Email Spoofing and Credential Harvesting

Emails are at the forefront of cyber-attacks, with attackers making full use of email communications to get into the heart of an organization. The human-centric nature of emails is also an ideal playground for cybercriminals, who thrive on manipulating employees. Cybercriminals want control of emails. To get this control, they must compromise accounts by spoofing emails or using stolen login credentials to hijack an account. 

Email spoofing and credential harvesting are two tactics that cybercriminals use to manipulate people for nefarious reasons. Here, TitanHQ explores email spoofing and credential harvesting and how to identify and prevent the sinister attacks they lead to.

What is Email Spoofing?

Have you ever received an email from a friend or colleague that shows their name but is not from them? This is email spoofing. Attackers like to spoof things like URLs, SMS messages, and emails. Email spoofing is when fraudsters create an email that looks like it has been sent from a specific brand or person. They do this to exploit trust. The trust that people have in a friend, colleague, or brand, like Microsoft, helps to encourage people to perform actions that benefit a hacker. For example, a phishing email may look like M365 and contain a malicious link that takes the recipient to a website. The website will be made to look exactly like the M365 login page. If the email recipient enters their login credentials, they will be stolen by a cybercriminal.

The Result of Email Spoofing Attacks

Spoofing works because it lulls people into a false sense of security. Business Email Compromise (BEC) scams often utilize email spoofing to initiate the transfer of company funds to a hacker’s bank account. Often, the spoofed emails look like a known C-level executive has sent them. Some recent examples of email spoofing that caught our people include the following:

Pepco Group 2023: The Pepco Group fell victim to a “sophisticated phishing attack” that cost the company over $17 million. No technical details have yet been released, but a company employee was believed to be tricked into sending the money to a fraudster’s bank account in a Business Email Compromise attack involving phishing and likely spoofed emails.

TA4903 hacking group: email spoofing is part of a complex Business Email Compromise attack by hackers. The TA4903 hacking group has targeted U.S. government agencies and SMB organizations across various sectors. The hacker spoofs well-known brands and employee emails to build trust with recipients. The group sends tens of thousands of emails spoofing U.S. government entities. The spoofed emails and fake websites are then used to capture legitimate login credentials. The result is a BEC attack where employees are tricked into sending company funds to a cybercriminal's bank account.   

What is Credential Harvesting?

Research from CloudFlare found that credential harvesting was one of the top five email threats in 2023. Credential harvesting covers any method of tricking users into handing over their login credentials. In this context, credentials include username and password combos, but multi-factor authentication (MFA), such as SMS text messages, is also now targeted.

How is Credential Harvesting Carried Out?

There are many ways to harvest credentials illegally. Typical methods include:

Man-in-the-Middle (MiTM)

Unsecured Wi-Fi networks allow hackers to intercept communications sent over the Internet. These communications allow the hackers to steal data, including login credentials. Remote workers and home workers are at risk of MitM attacks, which are used to harvest credentials.

DNS Poisoning

DNS poisoning, or DNS spoofing as it is sometimes called is used by attackers to redirect users to malicious websites. Attackers target a DNS resolver “poisoning” the cache by injecting faked data. DNS poisoning attacks are difficult to detect.

Read more about this technique “Top 5 Ways Attackers Use DNS to Target Your Users.”

Phishing

All forms of phishing can be used to steal login credentials. Phishing messages are designed to trick users into performing an action that benefits an attacker. For example, they may encourage users to click on a malicious link or open an attachment. The attachment may contain a link to a spoof website or malware. Users are then manipulated into clicking links and opening attachments. The net result is stolen data, often including login credentials.

Read more on the different types of phishing.

Spoof Websites

Credential harvesting typically uses a spoof website resembling a branded login page. For example, cybercriminals have spoofed Microsoft 365, a popular brand. Phishing emails or messages often contain malicious links that take anyone clicking the link to the spoof website. If the victim clicks a phishing link, they will be taken to a spoof login page, which often looks like a trusted brand or intranet. The hackers will steal their login credentials if the user submits them.

Malware

Credential harvesting malware, such as a keyword logger, can capture login credentials when users enter them using a device. Malware that can harvest credentials is often delivered using some form of phishing.

The Result of Credential Harvesting Attacks

Some examples of credential harvesting attacks show the type of damage that can happen to targeted individuals and companies:

Reddit 2023: Reddit Admin admitted a credential harvesting attack in a notification, "We had a security incident. Here's what we know." The company described the attack as a "sophisticated and highly targeted phishing attack." The attackers targeted Reddit employees. The phishing attackers created a spoof of the Reddit Intranet and sent out phishing emails encouraging employees to click a link. This took the victim to the spoof intranet site, asking them to enter login credentials and second-factor tokens.

Target NetScaler attack 2023: IBM's X-Force researchers identified a massive credential harvesting program exploiting a flaw in NetScaler Gateways used by many businesses worldwide. The exploit allowed the attacker to insert malicious content into an authentication section of a web page. This malicious script allowed the hackers to capture user credentials when users entered them.

Spoofed Dropbox attacks 2023: researchers detected 5,440 attacks that began with a phishing email purporting to be from Dropbox. The email encouraged the recipient to view a document held in Dropbox. If the recipient clicked the link in the cleverly branded email, they were taken to a spoof login page that looked like SharePoint. If the victim entered their login credentials, they were stolen by the attackers.

All the above credential harvesting attacks steal credentials to perpetuate other cybercrimes. Login credentials give attackers power over corporate networks and accounts. With even lower privilege login credentials, an attacker can escalate those privileges to allow access to sensitive network areas. The result is crimes such as Business Email Compromise and ransomware installation.

PhishTitan uses machine learning detection models to detect malicious content, like an email link to a spoof website.

TitanHq

How to Avoid Credential Harvesting and Email Spoofing Attacks

The complex and often multi-part cyber-attacks that revolve around the theft of credentials require a layered approach to security. The following measures are essential to protect your business against these attacks:

Train Employees

A baseline response to email spoofing and credential harvesting is to use employee security awareness training. Awareness training should include interactive exercises that teach employees to spot tell-tale signs of spoofed emails. Add to this training simulated phishing exercises. A simulated phishing platform, like SafeTitan, delivers fake phishing emails to employees to train them to recognize attempts to steal credentials.

Use Multiple-Factor Authentication (MFA)

Multi-factor authentication (MFA) uses multiple layers of credentials to log in to an app or other network resource. MFA is an important layer of security. Deploying MFA adds a layer of difficulty in hacking into networks or email accounts. However, MFA alone is not enough to deter determined hackers.

Report Spoofing and Phishing

Any suspected incidents of spoofing or phishing must be reported. This allows your security team to triage the incident. Teach your employees about the importance of incident reporting and ensure that they are encouraged, not discouraged, from reporting.

Set Up Anti-Spoofing Processes.

Set in place checks and measures to help prevent the outcomes of spoofing and credential harvesting. For example, double-check payments over a certain amount.

Deploy Advanced Anti-Phishing Tools

Cybercriminals intent on spoofing emails and harvesting credentials will stop at nothing. They use various techniques as part of a chain of attack. Breaking this chain is essential to preventing a cyberattack like Business Email Compromise. PhishTitan uses machine learning detection models to detect malicious content, like an email link to a spoof website. PhishTitan also applies Natural Language Processing (NLP) to spot social engineering and other complex trust-based cyberattacks.