How Cybercriminals Dodge Email Authentication
Email authentication and validation is one method that is used to help bring down the levels of spam and phishing by identifying senders so that malicious emails can be identified and discarded. Two frameworks are in common usage today; these are SPF and DKIM.
- SPF (Sender Policy Framework): Defined in RFC 7208, SPF provides a mechanism to allow receivers to check that incoming mail from a domain is being sent from a host authorized by that domain’s owner. The list of authorized IP addresses for a domain is published in the domain’s DNS records.
- DKIM (DomainKeys Identified Mail): Defined in RFC 6376, DKIM allows mail recipients to check that incoming mail from a domain is authorized by that domain’s owner. A digital signature included with the message can be validated by the recipient using the signer’s public key published in the DNS.
Recently, DMARC (Domain-based Message Authentication, Reporting and Conformance) has also been used by some sites. This provides extra report mechanisms to domain owners and uses existing SPF and DKIM authentication results. Data from Google indicates that as of last year, half a million domains implement DKIM, 3.5 million domains implement SPF and 80,000 domains implement DMARC.
Attackers are well aware of these techniques, and are already circumventing these in their email attacks. We will show three cases where attackers were able to bypass these checks and make their emails appear to be legitimate.
Apple Phishing
Method: Use a fake user-friendly display name and random email address to bypass email authentication.
When we check who sent us an email, we actually see two different things: the email address that (supposedly) sent the email (in the form username@example.com), and a display name that is meant to be read by humans (i.e., the name of the person sending the email). However, the two are set independently of each other and don’t have to be related at all. This is frequently seen in spam and phishing emails.
We observed two types of phishing emails that both pretend to be from Apple. In the first type, the display name is iTunes, with the sending address being an apple.com address.
Figure 1. Phishing message with forged sender address
These emails will fail authentication if an SPF check is performed (as they were not actually sent from an apple.com email server). However, if the situation is slightly different, with the sending address left unmodified but the display name still fake, some email clients will show only the (fake) display name, as seen below:
Figure 2. Mail client showing only the display name
Other clients will show the email address correctly.
Figure 3. Mail client displaying sending address
We have blurred out the name of the ISP in question, but it is clear that it is not apple.com. It is a large ISP, which we’ll call large-isp.com.
This email would pass email authentication. The email could be sent by the ISP’s mail servers, so it would pass SPF. DKIM would also pass, as the e-mail would appear to be from a large-isp.com address. Because of the above, it may also pass DMARC checks.
While we used an (obsolete) mail client to demonstrate the flaw, it is worth noting that mobile email clients generally do not show the actual sending address, only the display name.
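The mismatch described in this section can be checked mechanically before a message reaches a user. The following Python snippet is an added example, not code from the original post or from Trend Micro: it parses a From: header, separates the display name from the address, and flags messages whose display name claims a protected brand that the address domain does not belong to. The brand list, the large-isp.com domain and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr
from email.header import decode_header, make_header

# Brands we care about and the domains that legitimately send mail for them.
# Constructed for this example; a real deployment maintains its own list.
PROTECTED_BRANDS = {
    "apple": {"apple.com", "itunes.com"},
    "itunes": {"apple.com", "itunes.com"},
}

def split_from(header_value):
    """Return (display_name, address, domain) for a From: header value.

    RFC 2047 encoded words in the display name are decoded first, because
    phishers often encode the name to hide the brand from naive filters."""
    decoded = str(make_header(decode_header(header_value)))
    name, addr = parseaddr(decoded)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain

def registrable(domain):
    """Naive registrable-domain guess (last two labels). Good enough for the
    constructed samples; real code should consult the public suffix list."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain

def analyse_from(header_value):
    """Classify a From: header.

    'no-brand'            - display name mentions no protected brand
    'brand-domain-match'  - brand in the name, and the domain belongs to it
                            (leave the rest to SPF/DKIM, which will fail for
                            a forged apple.com address)
    'brand-name-mismatch' - brand in the name, domain does not back it; this
                            is the large-isp.com case that passes SPF/DKIM"""
    name, _addr, domain = split_from(header_value)
    words = set(re.findall(r"[a-z0-9]+", name.lower()))
    hits = [brand for brand in PROTECTED_BRANDS if brand in words]
    if not hits:
        return "no-brand"
    if any(registrable(domain) in PROTECTED_BRANDS[brand] for brand in hits):
        return "brand-domain-match"
    return "brand-name-mismatch"

if __name__ == "__main__":
    # Constructed sample headers mirroring the two Apple phishing variants.
    for sample in ('iTunes <noreply@apple.com>',
                   '"iTunes" <abc123@large-isp.com>',
                   'Alice Smith <alice@large-isp.com>'):
        print("%-40s %s" % (sample, analyse_from(sample)))
```

A "brand-name-mismatch" result is the signal that SPF, DKIM and DMARC cannot give you: the message is authentic for large-isp.com, yet the name shown to the user says iTunes.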
Australia Post
Method: Use a similar domain to the target domain and set up their own SPF/DKIM authentication. Passing these will make the email more credible, increasing the chance of delivery.
Fundamentally, email authentication merely assures that the email came from the domain that it says it came from. It does not say anything about the reputation of the organization that sent it.
Attackers are currently creating domains that appear to belong to the target organizations and setting up their own email authentication for them. Organizations that increase the chance of delivery for email merely because it passes an email authentication check are making a dangerous choice, as this can lead to serious security problems. A reputation check must also be made.
Consider the email below:
Figure 4. Email supposedly from Australia Post
The email is supposedly from the Australian email provider Australia Post. The domain name used post-au.net sounds like a plausible domain for the company, and is slightly similar to its actual domain auspost.com.au. A user may believe that this email is real and click on the phishing link.
The attacker set up SPF and DKIM policies on the domain they created. If an organization automatically lets through email that has passed SPF and DKIM checks, users within that organization would be able to see this email and be led to the malicious sites.
The SPF record of post-au.net is below:
;; ANSWER SECTION:
post-au.net. 3600 IN TXT "v=spf1 ip4:146.185.248.52 a mx ~all"
;; AUTHORITY SECTION:
post-au.net. 3373 IN NS ns1.post-au.net.
post-au.net. 3373 IN NS ns2.post-au.net.
The DKIM record of post-au.net is below:
dkim._domainkey.post-au.net
v=DKIM1; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxeNwJu91Ul5SFOGxUtViXaCPaGw3PSNHsITOJ33l8PH/NuLo9WnyBoFkIj4qtbtnvvBDa1t3UCTfEnEW1RpQowsxy3YWlU9dhplfioH+UsSHzb9KyB9aLh+TmX2D2mb3N/DS88zq2CRbFSy8c5RyA/OV9/mUZnKdv09/pGHUezQIDAQAB
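To see why the record above buys the attacker a clean SPF result, it helps to run the check by hand. The Python below is an added example, not code from the original post or from Trend Micro: a deliberately small SPF evaluator that handles only the ip4, ip6, a, mx and all mechanisms (no include, redirect, exists, ptr or macros). The TXT record is the post-au.net record shown in the post; the A and MX answers, and the 203.0.113.9 address, are assumptions constructed so the example runs offline.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs without network access.
# The TXT record is the post-au.net record from the post; the A and MX
# answers are assumptions for this example.
FAKE_DNS = {
    ("post-au.net", "TXT"): ["v=spf1 ip4:146.185.248.52 a mx ~all"],
    ("post-au.net", "A"): ["146.185.248.52"],
    ("post-au.net", "MX"): ["mail.post-au.net"],
    ("mail.post-au.net", "A"): ["146.185.248.52"],
}

def lookup(name, rtype):
    """Stub resolver; swap in a real one (e.g. dnspython) outside the example."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Minimal SPF check_host(): evaluate `ip` against `domain`'s SPF record.

    Returns one of none, pass, fail, softfail, neutral or permerror."""
    client = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"             # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a bare address is treated as /32 or /128; v4 vs v6 never matches
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(client) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(client) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"      # include/redirect/exists/ptr not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no explicit "all"

if __name__ == "__main__":
    # The attacker's own server is authorized by the attacker's own record.
    print(check_host("146.185.248.52", "post-au.net"))   # pass
    # Anyone else falls through to "~all".
    print(check_host("203.0.113.9", "post-au.net"))      # softfail
```

The "pass" for 146.185.248.52 is correct SPF behaviour: the record answers only "was this host authorized by post-au.net", and the attacker wrote that record. Nothing in the result says whether post-au.net has any relationship with Australia Post.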
Fake speeding camera notice
Method: Use a domain similar to the legitimate government domain and a modified display name to fool users. Set up an SPF policy to ensure phishing emails pass authentication and increase mail credibility.
This particular case involved phishers sending users a fake speeding camera notice, saying they had exceeded the speed limit and they had to “act now” to avoid costs.
Like the previous case, the supposed sender and address are both designed to sound plausibly legitimate. The sender is supposedly the “Office of State Revenue”, and the email address’s domain (state3-nsw-gov.com) also sounds plausible when first seen. However, this is actually a domain under the control of the phishers.
Figure 5. Fake penalty notice email
As in the previous case, this domain has its own SPF policy, which the attackers used to increase the email’s credibility through email authentication. The email’s headers note that it passed SPF (as expected, since the whole domain is under the control of the attackers):
Received-SPF: Pass ({recipient mail server}: domain of
support@state3-nsw-gov.com designates 91.218.228.194 as
permitted sender) identity=mailfrom;
client-ip=91.218.228.194;
receiver={recipient mail server};
envelope-from="support@state3-nsw-gov.com";
x-sender="support@state3-nsw-gov.com";
x-conformance=sidf_compatible; x-record-type="v=spf1"
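A receiving system that acts on the header above needs to read more than the word "Pass". The Python below is an added example, not code from the original post or from Trend Micro: it parses a Received-SPF header into its result and tags, then refuses to treat "pass" as a reason to deliver when the envelope-from domain imitates a protected brand. The sample header is the one from the post with the redacted recipient replaced by the constructed name mx.example.invalid; the protected-domain table (including nsw.gov.au as the legitimate government domain) is an assumption for the example. The token heuristic catches state3-nsw-gov.com but, as the test shows, not post-au.net, so in practice it complements rather than replaces a reputation service.

```python
import re

# Legitimate domains for the brands being imitated. Constructed for this
# example; nsw.gov.au is an assumption, not a value from the post.
PROTECTED = {"nsw.gov.au": "Office of State Revenue",
             "auspost.com.au": "Australia Post"}
GENERIC = {"com", "net", "org", "au"}   # labels that carry no brand signal

# Constructed sample: the post's header with the redacted receiver filled in.
SAMPLE = """Received-SPF: Pass (mx.example.invalid: domain of
support@state3-nsw-gov.com designates 91.218.228.194 as
permitted sender) identity=mailfrom;
client-ip=91.218.228.194;
receiver=mx.example.invalid;
envelope-from="support@state3-nsw-gov.com";
x-sender="support@state3-nsw-gov.com";
x-conformance=sidf_compatible; x-record-type="v=spf1"
"""

def parse_received_spf(header):
    """Split a Received-SPF header into (result, {tag: value})."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "received-spf":
        raise ValueError("not a Received-SPF header")
    result, _, rest = value.strip().partition(" ")
    rest = re.sub(r"\([^)]*\)", "", rest)       # free-text comment may span folded lines
    tags = {}
    for part in rest.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip().strip('"')
    return result.lower(), tags

def labels(domain):
    """Brand-bearing labels of a domain: split on dots/hyphens, drop generic ones."""
    return {t for t in re.split(r"[^a-z0-9]+", domain.lower()) if t and t not in GENERIC}

def lookalike(domain):
    """Return the imitated brand if `domain` resembles a protected domain without being it."""
    domain = domain.lower()
    if any(domain == d or domain.endswith("." + d) for d in PROTECTED):
        return None                               # the genuine domain or a subdomain of it
    for legit, brand in PROTECTED.items():
        shared = labels(domain) & labels(legit)
        if len(shared) >= 2 or legit.split(".")[0] in labels(domain):
            return brand
    return None

def verdict(header):
    """Policy decision: SPF pass is necessary but never sufficient."""
    result, tags = parse_received_spf(header)
    domain = tags.get("envelope-from", "").rsplit("@", 1)[-1].lower()
    brand = lookalike(domain)
    if brand:
        return ("quarantine", "spf=%s but %s imitates %s" % (result, domain, brand))
    if result == "fail":
        return ("reject", "spf=fail for %s" % domain)
    if result != "pass":
        return ("score", "spf=%s for %s" % (result, domain))
    return ("continue", "spf=pass for %s; still apply content and reputation filters" % domain)

if __name__ == "__main__":
    print(verdict(SAMPLE))
```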
Summary
Email authentication is already a part of email server best practices, and properly implemented, it represents a valuable solution to some phishing attacks. However, it is not a universal solution to email phishing; as this post demonstrates, it can be bypassed.
Authentication solves several specific issues related to email, but other problems are completely out of scope. Attackers know this, and have designed some of their attacks accordingly. Perversely, they are actually using authentication to improve the quality of their campaigns.
E-mail providers (such as ISPs) and organizations that run their own e-mail servers (like large companies) need to understand that other e-mail security measures, particularly content filtering, remain a necessary part of any email solution.
End users need to keep in mind two things:
- The display name and address in an email can be easily forged by a phisher. If an email’s content is already suspicious, just looking at the “From” field will not be conclusive, as this field can be modified too.
- Links in email are frequently suspicious. Unless you are certain that the links in question really do go to an organization’s legitimate site (and not a plausible-sounding but fake one), you should avoid clicking on them as much as possible.
We will continue to monitor these new email threats in order to protect our users as they appear.
Post from: Trendlabs Security Intelligence Blog – by Trend Micro