Sending Spoofed Emails for Spear Phishing and Advanced Persistent Threat (APT) attacks.

September 18, 2016

Criminals spoof the sender domain in the “FROM” address to launch spear phishing and Advanced Persistent Threat (APT) malware attacks. The “FROM” address of the sender’s email is maliciously changed to the victim’s own domain, so from the recipient’s point of view the email looks and feels like an internal email.

Cybercriminals can easily send an email to anyone within the organization, such as a senior executive, and spoof the “FROM” address so that the email appears to be internal. Making the email look and feel like an internal email immediately gives the sender and the message legitimacy, because it is “FROM” a “trusted” source; that is a big leap forward in the social engineering component. The next step is simply to deliver the malicious payload.

Spoofed emails can be stopped from entering the organization’s network by implementing a range of widely accepted technologies and protocols.

The Sender Policy Framework (SPF) is the most common method of combating email spoofing. The DNS administrator needs to publish an SPF record for the domain alongside its MX records. Receiving servers can then authenticate mail claiming to come from the organisation’s domain: the sending server’s IP address is read from the header section of the email and checked against the domain’s SPF record.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an additional protocol that enforces your SPF record values: it tells receiving gateways what to do with mail that fails the check, so that spoofed email does not pass through the gateway.

With the correct implementation of these DNS and mail server settings and services, the business gains a front layer of defense against spear phishing and APT attacks.
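To make the SPF and DMARC checks above concrete, here is an added example (not code from the original post) of the decision a receiving gateway makes. It assumes constructed SPF and DMARC TXT records for the documentation domains example.com and softfail.example, evaluates only the ip4/ip6/all mechanisms (include, a, mx and redirect need live DNS and are skipped), and applies the DMARC p= policy to a message whose From: domain fails SPF.

```python
import ipaddress

# Constructed DNS data for the example: the TXT records a receiving gateway
# would look up. Documentation addresses and domains, not real records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.10 ~all",
}
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "softfail.example": "v=DMARC1; p=none",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for the connecting IP.

    Simplified offline evaluator: mechanisms that need further DNS lookups
    (include, a, mx, exists, redirect) are not implemented here.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a matching mechanism means "pass" unless qualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        # ip_network.__contains__ is False when address families differ
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


def dmarc_policy(record):
    """Return the p= policy of a DMARC TXT record ("none" when absent)."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    return tags.get("p", "none")


def gateway_disposition(from_domain, sender_ip):
    """Accept, quarantine or reject a message whose From: domain is from_domain
    and which arrived from sender_ip. SPF-only: a full DMARC check also
    considers DKIM and identifier alignment."""
    spf = evaluate_spf(SPF_RECORDS.get(from_domain, ""), sender_ip)
    if spf == "pass":
        return "accept"
    policy = dmarc_policy(DMARC_RECORDS.get(from_domain, ""))
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")
```

A message claiming to be from ceo@example.com but sent from a webmail host at 203.0.113.50 fails SPF and is rejected under p=reject, while the same spoof against softfail.example is still delivered because its DMARC policy is p=none.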

The criminal can use a generic web mail server to send an email that looks like it has come from your colleague, manager or executive.

Let us explore how the criminal can easily use email to carry out this part of the social engineering.

One of the limitations of the original Simple Mail Transfer Protocol (SMTP) is the lack of sender authentication. This is a major reason for the proliferation of spam since email became widely adopted, and the same limitation allows a sender to spoof any email address.
