Spoof Spotting

May 31, 2019 | Cyber Incident and Response

Recognizing Those Trouble-Making Emails and Stopping Them in Their Tracks

Spoof Spotting Transcript and Slides:

Hello! My name is Katherine Parker. I represent Secure Networkers, a business dedicated to helping businesses navigate the often perilous terrain of network security. Learn more about Secure Networkers at SecureNetworkers.com.

Today we’re covering the subject of Spoof Spotting: recognizing those pesky email forgeries that lure you to follow links or download attachments that are meant to infect your network, or dupe you into disclosing sensitive information that will give the Spoofers the opportunity to rob you of personal identity information, money, or other sensitive information. Every Spoof we spot with you today will include a visual and description. By the end of this video, my goal is for you to feel confident that you can readily recognize all the tell-tale signs of a spoofing email.

Spoof Spotting Part 1: Anatomy of an Email Spoofer

Human error is, by far, the biggest reason for cyber security issues, and email is the most successful attack vector for cyber criminals. This is why Spoofers exist. Humans are easier to trick than machines, and if they can trick you into giving them access to your business network, then they have their payday. A spoofing email may be after an individual to, for example, disclose personal bank account information, but spoofing emails now target corporations, with the objective of delivering ransomware or gaining access to trade secrets or other proprietary information. For that reason, spoofing emails are a tool of major cyber crime syndicates. If they can get you to open an attachment or click a link in an email that, for all the world, looks official and authentic, doing so while sitting at your office desktop can not only expose your computer to malware; the whole business network could be immediately compromised.

Learning to identify spoofing email has never been more important.

Who is a Spoofer?

So who is this Spoofer trying to trick you? It could be a man or a woman, someone right down the street from where you live or half the world away. Chances are good that they are employed by a syndicate. A Spoofer is paid to produce something that will be successful, a spoof email that will be opened, with links clicked on or attachments opened, paving the way for the ultimate attack. So a Spoofer will often put a lot of research into you, your business and all of its employees, so that the contents they put in that email they are constructing will look entirely convincing to you. Experience a 4-minute dramatic presentation of a Spoofer’s role in delivering a ransomware attack, produced by Cisco.

Spoof Spotting Part 2: The First Things You See

You will not always be able to spot a spoof from the sender/subject view of an email inbox. As you scan through your emails, the one that looks like it is from a trusted sender is just as likely to be a spoofed email as any other.

In this example the Sender is Sully Smartwise. He is a manager at the company where you work.

Example of a Spoof Email in Your Inbox

  • The subject line, “Please Read Before the Meeting,” prompts your sense of urgency.
  • There are a few things, however, that might be red flags that you can spot.
  • If you do have an upcoming meeting, then this would not necessarily raise any red flags with you. But if you knew nothing of an upcoming meeting: beware. It may be that there is no upcoming meeting. A Spoofer would not mind it if they tricked you into thinking you forgot something in your schedule – it might make you more eager to click on the bait in the email.
  • There is also a .zip file attached.
  • Before you open the email, here are the things to consider:
    • Is this a person at the company with whom you normally communicate? Does it seem random for this person to send you an email about an upcoming meeting? Spoofers are often able to get name and email address information from a business directory, but they cannot as easily know the correct business relationships you have within the company. If this is someone with whom you do not usually correspond, it is a reason to be concerned.
    • Exercise caution if the email is from:
      • Anyone outside OR inside the organization with whom you do not normally correspond
      • ANY email from a vendor, a customer, or even a trusted business partner, if it seems out of character or unusual.
    • The attachment is a .zip file. Anything can be in it, including malware. There are a limited number of file types that are always safe. We will review these later.
    • Furthermore, if you were not expecting documents or files from this person, or the title of the attachment does not seem to relate to your business concerns or even to the subject line of the email to which it is attached, beware.
    • Also take a look at the time it was sent. This email came to your inbox at 12:54 AM. Certainly not during regular business hours for Sully! But if this is a spoofed email and the Spoofer is in Asia, it would make complete sense.

Opening the email, the first thing you ought to do, before you even read what the sender has to say, is read the email’s envelope information. This is accessed in different ways in different email clients. The example I show here is Gmail.

Spoof Email Envelope Information Red Flags

  • The recipient list has a down-arrow at the end of it (orange arrow). Click on it, and it will open up the details of the email that will help us determine its authenticity (foreground box).
  • The envelope information provides a lot of clues that help us to determine if the email is a spoof. It will show the distribution of recipients, in this case all recipients are email addresses belonging to employees of Innovative Collaboratives.
    • First, look at the distribution list. Does this look like a list of hand-picked colleagues that are operating on a project together, or a list of all employees whose names begin with K? This should cause serious concern about the legitimacy of this email and the sender.
    • Second, look at the email address and the domain from which the email was sent. Email addresses are domain-specific. If you notice a misspelling in the name, or in this case, an ‘s’ missing from ‘collaboratives’ at the end of the sender’s domain and email address, it is a sign of an email coming from someone who purchased and registered a domain name that is nearly the same as that of the company, but is not the company. This is a HUGE red flag. Someone here is definitely trying to pass himself off as Sully, but this is not coming from Sully’s correct email address.
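The missing-letter domain above is exactly what a lookalike check can catch before a human has to. The following is an added example (not code from the original presentation or from Secure Networkers): it extracts the domain from a From: header, compares it to the organization's real domain by edit distance, and flags near-misses such as the dropped ‘s’. The domain innovativecollaboratives.com is taken from the transcript's example; the threshold of two edits is an assumption.

```python
from email.utils import parseaddr

# Assumed: the organisation's genuine sending domain(s), from the transcript's example
TRUSTED_DOMAINS = {"innovativecollaboratives.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions) via the classic DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the address out of 'Display Name <user@domain>' and return the lowercase domain."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted' (exact domain), 'lookalike' (within max_distance edits) or 'external'."""
    dom = sender_domain(from_header)
    if not dom:
        return "external"
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        if edit_distance(dom, good) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed headers mirroring the Sully Smartwise example
    for hdr in ("Sully Smartwise <sully@innovativecollaboratives.com>",
                "Sully Smartwise <sully@innovativecollaborative.com>",
                "Vendor <billing@example.org>"):
        print(f"{classify_sender(hdr):10} {hdr}")
```

A 'lookalike' verdict is a strong signal to quarantine or tag the message for review even when the display name matches a real colleague.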

Let’s inspect what this email contains. This email has an attachment, a zip file with a very general name, “Education.” Truth is, you might be getting an education you don’t want if you open this and explore the contents inside.

Spoof Email Contents

There is a short list of file extensions you can trust. If it is a .jpg picture, an .mp3 or a .wav audio file, you should be safe. The only document you can absolutely trust is a text (.txt) file. If you are presented with any other type of file, verify that it is legit before you open it. Otherwise you might find out that you were responsible for the delivery of a malware payload into your office network.

Now let’s look at another kind of email, a phishing email, this one with clickable hyperlink bait. It’s an email that tells you that your domain registration is overdue, and you are at risk of losing your domain if you do not renew it right now!


Phishing Email Contents

If you hover over that “Secure Online Payment” link, without clicking on it, you will notice a box will materialize, either right next to your cursor or in the bottom left corner of your screen, containing the URL that is behind the clickable link.

  • Red Flag! This link takes you to a URL for GoDoddy dot com, NOT the place where your domain is likely to be registered!
  • By the way, if you ever need to verify your domain registration and when it is actually up for renewal, you can always look it up at Whois.com. Registration of domain names is public, and you and all your fellow employees can verify your business’ domain registration information without accessing the confidential account where it is registered.

Here is how to look up any domain name. Go to Whois.com.

Type in the domain name in question, and look it up.


Who is Domain Registration Lookup Part A

If someone out there has this domain registered, Whois.com will report to you that the domain is unavailable. Click on the “Whois” prompt to find out all there is to know about who is the owner and registrar of that domain.


Who is Domain Registration Lookup Part B

If the registrant has chosen privacy options, you will find portions of the raw Whois data redacted.


Domain Registration Information

However, the domain registration creation date, updated date, expiration date, and the name of the registrar are always public information.

  • This way, you can always check your own domain’s status if you need, OR learn something about any domain related to any scam you suspect.


Spoof Spotting Part 3: Where to Look for Spoofs (All Devices!)

We live in the age of the internet of things, so it is important to keep mindful of spoofs showing up on all of your devices. Tablets are becoming handy portable computers in many work environments, and they are connected to the network. Laptops, too. The laptop that gets infected while at home can be transported to work the next day, and share its bug with the whole network. Cell phones, too, are usually set to connect with the office wireless the moment you go through the door. All these devices, and many more, can cross-infect each other, so be wary.


Email Security that includes DKIM, SPF, and DMARC

So the obvious question is, Aren’t there security solutions that can stop Spoofed emails in their tracks? The simple answer is, YES. Secure Networkers deals largely with Cisco security solutions, and Cisco offers a solution called, aptly enough, Cisco Email Security. Another reputable product that can accomplish good email security might be Agari.

Any email security software you choose needs to be able to do certain functions:

  • Incoming mail should be run through both DKIM and SPF authentication. DKIM stands for DomainKeys Identified Mail. It is an email authentication method designed to detect forged sender addresses in emails. SPF stands for Sender Policy Framework, a record used to indicate to mail exchanges which hosts are authorized to send mail for a domain.
  • The SPF check looks up the sending domain’s SPF record in DNS and confirms that the mail server which delivered the message is one of the hosts that record authorizes.
  • Likewise, the DKIM check verifies the message’s signature against the public key the signing domain publishes in DNS, so a message altered or forged after signing fails.
  • DMARC stands for Domain-based Message Authentication, Reporting & Conformance. This is a protocol with many jobs, but one of its primary jobs is alignment: the domain in the visible “From” header must match the domain that SPF or DKIM actually authenticated (the envelope sender or the DKIM signing domain), which prevents “header from” spoofs. It works with the SPF and DKIM authentication processes. Brands protected with DMARC as part of their email security measures are unattractive to Spoofers, so having an email security solution with this feature is well worth it!
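To make the alignment rule concrete, here is an added example (not code from the presentation, from Cisco, or from any vendor named above) that evaluates a DMARC verdict from the SPF and DKIM results a receiving mail server has already produced. It parses a DMARC TXT record for its alignment modes and shows why a Spoofer’s lookalike domain fails even when SPF and DKIM pass for that lookalike. The AuthResults inputs and the domains are constructed; organizational-domain matching is simplified to the last two labels (real DMARC uses the Public Suffix List).

```python
from dataclasses import dataclass


@dataclass
class AuthResults:
    """Constructed stand-in for what the receiving MTA already checked."""
    spf_result: str   # "pass"/"fail": connecting IP authorized by the MAIL FROM domain's SPF?
    spf_domain: str   # envelope MAIL FROM domain the SPF record was looked up for
    dkim_result: str  # "pass"/"fail": signature verified against the d= domain's DNS key?
    dkim_domain: str  # d= tag of the DKIM-Signature header


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, applying RFC 7489 relaxed defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from_domain: str, auth: AuthResults, record: str) -> dict:
    """DMARC passes only if SPF or DKIM passed AND that identifier aligns with the header From domain."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(header_from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(header_from_domain, auth.dkim_domain, tags["adkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail", "policy": tags.get("p", "none")}


# Constructed scenarios: the Spoofer's lookalike domain authenticates for itself but the
# header From is forged to the real company; the legitimate mail comes via a subdomain relay.
SPOOF = AuthResults("pass", "innovativecollaborative.com", "pass", "innovativecollaborative.com")
LEGIT = AuthResults("pass", "mail.innovativecollaboratives.com", "fail", "")

if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; aspf=r"
    print(dmarc_evaluate("innovativecollaboratives.com", SPOOF, rec))  # dmarc fail -> reject
    print(dmarc_evaluate("innovativecollaboratives.com", LEGIT, rec))  # dmarc pass (relaxed SPF)
```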


Be Vigilant to Block Spoofed Emails

Internet criminals are always innovating to find new ways of running successful scams. Take a both/and approach to your email security. Get both educated with knowledge to spot scams and equipped with the best email security software available. Together these two things will make your business a very unlikely target for the multitude of scams that have been taking out many enterprise-level businesses as well as smaller companies. The problem is only getting worse, so it is to your own peril not to protect yourself. If you have further questions, you can contact us at SecureNetworkers.com.

Has this presentation been helpful to you? Please let us know with a “like” and a “follow” of our Youtube channel, and let us know if you have any specific topics you would like us to cover. We gladly take requests.
