IT Security Guide to Email Spoofing and Risk Management

Author: Abhinav Sethi | Updated on October 29, 2020 | Email Forensic | Email Forensics | 7 min read

Email spoofing is the forging of a sender's email address to mislead the recipient about the origin of the message. Usually, the sender's intention is to deceive the recipient into opening the email and responding to it. This way, the sender tricks the receiver into sharing sensitive information, clicking a malicious link, and so on.

Email spoofing poses a serious threat to the IT security of any organization (or individual user), where just one successful phishing attack can cause irreversible damage. It can lead to theft of trade secrets or a massive data breach that hurts a company financially, damages its reputation or even leads to legal action. Therefore, it is critically important for companies to be aware of such risks and understand how email spoofing is performed.

The following are some common ways used to perform email spoofing:

1. Display Name Deception

In this technique, the scammer or malicious sender poses as a reputable and legitimate brand to dupe the recipient into sharing personal details, financial transaction details, etc. It exploits a common feature of email clients, especially on mobile devices: by default, these clients display only the name of the sender, not the address. So a receiver may think that they have received the email from a trusted entity, whereas in reality the email address belongs to a malicious sender. See Image 1.

Image 1: An email item viewed on Gmail mobile app

The above image shows an email received on the Gmail mobile app. Note that the app shows only the sender's name (Flipkart, a reputable and well-known brand) by default, rather than the actual email address. However, a sender with any email address can set the display name to Flipkart, and that name, not the address, is what the receiver sees. This is a common way of deceiving email recipients about the actual identity of the sender.

2. Domain Spoofing

When a malicious email sender disguises themselves as a representative of a trusted company by using a fake domain name, one that appears to belong to the company rather than to the sender, it is known as domain spoofing or phishing.

Not all email services verify domain ownership when someone sends an email. Cybercriminals abuse the email handling of these services to display the desired email address in the "From" header along with the name. The email injection attack, which is itself a form of domain spoofing, is an apt example (discussed below) for understanding how this works.

Email Injection Attacks

Image 2: A dummy contact form commonly used on websites for collecting user information

Many websites and web applications use contact forms (like the one shown in Image 2) to collect user enquiries or registration details, triggering emails to the webmaster or admin. These forms typically set email headers that are processed by the email library on the web server. The library turns them into SMTP commands that are then handled by the appropriate SMTP server for the successful transmission of the message. In most cases, everything will work seamlessly and the messages will reach the recipients without a problem. However, there is a risk: if a user's input is not validated before it is processed, the contact form may be vulnerable to email header injection, also known as SMTP header injection.

How Do Email Injection Attacks Work?

Simple Mail Transfer Protocol (SMTP) is a set of communication rules that allow transmission of an email from sender to receiver across the Internet. It interprets a series of commands exchanged between client and server when an email is sent.

An email can be divided into two parts:

  • Body
  • Envelope

The email body is the message that the sender wants to transmit. The envelope consists of commands that SMTP can interpret. The following are some of the commands that you need to know:

  • MAIL FROM: Sets the message sender (the envelope sender).
  • RCPT TO: Sets the message recipient. Can be used multiple times to deliver a message to many people at the same time.
  • DATA: Informs the server that the message data, which includes the email headers and body text, will be sent next.

It's important to remember that email headers are not part of the SMTP protocol. They are used by email clients to display emails in a standard format. The following are some email headers that you need to know:

  • From: Sets the visible sender. This email address can differ from the MAIL FROM address.
  • To: Sets the visible recipient. This can differ from the RCPT TO content.

This is an example of SMTP communication (lines marked ">" are sent by the client, lines marked "<" are the server's replies):

    > MAIL FROM:<yourenemy@email.com>
    < 250 OK
    > RCPT TO:<victim@useremail.com>
    < 250 OK
    > DATA
    < 354 Send message content; end with <CRLF>.<CRLF>
    > Content-Type: text/html
    > Date: Wed, 15 April 2020 00:04:05
    > From: Your Friend <yourfriend@email.com>
    > Subject: Need Your Help
    > To: Victim <victim@useremail.com>
    >
    > Hey Pal!
    > Hope you are doing well. Actually, I am writing to you coz I need money on an urgent basis. It's for my mom's emergency surgery. I will call you later to explain but for now, I am not asking for a specific amount. Just please send as much money as you are comfortable parting with. Here is the link to my bank account: www.maliciouswebsiteaddress.com . Please try to send as soon as you get this.
    > --
    > Love You Man!
    > Your Friend
    > .
    < 250 OK

The above email will be received by victim@useremail.com. However, the recipient will see that it was sent by Your Friend (yourfriend@email.com), not yourenemy@email.com. This is how a cybercriminal can deceive the recipient.
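As an added example (not part of the original article), the following Python code parses a delivered copy of a message like the one above and compares the envelope sender, which the receiving server records in the Return-Path header, with the visible From header and display name. The sample messages and addresses are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed messages as they might sit in a mailbox after delivery. The
# receiving server records the SMTP envelope sender (MAIL FROM) in the
# Return-Path header; the From header is whatever the sender wrote in DATA.
RAW_SPOOFED = (
    "Return-Path: <yourenemy@email.com>\r\n"
    "From: Your Friend <yourfriend@email.com>\r\n"
    "To: Victim <victim@useremail.com>\r\n"
    "Subject: Need Your Help\r\n"
    "\r\n"
    "Hey Pal!\r\n"
)
RAW_LEGIT = (
    "Return-Path: <yourfriend@email.com>\r\n"
    "From: Your Friend <yourfriend@email.com>\r\n"
    "To: Victim <victim@useremail.com>\r\n"
    "Subject: Lunch?\r\n"
    "\r\n"
    "Noon works for me.\r\n"
)


def domain_of(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_sender(raw):
    """Compare the envelope sender with the visible From header.

    'address_mismatch' is true when the two addresses differ at all.
    'domain_mismatch' is the coarser test DMARC alignment applies (domain
    only); in the spoofed sample both addresses share email.com, so that
    test alone would not catch it.
    """
    msg = email.message_from_string(raw)
    display_name, header_from = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    envelope, header_from = envelope.lower(), header_from.lower()
    return {
        "display_name": display_name,       # all a mobile client may show
        "envelope_sender": envelope,
        "header_from": header_from,
        "address_mismatch": envelope != header_from,
        "domain_mismatch": domain_of(envelope) != domain_of(header_from),
    }
```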

Email libraries used in web programming languages don't usually allow you to add envelope commands directly. However, if you supply email headers, the libraries convert them into the appropriate SMTP commands. Cybercriminals exploit this behaviour: by supplying extra headers in the form input, they get the library to emit SMTP commands they could not issue themselves.

How to Avoid Email Header Injection Attacks?

Email header injection attacks can be mitigated by validating users' input in contact forms. You should ensure that a user isn't able to insert newline characters (CR or LF) in any field, as these characters are what allow attackers to append email headers. A simple way to achieve this is to create and enforce a whitelist of authorized characters for each field.
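The following Python code is an added example, not the article's own, showing the vulnerable pattern (form fields concatenated straight into header lines) beside a validating version that enforces a per-field whitelist; the form submissions and regular expressions are constructed for illustration.

```python
import re

# Constructed contact-form submissions. The second one carries a CR/LF pair
# followed by an extra header line in the "name" field, which is the input
# an unvalidated form would pass straight into the mail library.
SAFE_FORM = {"name": "Jane Doe", "email": "jane@example.com", "message": "Hello"}
INJECTED_FORM = {
    "name": "Jane Doe\r\nBcc: everyone@example.com",
    "email": "jane@example.com",
    "message": "Hello",
}

# Whitelists for the single-line fields that end up in headers. Neither
# character class admits CR, LF or any other control character.
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def build_headers_naive(form):
    """Vulnerable pattern: form fields are concatenated into header lines."""
    return (
        f"From: {form['name']} <{form['email']}>\r\n"
        "To: webmaster@example.com\r\n"
        "Subject: Contact form\r\n"
    )


def validate_form(form):
    """Hardened step: reject any field that is not entirely whitelisted."""
    if not NAME_RE.fullmatch(form["name"]):
        raise ValueError("name contains characters outside the whitelist")
    if not EMAIL_RE.fullmatch(form["email"]):
        raise ValueError("email address is malformed")
    return form


def build_headers_safe(form):
    """Same header construction, but only after validation succeeds."""
    return build_headers_naive(validate_form(form))


def form_is_valid(form):
    try:
        validate_form(form)
        return True
    except ValueError:
        return False


def header_names(raw_headers):
    """Header names a mail library would emit for this block of lines."""
    return [line.split(":", 1)[0] for line in raw_headers.split("\r\n") if line]
```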

3. IDN Homograph Attacks: Visual Spoofing

Take a look at the following domains:

www.ɡoogle.com
www.google.com

They both are Google's web addresses, right? The answer is actually "no". The two addresses may look identical to an average web user, but for a computer there is an important distinction between them: the "g" in the first URL is LATIN SMALL LETTER SCRIPT G (Unicode U+0261), while in the second it is LATIN SMALL LETTER G (U+0067). Computers see this difference and treat the two domain names as different.

In the Latin letter system, many common characters look visually the same as characters from other scripts, but their hexadecimal code points are different. These look-alike letters, called homoglyphs, can pose serious security threats. Let's take an example to understand the problem in a real-world situation.

We know that the technology giant Apple has an official website at www.apple.com. However, someone can register a visually similar domain name www.apple.com in which the a and e characters are borrowed from the Cyrillic letter system and have different Unicode values (U+0430 and U+0435, compared with U+0061 and U+0065 for the same letters in the Latin letter system). So, if someone receives an email from an address that looks like customercare@apple.com, they will believe it's from Apple, the iconic smartphone company. Trusting this email will be easy for the recipients, and they may fall for a phishing attack.

Note: In your email view, both customercare@apple.com and customercare@apple.com will look visually identical.

Preventive Measures: Multiple measures can be taken to prevent homograph attacks. You can configure browsers so that they don't support Internationalizing Domain Names in Applications (IDNA). You can also block websites with International Domain Names (IDNs) that use other scripts, such as Cyrillic.
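The following Python code, an added example rather than the article's own, applies this check to the domains discussed above: it lists every non-ASCII character with its code point, flags labels that mix scripts, and shows the IDNA (xn--) form that DNS actually resolves. The sample domains are constructed from the code points given in the text.

```python
import unicodedata

# Constructed sender domains. The first is plain ASCII; the second uses
# LATIN SMALL LETTER SCRIPT G (U+0261) in place of g; the third uses
# Cyrillic a (U+0430) and ie (U+0435) in place of Latin a and e.
DOMAINS = ["www.google.com", "www.\u0261oogle.com", "www.\u0430ppl\u0435.com"]


def non_ascii_chars(domain):
    """Every non-ASCII character with its code point and Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in domain if ord(ch) > 0x7F]


def scripts_in(label):
    """Script names (first word of the Unicode name) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def to_ascii(domain):
    """IDNA (punycode) form, which is what DNS and the mail server resolve."""
    return domain.encode("idna").decode("ascii")


def assess_domain(domain):
    """Classify a domain: 'ascii', 'mixed-script' (several scripts inside one
    label, e.g. Cyrillic letters inside a Latin word) or 'non-ascii' (a
    single non-Latin or look-alike Latin script, like the script g case)."""
    if all(ord(ch) < 0x80 for ch in domain):
        return "ascii"
    if any(len(scripts_in(label)) > 1 for label in domain.split(".")):
        return "mixed-script"
    return "non-ascii"


def email_domain_verdict(address):
    """Apply the check to the domain part of a sender address."""
    domain = address.rsplit("@", 1)[-1]
    return assess_domain(domain), to_ascii(domain)
```

Either non-ASCII verdict is worth surfacing to the user alongside the xn-- form, since the rendered Unicode string is exactly what the homograph relies on.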

Your Responsibility Towards IT Security

To fortify your IT security, you must adopt a multi-pronged approach. For instance, you can implement the three pillars of email security, DKIM, SPF and DMARC, to ensure that both inbound and outbound emails are properly validated. You should also keep yourself and your staff abreast of emerging techniques and trends in email security through regular training sessions.
