How to Detect Spoofed Emails – Simple Techniques

December 20, 2016 | Views: 10357


Are your customers receiving spoofed emails? Here’s a simple solution.

Most of us have heard the term “e-mail spoofing” before. What is it? Why do attackers use it? How is spoofing used in social engineering attacks? How can companies address this problem? Let’s explore a simple idea that no one has presented before.

Email spoofing is the creation of email messages with a forged sender address (ref). It’s as simple as someone using your internet provider’s letterhead and envelope to send you a form by post, asking you to fill in your personal details and send it back for a free subscription. Obviously, pretending to be someone else has many advantages, especially when that person holds authority or the receiver’s trust.

Attackers use email spoofing for various motives: primarily to hide their true identity; for spamming, because they don’t care about the forged address being blacklisted; to pretend to be an organization or someone you trust in order to ask for your personal or bank information; to damage an organization’s reputation; and various other objectives.

Mail spoofing sounds simple in the example above, and it is just as simple with e-mail, because the email protocol (SMTP) lacks authentication. Anyone with basic Linux mail-server or PHP knowledge can send an email with any sender address to anyone in the world. Moreover, it has become very common for attackers to use forged email addresses to launch social engineering attacks. Suppose an attacker sends an email to someone who has very little computer knowledge but uses Facebook every day. The email appears to come from activate@facebook.com, asks the recipient to update their personal details by clicking the link provided, and warns that not doing so could result in the account being de-activated. I am sure that a person with very little computer knowledge will click the link and provide their personal details, which will then be captured by the attacker. Millions of such attacks happen every day with various malicious intentions.

[Figure 1: example Facebook phishing emails]

As of today, we do have a few countermeasures:

  • SPF (Sender Policy Framework): checks whether a given IP address is authorized to send mail for a given domain.
  • DKIM (DomainKeys Identified Mail): the sender digitally signs the email and associates the signature with its domain. Verification is carried out using the signer’s public key published in DNS.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): this policy lets a sender tell receivers whether its email is protected by SPF or DKIM, what action to take with emails that fail authentication, and where to report them.

All these authentication mechanisms help prevent spoofed emails from reaching our mailbox. That’s the reason most phishing or spoofed emails land directly in the SPAM folder.

Despite all of this, unfortunately, the problem still hasn’t been solved. Consider one more example, where an attacker has bought a similar-looking domain name such as facebooke.com or facebookmail.com and sends email from it with SPF or DKIM enabled. Now the email looks completely legitimate: the authentication checks pass, because the attacker genuinely controls the look-alike domain.


Currently, the only defense against such attacks is customer awareness. Customers should perform due diligence before clicking any link, downloading an attachment, or responding. Due diligence should include verifying the sender’s address or checking the email headers.

You might already know everything discussed so far, so what’s new?

Well, the next few lines present a totally unique idea to address the spoofing issue.

I recommend a solution that’s easy to implement without massive changes or procuring new hardware. The idea is to:

  • Generate a random key for every email sent to customers.
  • Embed that key in the email content together with a verification link, something like facebook.com/emailverification.
  • Keep track of the customer ID, unique random key, message time stamp, and subject for every email sent:

  Customer ID | Unique Key        | Message Time Stamp       | Subject
  ------------|-------------------|--------------------------|----------------------
  122223124   | X232Assa43232aa   | Thu, 6 Oct 2016 21:59:39 | Service unavailable
  236323123   | Xc42sa23asff2asas | Thu, 6 Oct 2016 21:59:39 | Unauthorized activity

  • Make this information available at the public link facebook.com/emailverification.


Now, whenever a customer wants to verify that an email really came from facebook.com, they simply copy the unique key and paste it at facebook.com/emailverification. The website then tells them the message’s sent time stamp, which should be earlier than the received time displayed in the email.

Let’s look at different scenarios:

Scenario 1: Charlie puts a random key in an email and sends it to Alice with a malicious link.

Alice will not be able to verify that key at www.company.com/emailverification; the site returns an error saying the key was not found.

Scenario 2: Bob somehow obtains the random key from an authentic email that Alice forwarded to him.

Key: xasa23213ads232132as

Recipient/Customer ID: Alice@company.com

Bob uses that key in an email and sends it to Charlie. When Charlie verifies the key on the website, it will show the email as non-authentic, because the verification record lists Alice@company.com, not Charlie@company.com: the key was issued for Alice@company.com.
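The steps above (issue a key, record it, verify it at the public page) and both scenarios, worked through as an added example; this is not code from the article or from any company’s verification page. The record table, the placeholder domain company.example, and the function names are assumptions; the key is generated with a cryptographic random source so that it cannot be guessed, and a lookup is only accepted for the recipient it was issued to.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical in-memory stand-in for the sender's record table; a real
# deployment would store these rows in a database keyed on the unique key.
EMAIL_RECORDS = {}
VERIFY_URL = "https://company.example/emailverification"  # placeholder domain

def issue_key(customer_id, subject, sent_at=None):
    """Create the random key for one outgoing email and record who it went to."""
    key = secrets.token_urlsafe(16)  # 128 bits of randomness: not guessable
    sent_at = sent_at or datetime.now(timezone.utc)
    EMAIL_RECORDS[key] = {"customer_id": customer_id, "sent_at": sent_at, "subject": subject}
    return key

def verification_link(key):
    """The link embedded in the email body next to the key."""
    return "%s?key=%s" % (VERIFY_URL, key)

def verify_key(key, customer_id, received_at=None):
    """Check a key the customer pasted into the verification page.
    Returns (ok, reason); the reason tells the customer why a key was rejected."""
    received_at = received_at or datetime.now(timezone.utc)
    record = EMAIL_RECORDS.get(key)
    if record is None:
        return False, "key not found"            # scenario 1: invented key
    if record["customer_id"].lower() != customer_id.lower():
        return False, "key was issued to a different recipient"  # scenario 2
    if record["sent_at"] > received_at:
        return False, "claimed receipt time is earlier than the recorded send time"
    return True, "sent %s, subject: %s" % (record["sent_at"].isoformat(), record["subject"])

def run_scenarios():
    """Constructed walk-through of the article's two scenarios plus the honest case."""
    sent = datetime(2016, 10, 6, 21, 59, 39, tzinfo=timezone.utc)
    key = issue_key("Alice@company.com", "Service unavailable", sent)
    later = sent + timedelta(minutes=5)
    return {
        "alice_genuine": verify_key(key, "Alice@company.com", later)[0],
        "charlie_invented": verify_key(secrets.token_urlsafe(16), "Alice@company.com", later)[0],
        "bob_reuses_alices_key": verify_key(key, "Charlie@company.com", later)[0],
        "backdated_receipt": verify_key(key, "Alice@company.com", sent - timedelta(days=1))[0],
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-22s %s" % (name, "authentic" if ok else "rejected"))
```

The recipient check is what defeats scenario 2: a key that leaks through a forwarded email still only verifies for the customer it was issued to.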

Conclusion

There are a number of techniques and solutions to the email spoofing problem. Most of them are technical, involving digital signatures, DNS checks, etc. Organizations need more than that. Not all phishing emails go into the SPAM folder; a few land in the inbox, which creates security concerns.

The idea is not to apply this process to all emails, but to those from companies that send invoices, quotations, etc., where users/customers have to take action. In such cases, maintaining email records and providing a simple verification feature for customers can really help mitigate security concerns.

12 Comments
  1. It should be general practice not to include links in emails to perform this kind of work. Legitimate emails should merely state to log into their site and give some direction on where to go.

    Not having links in any email solves the problem…completely. People can be easily trained that links in emails are BAD!
