Email spoofing | Confirm my thoughts please

Forums › IT Pro and developers › Email spoofing | Confirm my thoughts please

martyyn

1971 posts

Uber Geek

ID Verified

Subscriber

#275910 16-Sep-2020 14:16

A local business was reportedly "hacked" two weeks ago. The details are sketchy because after talking to them they don't really understand how their email works, they don't really know what happened, what was involved or what was lost. Their IT guy has said there is nothing they can do about it, so they aren't doing anything.

I first heard about it last week when another local business came to me saying they had people calling them to say they had received email which their anti-virus had blocked.

I took a look at some examples and it was the usual case of the name was changed to their business name (although with a typo most people wont notice) and the reply address was something like <abc@huoyfhsue.df>. Even where they have changed the email address to be blah@domain.com the headers still show random domains.

The phone calls eventually stopped but there have been five today so obviously it's started again.

They have valid SPF and DKIM records and their website and email are all looking ok. One employee admitted to opening the attachment because they thought it had come from someone they knew, but all their desktops, laptops and mobiles are also clean.

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

So I'm assuming this is just a case of spammers spoofing their details (however badly) and there is little to nothing we can do about it ?

1 | 2

20574 posts

Uber Geek

Trusted

Lifetime subscriber

#2566003 16-Sep-2020 14:26

SPF should be set to hard fail to reject email that hasn't come from authorised email servers.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2566011 16-Sep-2020 14:48

Will be fallout from the lovely Emotet malware most likely, getting calls regarding similar issues all the time. One client was getting hammered by emails, then they dropped off, but have started again.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

martyyn

1971 posts

Uber Geek

ID Verified

Subscriber

#2566012 16-Sep-2020 14:49

I've always understood a hard fail would mess with any forwarding of genuine emails. It was a while ago so my memory may not be correct.

I've just noticed they have no DMARC set up. I see lots of conflicting advice with DMARC so never know whether it's necessary or not.

SirHumphreyAppleby

2844 posts

Uber Geek

#2566014 16-Sep-2020 14:55

SPF may help, assuming receiving servers actually checks this. As SPF applies to the envelope address, malware can get around this by randomly selecting an envelope address using a domain with no or more relaxed SPF policies.

The domain should also have a DMARC policy to instruct mail servers on how to handle failed SPF and DKIM checks. Again, it won't stop everything as it relies on the recipient checking and enforcing these policies.

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2566021 16-Sep-2020 15:14

Back to original question, it looks more like a spoofed sender's address than "email hacked".

mattwnz

20141 posts

Uber Geek

#2566022 16-Sep-2020 15:20

You should be easily able to tell if the email has been hacked by looking at the header of he email, and the server IP that is sending the email.Check the header against a legit email. Most times it will be spoofed. Banks get spoofed all the time, and phishing emails pretending to be from banks are very common. So nothing new.

CYaBro

4582 posts

Uber Geek

ID Verified

Trusted

#2566057 16-Sep-2020 15:56

A few of my clients have also asked about this recently, and they forwarded many examples to me, and they were all just spoofed email addresses.

No hacking going on and the recipient's mail server/client had correctly marked the emails as junk so not sure why they were even questioning it. :)

Opinions are my own and not the views of my employer.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

dt

1152 posts

Uber Geek
Inactive user

#2566066 16-Sep-2020 16:14

xpd:

Will be fallout from the lovely Emotet malware

My understanding with Emotet is that once it infects a PC it will start spamming the contacts of the infected computers as well.. making it even harder as your regular user will be none the wiser and open attachments from a known contact

This is where proactive users education really helps, sent out an email to all network users advising if they receive an email from a known contact stating they are "receiving phishing emails from you containing malware." is that its likely coming from an infected computer and to not open any attachments

there was an email sent out from cert on 07/09 advising about this

SirHumphreyAppleby

2844 posts

Uber Geek

#2566069 16-Sep-2020 16:17

CYaBro:

No hacking going on

Based on the responses, I don't think anyone assumed that was the case. Spoofing is far more common.

I recently received an e-mail from "william from Los angeles" (IP address in India), requesting the source code for a mail application I wrote. I'd put money on it that the reason he wanted it was to alter the X-Mailer header so mail appeared to come from a popular client, and to allow the envelope address to be set to bypass SPF checks. He may have even wanted to bundle it with malware to do the actual spamming or calling home. It wouldn't be the first time.

martyyn

1971 posts

Uber Geek

ID Verified

Subscriber

#2566080 16-Sep-2020 16:43

I don't think there is any hacking going on with the company who came to me. What happened with the original company I don't know, mostly because they don't know either.

I'm just wondering if there is more I can do to help alleviate the amount of phone calls they're getting from people saying they've been hacked and are sending out a virus.

Every email I've seen so far is pretty easy to dismiss, but to Joe Public all they see is the company name and they pick up the phone.

I've told them to email their suppliers and clients explaining the situation and they've put out SM posts to reassure people but that's not stopping the calls.

BlakJak

1275 posts

Uber Geek

Trusted

#2566122 16-Sep-2020 18:23

Where's the email hosted? What's the chances that there'll be some traversal?

