TEAM
Editor-in-Chief: Joanna Kretowicz
Managing Editor: Michalina Szpyrka
Editors: Marta Sienicka, Marta Strzelec, Bartek Adach, Magdalena Jarzębska
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Michalina Szpyrka
Cover Design: Hiep Nguyen Duc
Publisher: Hakin9 Media Sp. z o.o., 02-511 Warszawa, ul. Bielawska 6/19, Phone: 1 917 338 3631, www.eforensicsmag.com

All trademarks, trade names, or logos mentioned or used are the property of their respective owners. The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
E-mail Spoofing And Forensics Investigation
by Gayathry.S

The world is experiencing a new digital breakthrough, and our dependency on technology, especially on e-mail, keeps increasing as e-mail has become instrumental. Even though technology can be helpful, it does have its downside. Many crimes are committed through computers and networks, including hacking, identity fraud, ransomware attacks, and phishing. This article focuses on one such crime, e-mail spoofing. E-mail attacks are a significant threat to security and trust nowadays. Attackers use e-mail as a channel to trick users into divulging their personal details, account numbers, credit card numbers, and passwords. Even though a few protocols and security measures exist, e-mail spoofing still cannot be stopped, because the information attackers need is widely available online for free.

Introduction

E-mail spoofing is a technique popularly used by attackers to trick recipients into believing that an e-mail they received is from a legitimate sender or from someone they know or trust, so that they eventually fall into the attacker's trap. For example, an e-mail that appears to come from Google Pay says that the account will be suspended in a few hours: "To restore, click the link provided below and authenticate it by using a new password." If the recipient believes the forged e-mail, the sender gains access to all the credentials entered, along with the money in the recipient's account. In e-mail forensics, sub-domain forensics, and network forensics, e-mail spoofing is a common type of e-mail attack. E-mail forensics investigates the source and content of e-mail messages, the identification of
sender and recipient, the date and time of the e-mail, and the parties involved. It also reconstructs and investigates the client and server systems of suspected e-mail forgeries. E-mail spoofing is a form of impersonation in which a fraudster creates an e-mail message with a fake sender address in the hope of deceiving the recipient into believing that the message comes from a different, genuine source. Because the sender address is forged, detecting such scams becomes more difficult. Spoofed e-mail attacks and their detection can be a challenging problem in e-mail forensics. Before looking into how and why spoofing is done, it is vital to know the structure of a standard e-mail.

Structure of E-mail

E-mail, or electronic mail, distributes information by electronic means. A standard e-mail consists of two major components: a header and a body. The header holds standard details about the mail, such as its unique identity, the sender's address, the recipient's address, and the subject. The body holds the content of the mail, the information that needs to be delivered. Forged e-mails sometimes go unnoticed because the recipient does not inspect the mail's header and thus fails to check whether the source it was received from is authentic. Attackers forge the e-mail header and pose as a legitimate sender. Suppose, for example, the name of a legitimate courier agency is 'xpressbees,' and their domain name is 'xpressbees.com.' The forged mail will carry the domain name 'xpresbees', which looks almost identical if you do not look too closely. Not only this, but e-mail spoofing for Business E-mail Compromise (BEC) is increasingly prevalent, in which forged e-mails are sent to employees or customers in the name of their senior executives. E-mail headers contain a considerable amount of tracking information that shows how the message was transported over the Internet.
E-mail headers contain essential information about the origin and the path an e-mail has taken to reach its final destination, including the sender's IP address, the Internet Service Provider, and the location of the e-mail clients. This information can be used to block future e-mails from the sender, in the case of spam, or to establish the legitimacy of suspicious e-mails. Information about the sender attached to a file or document includes the e-mail address and the e-mail software the sender used to compose the message. It also includes custom header fields and the Transport Neutral Encapsulation Format (TNEF) used to encapsulate MIME content.
Why is e-mail spoofed?

Attackers spoof e-mail for the following reasons:
• To damage the forged sender's reputation.
• To gain financial profit.
• To get access to the recipient's credit card data and other confidential information.
• To steal sensitive data from corporate companies or organizations.

E-mail forensics begins with the study of e-mail headers, as these contain an enormous amount of information about the message. From the header we can find information about the multiple servers the message passed through. The analysis consists of examining the contents of the header. E-mail header analysis can help identify most e-mail-related crimes, such as spear phishing, spamming, and e-mail spoofing.

E-mail protection protocols

Three main protocols work together to protect our e-mail: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance).
• SPF lets a domain state which servers or IP addresses are authorized to send mail on its behalf. This is done using Domain Name System records. If the sending IP address is listed in the domain's DNS record, the sender is legitimate; if not, the e-mail is treated as forged.
• DKIM further adds a cryptographic signature to the mail so that any alteration while it moves from sender to receiver can be detected.
• Based on the SPF and DKIM results, DMARC tells receiving servers how to process the mail, by accepting or rejecting it.

E-mail Forensic Investigation

Analyzing an e-mail for its source and content is what is called e-mail forensics. It also includes identifying the legitimate sender, the recipient, and the date and time when it was sent. The analysis begins from the recipient's mailbox in which the message was received. The header of the mail is analyzed to track down the source of the mail, which contains the sender's address. Various software tools are used to check the authenticity of mail, such as eMailTrackerPro and EmailTracer.
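The header analysis described above, as an added example that is not part of the article and not the code of any tool it names: it walks the Received chain bottom-up to find the originating IP, compares the visible From domain with the envelope Return-Path domain (the 'xpressbees' versus 'xpresbees' case), and reads the SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results. The sample message, its hostnames and IP addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a spoofed message (not a real capture). Each relay prepends
# its own Received header, so the EARLIEST hop is the LAST Received line.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mx.example.net (Postfix) with ESMTPA id XYZ789; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mail.recipient.example; spf=fail smtp.mailfrom=xpresbees.com;
\tdkim=none; dmarc=fail header.from=xpressbees.com
Return-Path: <billing@xpresbees.com>
From: "XpressBees Support" <support@xpressbees.com>

Please confirm your details at the link below.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def originating_ip(msg):
    """IP named in the earliest Received hop, i.e. the client that submitted the mail."""
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hop):
            return ip
    return None

def domain_of(header_value):
    """Domain part of the address in a From or Return-Path header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server, e.g. {'spf': 'fail'}."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts[mech] = result
    return verdicts

def spoof_indicators(raw):
    """Return the origin IP plus a list of header inconsistencies worth investigating."""
    msg = message_from_string(raw)
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    findings = []
    if from_dom != path_dom:  # visible sender and envelope sender disagree
        findings.append(f"From domain {from_dom} differs from Return-Path {path_dom}")
    for mech in ("spf", "dkim", "dmarc"):  # anything but 'pass' needs a second look
        if auth.get(mech, "missing") != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    return {"origin_ip": originating_ip(msg), "findings": findings}
```

On the sample, `spoof_indicators(SAMPLE)` reports origin IP 198.51.100.7 and four findings; a message whose From and Return-Path agree and whose three checks all read "pass" yields an empty list.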
eMailTrackerPro examines the headers of an e-mail to identify the IP address of the computer that sent the e-mail and where the sender is located. The location of the IP address is crucial data for deciding the level of danger and the legitimacy of the e-mail. E-mail headers are also scanned by Agari Email Security and IronPort devices.

Conclusion

Spoofing disguises an e-mail address, sender name, phone number, or website URL by changing a letter, symbol, or number to convince us that we are interacting with a trusted source. Cybercriminals frequently target organizations and people with e-mail messages intended to appear as though they come from a genuine bank, government office, or association. In these e-mails, the sender asks the recipient to click on a link that takes them to a page to verify personal information or account details. We can do a few things to determine whether an e-mail from a fake e-mail address is malicious. In display name spoofing, the display name impersonates another person while the sending e-mail address remains intact. When fraudsters use e-mail spoofing, they count on the recipient acting on the contents of the e-mail because the recipient believes they know who sent it. E-mail provides an easy way of communicating and distributing information, both publicly and privately. However, loopholes in security and a lack of authentication enable cybercriminals to misuse it for their own ends. Even though several security protocols have been established to protect e-mail, they are not always properly adopted, which paves the way for attackers to spoof e-mails. Spoofing can be prevented by careful analysis of the sender's address; if it is found suspicious, avoid opening the message, and report it to the genuine sender and to the investigation team. Thus, working consciously can prevent such crimes. Cybercriminals exploit people through various e-mail-based strategies to steal confidential and sensitive information.
Phishing programs use spoofing techniques to lure you into taking the bait. Past research has tried to combat this through various e-mail detection mechanisms. Here are e-mail phishing examples to help detect malicious e-mails and maintain e-mail security. Suppose we have received an unsolicited e-mail from an institution that contains a link or attachment asking us to supply sensitive information. In that case, it is likely to be a scam. When a phishing e-mail begins today with
\"Greetings to the son of the deposed Prince of Nigeria,\" it becomes difficult to distinguish between a fake and a verified e-mail. In general, it is impossible to prove an e-mail is genuine without suitable proof that it is. In this case, the only thing that can be deduced with certainty is that the e-mail originating from one of the original IP addresses must have sent a packet from that IP address to the network. In some cases, it can be said that the original e-mail is fake, but the date and the original IP address suggest that it is not fake. The analysis of the e-mail message itself and the analysis of the machine from which the e-mail originated do not provide any evidence. There is no inconsistency in the data generated by the subsequent SMTP server, which proves that the e-mail in question is fake. If possible, one can receive the e-mail and follow the same path as the e-mail investigation to see how the idiosyncratic line is changing. React to suspicious messages by performing the following tasks to make sure they are reliable. The first is to treat all messages belonging to an ISP with information on the radius of the protocol and the subscriber's name. 
About the Author
Gayathry.S - Forensic Student, B.Sc. Forensic Science, Kalasalingam University. Fascinated by forensics through reading crime novels and journals, and writing poems.