Sunday 31 July 2011

How much do we trust our email?

The purpose of this article is show how an attacker can trick someone into thinking that they are talking to someone else on email. It uses the following two websites:

1.Mailinator [http://mailinator.com] - Instant access and anonymous web mail.
2.Fake Emailer [http://emkei.cz/] - Builds fake emails.

Scenario
Bob wants to trick Alice that her boss is contacting her. Alice works for Fireweb in Japan. He wants to use social engineering to make Alice give up her home phone number.

Using Fake Emailer to create the engineered email
Fake emailer is a really quick and easy way to build an email that looks (from the outside at least), trustworthy. You can tailor it to have any from and two address, and reply-to address, any contents, even the headers themselves can be tailored.

We will use the following:
To address: Alice@herhomeemail.com
From: The.Boss@fireweb.ne.jp
Reply-to Address: The.Boss.a.fireweb.ne.jp
Message: Hi Alice, I'm afraid we are having an emergency here in the office, and I would like to contact you ASAP, could you please send me your home phone. Thank you. The Boss.

What Alice sees:
Alice gets a very official looking email. The from address is the boss' real address.

She clicks reply and the reply to address is The.Boss.a.fireweb.ne.jp . She then types her reply.

The result
Alice sends her information to the Mailinator address which Bob can instantly access anonymously.

Conclusions and preventions:
Alice had very few clues to tell her what was happening. The biggest and most obvious to us now is that the reply-to address is completely wrong. However it gets pretty well hidden. For starters the initial From address is completely legit (assuming Bob knew it). Not many people go out of their way to double check the email reply address is write, and even a quick glance here is still not enough to catch what is going on.

This could be furthered by putting HTML on the site to make it look more official, or getting Alice to do something that doesn't even involve replying to the address, like clicking on a contained link, or contacting a 3rd person on the Boss' behalf.

In this case, we have to look at the header information to see what is going on:

X-Originating-IP: [46.167.245.101]
Authentication-Results: mta1451.mail.mud.yahoo.com from=fireweb.ne.jp; domainkeys=neutral (no sig); from=fireweb.ne.jp; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO emkei.cz) (46.167.245.101)
by mta1451.mail.mud.yahoo.com with SMTP; Wed, 19 Jun 2011 01:18:08 -0700
Received: by emkei.cz (Postfix, from userid 43)
id 6096281AA11; Thu, 30 Jun 2011 06:18:11 +0200 (CEST)
To: alice@yahoo.com
Subject: firey shark
From: "The boss"
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: boss@fireweb.ne.jp
Reply-To: The boss@fireweb.ne.jp
Content-Type: text/plain; charset=utf-8
Message-Id: <20110630041811.6096281AA11@emkei.cz>
Date: Thu, 30 Jun 2011 06:18:11 +0200 (CEST)
Content-Length: 1
Doing an IPlookup [http://ip-lookup.net/index.php], shows us that the originating IP of 46.167.245.101 is obviously wrong and the message-Id contains the source site.
The received information is also different from normal, as if it has bounced off of emkei.cz, not something you normally see on emails.

Despite all of these anomolies, both Yahoo and google mail both send through the information without detecting and warning the user.