Are your customers receiving spoofed emails? Here’s a simple solution.

Most of us have heard the term “email spoofing” before. What is it? Why do attackers use it? How is spoofing used in social engineering attacks? How can companies address this problem? Let’s explore a simple idea that no one had presented before.

Email spoofing is the creation of email messages with a forged/false sender address (ref). It’s as simple as someone using your internet provider’s letterhead and envelope to send you a form by mail, asking you to fill in your personal details and send it back to them for a free subscription. Obviously, pretending to be someone else can have many advantages, especially when that person holds authority or trust with regard to the receiver.

Attackers use email spoofing for various motives: primarily to hide their true identity; for spamming, because they don’t care about the email address being blacklisted; to pretend to be an organization or someone you trust in order to ask for your personal or bank information; to damage an organization’s reputation; and for various other objectives.

Just as mail spoofing sounds simple in the example above, it is just as simple in email, because the email protocol (SMTP) lacks authentication. Anyone with basic Linux mail-server or PHP knowledge can send an email with any sender address to anyone in the world. Moreover, it has become very common for attackers to use forged email addresses to launch social engineering attacks. Let’s assume someone sends an email to a person who has very little computer knowledge but uses Facebook every day. The attacker sends an email from email@example.com, asking them to update their personal details by clicking on the link provided, and warns that not doing so could result in the account being deactivated. I am sure that a person with very little computer knowledge will definitely click the link and provide their personal details, which will eventually be captured by the attacker. Likewise, there are millions of such attacks happening every day with various malicious intentions.
As of today, we do have a few countermeasures:
- SPF (Sender Policy Framework): checks whether a given IP address is authorized to send mail for a given domain.
- DKIM (DomainKeys Identified Mail): the sender digitally signs the email and associates the signature with its domain name. Verification is carried out using the signer's public key published in DNS.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): this policy gives a sender the option to let the receiver know whether its email is protected by SPF or DKIM, what actions to take, and whom to report to when dealing with emails that fail authentication.
All these authentication mechanisms help prevent spoofed emails from reaching our mailbox. That’s the reason most phishing or spoofed emails land directly in the SPAM folder.

Even with all of these, unfortunately, the problem still hasn’t been solved. Let’s look at one more example, where an attacker has bought a similar-looking domain name such as facebooke.com or facebookmail.com and sends an email with SPF or DKIM enabled. Now the email looks completely legitimate.

Currently, the only solution for such attacks is customer awareness. Customers should perform due diligence before clicking any link, downloading an attachment or responding to it. Due diligence should include verifying the sender’s email address or checking the email header.

You might know everything discussed so far, so what’s new?
Well, my next few lines will present a totally unique idea to address the spoofing issue. I recommend a solution that’s easy to implement without massive changes or procuring new hardware. The idea is to:
- Generate a random key for every email sent to customers.
- Embed that key in the email content, together with a verification link such as ‘facebook.com/emailverification’.
- Keep track of the customer ID, the unique random key, and the message sent time stamp for every email sent.
(Example record table: Message Time Stamp column, e.g. Thu, 6 Oct 2016 21:59:39)
- Make this information available at the public link ‘facebook.com/emailverification’.

Now, whenever a customer wants to verify that an email really came from facebook.com, they simply copy the unique key and paste it at facebook.com/emailverification. The website will then tell them the message time stamp, which should be earlier than the received time displayed in the email.

Let’s look at different scenarios:

Scenario 1:
Charlie puts a random key in an email and sends it to Alice with a malicious link. Alice won’t be able to verify that random key at www.company.com/emailverification; the site will give an error that the key was not found.

Scenario 2:
Bob somehow managed to get a random key from one of the authentic emails that Alice forwarded to him.
Key: xasa23213ads232132as
Recipient/Customer ID: Alice@company.com
Bob uses that random key in an email and sends it to Charlie. When Charlie verifies that key on the website, it will prove the email is not authentic, because the verification information will list Alice@company.com rather than Charlie@company.com: the key was actually issued for Alice@company.com.

Conclusion
There are a number of techniques and solutions to the email spoofing problem. Most of them are on technical grounds, involving digital signatures, DNS checks etc. Organizations need more than that. Not all phishing emails go into the SPAM folder; a few of them do land in the inbox, which creates security concerns.

The idea is to implement this process not for all emails but for companies that send invoices, quotations etc., where users/customers have to take action. In such instances, maintaining email records and providing a simple verification feature for customers can really help mitigate security concerns.
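The key issuance steps and the two verification scenarios above, as an added Python example (not code from the original post). The in-memory store, the function names, the lower-casing of customer IDs and the extra time stamp check are this example's own assumptions; the time stamp format is the one shown in the post.

```python
import secrets
from datetime import datetime

# Hypothetical in-memory record store for this example: key -> (customer_id, sent_at).
# A real deployment would keep these records in the mail system's database.
_records: dict[str, tuple[str, datetime]] = {}

def parse_ts(value: str) -> datetime:
    """Parse a time stamp in the post's format, e.g. 'Thu, 6 Oct 2016 21:59:39'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S")

def issue_key(customer_id: str, sent_at: datetime) -> str:
    """Generate a fresh random key for one outgoing email and record it together
    with the recipient and the send time stamp; the key goes into the email body."""
    key = secrets.token_urlsafe(24)  # 192 random bits, URL-safe, not guessable
    _records[key] = (customer_id.lower(), sent_at)
    return key

def verify(key: str, claimed_recipient: str, received_at: datetime) -> dict:
    """Check a key that a customer pasted into the verification page.

    'status' is one of:
      not_found           key was never issued (scenario 1: Charlie invents a key)
      recipient_mismatch  key exists but was issued to another customer (scenario 2)
      timestamp_mismatch  key and recipient match, but the email claims to have
                          arrived before it was sent
      ok                  key, recipient and time stamp all agree
    The mismatch result deliberately does not echo the other customer's address:
    comparing server-side gives the same verdict without disclosing it.
    """
    record = _records.get(key)
    if record is None:
        return {"status": "not_found"}
    customer_id, sent_at = record
    if customer_id != claimed_recipient.lower():
        return {"status": "recipient_mismatch"}
    if received_at < sent_at:
        return {"status": "timestamp_mismatch", "sent_at": sent_at}
    return {"status": "ok", "sent_at": sent_at}

if __name__ == "__main__":
    sent = parse_ts("Thu, 6 Oct 2016 21:59:39")
    key = issue_key("Alice@company.com", sent)
    later = parse_ts("Thu, 6 Oct 2016 22:01:10")
    print(verify(key, "alice@company.com", later))               # status: ok
    print(verify(key, "charlie@company.com", later))             # status: recipient_mismatch
    print(verify("not-a-real-key", "alice@company.com", later))  # status: not_found
```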