Spoofing Identities

Popularity:

8

Simplicity:

8

Impact:

7

Risk Rating:

8

You can use the mail function in PHP to generate and customize email messages, including the ability to manipulate the email headers to make the email appear to have come from another person's email account. The following code listing demonstrates a PHP script that would send an email from [email protected] to eric .[email protected]:

$headers = "From: Mark Manager <[email protected]>\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $boundary = uniqid("SPOOFINGIDENTITIESDEMO"); $headers .= "Content-Type: multipart/alternative" .

"; boundary = $boundary\r\n\r\n"; $headers .= "This is a MIME encoded message.\r\n\r\n"; $headers .= "—$boundary\r\n" .

"Content-Type: text/html; charset=ISO-8859-1\r\n" . "Content-Transfer-Encoding: base64\r\n\r\n"; $headers .= chunk split(base64 encode("<html><body>Hi Eric,<br> I have just ...</body></html>")); $subject="Your ENUM Server Account";

mail("[email protected]", "$subject", "", $headers); ?>

Combined with the information gathered in the previous sections, an attacker is able to generate an almost infallible email that can be used to manipulate employees into giving out sensitive information or access to systems. Besides the corny names, how many of your employees would be taken in by the resulting email shown in Figure 13-13.

This email manipulates a number of the employee's trust relationships, mainly at a subconscious level. It appears to have come from his manager, who is an authority figure, which tends to destroy any questioning of the request. It is personalized to the employee,

M

File Edit View Message

Reply Reply to All Forward Print Delete Junk

*

From: Mark Manager <mark.manaqer(3oraanizatlon,com> To: Eric Employee <eric,erriployee<®orqanlzatlon,corn> Subject: Your ENUM Server Account

Hi Eric,

1 have just gotten off the phone with Irnah Acker from IT Services, He has informed me that the /etc/shadow file on the Fedora Core 5 server (ENUM) at 10,99,5.12 has become corrupt because of a disk failure, similar to last year, and they are going to have to recreate our accounts.

This means that you need to phone Irnah on 555 5372 to give him your account details, This will ensure the continuation of your account eemplOOl.

Thanks for your assistance,

Mark

Marketing Manager

Organization Examples Pty Ltd.

Figure 13-13 Spoofing an identity via email spoofing and utilizing gathered information

Figure 13-13 Spoofing an identity via email spoofing and utilizing gathered information which makes the email look legitimate. It places the attacker within a trusted group, IT Services, creating a trust relationship. It uses valid detailed information relating to internal systems and previous issues with the system, as well as throwing in a little jargon. For a nontechnical person, this email may also cause some confusion about the technical details that are being given, but it is quite clear in the actions that the employee needs to take to rectify the situation. Then finally, the signature at the bottom is the standard organization format that is widely used for emails, also supporting the email legitimacy.

Similar emails can also be created depending on the attack's aim. Attackers may use a range of approaches, such as aggressive or flirty, and the emails may come from different types of employees, such as IT staff informing users of an upgrade or the new girl who just needs a little help. One of these aims may initially be awareness hijacking, where an attacker spoofs the identity of an authority figure in an attempt to manipulate what an employee believes is contained in the organizational security policy. This may allow the attacker to then use this employee to circumvent organizational security policy.

Was this article helpful?

0 0
The Ultimate Computer Repair Guide

The Ultimate Computer Repair Guide

Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.

Get My Free Ebook


Post a comment