What is so special about spoof mail attack part 3#9 | Eyal Doron | o365info.com

1. Page 1 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 What is so special about Spoof mail attack? |Part 3#9 The special character of the spoofing attack is – that the “spoof action”, serves as a spearhead for most of the other mail attacks. In other words – the Spoof mail attack is accompanied by an additional type of mail attacks such as Phishing mail attack or spam mail. Spoof Mail Attack, What Is Good For? The main purpose of the “spoof phase” is – to cause the destination recipient to trust the sender identity.

2. Page 2 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 The “trust,” is the first building block in the “mail attack building.” After the hostile element manage to build the bridge of “trust” between him and his victim, there is a high chance that the next step in the attack will successfully complete. The Spoof E-mail attack does not exist by itself, but instead, serve as the first phase (the trust phase) that leads to the next phase in which the hostile element asks from his victim to do something. For example Case 1 – E-mail message + malware The hostile element presents himself as a trustworthy sender and asks from the destination recipient to open the attachment (the malware) in the E-mail message. Case 2 – Spam mail The hostile element presents himself as a trustworthy sender and asks from the destination recipient to purchase a specific product or specific service.

3. Page 3 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Case 3 – Phishing mail attacks The hostile element presents himself as a trustworthy sender and asks from the destination recipient to “do something” such as – reset his password, access a specific website, deposit money to a specific bank account and so on. What Is The Meaning Of Spoofing, Spoof E-Mail, Spoof Attack And All The Rest? The simple explanation for the term “spoofing” is, a scenario in which entity A is masking his true identity, and present another identity such as the identity of entity B. The main purpose of the element that uses the option of spoofing his identity is to “buy the trust” of his victim by using an identity that the victim can trust. The “spoofed identity” can be an identity of a sender who “belong” to a well-known organization or in some cases, the attacker provides the identity of a sender whom the destination recipient knows such as someone from his organization.

4. Page 4 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 The purpose of Spoof mail attack As mentioned, the purpose of the “spoof mechanism” is to serve as the tool by hostel element for – “opening the gate” of the victim fortress. In case that the attacker manages to bypass the “trust obstacle,” the attacker executes the rest of attack steps such as – social engineering, Phishing website, malware and so on.

5. Page 5 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Exploiting The “Victim Trust” The type of identities that can be used by the hostile element. 1. The identity of a sender of a famous or well-known company that has a good reputation. For example, the identity of a recipient from a well-known company such as PayPal or a famous bank. 2. The identity of a sender of the same organization of the victim. This is the classic scenario of the CFO and CIO, the scenario of “manager and assists,” the scenario of people from the Helpdesk that address an organization’s user and so on. In this type of scenario, the attacker abuses the natural tendency of people to trust someone from their organization, and especially if this person (the spoofed identity that used by the attacker) considers as VIP, manager or identity with power or authority. 3. Anonymous identity Less professional attackers, could use an E-mail account (E-mail message) that was created on the major mail, provide such as – Gmail, Hotmail, Yahoo and so on. In this case, the “trust factor” is reduced because the destination recipient is not tempted to believe that the sender is a “known sender”. A common two misconceptions about Spoof E-mail attack

6. Page 6 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 In this section, I would like to talk about two misconceptions that most of us have regarding the subject of Spoof E-mail attack. Misconception 1#2 – Spoof E-mail are executed by a professional hacker. The most common misconception about Spoof E-mail attack is, that executing Spoof E-mail attack can be implemented only by a professional or, by a super doper cyber-criminal! Most of us have an image in our head of a guy with thick glasses, sitting in a dark room full will computer screen, print in rage strange computer language commands, trying to attack our systems. The truth is much simpler, in nowadays, the ability to send anonymous E-mail or to spoof the identity of the sender is very simple and easy. No need to be a super cyber-criminal!

