Well in the last few days, some people reported that they got an email from a CEO company, saying that the CEO wants to talk to him (perhaps to discuss a secret project? lol :-p). see the email below.
This email is suspicious, because:
- He never had any contact with the CEO before
- The email goes into the spam folder
- Too good to be true?
I had this experience before, and asked him to check the reply-to section of the email. And tadaa… it turns out that the “reply-to” address is different than the “from” email address. Well, without further due, we just reported SPAM email.
HOW phishing email happens?
A phishing email attack is not new. Its been there since many years ago. This attack happens by exploiting the flaw in email protocol (SMTP – simple mail transport protocol). The SMTP protocol does not require to have a strict checking on the sender. Meaning, when you send an email, you can pretend that you are sending from email@example.com while actually you are not. the protocol was designed many years ago with the spirit of trusted internet, and flexibility.
- It usually started with a compromised server, where the attacker sends emails to the targeted address, where the “from” section is usually a well-known email address, but the “reply-to” section is different.
- If the victims did not do enough checking on this, then they will reply to the reply-to address, and the conversation continues. the attacker can send an attachment that contains virus/malware, ask them to go to a website, or anything else.
How to stop the phishing-email attack?
Well, short answer is NO. it’s up to attacker, and they can attack whenever they like right?
With the current wide adoption of the SMTP protocol (together with its flaw), I think this is going to hard to stop.
OK what about preventing the phishing-email attack?
Despite the fact that there are flaws in the SMTP protocol. There are some initiatives to enhance its security aspects, at least to identify them:
- Using SPF (sender policy framework). basically the legitimate email server informs which IP address is legitimate for sending email from its domain. If the emails were sent from different addresses, the destination email server can consider those emails as spam/attack.
- Using DKIM (DomainKeys Identified Mail). This method will sign all outbound emails from the legitimate server, which then can be verified by the destination email server. inbound email without sign will be considered spam/attack.
- Using GPG (Gnu Privacy Guard). This method is considered the best because it provides end-to-end encryption. its not only signed the email, but also encrypt it.
Thanks for reading. This topic is part of GLCnetworks sysadmin training. if you are interested, please contact us.