Email spoofing is a technique to trick users into thinking a message came from a trustworthy source.
Email spoofing is made possible by the message structure and lack of verification of control headers in the dominant mail protocol — SMTP.
Email structure
An email message consists of the following structural elements:
- SMTP envelope. This element contains the real sender and recipient addresses. It is not displayed in mail clients.
- Headers. These give information about the sender, recipient, date and subject of the message, and are displayed in mail clients. There are two main headers that can contain the sender’s address:
  - From — this field contains the sender’s name and the address from which the message was sent. Some mail clients show only the name by default, which must be clicked to see the address.
  - Reply-to — this field contains the address to which replies will be sent. It may differ from the sender’s address. Most mail clients do not show this address by default, but do allow you to customize its display.
- Message body. This is the content of the message: text, attachments, etc.
Ways to spoof the sender’s address
There are several kinds of email spoofing.
Lookalike domain. The headers display the real sender’s address, which is similar to the address of the organization that the cybercriminals are imitating. To mimic another’s address (for example, info@example.com), attackers can use:
- A top-level domain with a spelling similar to the original. For example, info@example.co.
- A .com second-level domain with a country-code top-level domain. For example, info@example.com.ru.
- A second-level domain that differs from the organization’s real domain by one or two characters. For example, info@exampIe.com with an uppercase i instead of a lowercase L.
- A second-level domain that evokes associations with the company being imitated. For example, info@example-support.com.
- The name of the company being imitated as the mailbox name. The mailbox itself is located in a public domain. For example, info.example@mail.ru.
Spoofing the sender’s name. In this case, the From and Reply-to headers contain the real address of the attackers, while the sender’s name is faked. This type of spoofing is effective in mail clients that display only the name by default, such as mobile ones.
As the sender’s name attackers can specify:
- Only a fake name (title, position). In this case, the From field will look something like Bob <alice@mail.ru>.
- A fake name with a fake email address. This technique is known as ghost spoofing. In this case, the From field will look something like Bob <bob@example.com> <alice@mail.ru>.
Changing the From and Reply-to fields. Since SMTP does not verify the content of headers in any way, an attacker can spoof not only the sender’s name, but also the email addresses in the From and Reply-to fields. In this case, it is almost impossible for the recipient to distinguish a fake email from a genuine one.
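The following checker, added here as an illustration and not part of the original text, parses the From and Reply-to headers described in the "Email structure" section and flags the spoofing patterns listed above: each lookalike-domain variant, display-name and ghost spoofing, and a Reply-to pointing at a different domain. The trusted domain, the contact list, the public-mailbox domains and the sample messages are all constructed for the demonstration; a real mail gateway would also have the SMTP envelope and authentication results, which a delivered message no longer carries.

```python
"""
Flag sender-spoofing patterns in the From / Reply-To headers of a message.
Added example: TRUSTED_DOMAIN, KNOWN_CONTACTS, PUBLIC_DOMAINS and the
sample messages are constructed for the demonstration.
"""
import email
import re

TRUSTED_DOMAIN = "example.com"                 # constructed: the imitated company
TRUSTED_LABEL = TRUSTED_DOMAIN.split(".")[0]   # "example"
KNOWN_CONTACTS = {"bob": "bob@example.com"}    # constructed address book
PUBLIC_DOMAINS = {"mail.ru", "gmail.com", "outlook.com"}
# Visually confusable characters often swapped into lookalike domains.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "5": "s"})
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
ANY_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def split_header(value):
    """Return (display_text, address). The address is the LAST angle-addr, so
    'Bob <bob@example.com> <alice@mail.ru>' keeps the decoy address in the
    display text, mirroring the ghost-spoofing description above."""
    addrs = ANGLE_ADDR.findall(value)
    if not addrs:
        return "", value.strip()
    return value[: value.rfind("<")].strip().strip('"'), addrs[-1]


def edit_distance(a, b):
    """Levenshtein distance, for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(address):
    """Classify the domain of an address against TRUSTED_DOMAIN."""
    local, _, domain = address.rpartition("@")
    if domain.lower() == TRUSTED_DOMAIN:
        return []
    findings = []
    normalized = domain.translate(CONFUSABLES).lower()
    label = normalized.split(".")[0]
    if normalized == TRUSTED_DOMAIN:
        findings.append("lookalike-homoglyph")       # exampIe.com
    elif normalized.startswith(TRUSTED_DOMAIN + "."):
        findings.append("lookalike-appended-cctld")  # example.com.ru
    elif label == TRUSTED_LABEL:
        findings.append("lookalike-tld")             # example.co
    elif edit_distance(label, TRUSTED_LABEL) <= 2:
        findings.append("lookalike-typo")            # exmaple.com
    elif TRUSTED_LABEL in label:
        findings.append("lookalike-associative")     # example-support.com
    if normalized in PUBLIC_DOMAINS and TRUSTED_LABEL in local.lower():
        findings.append("lookalike-public-mailbox")  # info.example@mail.ru
    return findings


def analyze(raw_message):
    """Return sorted finding codes for one raw RFC 5322 message. Only headers
    are inspected; the SMTP envelope is not part of the delivered message."""
    msg = email.message_from_string(raw_message)
    display, from_addr = split_header(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = set(domain_findings(from_addr))
    # Ghost spoofing: the display text carries a decoy address that differs
    # from the address the message actually comes from.
    decoy = ANY_ADDR.search(display)
    if decoy and decoy.group(0).lower() != from_addr.lower():
        findings.add("ghost-spoofing")
    # Display-name spoofing: a contact we know, from a domain we do not.
    known = KNOWN_CONTACTS.get(display.split("<")[0].strip().lower())
    if known and known.rpartition("@")[2] != from_domain:
        findings.add("display-name-spoofing")
    # Reply-To routed to a domain other than the visible sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = split_header(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.add("reply-to-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    samples = [  # constructed messages, one per pattern described above
        "From: Alice <alice@example.com>\n\nlegitimate",
        "From: Bob <bob@example.com> <alice@mail.ru>\n\nghost spoofing",
        "From: Example Support <info@exampIe.com>\nReply-To: billing@example-support.com\n\n",
        "From: info.example@mail.ru\n\n",
    ]
    for raw in samples:
        print(raw.splitlines()[0], "->", analyze(raw) or ["no findings"])
```

The checker deliberately takes the last angle-bracketed address as the real one, because the ghost-spoofing header shown above is malformed and mail clients disagree on how to render it; a gateway rule should therefore treat any From header containing more than one address as suspicious in itself.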
Email spoofing in practice
Email spoofing has both legitimate and malicious applications. Legitimate spoofing is used:
- When a company hires external contractors for certain tasks, but their emails must appear to clients as if from the company’s address.
- When a company does not want to disclose the addresses of specific employees who correspond with clients through an alias, such as sales@example.com.
With legitimate email spoofing, the From and Reply-to headers are changed completely.
Malicious purposes include:
- Spam. Cybercriminals send messages in the name of well-known companies or contacts of the recipient.
- Phishing. Attackers fake the email addresses of services to lure the victim to visit a phishing site and enter their account credentials.
- Business email compromise (BEC). Cybercriminals pretend to be employees, clients, partners, or contractors of the company to get real employees to transfer money to them or give out confidential information.
- Extortion. Fraudsters send the victim an email seemingly from the latter’s own address, claiming to have hacked their mail account, and demand a ransom to restore access or blackmail them with private information allegedly stolen as a result of the hack.
Protection against email spoofing
To protect against email spoofing at the corporate level, there is a set of technologies that cover the weaknesses of the SMTP protocol:
- Sender Policy Framework (SPF) checks the authenticity of the mail server from which the message arrived.
- DomainKeys Identified Mail (DKIM) uses a digital signature to protect messages from forgery.
- Domain-based Message Authentication, Reporting and Conformance (DMARC) is used to manage and enhance SPF and DKIM.
The downside of these security technologies is that they are not used by all companies. To guarantee authentication, the technology must be supported by both the sender and the recipient. Nevertheless, a company that has implemented SPF, DKIM, and/or DMARC can at least protect internal correspondence from spoofing.
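To make concrete how SPF, DKIM and DMARC fit together, and why the recipient's side matters, here is an added example (not code from the original text) that evaluates an SPF record and a DMARC policy offline against a constructed delivery. The DNS records, IP addresses and domains are constructed; the DKIM signature result is passed in as a flag rather than verified, and the `a`, `mx` and `include` SPF mechanisms are omitted because they need live DNS lookups. The point it shows is that SPF alone authenticates the envelope sender, so a spoofed From header is only stopped when the receiver enforces the domain's DMARC policy, and a domain that publishes no policy is delivered regardless.

```python
"""
Offline SPF evaluation and DMARC alignment / disposition for one delivery.
Added example with constructed DNS data; not the page's or any vendor's code.
"""
import ipaddress

# Constructed TXT records a receiving server would look up via DNS.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=s",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip):
    """Evaluate the ip4 / ip6 / all mechanisms of a domain's SPF record
    against the connecting IP. Returns the SPF result string."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"                     # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        if mech == "all":
            return QUALIFIERS[qual]
        name, _, arg = mech.partition(":")
        # 'in' is False across IP versions, so an ip4 term never matches an IPv6 client
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"                      # no 'all' term: nothing matched


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (real
    receivers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organisational domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def check_dmarc(from_domain, mail_from_domain, client_ip,
                dkim_domain=None, dkim_valid=False):
    """Return (dmarc_result, disposition) for the From-header domain."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return "none", "deliver"          # no policy to enforce
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    spf_ok = (check_spf(mail_from_domain, client_ip) == "pass"
              and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_valid and dkim_domain
                   and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "deliver")


if __name__ == "__main__":
    # Constructed deliveries: genuine, From-header spoofed, forwarded with DKIM,
    # and a domain that never published DMARC.
    print(check_dmarc("example.com", "example.com", "192.0.2.10"))
    print(check_dmarc("example.com", "attacker.invalid", "198.51.100.7"))
    print(check_dmarc("example.com", "example.com", "203.0.113.9",
                      dkim_domain="example.com", dkim_valid=True))
    print(check_dmarc("unprotected.invalid", "attacker.invalid", "198.51.100.7"))
```

The strict `adkim=s` tag in the constructed record means a DKIM signature from `mail.example.com` does not align with a From header of `example.com`; relaxing it to `adkim=r` is the usual fix when a company's own subdomains sign on its behalf.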