{"id":18555,"date":"2020-02-05T16:59:19","date_gmt":"2020-02-05T16:59:19","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/36c3-fake-emails\/18555\/"},"modified":"2020-02-05T16:59:30","modified_gmt":"2020-02-05T16:59:30","slug":"36c3-fake-emails","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/36c3-fake-emails\/18555\/","title":{"rendered":"Faking e-mails: Why it is even possible"},"content":{"rendered":"<p>Sometimes it\u2019s easy to spot phishing e-mails just by checking the \u201cFrom\u201d field. However, that\u2019s not always the case; making a fake e-mail indistinguishable from a genuine one actually <em>is<\/em> possible. If an attacker knows how to do such a thing, the targeted organization is really in trouble. Most people wouldn\u2019t have a second thought before clicking on a malicious link or file that they got in an e-mail seemingly from their boss or their top client \u2014 and it\u2019s hard to blame them, especially if there\u2019s no way to tell the e-mail was spoofed.<\/p>\n<p>But why is it possible to forge a perfect fake e-mail in the first place? Andrew Konstantinov\u2019s <a href=\"https:\/\/media.ccc.de\/v\/36c3-10730-email_authentication_for_penetration_testers\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">talk on e-mail authentication for penetration testers<\/a>, at the <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/36c3\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">36th Chaos Communication Congress<\/a>, answers this very question and gives some insight into the effectiveness of protection from e-mail spoofing.<\/p>\n<h2>Problem 1: E-mail must flow<\/h2>\n<p>E-mail is a staple communication method of the modern world, and every organization relies heavily on e-mail in its daily operations. Though we don\u2019t think much about the technology when everything goes smoothly, if all of a sudden e-mails start going missing, you can be sure everybody will notice. 
Therefore, reliability is generally the top priority of every e-mail server administrator. E-mail simply has to be sent and delivered, no matter what.<\/p>\n<p>The implication here is that every organization\u2019s e-mail server has to be as compatible as possible with everything else in the world. And therein lies the problem: E-mail standards are badly outdated.<\/p>\n<h2>Problem 2: The e-mail protocol with no authentication<\/h2>\n<p>The main protocol used both for client-to-server and server-to-server e-mail communications is SMTP. This protocol was first introduced in 1982 and last updated in 2008 \u2014 more than a decade ago. And like many other ancient standards, SMTP is a security nightmare.<\/p>\n<p>First, let\u2019s take a look at what your typical e-mail message consists of:<\/p>\n<ul>\n<li>SMTP envelope. This part is used for server-to-server communications and is never shown in e-mail clients. It specifies the sender\u2019s and recipient\u2019s addresses.<\/li>\n<li>Message header. E-mail clients display this part. It\u2019s where you\u2019ll find the familiar \u201cFrom,\u201d \u201cTo,\u201d \u201cDate,\u201d and \u201cSubject\u201d fields that you see for any e-mail.<\/li>\n<li>Message body. The e-mail text and other contents.<\/li>\n<\/ul>\n<div id=\"attachment_32364\" style=\"width: 1356px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2020\/02\/05165923\/36c3-fake-emails-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-32364\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2020\/02\/05165923\/36c3-fake-emails-1.jpg\" alt=\"What's in an e-mail message.\" width=\"1346\" height=\"700\" class=\"size-full wp-image-18556\"><\/a><p id=\"caption-attachment-32364\" class=\"wp-caption-text\">What\u2019s in an e-mail message. 
<a href=\"https:\/\/cdn.media.ccc.de\/congress\/2019\/slides-pdf\/36c3-10730-email_authentication_for_penetration_testers.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Image source<\/a><\/p><\/div>\n<p>The main problem is that the standard provides no means for authentication. Responsibility for the sender\u2019s address field \u2014 in both the SMTP envelope and the header \u2014 lies completely with the sender\u2019s server. What\u2019s worse, the sender\u2019s address in the SMTP envelope doesn\u2019t have to match the one in the header (and the user sees only the latter).<\/p>\n<p>Also, though the standard specifies one header per e-mail, SMTP doesn\u2019t actually enforce the limit. If a message contains more than one header, then the e-mail client simply chooses one to show to the user.<\/p>\n<p>It doesn\u2019t take a professional hacker to see a lot of room for trouble here.<\/p>\n<blockquote><p>The e-mail protocol provides no means of making sure an e-mail actually came from the indicated sender<\/p><\/blockquote>\n<h3>Problem 3: Fake in, fake out \u2014 gotta watch them both<\/h3>\n<p>To complicate things even more, every e-mail communication involves two parties, so this no-authentication problem actually unfolds into two subproblems.<\/p>\n<p>On the one hand, you definitely want to be sure any e-mail you receive was actually sent from the address indicated. On the other hand, you probably want to prevent other people from sending e-mails that seem to be coming from your address. 
