Email Spoofing for Beginners

Hello everyone, greetings to all.
In this article, I'll talk about email spoofing in a little depth.
So, first of all:
What is Email Spoofing?
If you already know about email spoofing, congratulations. But don't worry if you don't.
Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. It's not a new technique. It's a very old technique and still widely used in phishing and scamming.
This article is going to be interesting, and I'll try to keep this long article as short and simple as possible.
Recently, a friend asked me:
How is it possible to spoof an email?
There are a lot of questions related to this issue.
When is a Domain Spoofable?
Spoofing an email is simple because the core email protocol (SMTP) has no authentication mechanism of its own. Anyone with a little basic knowledge can send an email with any sender's address to anyone on the planet.
Simply put:
Because of mail server misconfiguration, attackers can take advantage of this and easily spoof anyone's email.
What's a Misconfiguration?
- Absence of SPF/DMARC/DKIM records.
- Misconfigured or incorrect records.
- Insecure policy, or no policy, set on the records.
Is it possible to prevent this?
Yes, of course. It's possible to prevent this completely.
Let's discuss the countermeasures and the types of records.
SPF:
A Sender Policy Framework (SPF) record is a type of DNS TXT record that identifies which mail servers are permitted to send email on behalf of your domain.
It is an email authentication method designed to detect forged sender addresses in emails, a technique often used in phishing and email spam. SPF allows the receiver to check that an email claiming to come from a specific domain comes from an IP address authorized by that domain's administrators.
DMARC:
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is built on top of two existing mechanisms, SPF and DKIM. It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.
DKIM:
DomainKeys Identified Mail (DKIM) is a form of email authentication that works via a digital signature and makes it easier to identify spoofed emails. The sending mail server signs the email with a private key, and the receiving mail server uses the public key published in the domain's DNS to verify the signature. One domain can have several DKIM public keys listed in DNS, but each matching private key is held on only one mail server.
Many companies have an SPF record and think that they are safe.
But due to misconfigurations in SPF, it is still possible to spoof their email easily, for example:
Too many included DNS lookups, duplicate records, IP ranges, etc.
"Your SPF record authenticates the entire internet. Spammers are using your domain."
Other misconfigurations in the SPF mechanism include:
Invalid syntax.
SPF record set to Neutral (?) or SoftFail (~) instead of strict HardFail (-).
SoftFail example: v=spf1 include:spf.site.com ~all
When you receive an email that has an SPF issue, it looks like this:
The above email has either no SPF record or SPF set to Neutral.
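To make the misconfigurations listed above concrete, here is an added Python example (not code from the original article) that audits SPF and DMARC TXT records for the weak settings just described: a missing record, duplicate records, too many DNS-querying terms (the limit of 10 comes from RFC 7208), a '+all', '?all' or '~all' qualifier, and a DMARC policy of p=none. It works on record strings you pass in, so it runs offline; the sample records, including the spf.site.com domain and the 192.0.2.10 address, are constructed for this example. Auditing your own domain means fetching the TXT records for the apex and for _dmarc.<domain> first.

```python
import re

# RFC 7208 limits the number of DNS-querying mechanisms and modifiers
# (include, a, mx, ptr, exists, redirect) to 10 per SPF evaluation;
# beyond that the record evaluates to permerror.
SPF_LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# One SPF term: optional qualifier, mechanism/modifier name, optional argument
# introduced by ':' (mechanisms), '=' (modifiers) or '/' (CIDR on a/mx).
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def audit_spf(txt_records):
    """Return findings for the TXT records published at the domain apex.

    txt_records is the list of TXT strings for the domain; only those
    starting with 'v=spf1' are SPF. An empty result means no finding.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send for this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("duplicate SPF records: receivers treat this as permerror")
    lookups = 0
    all_qualifier = None
    for term in spf[0].split()[1:]:  # skip the 'v=spf1' version tag
        match = TERM_RE.match(term)
        if not match:
            findings.append(f"invalid syntax in term {term!r}")
            continue
        qualifier, name, _argument = match.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # a missing qualifier means '+'
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(
            f"{lookups} DNS-querying terms exceed the limit of {SPF_LOOKUP_LIMIT}: permerror"
        )
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorises the entire internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' (neutral) treats spoofed mail like mail with no SPF")
    elif all_qualifier == "~":
        findings.append("'~all' (softfail) only tags spoofed mail; use '-all'")
    return findings


def audit_dmarc(txt_records):
    """Return findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: an SPF fail never becomes a reject"]
    tags = {}
    for part in dmarc[0].split(";"):  # 'tag=value' pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: the record enforces nothing")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


# Constructed sample records: the article's softfail/p=none pair beside a
# strict pair. spf.site.com and 192.0.2.10 are placeholders.
WEAK_SPF = ["v=spf1 include:spf.site.com ~all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@site.com"]
STRICT_SPF = ["v=spf1 ip4:192.0.2.10 include:spf.site.com -all"]
STRICT_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@site.com"]

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(label, audit_spf(spf) + audit_dmarc(dmarc) or ["no findings"])
```

The strict pair produces no findings; the weak pair reports the '~all' qualifier and the p=none policy, which are exactly the two conditions the article says make a domain spoofable straight into the inbox.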
Let's talk about DMARC.
If the company has an SPF record but is missing DMARC, or has a misconfigured DMARC, it is possible to spoof their email straight into the inbox.
If DMARC is missing or set to 'p=none;', SPF effectively fails open. When a spoofed email is sent, the receiver checks SPF, which fails, then looks at DMARC for what to do next. If no DMARC record exists, the spoofed email is accepted.
If you have no DMARC, attackers can easily spoof your email.
And if you have a valid DMARC record but the policy is set to none (p=none), your email is still spoofable.
Just set a reject policy on DMARC.
So, DMARC is just as important as SPF.
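To show why a missing or p=none DMARC record lets a spoofed email through while p=reject stops it, here is an added Python example (not from the original article) of the decision a receiving mail server makes after its SPF and DKIM checks. The authentication results are constructed inputs rather than real lookups, the site.com domain is a placeholder, and relaxed alignment is approximated by comparing the last two labels instead of consulting a public-suffix list (an assumption made for this example).

```python
def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tags and values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def organizational_domain(domain):
    """Approximation for relaxed alignment: keep the last two labels.
    A real receiver consults the public-suffix list here (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dmarc_record):
    """Return (dmarc_result, action) for one message.

    from_domain:  domain of the From: header the user sees
    spf_result:   'pass' or 'fail' for the envelope sender domain spf_domain
    dkim_result:  'pass' or 'fail'; dkim_domain is the d= of the verified
                  signature, or None when there is no signature
    dmarc_record: the _dmarc TXT string, or None when the domain has none
    """
    if dmarc_record is None:
        # No policy to consult, so the SPF failure has no consequence.
        return ("none", "accept")
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    # Authentication failed: the p= tag decides, and p=none means deliver anyway.
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p"), "accept")
    return ("fail", action)


# Constructed scenario: a message claiming From: someone@site.com that was
# not sent by site.com's servers (SPF fails) and carries no DKIM signature.
SPOOFED = dict(from_domain="site.com", spf_result="fail", spf_domain="site.com",
               dkim_result="fail", dkim_domain=None)

if __name__ == "__main__":
    for record in (None, "v=DMARC1; p=none", "v=DMARC1; p=quarantine", "v=DMARC1; p=reject"):
        print(repr(record), "->", dmarc_disposition(dmarc_record=record, **SPOOFED))
```

Running it shows the same spoofed message being accepted with no record or with p=none, quarantined with p=quarantine, and rejected only with p=reject; a legitimate message from a site.com mail host with SPF pass still passes under relaxed alignment, which is why turning on p=reject does not break your own mail as long as SPF (or DKIM) is set up correctly.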
Now, let's discuss the attack.
How do hackers send fake or spoofed emails?
Some script kiddies use emkei.cz, which is very popular for email spoofing but also very common. Sometimes emkei emails end up in the spam folder, so use your own code.
Why spam?
Mail servers rely on spam filters.
Spam filters run an assortment of criteria in a checklist which they use to form an overall view of the validity of incoming mail.
A spam filter looks for malicious scripts or images and also checks the header and email body content to identify common spam phrases, like "hack", and repeated words.
Spam filters compute a spam score.
Generally, your email should have a score of 5.0 or lower to be considered passing.
The higher the positive score for your email, the higher the probability that the message is spam.
The lower your score, the more likely your email is going to be received in your subscribers' inboxes.
So, when spoofing an email, some script kiddies don't follow this pattern and push up the spam score; that's why their email ends up in the spam folder.
So, just vary the contents of the subject or text field and don't repeat the same contents.
Here is the piece of exploit code, a simple PHP script that sends an email and is used for email spoofing:
<?php
// mail() hands the message to the local MTA unchanged; nothing here is
// verified, which is exactly why the receiving side needs SPF, DKIM and DMARC.
$to = "victim@example.com";        // recipient address
$subject = "Pentest";              // subject line
$txt = "Pentesting";               // message body
$headers = "From: victim@example"; // the From: header is whatever string is put here
mail($to, $subject, $txt, $headers);
?>
Keep in mind
A note some script kiddies add while reporting DMARC issues:
Note:
If you don't find it in your inbox, check the spam folder. If the victim is using a Gmail account it might be in the spam folder. In other mail services like Yahoo it is received directly in the inbox.
Remarks (false note):
The above statement is not true.
In Gmail, the spoofed email arrives directly in the Inbox.
OK, let's discuss the vulnerable companies or domains.
WHO IS VULNERABLE:
Many companies and domains, including the top 100 - 500 ranked sites on Alexa.
I have a list of vulnerable domains, but for security reasons I won't share every domain, only some, like GitHub, Magento, Sony, Toyota, Tesla, the US DoD, etc.
PoC Screenshot:

Even Google is vulnerable.
Yes, you heard right.
Google Mail, i.e. Gmail, is vulnerable.
Gmail has no policy set (p=none) on DMARC, which allows hackers to easily spoof Gmail users' email.
Here is the PoC screenshot:

Another:
I spoofed an email with a simple PHP script.
Not only that:
Another email service by Microsoft, Outlook (Hotmail), is also vulnerable.

Another

I've tried spoofing my own Outlook email to another of my email addresses.
So, huge companies like Google and Microsoft are also vulnerable.
So,
What are the advantages of email spoofing to black hats, or what can hackers do?
Impact and Risk:
An attacker can spoof your email address to perform social engineering or phishing attacks.
Phishing leads to security breaches; as you know, most cyber attacks start with phishing.
An attacker can easily spoof your email, which could result in a serious security issue.
Let's suppose your personal email is vulnerable, or your business/company is vulnerable:
- An attacker can spoof your personal email and send a fake email to your friends and family, etc.
- An attacker can spoof your business or company email and send fake emails to your customers and clients, etc.
- Another: you have registered an account on example.com with your personal or company email, and that site allows you to create a support ticket by sending an email. An attacker can spoof your email and send a fake email to that site, and the support ticket will be created from your account. The attacker may then ask the site to alter your account settings or delete the account, etc.
- An attacker can spoof your email and send a malicious file, attachment or a phishing link which redirects to another link, and then the attack starts.
- An attacker can spoof your company email and send fake emails to your workers to launch further attacks.
- An attacker can also deliver ransomware and perform other types of attacks via email spoofing.
Others:
- To degrade, destroy or ruin your business or company.
- To destroy your trusted relationships.
- To impersonate your organization.
- To hack your users' accounts.
- For blackmail and scamming.
- etc.
Prevention:
It's easy to prevent this.
Set up your SPF, DMARC and DKIM configuration properly.
Now, let's talk about the scope of email spoofing in bug bounty for bug hunters.
I've reported email spoofing several times and have received a lot of bounties, certificates and swag.
PoC Screenshot:

Also received on duplicate reports.
More

A huge swag from a private site on H1.

More
Avira:
Intel:
And many bounties and Hall of Fame entries or acknowledgements, etc.
Some programs accept this finding as Low risk, some as Medium and some as High risk.
Some programs exclude email spoofing from their scope for one of two reasons:
- They are already aware of it.
- They don't know about email spoofing and its impact.
In my opinion, a lot of companies don't know about email spoofing and its impact.
Some companies have SPF records but are missing DMARC, and some have both SPF and DMARC but a misconfigured SPF or no policy set on DMARC, which allows hackers to easily spoof their email to anyone's email address directly into the inbox.
I hope you like this article.
Any suggestion or correction?
Feel free to leave a comment and share your opinion.
Thanks for reading.
How did you make the profile picture of the malicious email look legit? And how exactly do you exploit DMARC?
It shows automatically. You can't set the profile pic of the email according to your choice.
In emkei, only some emails work for Gmail and some are not working. Can we do any settings for that? And to get it directly in the inbox, is there any setting in emkei?
Nope! You can use another tool or create your own script for email spoofing.
Can anyone trace the actual sender's IP address of someone who uses emkei.cz for spoofed email sending?
I mean, does emkei.cz keep the original sender's IP address in their storage?