Sender Spoofing Flashcards

1
Q
A

Sender spoofing is the process of making the sending address in an email look the same as a legitimate email to make the recipients believe it is coming from a genuine sender. This is typically used with credential harvesters where the attacker wants the recipient to believe the email has actually come from the impersonated company so they will be more likely to enter in valid credentials.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How Does Spoofing Work?

A

In a spoofing attack, the malicious actor sends an email with a “From:” address that appears to be from a source the recipient trusts, such as a well-known brand, work colleague, or family member. There is no verification done at this point, so SMTP emails can use any FROM address they want. Want to send an email that looks like it comes from contact@securityblue.team? You can! (But don’t.)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Example Workthrough

A

Example 1 (FROM address)

Let’s put on our black hats and go through an example where we want to phish the user James.Smith@DicksonUnited.co.uk. James has done his security awareness training and is pretty good at spotting suspicious emails. Any email coming from an external domain is probably going to alert him. So let’s pose as the IT service desk at DicksonUnited. We craft an email with the FROM address on our SMTP server set as “ServiceDesk@DicksonUnited.co.uk and send it to James, including a hyperlink to an Office365 credential harvester. James falls for it because on his end the email looks 100% legitimate, and he doesn’t question the call to enter his email details, as he thinks it’s come from the IT Service Desk, which manages email accounts.

Detecting this attack: Although the FROM address will look completely legitimate, we can look at the sending server IP (X-Originating-IP) and perform a WHOis or IP lookup search to determine whether this server actually belongs to the organization the email claims to be from. We will cover email security technology that can prevent these emails, such as SPF, DKIM, and DMARC, which are elaborated on in PA6) Taking Defensive Actions.

Example 2 (FROM address with Reply-to)

If we send an email as contact@amazon.com, and we want the user to reply to us, the reply would actually go to contact@amazon.com, and we don’t want that, as we’ll never see it. That’s where the Reply-to address comes in. When crafting our email, we can set a value for the Reply-to address as an email address that we actually have access to, such as hacktheplanet@gmail.com, and set the From address to contact@amazon.com. Now if the recipient replies, it will be sent to the Gmail address and we can read it.

Detecting this attack: We can look at the Reply-to address and see where replies would be sent. We can then block this address on the email gateway to prevent emails from going outbound to this address. We will cover email security technology that can prevent these emails, such as SPF, DKIM, and DMARC, which are elaborated on in PA6) Taking Defensive Actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly