Email spoofingEmail spoofing is the creation of email messages with a forged sender address.[1] The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed (for example, so that it cannot be harvested), but forwards mail sent to it to the user's real address.[2] The original transmission protocols used for email do not have built-in authentication methods: this deficiency allows spam and phishing emails to use spoofing in order to mislead the recipient. More recent countermeasures have made such spoofing from internet sources more difficult but they have not eliminated it completely; few internal networks have defences against a spoof email from a colleague's compromised computer on that network. Individuals and businesses deceived by spoof emails may suffer significant financial losses; in particular, spoofed emails are often used to infect computers with ransomware. Technical detailsWhen a Simple Mail Transfer Protocol (SMTP) email is sent, the initial connection provides two pieces of address information:
Together, these are sometimes referred to as the "envelope" addressing – an analogy to a traditional paper envelope.[3] Unless the receiving mail server signals that it has problems with either of these items, the sending system sends the "DATA" command, and typically sends several header items, including:
The result is that the email recipient sees the email as having come from the address in the From: header. They may sometimes be able to find the MAIL FROM address, and if they reply to the email, it will go to either the address presented in the From: or Reply-to: header, but none of these addresses are typically reliable,[4] so automated bounce messages may generate backscatter. Although email spoofing is effective in forging the email address, the IP address of the computer sending the mail can generally be identified from the "Received:" lines in the email header.[5] In malicious cases, however, this is likely to be the computer of an innocent third party infected by malware that is sending the email without the owner's knowledge. Malicious use of spoofingPhishing and business email compromise scams generally involve an element of email spoofing. Email spoofing has been responsible for public incidents with serious business and financial consequences. This was the case in an October 2013 email to a news agency which was spoofed to look as if it was from the Swedish company Fingerprint Cards. The email stated that Samsung offered to purchase the company. The news spread and the company's stock price surged by 50%.[6] Malware such as Klez and Sober among many more modern examples often search for email addresses within the computer they have infected, and they use those addresses both as targets for email, and also to create credible forged From fields in the emails that they send.[citation needed] This is to ensure that the emails are more likely to be opened. For example:
In this case, even if Bob's system detects the incoming mail as containing malware, he sees the source as being Charlie, even though it really came from Alice's computer. Meanwhile, Alice may remain unaware that her computer has been infected, and Charlie does not know anything about it at all, unless he receives an error message from Bob. The effect on mail serversTraditionally, mail servers could accept a mail item, then later send a Non-Delivery Report or "bounce" message if it could not be delivered or had been quarantined for any reason. These would be sent to the "MAIL FROM:" a.k.a. "Return Path" address. With the massive rise in forged addresses, best practice is now to not generate NDRs for detected spam, viruses etc.[7] but to reject the email during the SMTP transaction. When mail administrators fail to take this approach, their systems are guilty of sending "backscatter" emails to innocent parties – in itself a form of spam – or being used to perform "Joe job" attacks. CountermeasuresThe SSL/TLS system used to encrypt server-to-server email traffic can also be used to enforce authentication, but in practice it is seldom used,[8] and a range of other potential solutions have also failed to gain traction. A number of defensive systems have come into wide use, including:
To effectively stop forged email being delivered, the sending domains, their mail servers, and the receiving system all need to be configured correctly for these higher standards of authentication. Although their use is increasing, estimates vary widely as to what percentage of emails have no form of domain authentication: from 8.6%[10] to "almost half".[11][12][13] For this reason, receiving mail systems typically have a range of settings to configure how they treat poorly-configured domains or email.[14][15] While there has been research into improving email security, little emphasis has been placed on informing users whose email addresses have been used for spoofing. Currently, only the email recipient can identify a fake email, and users whose addresses are spoofed remain unaware unless the recipient manually scrutinizes the message.[citation needed] Business emailBusiness email compromise attacks are a class of cyber crime which use email fraud to attack organizations. Examples include invoice scams and spear-phishing attacks which are designed to gather data for other criminal activities. A business deceived by an email spoof can suffer additional financial, business continuity and reputational damage. Fake emails can also be used to spread malware. Typically, an attack targets specific employee roles within an organization by sending spoof emails which fraudulently represent a senior colleague, trusted customer, or supplier.[16] (This type of attack is known as spear phishing). The email will issue instructions, such as approving payments or releasing client data. The emails often use social engineering to trick the victim into making money transfers to the bank account of the fraudster.[17] The United States' Federal Bureau of Investigation recorded $26 billion of US and international losses associated with BEC attacks between June 2016 and July 2019.[18] More recent figures estimate losses of over $50 billion from 2013 to 2022.[19] Incidents
See also
References
External links
|