Unfortunately, the standard can\u2019t help with any of that.<\/p>\n<p>It\u2019s no surprise that the SMTP protocol was so frequently abused that people started devising new technologies to fix the flaws mentioned above.<\/p>\n<h2>Fix attempt 1: Sender Policy Framework (SPF)<\/h2>\n<p>The idea behind the Sender Policy Framework is rather simple: The receiving server should be able to check whether the address of the server that actually sent an e-mail matches the address of the genuine e-mail server associated with the domain.<\/p>\n<p>Unfortunately, that\u2019s easier said than done. The SMTP standard has no means to perform such a check, so any method of authentication would have to be added on top of the existing stuff. Getting such technology to the point of becoming a \u201cproposed standard\u201d took a decade. Today, only about 55% of the top 1 million servers use SPF, and most use quite relaxed policies.<\/p>\n<p>SPF faces loads of other problems here as well, such as messy architecture that makes it easy to misconfigure, certain ways to bypass it using other servers hosted on the same address, and so on. But SPF\u2019s fatal flaw is that it checks only the address indicated in the SMTP envelope and completely ignores the \u201cFrom\u201d field in the header \u2014 the one that a user actually sees.<\/p>\n<p><b>Outcome:<\/b><\/p>\n<ul>\n<li>SPF helps check if an e-mail came from a genuine server.<\/li>\n<li>The address visible to users can still be faked.<\/li>\n<\/ul>\n<h2>Fix attempt 2: DomainKeys Identified Mail (DKIM)<\/h2>\n<p>DomainKeys Identified Mail approaches the problem differently: DKIM cryptographically signs the message header and part of the message body using a private key, and the signature can be verified using a public key that is published in the Domain Name System.<\/p>\n<p>It is worth mentioning, however, that DKIM does not encrypt the message. 
Rather, it appends a cryptographically signed addendum to it. That is a problem. The crypto part is hard to modify, but deleting the signature entirely and crafting a fake message is easy \u2014 and the results are undetectable.<\/p>\n<p>DKIM is hard to implement because it involves issuing and managing cryptographic keys. Also, misconfigured DKIM can enable an <a href=\"https:\/\/noxxi.de\/research\/breaking-dkim-on-purpose-and-by-chance.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">attacker to preserve the genuine DKIM signature<\/a> in a message while completely changing its header and body.<\/p>\n<p><b>Outcome:<\/b><\/p>\n<ul>\n<li>DKIM lets you digitally sign messages, helping assure the receiving server that a message really came from you.<\/li>\n<li>It\u2019s hard to implement because it involves cryptographic key management.<\/li>\n<li>Forgers can simply delete the signature while faking an e-mail in your name.<\/li>\n<li>Certain misconfigurations can result in fake messages containing genuine DKIM signatures.<\/li>\n<\/ul>\n<h2>Fix attempt 3: Domain-based Message Authentication, Reporting and Conformance (DMARC)<\/h2>\n<p>Despite its rather lengthy name, the Domain-based Message Authentication, Reporting and Conformance protocol is actually easier to understand than SPF or DKIM. It is really an extension of the two that fixes their most glaring omissions.<\/p>\n<p>First, DMARC lets the domain administrator publish which protection mechanism \u2014 SPF, DKIM, or both \u2014 the domain uses, so a receiving server knows that a message arriving without the expected DKIM signature should fail the check; this closes the DKIM gap described above, where a deleted signature went unnoticed. 
Second, it fixes SPF as well, providing a check of the address specified in the header\u2019s \u201cFrom\u201d field (the one that is actually visible to a user), on top of the check of the sender address in the SMTP envelope.<\/p>\n<p>The downside is that the DMARC protocol is relatively new, is not yet a proper standard (<a href=\"https:\/\/tools.ietf.org\/html\/rfc7489\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">RFC 7489<\/a> defines it not as standard or even proposed standard, but only as \u201cInformational\u201d), and is not as widely used as it should be. According to <a href=\"https:\/\/s3.amazonaws.com\/250ok-wordpress\/wp-content\/uploads\/2019\/07\/09140509\/Global-DMARC-Adoption-2019.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">this study<\/a> of 20,000 domains, only 20% had adopted DMARC at all by 2019, and only 8.4% had strict policies.<\/p>\n<div id=\"attachment_32365\" style=\"width: 1356px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2020\/02\/05165928\/36c3-fake-emails-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-32365\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2020\/02\/05165928\/36c3-fake-emails-2.jpg\" width=\"1346\" height=\"662\" class=\"size-full wp-image-18558\"><\/a><p id=\"caption-attachment-32365\" class=\"wp-caption-text\">Unfortunately, DMARC adoption is not yet widespread, and in many cases it is used with \u201cnone\u201d policy. 
