
In a society where virtual exchanges are increasingly predominant, methods of identity theft and counterfeiting have evolved in parallel with the means of communication.

However, we assume too easily that these exchanges are secure and cannot be fraudulent or altered.

One common type of fraud (also common in the age of paper) is to produce false documents, such as official letters, invoices, corporate communications, etc. The purpose is to convince the recipient to perform one or more actions for the benefit of the offender.

In our virtual era, this type of scam applies particularly well to e-mail (“spoofing”), whether the goal is identity theft, delivering malware, etc. This article covers one of the approaches used by some attackers: the impersonation of a user in the context of corporate e-mail.

BASIC PRINCIPLES

By default, the SMTP protocol has no authentication mechanism. It is therefore possible to impersonate a sender. The sender's identity (the FROM) is recorded in two places. The first is the envelope, the MAIL FROM command, which is the equivalent of the front of a paper envelope and is what the servers use to deliver the e-mail. The second is the normal From header, which is part of the DATA, i.e. the e-mail message itself. Here is an example of an SMTP trace containing the two FROMs:


S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, Happy to meet you.
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: Alice Example <alice@example.com>
C: Date: Tue, 15 March 2017 12:01:52 -0500
C: Subject: Test Message
C:
C: Hello Alice.
C: This is a test message.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
{The server closes the connection}

The second FROM, the one inside the DATA, matters much less to the SMTP protocol: many clients and servers (the mail-sending software) do not use it for routing or for verifying the identity of the sender. It is precisely this From header inside the DATA that can easily be changed or spoofed to the identity of someone else, or simply to a fictitious identity. When the recipient opens the e-mail, the address their mail client displays is usually the one from the message header, which may therefore be false.
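As an added example (not code from the original post), the script below extracts both senders from an SMTP trace written in the same "C: / S:" format as the one above: the envelope MAIL FROM and the From header found inside the DATA section. It then reports whether the two share a domain, which is the first thing a defender would look at when deciding whether a message's displayed sender can be trusted. The traces, the function names and the "aligned / mismatch / incomplete" labels are all constructed here for illustration.

```python
"""Added example: pull the envelope sender and the header From out of an
SMTP trace and compare them. Assumes the trace format used in the post:
client lines start with "C: ", server lines with "S: ", and the message
body sits between the DATA command and the lone "." line."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample trace, modelled on the one in the post.
SAMPLE_TRACE = """\
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, Happy to meet you.
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: Alice Example <alice@example.com>
C: Subject: Test Message
C:
C: Hello Alice.
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
"""

# Constructed trace in which the From header inside DATA no longer matches
# the envelope sender: the situation the post describes.
MISMATCH_TRACE = SAMPLE_TRACE.replace(
    'C: From: "Bob Example" <bob@example.org>',
    'C: From: "Alice Boss" <boss@example.com>',
)

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def parse_trace(trace):
    """Return (envelope_from, header_from, header_display_name).

    Only the client side ("C: ") carries sender information; the server
    replies are skipped. Inside DATA every client line is collected until
    the terminating "." and then parsed as an RFC 5322 message."""
    envelope_from = None
    data_lines = []
    in_data = False
    for raw in trace.splitlines():
        if not raw.startswith("C:"):
            continue
        line = raw[3:]  # drop the "C: " prefix; a bare "C:" becomes ""
        if in_data:
            if line == ".":
                in_data = False
            else:
                data_lines.append(line)
            continue
        m = MAIL_FROM_RE.match(line)
        if m:
            envelope_from = m.group(1)
        elif line.strip().upper() == "DATA":
            in_data = True
    msg = message_from_string("\n".join(data_lines))
    name, header_from = parseaddr(msg.get("From", ""))
    return envelope_from, header_from, name


def domain(addr):
    """Domain part of an address, lower-cased for comparison."""
    return addr.rpartition("@")[2].lower()


def check_sender_alignment(trace):
    """'aligned' when the envelope sender and the header From share a
    domain, 'mismatch' when they differ, 'incomplete' when either is
    missing. Both values can still be forged; this only tells you whether
    the address the user sees agrees with the one the servers delivered."""
    env, hdr, _ = parse_trace(trace)
    if env is None or not hdr:
        return "incomplete"
    return "aligned" if domain(env) == domain(hdr) else "mismatch"


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("mismatch", MISMATCH_TRACE)):
        env, hdr, name = parse_trace(trace)
        print(f"{label}: envelope={env} header={name!r} <{hdr}> "
              f"-> {check_sender_alignment(trace)}")
```

On the sample trace both senders are bob@example.org and the result is "aligned"; on the second trace the envelope still says bob@example.org while the header claims boss@example.com, so the check returns "mismatch" even though a mail client would only show the recipient the header value.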

Next week we will see some examples of security measures to protect emails from spoofing.

David-Alexandre Alarie, CEH, CSX
Jonathan Roy, MCP, GWAPT
