The word “spoof” is just one of many whose meaning the Internet has warped. Historically, a spoof was a good-natured imitation; think of the Scary Movie series, a spoof of the Hollywood horror genre. Now, though, to spoof means to impersonate someone or something for malicious ends, particularly through email. The threat has grown increasingly serious in recent years, but more sophisticated defenses are also becoming available to mitigate it.
What is email spoofing?
Email spoofing is an attack that disguises the sender of an email so the recipient believes it comes from a familiar brand or known acquaintance. It is a standard element of spear phishing attacks. Consider the following example: you get an email from support@appIe.com asking you to confirm the password for your iTunes account. It looks real and the request seems reasonable, so you click the link and hand over your Apple ID and password. Too bad. An attacker just spoofed the Apple brand to steal your credentials.
What happened? To understand the attack, you have to notice the difference between apple.com and appIe.com. They look the same, but they aren’t. The first is apple.com, the real company’s domain. The second is appIe.com, with a capital “I” in place of the lowercase “l” in “apple.” Domain names are case-insensitive, so what the attacker actually registered is appie.com; writing it with a capital I costs nothing, and in many sans-serif fonts, including those most mail clients use, the two glyphs render identically. The domain is not Apple’s. It was set up by the attacker, and a reader cannot reliably tell the two apart by eye.
The continuum of email spoofing
Email spoofing exists on a continuum of sophistication. Some forms of spoof attacks are quite simple. Others require a high degree of technology skill and an investment of resources. In our experience, there are three main types of spoofing along this spectrum:
- Visible alias spoofing—This is a simple but effective approach to email spoofing. The display name in the From: header is free text chosen by the sender; nothing in SMTP checks it against the address. With email, especially on mobile devices, the sender’s name is usually displayed but the email address is not. You might get an email on your phone that looks like it’s from “Bank of America,” but the actual address it comes from is firstname.lastname@example.org, which has nothing to do with the bank. The attacker is betting that most busy people won’t check the sender’s address carefully. When combined with social engineering, as in spear phishing, visible alias spoofing can trick people into taking actions they would otherwise avoid. For instance, the attacker researches the target and uses known facts to establish trust, e.g. “As you know I am on a business trip in Japan.”
A variant of this attack shows up in “CEO fraud,” where an attacker impersonates a senior executive and instructs an employee to send a wire transfer. If the CEO of your company is named Don Smith, you might receive a message from “Don Smith” <email@example.com> on a weekend. It starts with something innocuous like, “Jim, are you there?” You reply, “Yes, boss. I am here. How can I help?” The attacker then continues with, “I’m on a trip. We’re closing a confidential merger agreement. As it’s the weekend, no one is in the office. I need you to wire $100,000 right away to the following bank account to finalize this merger. I trust you to tell no one as this is a very sensitive case. This is a very pressing matter so please proceed and confirm immediately.” It doesn’t matter that the real Don Smith never writes from an address outside the company domain and would never issue such a request on a weekend. Under the right social engineering circumstances, the recipient could easily fall for the ploy.
- Domain spoofing—With the right tools, an attacker can send a spear phishing email whose From: header shows a legitimate domain. The attacker’s goal is to trick you into believing that he or she is the real, legitimate sender. For example, an attacker could send an email that appears to come from a genuine address at Bank of America’s own domain. Except it doesn’t actually come from that address. It could be a trick designed to get you to click a URL that sends you to a spoofed web page that looks like www.bofa.com. Domain spoofing has become harder to do thanks to the spread of email authentication standards. The Sender Policy Framework (SPF) lets a domain owner publish in DNS which servers may send mail for the domain; DomainKeys Identified Mail (DKIM) lets a sending server sign messages with a key published in DNS. Neither stops a forged From: header on its own: SPF is evaluated against the envelope sender (the Return-Path), not the visible From: address, and DKIM only proves that some domain signed the message. DMARC closes that gap by requiring the SPF- or DKIM-authenticated domain to align with the From: domain and by telling receivers to quarantine or reject mail that fails. Not every domain publishes these records, however, and not every receiver enforces them.
- Close cousin—The appIe.com example above is a “close cousin” or cousin domain attack. It tricks the target by using a sending domain that is close to the real one, or visually indistinguishable from it. The technique might involve using the .co extension instead of .com, swapping look-alike characters, or adding or dropping a letter in the domain name. For example, let’s say your company is called Maine Express and has the domain maineexpress.com. A spoofer could register mainexpress.com or maineexpresss.com and fool at least some portion of email recipients. We often see spoofing that simply adds a plausible word to the domain, such as maineexpressglobal.com. Because a cousin domain is a real domain the attacker controls, it can carry perfectly valid SPF and DKIM records; authentication passes, so catching it means comparing the sending domain against your own.
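To make the visible-alias and close-cousin checks from the list above concrete, here is an added Python example; it is not code from the original article or from any product the article mentions. It assumes the hypothetical company domain maineexpress.com used in the text, a constructed list of protected display names, and a simplified notion of “registrable domain” (last two labels) that a real deployment would replace with the public suffix list.

```python
import unicodedata
from email.utils import parseaddr

# Constructed fixture: the company domain used in the article, plus hypothetical
# display names that should only ever appear together with @maineexpress.com addresses.
LEGIT_DOMAIN = "maineexpress.com"
PROTECTED_NAMES = {"don smith", "maine express"}

# Characters attackers swap for visually similar ones. Domain names are
# case-insensitive, so "appIe.com" (capital I) is really appie.com; lowercasing
# and then folding i -> l makes it collide with "apple".
_SINGLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e",
                         "4": "a", "8": "b", "9": "g", "7": "t", "2": "z"})
_MULTI = (("rn", "m"), ("vv", "w"))


def fold(label: str) -> str:
    """Lowercase, strip diacritics (e.g. á -> a) and collapse look-alike glyphs."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    for multi, single in _MULTI:
        s = s.replace(multi, single)
    return s.translate(_SINGLE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion/deletion/substitution is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """(label, tld). Simplification: single-label TLDs only (.com, .co);
    production code should use the public suffix list to handle e.g. co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def classify_domain(domain: str, legit: str = LEGIT_DOMAIN):
    """Return why `domain` looks like a cousin of `legit`, or None if it does not."""
    label, tld = split_domain(domain)
    legit_label, legit_tld = split_domain(legit)
    if label is None or (label, tld) == (legit_label, legit_tld):
        return None
    if label == legit_label and tld != legit_tld:
        return "tld-swap"                     # maineexpress.co
    if fold(label) == fold(legit_label):
        return "homoglyph"                    # appIe.com vs apple.com
    if len(legit_label) >= 5 and levenshtein(fold(label), fold(legit_label)) <= 1:
        return "typo"                         # mainexpress.com, maineexpresss.com
    if legit_label in label:
        return "brand-embedded"               # maineexpressglobal.com
    return None


def check_from(from_header: str, legit: str = LEGIT_DOMAIN, protected=PROTECTED_NAMES):
    """Flag the spoofing patterns in one From: header value. Returns a list of findings."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-from"]
    domain = addr.rpartition("@")[2].lower()
    if domain == legit.lower():
        return []                             # on-domain: nothing to flag here
    findings = []
    name_l = name.strip().lower()
    if "@" in name_l:
        findings.append("address-in-display-name")   # name field carries a fake address
    if any(p in name_l for p in protected):
        findings.append("alias-spoof")        # trusted name, off-domain address
    reason = classify_domain(domain, legit)
    if reason:
        findings.append(reason)
    return findings


if __name__ == "__main__":
    samples = [
        '"Don Smith" <email@example.com>',
        '"Maine Express Support" <support@mainexpress.com>',
        "Accounts <ap@maineexpress.co>",
        "IT Desk <helpdesk@maineexpressglobal.com>",
        '"don.smith@maineexpress.com" <x@example.org>',
        "Jim <jim@maineexpress.com>",
    ]
    for s in samples:
        print(f"{s:50} -> {check_from(s) or ['ok']}")
    print("appIe.com vs apple.com ->", classify_domain("appIe.com", "apple.com"))
```

The folding step is what catches the capital-I trick: after lowercasing, both “appie” and “apple” fold to the same string. The edit-distance threshold of one is deliberately tight; loosening it catches more typo-squats but starts flagging unrelated short domains, which is why the check is skipped for labels under five characters.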
Protecting Yourself from Email Spoofing Attacks
It is possible to defend against email spoofing attacks. The best practice is to blend training, policies and technology. Employee training is your first line of defense: though some spoofing attacks are extremely hard to detect, many are easy to spot once people know to look at the actual sender address rather than the display name. Clear policies for processes like wire transfers, such as confirming any payment instruction received by email over a second channel before acting on it, also mitigate the risk of CEO fraud and similar social engineering attacks. To counter the “close cousin” attack, some businesses defensively register the most likely look-alike domains themselves (common typos, other TLDs). No one can register every variant, but it removes the easiest ones and has the added benefit of reducing the risk of trademark infringement.
Technological countermeasures are tools that quickly analyze inbound email for signs of spoofing. For example, Vade Secure for Office 365 can inspect an email and check whether the visible alias and the email address are consistent with the company’s employees and their addresses. It also adds an SPF-like layer to the filtering process that spots unauthorized use of legitimate domain names, and it detects close cousin domains. The solution looks for revealing inconsistencies in email structure and for calls to action in the content (CTAs, e.g. money transfers, urgent requests). When it finds them, a customizable warning banner is placed inside the email alerting the recipient to a suspected spoofing attempt.
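The following added Python example (written for this edit, not code from the original article or from Vade Secure) shows what an “SPF-like layer” actually decides and why the SPF/DKIM caveat in the domain spoofing section matters. It evaluates SPF against a constructed, in-memory set of DNS TXT records rather than live lookups, treats DKIM as an already-verified signing domain (signature verification is out of scope), and then applies DMARC alignment. All domains, IP addresses and records are fictitious; maineexpress.com is the company domain used in the text.

```python
import ipaddress

# Constructed DNS fixture standing in for live TXT lookups. All names and addresses
# are fictitious; maineexpress.com is the company domain used in the article.
DNS_TXT = {
    "maineexpress.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.maineexpress.com": ["v=DMARC1; p=reject; aspf=s; adkim=s"],
    "attacker.example": ["v=spf1 ip4:192.0.2.0/24 -all"],   # attacker's own, valid SPF
    # mainexpress.com (the cousin domain) publishes nothing at all.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    for rec in DNS_TXT.get(domain.lower(), []):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Minimal SPF (RFC 7208) evaluation for the envelope-sender domain.
    Supports ip4/ip6/include/all; a/mx/exists/redirect/macros are omitted (assumption)."""
    if depth > 10:
        return "permerror"                    # RFC 7208 lookup limit
    record = lookup_spf(domain)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain: str) -> str:
    """Organizational domain; simplification: last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(header_from_domain: str):
    """Parse the _dmarc TXT record into a tag dict, or None if the domain publishes none."""
    for rec in DNS_TXT.get("_dmarc." + org_domain(header_from_domain), []):
        if rec.startswith("v=DMARC1"):
            return dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    return None


def evaluate(envelope_from: str, header_from: str, source_ip: str, dkim_domain=None) -> dict:
    """What a DMARC-enforcing receiver decides for one message.
    dkim_domain is the d= of an already-verified DKIM signature, or None."""
    env = envelope_from.rpartition("@")[2].lower()
    hdr = header_from.rpartition("@")[2].lower()
    spf = check_spf(env, source_ip)           # SPF looks at the envelope, not the From: header
    policy = dmarc_policy(hdr)
    if policy is None:
        # No DMARC record: SPF/DKIM results are never tied back to the From: header.
        return {"spf": spf, "dmarc": "none", "action": "deliver"}
    strict_spf = policy.get("aspf", "r") == "s"
    strict_dkim = policy.get("adkim", "r") == "s"
    spf_aligned = spf == "pass" and (
        env == hdr if strict_spf else org_domain(env) == org_domain(hdr))
    dkim_aligned = dkim_domain is not None and (
        dkim_domain.lower() == hdr if strict_dkim else org_domain(dkim_domain) == org_domain(hdr))
    dmarc = "pass" if (spf_aligned or dkim_aligned) else "fail"
    action = "deliver" if dmarc == "pass" else \
        {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "deliver")
    return {"spf": spf, "dmarc": dmarc, "action": action}


if __name__ == "__main__":
    cases = [
        ("legitimate",       "bounce@maineexpress.com", "don.smith@maineexpress.com", "203.0.113.5"),
        ("forged envelope",  "bounce@maineexpress.com", "don.smith@maineexpress.com", "192.0.2.9"),
        ("forged From only", "bounce@attacker.example", "don.smith@maineexpress.com", "192.0.2.9"),
        ("cousin domain",    "bounce@mainexpress.com",  "support@mainexpress.com",    "192.0.2.9"),
    ]
    for label, env, hdr, ip in cases:
        print(f"{label:16} {evaluate(env, hdr, ip)}")
```

The “forged From only” case is the one the domain spoofing section warns about: the attacker sends from their own IP range with their own correctly published SPF record, so SPF passes, yet the From: header claims maineexpress.com. Only DMARC alignment turns that into a reject. The “cousin domain” case shows the opposite limit: mainexpress.com publishes no records at all, every check returns none, and the message is delivered, which is why lookalike-domain detection has to be a separate layer.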