Spearphishing

Spearphishing messages are customized phishing emails that seem to come from one source when in reality they come from another. Spammers use these emails to get employees to take actions that will benefit the spammer.

Figure: Example of a typical CEO Scam.

In this article:

  • The Spoofing Problem
  • SMTP-From Spoofing
  • Content-From Spoofing
  • From-Name Spoofing
  • How We Block Spoofed Emails

The Spoofing Problem

Over the years, spammers have found many ways of passing themselves off as others (i.e., spoofing). Spoofed emails have been used for many purposes by spammers. Some spam campaigns aim to get you to give up personal information (login credentials, banking information, etc.) or to install malicious code (ransomware, malware, botnets). These emails are easier to detect because of the payload they want you to download or the links they want you to click. Other spam campaigns aim to get your cooperation in an activity (e.g., sending a money transfer or buying gift cards). These emails are typically void of any incriminating content such as dangerous links or attachments and are sent to a limited number of recipients. This makes them very difficult to detect by conventional means.

In order to understand how to block these types of spam emails, it is important to understand how spammers are spoofing senders.

There are three types of spoofed emails that we frequently see:

  • SMTP-From spoofing
  • Content-From spoofing
  • From-name spoofing

Before we get into describing the differences between these spoofing techniques, let's start with a short explanation about how emails use and display sender information. By design, emails can have multiple sender addresses:

  1. There's the sender's address used in the SMTP transaction. This is given during the MAIL FROM command by the sending server. This is the SMTP-From.
  2. There's also the sender's address that shows up in the email content. This is given in the From: email header and is composed of two parts: the From-name (sender's name) and the From-address (sender's email address). This is the Content-From.

With this in mind, we can now learn more about different types of spoofing as well as how to block them.

SMTP-From Spoofing

Problem: As you can guess, SMTP-From spoofing is when the spammer uses a domain that doesn't belong to them during an SMTP transaction. This type of spoofing has existed for a very long time, as has its solution.

Solution: The best way to block SMTP-From spoofing is by using an SPF record (see Related Articles).

This solution can be a little tricky because it requires that everyone who has a domain sets up an SPF record. Failure to set up an appropriate SPF record means that spammers can keep on sending spoofed emails using this technique. What's more, since this affects sending domains, there is little you, as a recipient, can do if your sender is not using SPF.

Content-From Spoofing

Problem: With the growing adoption of SPF records, spammers started to switch spoofing techniques. They started sending emails either from domains that had no SPF record or from domains which pass SPF verification. This can easily be done by registering free domains, using freemailer email addresses, or using their botnets. As long as SPF verification is not an issue, spammers can send emails spoofing a domain at the Content-From level by displaying a spoofed From-address.

Solution: The best way to block Content-From spoofing is by using a DMARC record (see Related Articles).

This solution has a similar limitation as SPF records: it requires that everyone who has a domain configures a DMARC record. What's more, DMARC records are much newer and thus have much lower adoption when compared with SPF. Regardless, DMARC remains the best method of blocking Content-From spoofing emails.
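As an added example (not code from the original article), here is how the two sender identities described above separate in practice, and how a DMARC-style relaxed alignment check compares the SMTP-From domain with the From-address domain. The envelope sender, the raw message and the two-label domain simplification are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample. MAIL FROM is what the sending server declared during
# the SMTP transaction; the From: header is what the mail client displays.
ENVELOPE_FROM = "bounce@mailer-example.net"
RAW_MESSAGE = b"""From: "Jane Doe" <jane.doe@example.com>
To: accounting@example.com
Subject: Quick favour

Can you process a transfer today?
"""

def org_domain(address: str) -> str:
    """Registrable domain of an address (simplified to the last two labels).

    Real DMARC derives this from the public suffix list; that is out of
    scope here, so sub.example.com -> example.com is the only case handled."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def sender_identities(envelope_from: str, raw: bytes) -> dict:
    """Split a message into the sender identities the article names."""
    msg = email.message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    return {
        "smtp_from": envelope_from,  # SMTP-From: MAIL FROM in the transaction
        "from_name": from_name,      # Content-From, display-name part
        "from_address": from_addr,   # Content-From, address part
    }

def classify_alignment(ids: dict) -> str:
    """Relaxed identifier alignment as DMARC applies it.

    SPF only vouches for the SMTP-From domain; when the From: address
    domain differs, an SPF pass says nothing about what the user sees."""
    if org_domain(ids["smtp_from"]) == org_domain(ids["from_address"]):
        return "aligned"
    return "content-from-misaligned"

if __name__ == "__main__":
    ids = sender_identities(ENVELOPE_FROM, RAW_MESSAGE)
    print(ids, classify_alignment(ids))
```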

From-Name Spoofing

Problem: The most recent type of spoofing, From-name spoofing, arose due to the growing adoption of SPF and DMARC records. Spammers have started spoofing the From-name without even spoofing the SMTP-From or Content-From addresses. From-Name Spoofing (sometimes also called Whaling, Business Email Compromise (BEC), CEO Fraud, or CEO Scams) is especially hard to block since many modern email clients only display a sender's name.

Solution: There is currently no globally available "best way" of blocking From-name spoofing. This is because there is currently no SPF or DMARC equivalent which ties a person's name to their domain name.

With that being said, we have developed a specialized module in order to reliably block these kinds of attacks. The Spearphishing Module (see Related Articles) is available to all our clients and is ready to be configured to block from-name spoofing emails.

How We Block Spoofed Emails

We offer two layers of detection against spearphishing and spoofed emails.

General Detection 

Based on the analysis of thousands of spearphishing samples, we have implemented filters that effectively block most attacks based on the following factors:

  • Basic authentication verifications: SPF, DKIM and DMARC.
  • The correspondence between the declared sending address, the real sending address, and the reply to address.
  • The lexical distance between the to and from domains (i.e., lexicographical distance).
  • The validity of the sending domain.
  • The presence of text related to money transfers or exportation of sensitive information.

These filters are constantly updated as new threats and operating schemes appear. These spearphishing detection capabilities are built-in and automatically apply to all clients.

Spearphishing Module

In a typical spearphishing attack, spammers impersonate a C-level executive who has the authority to request wire transfers or the release of confidential information. Only a handful of people would have this power in any given organization. When these people send such requests to members of their team, it would normally be an internal email (messages from a sender in your organization to a recipient in your organization). Internal messages are not routed through the Internet, so they don't go through our filters. A spearphishing email would come from the Internet and would appear to come from a very specific person within the organization. The spearphishing module builds on this idea to block messages purporting to come from these sensitive senders in your organization.

The spearphishing module is an optional component of our filtering architecture that can be used at no additional cost and that does not interact with our basic spearphishing detection rules. If the spearphishing module is activated and fails to recognize a spearphishing message, that message can still be blocked by our generic spearphishing detection rules. The module greatly increases our spearphishing detection power by concentrating on the most incriminating elements of such messages: the From-name. You can learn how to configure our spearphishing module by viewing the Related Articles.
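As an added example serving both the general detection factors listed above and the spearphishing module's protected-sender idea (illustrative code, not the vendor's own filters), a simplified scorer that checks From/Reply-To correspondence, the edit distance between the recipient and sender domains, money-related vocabulary, and whether a protected From-name arrives from outside the organization. The organization domain, protected names, term list and sample message are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed configuration for a hypothetical protected organization.
ORG_DOMAIN = "example.com"
# The module's sensitive senders: From-names matched case-insensitively.
PROTECTED_NAMES = {"jane doe", "john roe"}
MONEY_TERMS = ("wire transfer", "gift card", "bank details", "confidential")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used as the lexical domain distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def score_message(headers: dict, body: str) -> list:
    """Return the indicators that fired; an empty list means none did."""
    hits = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _, to_addr = parseaddr(headers.get("To", ""))
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    from_dom, to_dom = domain_of(from_addr), domain_of(to_addr)
    # Spearphishing module: a protected name arriving from outside the org.
    if from_name.lower() in PROTECTED_NAMES and from_dom != ORG_DOMAIN:
        hits.append("protected-from-name-external")
    # Declared sender and reply-to address do not correspond.
    if reply_to and domain_of(reply_to) != from_dom:
        hits.append("reply-to-mismatch")
    # Lookalike domain: close to, but not equal to, the recipient's domain.
    if from_dom != to_dom and levenshtein(from_dom, to_dom) <= 2:
        hits.append("lookalike-domain")
    # Vocabulary of money transfers or sensitive-data requests in the body.
    if any(term in body.lower() for term in MONEY_TERMS):
        hits.append("money-or-sensitive-terms")
    return hits

# Constructed sample: the CEO's From-name on a lookalike domain, replies
# redirected to a freemail-style address, and a wire-transfer request.
SAMPLE_HEADERS = {
    "From": "Jane Doe <jane.doe@examp1e.com>",
    "To": "accounting@example.com",
    "Reply-To": "jane.doe@freemail.example",
}
SAMPLE_BODY = "Please arrange a wire transfer today and keep it confidential."
```

Calling `score_message(SAMPLE_HEADERS, SAMPLE_BODY)` fires all four indicators, while a genuine internal message from jane.doe@example.com to the same recipient fires none.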