Tutorial Spoofing Emails - The Effective Way
#1
It doesn't matter whether you work in security or not: fake emails have become part of everyone's daily life. And because they appear so routinely, messages created at random and sent en masse are easily identified. In this article, however, we'll look at how to create a convincing one. You'll find that, with little effort, even infosec professionals can be fooled by a message.
 
WARNING: This is not a tutorial for criminals or a step-by-step guide to running scams. This text was written for professionals in the field: red teamers, pentesters and the curious. Remember that phishing is a crime.

 
Choosing the Perfect Stage
 
First of all, forget about generic campaigns; they don't work anymore. Older users could once be tricked by a fake email about their pension, and greedy traders were easily hooked by a promise of returns, but nowadays people have access to more information. Messages built on these old templates usually don't even reach their destination: email providers block them before they reach the inbox. Assume that if your message is not blocked, it will be read by someone capable of identifying a fake.
 
That said, the first step is to choose a minimally viable scenario. Rather than picking a random list of addresses, query one of the many databases that leak on a daily basis, for two reasons:
 
  • You will be sending from a sender whose recipients are used to receiving its messages.
  • Among the dozens of leaked companies, you will eventually find one whose SPF settings are wrong or leave a loophole. Give that company full priority. You can learn more about SPF here, to understand why this matters. (Strictly, what decides whether a forged message is accepted is the combination of the SPF record and the DMARC policy published for that exact domain; the sending section below comes back to this.)

 
Preparing the Costume
 
Now that you have identified the company you are going to use (hereinafter the proxy, in a figurative sense) and have the list of its users' email addresses (acquired from some data leak), we need to decide which message to use. First of all, avoid the following mistakes:
 
  • Do not mark the message as high priority. Companies don't do this.
  • Forget urgency triggers and emotional content; be as neutral as possible. The aim is not to pressure the target, just to lower their suspicion.
 
A common myth is that simple messages are easier to fake. In truth, the complexity of an email is irrelevant to whether it can be spoofed. The HTML body of a message carries no security mechanism of its own (* Errata: more on this below); the protection that exists is applied by the sending servers and domains (SPF, DKIM and DMARC records), which we'll discuss later. This means you can, and should, reuse a message from the company itself, preferably an automated one. You can, for example, see what a genuine registration confirmation looks like by creating an account on the company's website.
 
Here I'll use an email from the Make Tech Easier newsletter as the example, for three reasons: 1) the message contains plenty of links, so our changes will be easy to see; 2) the company's domains are well configured and protected against this kind of scam, so nobody can copy this tutorial and paste it into their own campaign; 3) it is the first message in my inbox right now; it could be any other.
 
Errata: while writing this article, I noticed that some companies do include security mechanisms in their emails. Amazon, for example, removes text formatting when we include the same references to images as the original content. I will study these protection mechanisms further and write an article about them shortly.

 
The Power of Laziness
 
Below you can see screenshots of the last message I received from that newsletter.
 
[Image: 88ee5b95bf5a75870122f6e0fb684ab6.png]
 
[Image: deacf0cebcf7de540b68347fdef5032b.png]
 
(Sorry, my monitor is very small.)
 
The next question: would I need HTML knowledge to clone this message? Yes, if I were to rewrite it. But why do that work when the message has already been kindly written by the company's employees? When an email is opened in a browser interface, what you see is just a web page. And you know what they say: your browser, your rules.
 
Right-click on the message and select "Inspect". What you are now seeing is the HTML structure of the whole page. Whatever your email provider, the message itself is rendered inside one of the many <div> elements in that tree. Right-click as far from the content as possible while still inside the message container; this ensures you inspect the outermost <div> that encloses the entire message. In the inspector, right-click that element and use the browser's "Copy outerHTML" (Chrome) or "Copy > Outer HTML" (Firefox) option to grab it whole:
 
[Image: 99a648a6d8f29d5c7ac9e76cfbffcb78.png]
 
To check that you copied the right <div>, save its contents to an .html file and open it in your browser. The result should be an exact copy of the message. Don't worry about spacing; the body of the email is responsive and will adapt to the window size.
 
[Image: d3c23f9d82314384996b8f1d9e8d33cb.png]
 
Looks like we got it.

 
Hands On
 
So we have a message body identical to the original, which means we can edit it at will:
 
[Image: 03d72308391c3c6ddad64ccb364ce9df.png]
 
But changing the content is generally not what we want. You can of course rewrite the whole message, but it is best to modify only the links. All of them. Hovering the cursor over a button shows its destination:
 
[Image: 6f0c285d2b9572351882bb2058359d2f.png]
 
You can mask this further with a link shortener. Now we have our proxy message, a perfectly forged copy. How do we send it correctly?
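As an added example (not part of the original post), here is a small Python tool for the link-editing step above: it points every http(s) href in a captured HTML body at a single destination and then re-parses the result to confirm nothing still points at the original host. The HTML snippet, the news.example.com host and the 203.0.113.5 target are constructed for the example.

```python
"""Rewrite every hyperlink in a captured HTML email body, then verify the
result. Added example for this thread; the HTML and hostnames are constructed."""
import re
from html.parser import HTMLParser

# Constructed stand-in for the <div> copied out of the browser's inspector.
CONSTRUCTED_BODY = """
<div class="newsletter">
  <a href="https://news.example.com/?utm_source=header"><img src="https://static.example.com/logo.png"></a>
  <p>Read the <A HREF='https://news.example.com/posts/1/'>full article</A>.</p>
  <a href="mailto:support@news.example.com">Contact us</a>
  <img src="https://news.example.com/open.gif?id=42" width="1" height="1">
  <a href="https://news.example.com/unsubscribe?id=42">Unsubscribe</a>
</div>
"""

# href="..." or href='...', any case, attribute value captured in group 3.
_HREF = re.compile(r"""(href\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)


def rewrite_links(body, target, keep=("mailto:", "tel:", "#")):
    """Point every href at `target`, except mailto:/tel:/fragment links,
    which a genuine newsletter keeps and which would look odd if changed."""
    def swap(m):
        prefix, quote, url = m.groups()
        if url.lower().startswith(keep):
            return m.group(0)
        return f"{prefix}{quote}{target}{quote}"
    return _HREF.sub(swap, body)


class _RefCollector(HTMLParser):
    """Collects link targets and image sources in document order."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.images = [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        for k, v in attrs:
            if v is None:
                continue
            if k == "href":
                self.hrefs.append(v)
            elif tag == "img" and k == "src":
                self.images.append(v)


def _collect(body):
    p = _RefCollector()
    p.feed(body)
    p.close()
    return p


def links(body):
    """All href values in the body, in order."""
    return _collect(body).hrefs


def images(body):
    """All <img src> values in the body; these are NOT rewritten."""
    return _collect(body).images


def leftover_links(body, original_host):
    """http(s) links still pointing at the original host; must be empty after rewriting."""
    return [u for u in links(body)
            if u.lower().startswith("http") and original_host in u.lower()]


if __name__ == "__main__":
    forged = rewrite_links(CONSTRUCTED_BODY, "https://203.0.113.5/c")
    print("links:", links(forged))
    print("leftover:", leftover_links(forged, "news.example.com"))
    print("images still fetched from:", images(forged))
```

Image sources are deliberately left alone so the message still renders, which means any tracking pixel in the original (the 1x1 open.gif above) keeps reporting opens to the legitimate sender's servers; `images()` lists them so you can decide whether to rehost them before a real engagement.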

 
Sending Messages with Official Signature
 
Remember: in our scenario we assume the chosen proxy has a weak SPF record. That is not the case with Make Tech Easier! If you try to impersonate a well-secured domain, the receiving server evaluates the message as an SPF failure, and modern providers then keep it out of the inbox: it is rejected outright or, at best, lands in the spam folder. Strictly speaking, the SPF result on its own is only advisory; it is the domain's published DMARC policy (p=quarantine or p=reject) that instructs receivers to act on a failed, unaligned SPF/DKIM check. A domain with p=none gives them no such instruction, and a domain whose SPF record ends in +all passes every sender.
 
That said, there are more tools for sending forged messages on the internet than grains of sand in the Sahara. Pick any of them, or write your own. For convenience, we'll use the emkey.cz website; I often use it for tests like this. There you will find the following form:
 
[Image: 24c3dee92f6aeb3977b6e3784d513deb.png]
 
The fields are self-explanatory. They must be filled in exactly with the information from the original email. For the body of the message, select text/html and paste the code you just edited:
 
[Image: c50e7f0efd56fda8a5e9524753310ac3.png]
 
Solve the CAPTCHA and submit. If all went well, you have just sent a message that is extremely hard to detect, even for competent professionals. Wait, slow down! Does that mean the message is sent under the same name and domain as the original emails, even though I don't know the password?
 
Exactly. That is the impact of an SPF failure. Note that many companies exclude this class of finding from the scope of their bug bounty programs because they consider it "too simple". One tip: subdomains have their own SPF records, and SPF is never inherited from the parent name. example.com may be secure while support.example.com has a broken record or none at all. (DMARC is different: a subdomain without its own _dmarc record falls under the organizational domain's sp= tag, or its p= tag when sp= is absent, so check both.) Use this wisely in your pentests.
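The record checks behind "incorrect SPF settings" in Choosing the Perfect Stage and the subdomain tip above can be scripted. The following Python is an added example, not from the original post: given the TXT records for a name, it reads the qualifier on the SPF all mechanism, resolves the DMARC policy that applies to that exact name (its own _dmarc record, otherwise the organizational domain's sp=/p= tags) and reports whether a third party could send as that domain. The records are constructed, and the organizational-domain rule is simplified (real DMARC uses the Public Suffix List). In practice you would feed it the output of dig TXT <name> and dig TXT _dmarc.<name>.

```python
"""Decide whether mail with From: <anything>@<name> would be accepted by a
receiver that enforces SPF and DMARC. Added example for this thread; the TXT
records are constructed and the organizational-domain rule is simplified
(real DMARC uses the Public Suffix List, not 'last two labels')."""
import re

# Constructed TXT records for a hypothetical tenant (not real DNS data).
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"],
    # Support subdomain: has its own SPF record, but it ends in softfail.
    "support.example.com": ["v=spf1 include:mail.helpdesk.example.org ~all"],
    # Newsletter subdomain: no SPF record at all (SPF is per name, never inherited).
    "news.example.com": [],
    # A domain that lets anyone send: '+all' matches every source IP.
    "partner.example.org": ["v=spf1 +all"],
    "_dmarc.partner.example.org": ["v=DMARC1; p=reject"],
}


def txt(name, records=CONSTRUCTED_TXT):
    """TXT strings for a name; stand-in for `dig TXT <name>` / dnspython."""
    return records.get(name, [])


def spf_all_qualifier(name, records=CONSTRUCTED_TXT):
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.
    Returns None when the name has no (or more than one) v=spf1 record."""
    spf = [r for r in txt(name, records) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:                 # absent, or a permerror-inducing duplicate
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare 'all' means '+all'
    return "?"                        # no 'all' term: unmatched senders are neutral


def org_domain(name):
    """Simplified organizational domain: the last two labels (assumption)."""
    return ".".join(name.split(".")[-2:])


def _dmarc_tags(name, records):
    """Parsed tag=value pairs of _dmarc.<name>, or None when there is no record."""
    recs = [r for r in txt("_dmarc." + name, records) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def dmarc_policy(name, records=CONSTRUCTED_TXT):
    """Policy DMARC applies to From: domain `name`: 'reject', 'quarantine' or 'none'.
    The name's own _dmarc record wins; otherwise the organizational domain's
    record applies, with sp= (if present) governing subdomains instead of p=."""
    own = _dmarc_tags(name, records)
    if own is not None:
        return own.get("p", "none")
    org = org_domain(name)
    parent = _dmarc_tags(org, records) if org != name else None
    if parent is None:
        return "none"
    return parent.get("sp", parent.get("p", "none"))


def assess(name, records=CONSTRUCTED_TXT):
    """Summary for one name. A third party's mail survives when DMARC gives
    receivers no instruction (p=none), or when SPF passes everyone ('+all')
    so the forged From: domain still produces an aligned SPF pass."""
    q = spf_all_qualifier(name, records)
    policy = dmarc_policy(name, records)
    return {"name": name, "spf_all": q, "dmarc": policy,
            "spoofable": policy == "none" or q == "+"}


if __name__ == "__main__":
    for n in ("example.com", "support.example.com", "news.example.com", "partner.example.org"):
        print(assess(n))
```

With the constructed records, example.com itself is safe (-all plus p=reject), but support.example.com and news.example.com are both reported as spoofable: the parent's sp=none means their SPF result, weak or absent, is never acted upon. partner.example.org shows the opposite trap, a reject policy made useless by +all.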

 
Conclusion
 
So where is the fake email for comparison? As I don't have permission from MTE, I didn't take the liberty of sending the email even to myself. And, as said, their domain is secure, so I would not have received the message to show it anyway.
 
The purpose of this article was to show you how it is possible to create highly convincing messages with very little effort. See you next time.
#2
Wow, this is pretty high quality. Thanks for sharing!

--- 果物
#3
Thanks. Smile
(I took the opportunity to correct the formatting.)
#4
You probably skipped the part about finding a domain with SPF issues. If an email fails this check, providers like Outlook (and Hotmail), Gmail, Yahoo and others will not even show the message in the inbox because it is already considered malicious. What will define the successful sending of the message is the domain you are trying to impersonate. Smile
#5
Nice tutorial, well written. Main idea; impact of an SPF failure.
#6
Great stuff, thank you. Pretty high quality.
Two things:
1. open-spf seems to be down
2. How can we check for SPF failures? Is there an open list somewhere, or how do we check it manually?