7. Page 7 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 The option of sending Spoof E-mail is very simple, and if we want to make even simpler, there are many online web-based tools that can help us to accomplish this task. In the following screenshot, we can see an example of the search result for the search string “send mail anonymous tool”. As we can see, there are 28,000,000 results for this specific search term. You are most welcome to try out yourself to realize, how easy and simple is the process is spoofing your E-mail address identity. Note – if you want to read more information about the way of simulating Spoof E-mail attack, you can read the article – How to Simulate E-mail Spoof Attack |Part 11#12

8. Page 8 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Misconception 2#2 – my mail server “know” how to identify and block Spoof E- mail. The simple true on the assumption in which our mail infrastructure includes a protection mechanism that will protect us from Spoof E-mail attack, most of the time this assumption is wrong! In other words, most of the existing mail infrastructures don’t deal so not handling well or not handling at all scenarios of Spoof E-mail and Phishing mail attacks. Spoof E-mail is not a virus and not a spam mail! Most of the mail infrastructure include some kind of anti-virus protection and some kind of anti- spam filter, and this protestation mechanism provides pretty good protection.

9. Page 9 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 The strange answer to the declaration of the fact that most of the mail infrastructure are not handling well scenario of Spoof E-mail is because an Inherent weakness of the SMTP mail protocol. The SMTP protocol can be described as a “naive protocol” or “innocent protocol” because the SMTP protocol was not created with an awareness of a scenario in which hostile elements will try to spoof their identity. The main goal of the people who created the SMTP protocol was to enable the delivery of E-mail message from point A to point B quickly and efficiently. The mail server that represents the sender addresses the mail server that represents the destination recipient and asks him to deliver the E-mail message to the specific recipients. Very easy and very straight forward. The mail server that represents the destination recipient (the receiving mail server) was not configured to suspect or, to doubt the information about the sender identity. If the senders claim that his identity is X, as long as the E-mail address format is correct, the destination mail server will “believe” the information about the sender identity. Let’s assume that we have improved the awareness of the destination mail server to the fact that some of the senders could be hostile elements. How can we verify the sender identity, so we will be able to trust him?

10. Page 10 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 The good news that in nowadays, we have a couple of mail sender authentication standards such as SPF, DKIM and DMARC, that can help is to verify the sender identity. The less good news is that the implementation of this protocol is not so simple because of many reasons that we will review later in the article – The questions that we will need to answer before we start the project of – building a defense system that will protect us from Spoof mail attacks | Part 7#9 The Two Major Flavors Of Spoof E-Mail Attacks A very important subject that I would like to emphasize is that when we use the term – “Spoof E- mail attack,” the term can be translated into two major scenarios: Scenario 1 – Spoof mail attack that is directed towards “other users” (not our users) but the attacker uses our organizational identity when performing the Spoof mail attack. Scenario 2 – Spoof mail attack in which the attack is directed towards our users. The attacker can use a false sender E-mail address which includes our domain name or use an “external E-mail address” (an E-mail address that includes other domain names that represent other organizations with a good reputation that considers as trusted organization. The common association that appears in our mind regarding the Spoof mail attack is related to “scenario 2” in which our users become the victim of Spoof mail attack. Although this type of attack is more “viable” and more tangible, it’s important to emphasize that the other scenario, in which hostile is Stealing our organizational identity and abuse it by

11. Page 11 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 attacking another organization is also a “problematic scenario” which could lead to unwanted results that can harm our organization’s reputation. Scenario 1 – Spoof mail attack that is directed towards “other users” (not our users). A scenario in which the attacker is “stealing” our organization identity. For example, our organization domain name is – o365info.com A hostile element, present himself by using a sender E-mail address, that includes our domain name such as – ceo@o365info.com The reason that the attacker chooses to use our domain is – probably because our organization is considered as an organization with a good reputation that can be trusted. In this case, the main purpose of the attacker is – persuade the victim (the recipients from the other organization) “believe him” because his identity (his E-mail address that uses our domain name) can be trusted. In this case, the hostile element is using “our organization good reputation” for abusing recipient from other organizations.

