Issue No. 70, May 2018
Email spoofing basically comes down to sending emails with a false sender address. This can be used in various ways by threat actors. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regard to the receiver.
Why spoof the sender address?
Although most well-known for phishing purposes, there are actually several reasons for spoofing sender addresses:
How are they (the bad guys) able to pull it off?
One way to spoof emails is for the evil-doer to find a mail server that has an open SMTP (Simple Mail Transfer Protocol) port.
SMTP itself lacks authentication, so servers that are poorly configured in this way are prey to abusers. And there is nothing that can stop a determined attacker from setting up his own email server.
Having done that, freely available software will allow you to use any sender address you like. The receiver would have to check the full headers of the mail to find out whether the mail came from the “real sender” or if it was spoofed. This takes some knowledge and time, which you probably do not want to spend on every incoming mail. In these cases, however, replies go to the actual owner of the email address and not to the attacker.
That is why, in cases like CEO/CFO fraud, you will often see that the attackers registered a domain very similar to that of the company they were trying to trick: a difference in the domain that could easily be missed by the intended victim, like for example Ka$mare$.com. That will enable them to get any replies from their victim in case they were asked for more information or confirmation.
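The header check and the look-alike domain problem described above can both be automated on the receiving side. The following is an added example, not code from the original article; the trusted domain `example.test`, the sample messages and the 0.85 similarity threshold are assumptions made for illustration.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.test"}  # assumption: the domains your organisation really uses

def domain_of(header_value):
    """Domain part of an address header, lower-cased ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain that `domain` closely imitates, or None."""
    for good in TRUSTED_DOMAINS:
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def check_headers(raw):
    """List the spoofing signals found in the full headers of one raw message."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Envelope sender (Return-Path) differing from the visible From domain.
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        findings.append("envelope-mismatch")
    # Replies steered to a different domain than the one displayed.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Only trust an Authentication-Results header stamped by your own receiving server.
    auth = (msg["Authentication-Results"] or "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("auth-fail")
    # A look-alike domain passes every check above: the attacker owns it.
    if lookalike_of(from_dom):
        findings.append("lookalike-domain")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ("Return-Path: <bounce@mailer.invalid>\n"
           "Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer.invalid\n"
           "From: The CEO <ceo@example.test>\nTo: finance@example.test\n\nPlease pay today.\n")
LOOKALIKE = ("Return-Path: <ceo@examp1e.test>\n"
             "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=examp1e.test\n"
             "From: The CEO <ceo@examp1e.test>\nTo: finance@example.test\n\nPlease pay today.\n")

if __name__ == "__main__":
    print(check_headers(SPOOFED))    # ['envelope-mismatch', 'auth-fail']
    print(check_headers(LOOKALIKE))  # ['lookalike-domain']
```

Treat the findings as signals for triage rather than verdicts: mailing lists and bulk-mail providers legitimately send with an envelope domain that differs from the From domain.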