A common thread behind email account compromise (usually by way of phishing - being conned into giving away your credentials) is to then leverage the compromised email account's good reputation to further distribute malicious emails. So yes, good chance that the dodgy email you receive is actually from the system of someone you trust.

Bad actor will access the compromised email account and harvest as many email addresses as they can from places like the sent items folder, other filed email folders, the address book. These become future spam targets.

As you've noted, the suspicious email attachment could well be innocuous. Or it could have something 'less malicious' tied to it - like maybe a tracking pixel or something, so they get some intel as to who has opened the document. Hard to assess based on your comments.

Importantly regarding SPF. You can publish an SPF record which others can then _choose_ to use to assess whether an email they receive, is actually from the domain being claimed. SPF results can be used to make an absolute delivery decision (so a record with -all essentially says - no match, do not accept), or "score" an email (couple with other elements to help make that decision). It's really important to understand the difference between the "Envelope Sender' (the sender email address as given during the mail-server-to-mail-server transaction) and the "From" (which is contained within the message headers - the headers are actually part of the email payload, and are NOT part of the delivery system).. SPF evaluates the Envelope-sender ONLY and the From: field in the email headers may still say something else.

So in other words an SPF record properly addressed by the recipient, still won't prevent an email address being 'spoofed' if the sender is a little clever.

As a simple example of how this works, legitimate email distribution lists (newlsetters and such) will use an envelope-sender that uniquely identifies you as a recipient - so that a failure to deliver (bounce) can be automatically processed in a way that affects your own subscription without affecting anyone elses. But the From will still simply look like the place you're subbed to. Mailing lists (Mailman etc) work this way as well.

There's really no substitute for education; ensuring staff know to look for signs that the email is not 'as expected' and to then ask questions. A rogue Reply-To header, a source domain that looks different, a subtle difference in formatting, these are all cues that something's up.

Also... hate the use of the term 'hacked', it's quite inspecific. Social engineering attacks are not necessarily 'hacks' when they're targeting the human element.

No signature to see here, move along...

SomeoneSomewhere

1802 posts

Uber Geek

Lifetime subscriber

#2566196 16-Sep-2020 19:42

I've had some of these arrive, purporting to be from someone legitimate, but the actual sender is a nonsense address. A .doc with a random name is attached.

Interestingly it has the title and content of a previous email conversation I had with them, so the malware must have access to their email inbox.

MadEngineer

4271 posts

Uber Geek

Trusted

#2566203 16-Sep-2020 19:54

I’ve seen a tonne of emails replied back to the original sender with .doc attachments with simply something like, “thanks for that, please see attached”.

The original email might be 6 or 12 months old and is a real email that they had sent all those months back. This email with the attached virus is coming from a third party, usually an open or hacked mail server.

This can only mean that the email account some time ago was slurped of all emails for the purpose sending back to the original sender with the payload. The slurp would have been performed by a hack of their office365 account. I say office365 as it’s a common theme that I see.

At some point someone has clicked a dodgy link in a phishing email to a website where they entered their outlook.com password. From experience, most likely one of the Xero fakes or similar where you’re asked to click a link to view an invoice

(Party A sends an email to Party B. Party B gets hacked by party X. Party X uses hacked server of party Q to send payload back to party A with emails between parties A+B and all contacts of party B. There is a very high chance that party A now gets hacked because it’s a reply to their own email, their own subject, their own contact is named. Rinse, repeat.)

Somewhere out there is a massive database of ancient emails from many many hacked accounts.

Some of them have had the email signature changed ever so slightly, eg the mobile number has a couple of digits swapped around so when the recipient goes to ring them for confirmation before clicking the attachment they don’t get anywhere, increasing the chances of the payload.

You're not on Atlantis anymore, Duncan Idaho.

xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#2566241 16-Sep-2020 21:02

SomeoneSomewhere:

I've had some of these arrive, purporting to be from someone legitimate, but the actual sender is a nonsense address. A .doc with a random name is attached.

Interestingly it has the title and content of a previous email conversation I had with them, so the malware must have access to their email inbox.

That's the method Emotet uses for spreading itself.... fricking annoying thing.

Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree

1101

3122 posts

Uber Geek

#2566613 17-Sep-2020 09:29

martyyn:

The attachment appears to be an empty .docx file. It's only 172KB, so I put it on an old laptop and it scanned ok with ESET and malwarebytes and opens a blank Word doc.

Upload it to Virustotal.com for scanning
https://www.virustotal.com/gui/

A doc attatchment I was given , thought to have caused a ransomware attack , scanned as clean with NOD, Bitdefender & Mbytes, but showed as infected in Virustotal .

"Somewhere out there is a massive database of ancient emails from many many hacked accounts. "
Actually not old emails, recent sent (eg Dec 2019) emails are on hackers databases . They use these emails to make the spammed email look like a legit reply , this is becoming more common

One thing that should be done , is have companies remove email address from their websites. But no matter how many times you advise them to do this, nothing happens
Some company websites have staffers Full Name ,photo, job title & email address . Making it all to easy to spoof emails to look like invoices or payment requests from the company accountant or managers (and it happens)

1 | 2