Email messages aren’t always what they seem. We talk often about how hackers obfuscate text and code within messages. That can be an effective way to bypass security services.

Another way to fool users is to manipulate the sender field. The “From” field in an email–or even in snail mail–is just an address line that the sender types in. Just like anyone can go to a post office and send a card that comes from Santa, anyone can do that with email.

Hackers are using that ability to make messages appear to come from one address when they are actually coming from another. Replies go to that other address, and into the hackers’ hands.

We are seeing this technique used in interesting industries. For instance, in the example below, the attack is aiming to obtain a centrifuge. This is potentially sanctions-bypassing activity and could present a fairly easy way for hackers to get their hands on something troubling. 

In this Attack Brief, researchers at Avanan, a Check Point Software company, will discuss how hackers are crafting Replier Attacks by changing the reply-to address.

Attack

In this attack, hackers are changing the reply-to address to steal money.

  • Vector: Email
  • Type: Phishing
  • Techniques: Replier Trickery
  • Target: Any end-user

Email Example #1

This attack is trying to trick the recipient. The sender address uses a well-known domain, although it is spoofed and SPF fails.

The reply-to address belongs to the actual sender, the hacker behind the email. The domain is not associated with Total Energy. Total Energy is a legitimate company, but the attack is not coming from someone at the company. The address has been spoofed. In fact, the domain from which it was sent was created a few days before the sender pressed send. The sender is not sending this from France, but rather from Taiwan.

In the attack, the hackers are asking for a quotation for the purchase of a centrifuge. A document is attached that has all the requested information, and it is how the hacker will begin the process of interacting with the end-user, ultimately taking their money at the end.

The attack itself is hoping that someone will think it’s legitimate and be in need of a centrifuge. This particular email was sent to a wide variety of industries across companies in Europe. It’s more of a spray-and-pray message than something super targeted. 

Techniques

This technique is called a Replier Attack. The sender is spoofed and the reply goes to another mailbox. That mailbox is the hacker’s mailbox, not the purported sender’s.

What’s clever about this attack is that most users, should they reply, won’t realize that their message goes to another mailbox. Most email clients don’t show the Reply-To field, which can be different from the sender address. As a result, most users think that they are replying to the sender when they click on the reply button.

That’s not the case here. Sometimes, there can be a discrepancy for legitimate reasons. This is not one of those times.

Hackers, in this attack, are hoping that their targets won’t have advanced knowledge of how email works from a technical perspective. Ask a bunch of your colleagues–do they know about the reply-to field?

Chances are the answer is no. 

That makes this attack a great way for the sender to successfully trick end-users into thinking the email is legitimate, and use it to steal money and other information. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Make sure the sender address and reply-to address match
  • Before sending over sensitive banking information, be sure to ask IT or finance if the email is legitimate.
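
One way to automate the first check above, as an added example that is not Avanan’s code: it compares the From and Reply-To domains and raises the severity when SPF also failed, as it did in the email described. The sample message, its `.example` domains and the `trusted_authserv` parameter are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; every domain is a placeholder, not an indicator.
SAMPLE = """\
From: "Procurement" <buyer@well-known.example>
Reply-To: sales-desk@lookalike.example
To: victim@recipient.example
Subject: Request for quotation
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=well-known.example

Please see the attached RFQ.
"""

def _domains(msg, header):
    """Lower-cased domains of every address found in the given header."""
    addrs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}

def _spf_result(msg, trusted_authserv):
    """SPF verdict recorded by our own mail server, or None.

    Authentication-Results headers from any other authserv-id are ignored,
    because a sender can insert such headers to claim spf=pass.
    """
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != trusted_authserv:
            continue
        for part in parts[1:]:
            if part.lower().startswith("spf="):
                return part.split()[0][4:].lower()
    return None

def check_reply_to(raw, trusted_authserv="mx.recipient.example"):
    """Flag Reply-To domains absent from From; escalate when SPF also failed."""
    msg = message_from_string(raw)
    # Exact domain comparison: a Reply-To on a subdomain is still reported.
    mismatch = sorted(_domains(msg, "Reply-To") - _domains(msg, "From"))
    spf = _spf_result(msg, trusted_authserv)
    if mismatch and spf in ("fail", "softfail"):
        verdict = "high"      # spoofed sender plus diverted replies
    elif mismatch:
        verdict = "review"    # a mismatch alone can be legitimate
    else:
        verdict = "ok"
    return {"verdict": verdict, "reply_to_mismatch": mismatch, "spf": spf}

if __name__ == "__main__":
    print(check_reply_to(SAMPLE))
```

A mismatch with a passing SPF result is reported as `review` rather than blocked, since the addresses can differ for legitimate reasons.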