12. Page 12 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Scenario 2 – Spoof mail attack in which the attack is directed towards our users. A scenario in which the hostile element attacks our organization recipients by presenting false sender identity. The false sender identity which the attacker is using can be implemented in two ways: Scenario 2.1 – the attacker attacks our organization, using a “well know” E-mail address. In this scenario, the attacker uses a false identity that is based on email messages that include a domain name of a company that is well known or, considered as trusted organization.

13. Page 13 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Scenario 2.2 – the attacker attacks our organization, using an E-mail address that includes our domain name. This type of scenario is the most “painful” scenario because, in this case, the attacker Disguises himself using the identity of a person from the same organization as the person that he attacks (the victim). An example to such as scenario could be a spear phishing, a specific type of Phishing mail attack, in which the attacker uses an identity of a “well know” person from our organization such as the E-mail address of the company CFO. The attacker uses this identity for attacking Key People in the organization. Because the victim sees a familiar sender’s identity, he is easily tempted to trust the “sender E- mail”.

14. Page 14 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Note – technically speaking, regarding the scenario in which the Phishing mail attack is pointed toward our organization users, there could be an additional variation on this scenario in which the hostile element does not bother to “cover his real identity” using a “good fake identity” and instead, uses a general identity or public mail provider such as Yahoo, Hotmail, Gmail, etc. Spoof E-Mail Attacks | What Are The Possible Damages? Let’s briefly review the most obvious damages in the case that the attacker manages to execute his Spoof E-mail attack. As mentioned before, in reality, that hostile element is not satisfied with Spoof E-mail attack because he cannot gain anything by succeeding the complete this type of attack. The attacker uses the Spoof E-mail attack as an “appetizer” for the “main course.” course”. The optional damage in case that the hostile element manages to complete the attack (such as Spoof E-mail attacks and Phishing E-mail attacks) is the damage that will be realized from the specific attack that was executed.

15. Page 15 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 For example – in as scenario of an E-mail message that includes a malware, the damage that we will experience, depend on the malicious activity that the malware was programmed to do. Another question that can appear in our mind could be – is this is the only damage that can happen? Is there a possibility for additional and further damages? The damages of the “attack” could be a minor damage but on the other side, can cause a huge damage. For example, let’s assume that the attacker executes Phishing E-mail attacks (that include a Spoof E-mail attack) in which he persuaded the company CEO to transfer to his bank account the amount of money worth 500, 000$.$. What could be the damage of this attack beside of the financial loss? The damage could be a “CEO rage attack,” which can lead to a scenario in which we need to update our CV because we need to look for a new job (the politically-correct term is – looking for a new challenge).

16. Page 16 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 A scenario in which the attacker uses our organizational identity for attacking other victims. Now, let’s talk about the possible damages in a scenario, in which the hostile element uses our organization identity and attacks another organization. Let’s assume that the attacker manages to complete the attack, and let’s assume that we don’t care what is the damage caused by another organization. So what do we care if a hostile element uses our organizational identity? The answer is that we should care! The fact that the attack was executed using “our identity” is very bad for our reputation. In many scenarios, the “other organization” that was the victim of the Spoof E-mail attack, will reward us be reporting this information to blacklist providers. The process in which our domain name is registered in the email blacklist is quite simple (because there is real evidence for the fact that our organization “attack” other organizations). The process of “delist,” in which we recognize that our domain name appears in a well know blacklists, and we ask to remove our name from this “respectable list”, is not so simple and in many cases, could be a long exhausting process.

17. Page 17 of 17 | What is so special about Spoof mail attack? |Part 3#9 Written by Eyal Doron | o365info.com | Copyright © 2012-2016 Meanwhile, while our domain name appears on a blacklist, the outcome could be that many of the outgoing E-mail messages that sent by organization users to external recipients, will be blocked or rejected by the destination mail infrastructure because our domain name appears as a problematic domain. Additional reading Video lecture  How To Avoid Falling Prey To Phishing Scams The next article in the current article series is What is the meaning of mail Phishing attack in simple words? | Part 4#9