Email Spoofing — Part 1

Eric Pinkerton
Hive Intelligence

--

Hivint continues to see a notable increase in Business Email Compromise (BEC), or CEO Fraud, attacks: a type of social engineering attack that targets people in executive positions or their assistants, board members, and staff in accounting or finance departments.

The premise is simple. An attacker crafts an email, or a series of emails, in which they pretend to be someone else within your organisation, in a bid to convince the recipient to transfer money to bank accounts the attacker controls.

The sophistication of these attacks varies, but the rewards can be very substantial: Mattel transferred $3 million, and FACC, a supplier to Boeing and Airbus, lost around $47 million. That gives scammers a strong incentive to run these attacks as highly orchestrated campaigns spanning many weeks, expending a great deal of time and effort on gathering intelligence so that the emails appear perfect.

The request itself will generally carry a sense of urgency, and it will be executed using a range of phishing techniques: anything from compromised domain credentials to look-alike domains, spoofed email addresses, and even phone calls.

Successful attacks have averaged transfers of around $50,000, and these funds are rarely recovered.

This year the FBI announced that USD $5.3 billion was lost to BEC scams between October 2013 and December 2016.

During a recent engagement to assess an organisation's resilience to malware and phishing attacks, we carried out some testing to establish how its email infrastructure behaved, and were surprised by the ease with which we were able to spoof internal users of that organisation.

This blog post is the first in a series that will look at some of the scenarios that can lead to your employees falling victim to such a scam.

Scenario 1: Attacker Masquerades as an Internal User

In this scenario, the attacker may go to great lengths to format the email so that it mirrors the normal tone of internal correspondence, perhaps by communicating with the victims beforehand in order to obtain email signatures and sign-off details.

Figure 1 — Attacker pretends to be a Legitimate User

In this scenario, the email is sent from an external server, but Alice's address is supplied as the From: header, so to Bob it appears to have come from her.

What is interesting about this scenario is that in some cases where organisations use O365 or Exchange, we have observed that the receiving email server will not only accept this email but add legitimacy to it: because the From: address matches a directory entry, Bob's email client appends Alice's photo from the Global Address List.

The caveat with this scenario, from the attacker's perspective, is that if Bob replies, the reply will go to the real Alice, who will raise the alarm. The attacker may therefore try to discourage a response in the wording of the email, or add a Reply-To header pointing at a mailbox they control so that a reply never reaches Alice.

Figure 2 — Note the Contact Photo added by the email system

Issue Validation

It is relatively easy to test how your email system behaves in this scenario, should you wish to do so, using the following steps.

1. Choose a marketing email provider and set up an account (in our testing we used sendgrid.com, because it is relatively simple to use and a free account can be set up in minutes).

2. Create a new email account in your email client of choice, using the address of one of your colleagues as the sender and the outgoing (SMTP) server details of the provider you chose above. You will also have to populate the incoming server details; this will throw an error, which you can ignore, as we are only sending mail, not receiving it.

Figure 3 — Outlook Account Settings

3. Send an email to your own organisational email address, ensuring that you select your newly created spoof account in the From: dialogue.

4. If the email arrives in your organisational inbox, your organisation is vulnerable to spoofing. (NB: if it does not appear in your inbox, check the Junk Mail folder. Sending through SendGrid or an equivalent reputable provider is intended to stop the message being junked purely on the sending server's reputation, so that the test exercises your anti-spoofing controls rather than your spam filter.)
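The same test can be scripted rather than driven through an Outlook account, which makes it repeatable after a configuration change. The script below is an added example, not part of the original post: it builds the message from steps 2 and 3 and submits it through an authenticated SMTP relay only when SPOOF_SEND=1 is set. The relay host, port and credentials come from environment variables and are assumptions; nothing here is specific to SendGrid beyond "an authenticated SMTP relay". Note that the SMTP envelope sender (MAIL FROM) is independent of the visible From: header, and relay providers commonly substitute their own bounce address for it, which is why a spoofed From: header survives a check of the envelope alone.

```python
"""Spoofed-sender test message from steps 1 to 4 above (added example).

Sends only when SPOOF_SEND=1 is set; otherwise it prints the message that
would be sent. Relay host, port and credentials are read from environment
variables and are assumptions, not SendGrid specifics.
"""
import os
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr


def build_test_message(spoofed_from, recipient, marker="SPOOF-TEST"):
    """Message whose visible From: is a colleague's address: the header Bob sees."""
    msg = EmailMessage()
    msg["From"] = spoofed_from
    msg["To"] = recipient
    msg["Subject"] = f"[{marker}] authorised internal spoofing check"
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(
        "This is an authorised test of the mail gateway's anti-spoofing controls.\n"
        f"If you are reading this in your inbox, a message claiming to be from {spoofed_from}\n"
        "was accepted from an external relay. Do not act on it; report it to security.\n"
    )
    return msg


def envelope_for(msg, envelope_from=None):
    """SMTP envelope (MAIL FROM, RCPT TO) that will actually be used.

    The envelope sender is independent of the From: header and is what SPF
    checks; a relay may substitute its own bounce address here, which is why
    SPF alone does not stop a spoofed From: header.
    """
    mail_from = envelope_from or parseaddr(msg["From"])[1]
    rcpt_to = [parseaddr(msg["To"])[1]]
    return mail_from, rcpt_to


def send_via_relay(msg, host, port, username, password, envelope_from=None):
    """Submit the message through an authenticated SMTP relay (step 3)."""
    mail_from, rcpt_to = envelope_for(msg, envelope_from)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(username, password)
        smtp.send_message(msg, from_addr=mail_from, to_addrs=rcpt_to)
    return mail_from, rcpt_to


def verdict(landed_in):
    """Step 4: 'inbox', 'junk' or None (never delivered) -> what it means."""
    return {
        "inbox": "vulnerable: spoofed internal sender accepted and presented as trusted",
        "junk": "partially mitigated: accepted but flagged; users can still open it",
        None: "blocked: the gateway rejected or discarded the spoofed message",
    }[landed_in]


if __name__ == "__main__":
    # Hypothetical addresses; use a colleague's real address and your own mailbox.
    msg = build_test_message(os.environ.get("SPOOF_FROM", "alice@example.com"),
                             os.environ.get("SPOOF_TO", "bob@example.com"))
    print(msg.as_string())
    if os.environ.get("SPOOF_SEND") == "1":
        send_via_relay(msg, os.environ["RELAY_HOST"], int(os.environ.get("RELAY_PORT", "587")),
                       os.environ["RELAY_USER"], os.environ["RELAY_PASS"],
                       envelope_from=os.environ.get("ENVELOPE_FROM"))
```

Run it once without SPOOF_SEND to review the headers, then with SPOOF_SEND=1 against your own mailbox only, with the recipient's agreement; the marker in the Subject: line keeps the test messages easy to find and to exclude from any later investigation.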

Mitigating this Attack

The solution to this problem will differ from company to company depending on your choice of technology, and there are likely to be several junctions at which spoofed emails can be blocked; the following approaches address some of the most common technologies.

Caveat Emptor

Before proceeding, be aware that blanket blocking of email that claims to be from your internal domain but arrives from external sources will, in some circumstances, break legitimate existing functionality. You should first seek to understand any third-party reliance on this behaviour so that you can add exceptions for it.

Common scenarios where this is employed include the use of:

  • Automated Ticketing Exchange with Managed Service Providers
  • Software as a Service applications configured to deliver email to internal users, for example for report delivery
  • Any external companies engaged to generate and send out information on your behalf

Control Implementation

The following providers have written knowledge-base articles on mitigating these threats.

Symantec (Messagelabs)

O365 and Exchange

GSuite
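One junction the provider articles above have in common is the domain's own SPF and DMARC records, which tell a receiving server whether mail claiming to come from your domain should be accepted from a server you have not listed, and which is where the exceptions from the Caveat Emptor section end up (as include: terms or listed addresses). The evaluator below is an added example, not the original post's code nor any provider's implementation: it replaces DNS with a constructed table of records, and the domains, IP addresses and records are made up for illustration. It shows why the test in steps 1 to 4 succeeds when the domain publishes p=none, and what changes at p=reject, while legitimate traffic from an authorised third party (here a hypothetical MSP ticketing system) continues to pass.

```python
"""Offline SPF and DMARC evaluation of the spoofing scenario (added example).

Not the original post's code nor any provider's implementation. DNS lookups
are replaced by the constructed SPF_RECORDS table; domains, IPs and records
below are made up for illustration.
"""
import ipaddress

# Constructed stand-ins for TXT records. example.com authorises its own mail
# servers plus an MSP ticketing system (one of the "Caveat Emptor" exceptions).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:ticketing.example -all",
    "ticketing.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",  # relay used for the spoof test
}
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_REJECT = "v=DMARC1; p=reject; aspf=s; adkim=s"

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def spf_result(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate ip4/ip6/include/all for sender_ip against the domain's record."""
    if domain not in records or depth > 10:  # RFC 7208 caps include recursion
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(records[domain]):
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across IP versions
        elif mech == "include":
            matched = spf_result(arg, sender_ip, records, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False  # a, mx, exists, redirect need live DNS; skipped offline
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=...; aspf=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Last two labels; real receivers use the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(a, b, mode):
    return a.lower() == b.lower() if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_disposition(header_from, mail_from, sender_ip, dmarc_record, dkim_domain=None):
    """'pass' if SPF or DKIM passes with an aligned domain; otherwise the p= policy."""
    tags = parse_dmarc(dmarc_record)
    from_domain = header_from.rsplit("@", 1)[1]
    mfrom_domain = mail_from.rsplit("@", 1)[1]
    spf_ok = (spf_result(mfrom_domain, sender_ip) == "pass"
              and aligned(mfrom_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def scenarios(dmarc_record):
    """Four deliveries a gateway might see, keyed by who really sent them."""
    return {
        # Step 3 of the test: the relay uses its own bounce address as MAIL FROM.
        "spoof via relay": dmarc_disposition("alice@example.com", "bounce@bulk-relay.example",
                                             "198.51.100.7", dmarc_record),
        # Attacker forges the envelope sender too; SPF now fails outright.
        "spoof with forged envelope": dmarc_disposition("alice@example.com", "alice@example.com",
                                                        "198.51.100.7", dmarc_record),
        # Legitimate MSP ticketing traffic, authorised by the include: term.
        "msp ticketing": dmarc_disposition("tickets@example.com", "tickets@example.com",
                                           "192.0.2.10", dmarc_record),
        # Mail from the organisation's own server.
        "internal server": dmarc_disposition("alice@example.com", "alice@example.com",
                                             "203.0.113.5", dmarc_record),
    }
```

Under DMARC_NONE both spoofed deliveries come back "none" and are left to the receiving gateway's discretion, which is the situation observed in the engagement; under DMARC_REJECT they come back "reject" while the ticketing and internal cases still pass. The inbound rules in the provider articles are the other half: a receiver only honours p=reject if it evaluates DMARC at all, and the transport rules and exception lists there are what stop spoofs when the sending domain has not yet reached p=reject.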

Other Considerations

Hivint can carry out these tests for you and assess the resilience of your technological controls against these types of attacks, the awareness of your employees, and the robustness of your processes.

Good security is where all of these factors are working in balance to provide a layered defence.