<a href=\"https:\/\/s3.amazonaws.com\/250ok-wordpress\/wp-content\/uploads\/2019\/07\/09140509\/Global-DMARC-Adoption-2019.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Image source<\/a><\/p><\/div>\n<p><b>Outcome:<\/b><\/p>\n<ul>\n<li>Fixes the most important issues of SPF and DKIM.<\/li>\n<li>Not widely adopted yet, and therefore not as effective as it could be.<\/li>\n<\/ul>\n<h2>How to protect yourself from e-mail spoofing<\/h2>\n<p>To sum up: Faking e-mails is still possible because the SMTP protocol wasn\u2019t designed with security in mind, so it lets an attacker insert any sender\u2019s address in a forged e-mail. In the past few decades, certain protection mechanisms emerged \u2014 namely, SPF, DKIM, and DMARC. However, for those mechanisms to be effective, they have to be used \u2014 and implemented correctly \u2014 by as many e-mail servers as possible. Ideally, they should be implemented on every mail server on the Internet.<\/p>\n<p>In addition, keep in mind that a misconfigured mail relay may modify messages in transit (for example, by adding content to them), which will automatically cause the DKIM check to fail. Also, these technologies help deal with mass threats, but to protect your business from sophisticated e-mail attacks you should still use additional protective solutions <a href=\"https:\/\/www.kaspersky.co.uk\/small-to-medium-business-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">both on workstations and on the mail server.<\/a><\/p>\n<p>Here are some recommendations for e-mail protection:<\/p>\n<ul>\n<li>Adopt SPF at the least. Make sure that it is configured properly. 
Also keep in mind that resourceful attackers can bypass SPF (<a href=\"https:\/\/media.ccc.de\/v\/36c3-10730-email_authentication_for_penetration_testers\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">more details in the talk<\/a>).<\/li>\n<li>Implement DKIM for better protection. It might be a bit harder, but it\u2019s worth considering. And again, make sure it\u2019s configured properly (<a href=\"https:\/\/noxxi.de\/research\/breaking-dkim-on-purpose-and-by-chance.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">some tips on what attackers look for<\/a>).<\/li>\n<li>Adopt DMARC, ideally, because it fixes most of SPF\u2019s and DKIM\u2019s exploitable flaws.<\/li>\n<li>Check your configuration for incoming e-mails as well.<\/li>\n<li>Use security solutions that support modern authentication mechanisms. For example, use <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Mail Servers<\/a> or <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/microsoft-office-365-security?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kso365___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Microsoft Office 365<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Phishing and business e-mail compromise attacks rely on fake e-mails. 
But why is it so easy for attackers to make them so convincing?<\/p>\n","protected":false},"author":421,"featured_media":18560,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360,2361,2026],"tags":[2624,2592,2090,2091,1640,76,990],"class_list":{"0":"post-18555","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-36c3","12":"tag-bec","13":"tag-ccc","14":"tag-chaos-communication-congress","15":"tag-e-mail","16":"tag-phishing","17":"tag-spear-phishing"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/36c3-fake-emails\/18555\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/36c3-fake-emails\/18466\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/36c3-fake-emails\/15342\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/36c3-fake-emails\/20227\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/36c3-fake-emails\/17055\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/36c3-fake-emails\/21035\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/36c3-fake-emails\/19876\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/36c3-fake-emails\/26277\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/36c3-fake-emails\/7644\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/36c3-fake-emails\/32362\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/36c3-fake-emails\/13700\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/36c3-fake-emails\/13910\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/36c3-fake-emails\/12746\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/36c3-fake-emails\/21957\/"},{"hreflang":"ja","url":"ht
tps:\/\/blog.kaspersky.co.jp\/36c3-fake-emails\/26726\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/36c3-fake-emails\/24957\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/36c3-fake-emails\/20916\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/36c3-fake-emails\/25747\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/36c3-fake-emails\/25579\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/36c3\/","name":"36c3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/18555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/421"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=18555"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/18555\/revisions"}],"predecessor-version":[{"id":18559,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/18555\/revisions\/18559"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/18560"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=18555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=18555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=18555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}