Email spoofing is one of the most common forms of cybercriminal activity. It underpins the mechanism required to conduct hacking activities such as spear phishing and business email compromise, and it can take many forms. Unfortunately, most email users will eventually receive an email that has been spoofed—whether they know it or not.
Just as forgery has long served traditional criminals as the gateway to more complex crimes, email spoofing is the forgery of an email sender address so that the message appears to have come from someone other than the actual source. Spammers will often spoof emails in order to encourage recipients to open, reply to, or even take action in response to their solicitations. And while brand spoofing is common, we are increasingly seeing criminal activities where individuals are spoofed to target employees and partners.
Display name deception is the most common form of email spoofing and is often successful because many email clients (especially on mobile devices) show only the display name. With this kind of attack, criminals can insert the identity of a trusted individual (such as the name of an executive of the targeted company) or a trusted brand (such as the name of the bank used by the targeted individual) into the display name. Since common consumer mailbox services such as Gmail and Yahoo allow a user to specify any value in the display name, this type of attack is simple and cheap to stage from such a service.
In addition to manipulating the display name, an attacker may also use the actual email address of the impersonated identity in the From header, such as “United Customer Service” <firstname.lastname@example.org>. This type of attack, known as a Domain Spoofing Attack, does not require compromising the account or the servers of the impersonated identity, but exploits the security holes in the underlying email protocols. Attackers often use public cloud infrastructure or third-party email sending services that do not verify domain ownership to send such attacks. Email authentication standards, such as DMARC, can be used by a domain owner to prevent spoofing of their domain, but are still not adopted widely by popular brands and government organizations.
In cases where a domain is protected by email authentication and domain spoofing is not possible, attackers try to deceive the recipient by registering and using domains that are similar to the impersonated domain. These types of attacks, known as look-alike domain attacks, often use homoglyphs or characters that appear similar to the original characters in the impersonated domain. Attackers can use rendering similarities, such as “PayPal” <email@example.com>, exploiting the specific fonts and rendering styles used in popular email clients. Another variation of the look-alike domain attack is to add additional words to the domain name. For example, if an attacker wanted to send you a bogus invoice from Acme Corporation, whose domain might be acme.com, the attacker could simply register acme-payments.com, or invoices-acme.com. Finally, attackers can use characters from another script in the Unicode set. Cyrillic is a common choice, as in the From header “Dropbox” <notifications@dropbox.com>, where the “o”s in the domain are actually Cyrillic characters, but an email client will render the version that looks exactly like the impersonated domain.
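The three deception patterns described above (display name deception, look-alike domains built from brand words, and Cyrillic homoglyph domains) can all be flagged by inspecting the From header, while spoofing of the exact legitimate domain can only be caught by the authentication result. The following is an added example, not Agari's code or product logic; the brand list, the confusables subset, and the `dmarc_pass` flag (assumed to be taken from the receiver's Authentication-Results header) are all constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed data for this example: brands worth protecting and the domains
# they legitimately send from. A real deployment would load this from policy.
PROTECTED = {
    "acme": {"acme.com"},
    "dropbox": {"dropbox.com"},
    "paypal": {"paypal.com"},
}
# Tiny, constructed subset of Unicode confusables: Cyrillic letters that render
# like their Latin counterparts. A production check would use the full UTS #39 table.
CONFUSABLES = str.maketrans({"\u043e": "o", "\u0430": "a", "\u0435": "e",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_from_header(raw_from, dmarc_pass=False):
    """Return a list of findings for a raw From header (empty list = nothing flagged).

    dmarc_pass is assumed to come from the receiver's Authentication-Results
    header; it is the only signal that catches spoofing of the exact legitimate domain.
    """
    display, addr = parseaddr(raw_from)
    domain = domain_of(addr)
    folded = domain.translate(CONFUSABLES)   # Cyrillic look-alikes mapped to Latin
    findings = []

    # Mixed-script domain: report any non-ASCII code points and the scripts they belong to.
    foreign = [c for c in domain if ord(c) > 127]
    if foreign:
        scripts = sorted({unicodedata.name(c).split()[0] for c in foreign})
        findings.append(f"non-ASCII characters {foreign} ({', '.join(scripts)}) in {domain!r}")

    for brand, legit in PROTECTED.items():
        # Homoglyph domain: after folding confusables it equals a protected domain.
        if folded in legit and domain not in legit:
            findings.append(f"{domain!r} is a homoglyph of {folded!r}")
        # Display name deception: brand named in the display name, address elsewhere.
        if brand in display.lower() and domain not in legit:
            findings.append(f"display name claims {brand!r} but address is {addr!r}")
        # Look-alike domain: brand token embedded in a domain that is not the real one.
        if folded not in legit and brand in folded:
            findings.append(f"look-alike domain {domain!r} contains {brand!r}")
        # Exact-domain spoofing is invisible to header inspection alone.
        if domain in legit and not dmarc_pass:
            findings.append(f"{domain!r} is protected but the message did not pass DMARC")
    return findings
```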
Throughout the past few years, there has been an increase in business email compromise attacks, which typically spoof CEO and CFO email addresses to initiate wire transfers. Recent research from the Agari Cyber Intelligence Division indicates that this tactic is also being used to request small-dollar gift cards for charity events or to reward staff for their work. In these cases, the email typically appears to come from an executive at the organization and is directed to either an executive assistant or to junior employees in his or her department.
While it is not possible to prevent cybercriminals from spoofing email addresses, as they continuously find new ways to trick their targets, it is possible to block these messages before they reach the inboxes of your employees, customers, and partners. Here at Agari, we use a combination of email authentication and identity detection to ensure that spoofed emails are detected before they ever reach the inbox. As part of the Secure Email Cloud, this strategy ensures that intended targets stay safe from brand impersonation, identity deception, and email spoofing, ultimately helping you trust your inbox.
For information on how Agari stops all types of email spoofing, download this white paper on the Agari Identity Graph.