the email servers.
Next, we analyze the attacks and threats most frequently distributed or carried out by means of email spoofing.
Ransomware and botnets
These attacks earned mentions again in 2020, a year with a great deal of botnet activity in which ransomware attacks took center stage, affecting several sectors, including healthcare. These attacks aim to get the victim to download and run a file that infects their computer. The malware may then encrypt part or all of the information it contains and demand a monetary ransom for the supposed release of the files, or turn the computer into a "zombie" controlled by the botnet's command infrastructure to send spam, host malware, and so on.
The malicious file may arrive as an attachment or be hosted on a site linked to the email, disguised as a harmless file such as an electronic receipt in PDF or Excel format, a compressed file, or a simple program installation.
In the case of ransomware, beyond pressuring the victim to pay the ransom through various extortion methods, such as DDoS attacks or leaking stolen information (a recent trend, but one here to stay), attackers can also monetize the incident by selling the stolen data on black markets.
Phishing
Like ransomware, this type of attack seeks to convince the victim, for example by impersonating a company, to open an attached link intended to steal information. Attackers usually impersonate well-known companies or banks offering online services, claim some problem or suspicious activity in an account in the victim's name, and then tell them to access a site posing as the company's official one and sign in. In this way, the victim hands over their credentials, and the attacker gains access to the account.
Cybercriminals are inventive in the deceptive methods they use to make illegal profits. They use a variety of tactics to push users into specific actions: clicking links, downloading malware, sharing sensitive information. Email spoofing is one such example.
Spoofing is a favored tactic in phishing and spam campaigns. The purpose of the scam is to get recipients to open and even respond to a request: for example, selling a counterfeit product, transferring money, or authorizing access to a system. Fake emails also sometimes contain attachments that install malware when opened.
While email spoofing is mostly used to carry out phishing attacks, cybercriminals also use this technique to evade spam blacklists, steal identities, or tarnish the spoofed sender's image.
So you need to protect your company and employees from email spoofing. Even with email security in place, malicious emails can still reach your inboxes, so avoid clicking links that ask you to authenticate and instead type the official domain into your browser yourself.