Email spoofing

Email spoofing is the creation of email messages with a forged sender address. [1] The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable or "masked" email addresses are a different topic: the user is given an alias that is not their normal address and is not disclosed (for example, so that it cannot be harvested), but which forwards mail sent to it to the user's real address. [2]

The original transmission protocols used for email do not have built-in authentication methods: this deficiency allows spam and phishing emails to use spoofing in order to mislead the recipient. More recent countermeasures have made such spoofing from internet sources more difficult but they have not eliminated it completely; few internal networks have defences against a spoof email from a colleague's compromised computer on that network. Individuals and businesses deceived by spoof emails may suffer significant financial losses; in particular, spoofed emails are often used to infect computers with ransomware.

Technical details

When a Simple Mail Transfer Protocol (SMTP) email is sent, the initial connection provides two pieces of address information:

  1. MAIL FROM: – the envelope sender, also known as the Return-Path. Bounce messages are sent to this address, and by default the receiving server does not check that the sending system is entitled to use it.
  2. RCPT TO: – the envelope recipient, the mailbox to which the message is actually delivered.

Together, these are sometimes referred to as the "envelope" addressing – an analogy to a traditional paper envelope. [3] Unless the receiving mail server signals that it has problems with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:

  1. From: – the sender address that is shown to the recipient. Again, by default nothing checks that the sending system is authorized to use it.
  2. Reply-To: – if present, the address to which a reply is directed instead of the From: address. It is equally unchecked.

The result is that the email recipient sees the email as having come from the address in the From: header. They may sometimes be able to find the MAIL FROM address, which the receiving server usually preserves as a Return-Path: header, and if they reply to the email, it will go to the address in the Reply-To: header if there is one, otherwise to the From: address. None of these addresses is reliable, [4] so automated bounce messages sent to them may generate backscatter.

Although email spoofing is effective in forging the sender address, the IP address of the computer that connected to the recipient's mail server can generally be identified from the "Received:" lines in the email header. [5] Only the Received: line added by the recipient's own server (normally the top-most one) can be trusted, because the sender controls everything beneath it and can insert forged Received: lines to suggest a different origin. In malicious cases, moreover, the connecting machine is likely to be the computer of an innocent third party infected by malware that is sending the email without the owner's knowledge.
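The following Python script is added here as an illustration; it is not code from the article or from any cited source. It parses a raw message constructed for the purpose (every host, address and IP in it is made up) and pulls apart the three sender identities described above: the envelope sender as preserved in Return-Path:, the From: header, and Reply-To:. It then takes the connecting IP from the Received: line written by the receiving server (mx.victim.example, an assumed hostname) and counts the Received: lines below it as untrusted, since those were supplied by the sender.

```python
"""Envelope vs. header sender identities in a spoofed message.

Added example, not from the original article. It shows the three places a
"sender" appears (Return-Path = SMTP MAIL FROM, From:, Reply-To:) and walks
the Received: chain from the top, because only the Received: line written
by the receiving MTA is trustworthy; everything below it came from the
sender and may be forged. All names, addresses and IPs are constructed.
"""
import email
import email.policy
import re
from email.utils import parseaddr

# Constructed sample: the envelope sender is a throwaway address at a bulk
# mailer, the From: header claims to be the victim's CFO, and Reply-To:
# redirects any reply to a webmail account controlled by the attacker.
RAW = b"""\
Return-Path: <bounce-7f3a@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.23])
\tby mx.victim.example (Postfix) with ESMTPS id 4F2A1
\tfor <ap@victim.example>; Mon, 1 Jan 2024 09:00:00 +0000
Received: from localhost (unknown [10.0.0.5])
\tby mailer.example.net with ESMTP id abc123; Mon, 1 Jan 2024 08:59:59 +0000
From: "CFO" <cfo@victim.example>
Reply-To: cfo.victim@freemail.example.org
To: ap@victim.example
Subject: Urgent wire transfer
Message-ID: <1234@mailer.example.net>

Please process the attached invoice today.
"""

# Bracketed IPv4 literal as written by most MTAs in a Received: clause.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an addr-spec; '' when there is none."""
    _, spec = parseaddr(str(addr))
    return spec.rpartition("@")[2].lower()


def analyse(raw: bytes, our_mx: str) -> dict:
    """Extract sender identities and the first untrusted hop.

    our_mx is the hostname of the receiving MTA we operate (assumed name).
    The Received: line it wrote is the only one we trust; get_all() returns
    headers in message order, and Received: lines are prepended, so the
    newest (ours) comes first.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return_path = domain_of(msg.get("Return-Path", ""))
    header_from = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", "") or msg.get("From", ""))

    received = msg.get_all("Received", [])
    connecting_ip = None
    for line in received:
        if f"by {our_mx}" in str(line):
            m = RECEIVED_IP.search(str(line))
            connecting_ip = m.group(1) if m else None
            break  # anything after this line is sender-controlled

    return {
        "return_path_domain": return_path,
        "from_domain": header_from,
        "reply_to_domain": reply_to,
        "envelope_mismatch": return_path != header_from,
        "reply_to_mismatch": reply_to != header_from,
        "connecting_ip": connecting_ip,
        "untrusted_hops": max(len(received) - 1, 0),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW, "mx.victim.example").items():
        print(f"{key:>20}: {value}")
```

Neither mismatch is proof of forgery on its own (mailing-list software and legitimate bulk senders routinely use a different envelope domain), which is why the countermeasures discussed below tie these identities together with published policy rather than leaving the decision to a heuristic.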

Malicious use of spoofing

Phishing and business email compromise (see below) scams generally involve an element of email spoofing.

Email spoofing has been responsible for public incidents with serious business and financial consequences. This was the case in an October 2013 email to a news agency which was spoofed to look as if it was from the Swedish company Fingerprint Cards. The email stated that Samsung had offered to purchase the company. The news spread and the company's share price surged by 50%. [6]

Malware such as Klez and Sober, along with many more modern examples, often searches for email addresses on the computer it has infected, and uses those addresses both as targets for email and to create credible forged From: fields in the emails that it sends. This makes the emails more likely to be opened. For example:

  1. Alice is sent an infected email which she opens, running the worm code.
  2. The worm code searches Alice's email address book and finds the addresses of Bob and Charlie.
  3. From Alice's computer, the worm sends an infected email to Bob, but is forged to appear as if it was sent by Charlie.

In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, even though it really came from Alice's computer. Meanwhile, Alice may remain unaware that her computer has been infected, and Charlie does not know anything about it at all, unless he receives an error message from Bob.

The effect on mail servers

Traditionally, mail servers could accept a mail item and then later send a Non-Delivery Report or "bounce" message if it could not be delivered or had been quarantined for any reason. These are sent to the "MAIL FROM:" (also called "Return-Path") address. With the massive rise in forged addresses, best practice is now not to generate NDRs for detected spam, viruses and the like, [7] but to reject the message during the SMTP transaction itself, so that the rejection is reported to the connecting client rather than mailed to the forged sender. When mail administrators fail to take this approach, their systems end up sending "backscatter" emails to innocent parties – in itself a form of spam – or being used to perform "Joe job" attacks.

Countermeasures

The SSL/TLS encryption used for server-to-server email traffic could also be used to authenticate the sending server (for example by requiring a client certificate), but in practice TLS between mail servers is usually opportunistic and does not verify the peer's identity, [8] and a range of other potential solutions have also failed to gain traction.

A number of defensive systems have come into wide use, including:

  1. Sender Policy Framework (SPF) – the domain owner publishes in DNS which hosts may send mail using that domain in the envelope MAIL FROM address. [9]
  2. DomainKeys Identified Mail (DKIM) – the sending server adds a cryptographic signature over selected headers and the body, which the receiver verifies with a public key published in the signing domain's DNS.
  3. Domain-based Message Authentication, Reporting and Conformance (DMARC) – ties SPF and DKIM results to the domain in the visible From: header ("alignment"), lets the domain owner publish a policy (none, quarantine or reject) for mail that fails, and returns reports to the owner.

To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication. Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6% [10] to "almost half". [11] [12] [13] For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly configured domains or email. [14] [15]
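As an added example (not code from the article or from any real SPF/DMARC implementation), the Python below evaluates an SPF record for a connecting IP and envelope domain, then applies DMARC alignment to the From: header domain. DNS lookups are served from an in-memory table so it runs offline; every domain, address and record in the table is constructed for illustration, with victim.example publishing SPF and a p=reject DMARC policy and mailer.example.net standing in for the spoofer's own domain. The SPF evaluator handles only the ip4, ip6, a, include and all mechanisms (no mx, exists, ptr or redirect=), and the organizational-domain rule for relaxed alignment is simplified to the last two labels where real verifiers consult the public suffix list. DKIM signature verification is assumed to have happened elsewhere; the DMARC function is handed the d= domains of signatures that passed.

```python
"""Minimal SPF evaluation and DMARC alignment over a constructed DNS table.

Added example, not from the article or any real verifier. It shows why a
spoof that passes SPF for its *own* envelope domain still fails DMARC for
the domain shown in From:. All zone data below is made up.
"""
import ipaddress

# Constructed zone data: (name, rrtype) -> records. No network access.
DNS = {
    ("victim.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.saas.example -all"],
    ("_spf.saas.example", "TXT"): ["v=spf1 ip4:192.0.2.10 a:relay.saas.example -all"],
    ("relay.saas.example", "A"): ["192.0.2.11"],
    ("_dmarc.victim.example", "TXT"): ["v=DMARC1; p=reject; adkim=s; aspf=r"],
    ("mailer.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for ip.

    Supports ip4/ip6/a/include/all only; unknown terms never match.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # record exhausted without a match


def org_domain(d):
    # Simplification: last two labels. Real verifiers use the public suffix list.
    return ".".join(d.lower().split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def check_dmarc(from_domain, envelope_domain, spf_result, dkim_pass_domains):
    """Return (dmarc_result, published_policy) for the From: header domain.

    dkim_pass_domains: d= values of DKIM signatures that already verified
    (signature checking itself is outside this example).
    """
    records = [t for t in lookup("_dmarc." + from_domain, "TXT") if t.startswith("v=DMARC1")]
    if not records:
        return "none", "none"
    tags = dict(kv.strip().split("=", 1) for kv in records[0].split(";") if "=" in kv)
    spf_ok = spf_result == "pass" and aligned(envelope_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_pass_domains)
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")


if __name__ == "__main__":
    # Legitimate: the SaaS relay sends for victim.example from 192.0.2.11.
    print(check_spf("192.0.2.11", "victim.example"))
    # Spoof: the envelope domain passes its own SPF, but From: says
    # victim.example, so DMARC fails and the published p=reject applies.
    spf = check_spf("198.51.100.23", "mailer.example.net")
    print(check_dmarc("victim.example", "mailer.example.net", spf, []))
```

The second call is the point of DMARC: an SPF pass for the envelope domain proves nothing about the From: header unless the two identifiers align, which is exactly the gap that envelope-only checks left open.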

While there has been research into improving email security, little emphasis has been placed on informing users whose email addresses have been used for spoofing. DMARC's aggregate reports give a domain's owner some visibility into mail failing authentication under its name, but an individual user whose address has been forged is normally not told anything, and only the recipient (or the recipient's mail system) is in a position to identify the fake.

Business email

Business email compromise attacks are a class of cyber crime which use email fraud to attack organizations. Examples include invoice scams and spear-phishing attacks which are designed to gather data for other criminal activities. A business deceived by an email spoof can suffer additional financial, business continuity and reputational damage. Fake emails can also be used to spread malware.

Typically, an attack targets specific employee roles within an organization by sending spoof emails which fraudulently represent a senior colleague, trusted customer, or supplier. [16] (This type of attack is known as spear phishing). The email will issue instructions, such as approving payments or releasing client data. The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster. [17]

The United States' Federal Bureau of Investigation recorded $26 billion of US and international losses associated with BEC attacks between June 2016 and July 2019. [18] More recent figures estimate losses of over $50 billion from 2013 to 2022. [19]

References

  1. Varshney, Gaurav; Misra, Manoj; Atrey, Pradeep K. (2016-10-26). "A survey and classification of web phishing detection schemes: Phishing is a fraudulent act that is used to deceive users". Security and Communication Networks. 9 (18): 6266–6284. doi:10.1002/sec.1674.
  2. Yee, Alaina (6 June 2022). "What is masked email? This new spin on an old practice supercharges your security". PCWorld.
  3. Siebenmann, Chris. "A quick overview of SMTP". University of Toronto. Archived from the original on 2019-04-03. Retrieved 2019-04-08.
  4. Barnes, Bill (2002-03-12). "E-Mail Impersonators". Slate. Archived from the original on 2019-04-13. Retrieved 2019-04-08.
  5. "e-mail impersonators: identifying "spoofed" e-mail". Archived from the original on 2017-06-21. Retrieved 2019-04-08.
  6. Mundy, Simon (11 October 2013). "Fraudsters' fingerprints on fake Samsung deal". Financial Times. Archived from the original on 2019-02-10. Retrieved 2019-04-08.
  7. See RFC 3834.
  8. "Transport Layer Security for Inbound Mail". Google Postini Services. Archived from the original on 2016-11-11. Retrieved 2019-04-08.
  9. Carranza, Pablo (16 July 2013). "How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability". DigitalOcean. Archived from the original on 20 April 2015. Retrieved 23 September 2019. A carefully tailored SPF record will reduce the likelihood of your domain name getting fraudulently spoofed and keep your messages from getting flagged as spam before they reach your recipients. Email spoofing is the creation of email messages with a forged sender address; something that is simple to do because many mail servers do not perform authentication. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message.
  10. Bursztein, Elie; Eranti, Vijay (2013-12-06). "Internet-wide efforts to fight email phishing are working". Google Security Blog. Archived from the original on 2019-04-04. Retrieved 2019-04-08.
  11. Eggert, Lars. "SPF Deployment Trends". Archived from the original on 2016-04-02. Retrieved 2019-04-08.
  12. Eggert, Lars. "DKIM Deployment Trends". Archived from the original on 2018-08-22. Retrieved 2019-04-08.
  13. "In First Year, DMARC Protects 60 Percent of Global Consumer Mailboxes". dmarc.org. 2013-02-06. Archived from the original on 2018-09-20. Retrieved 2019-04-08.
  14. "Prevent spoofed messages with spoofed senders detection". Archived from the original on 2019-03-23. Retrieved 2019-04-08.
  15. "Anti-spoofing protection in Office 365". Archived from the original on 2019-04-09. Retrieved 2019-04-08.
  16. Joan Goodchild (20 June 2018). "How to Recognize a Business Email Compromise Attack". Security Intelligence. Archived from the original on 23 March 2019. Retrieved 11 March 2019.
  17. "Tips to Avoid Phishing Attacks and Social Engineering". www.bankinfosecurity.com. Archived from the original on 2020-12-02. Retrieved 2020-11-17.
  18. "Business Email Compromise Is Extremely Costly And Increasingly Preventable". Forbes Media. 15 April 2020. Archived from the original on 23 October 2021. Retrieved 2 December 2020.
  19. "Business Email Compromise: The $50 Billion Scam".
  20. "Dublin Zoo lost €500k after falling victim to cyber-scam". 22 December 2017. Archived from the original on 8 August 2019. Retrieved 23 October 2021.
  21. "Austria's FACC, hit by cyber fraud, fires CEO". Reuters. 26 May 2016. Archived from the original on 21 March 2021. Retrieved 20 December 2018.
  22. "Te Wananga o Aotearoa caught up in $120k financial scam". NZ Herald. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
  23. "Fire Service scammed out of $52,000". RNZ News. 23 December 2015. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
  24. Hackett, Robert (August 10, 2015). "Fraudsters duped this company into handing over $40 million". Fortune magazine. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
  25. Wallack, Todd (13 December 2018). "Hackers fooled Save the Children into sending $1 million to a phony account". The Boston Globe. Archived from the original on 20 December 2018. Retrieved 20 December 2018.
  26. Powell, Dominic (27 November 2018). "Business loses $300,000 to 'spoofed' email scam: How to protect yourself from being impersonated". Smart Company. Archived from the original on 27 November 2018. Retrieved 14 December 2018.
  27. "Sentence in BEC Scheme". Federal Bureau of Investigation. Archived from the original on 2020-01-31. Retrieved 2020-02-01.