Spoofing of identity: the first of the STRIDE threats in the canonical threat model.
The key to any identity-based attack is impersonation: manipulating components of an email message so that they exactly match, or closely resemble, the identity markers of a real message sent from a trusted identity. The message components that most often carry these identity markers are the From header, the Subject header, and the body of the message.
Of these, the From header is the most commonly recognized identity marker, as most email clients display it prominently. It is also the most commonly abused, because nothing in SMTP verifies it: the sender can put any value in it. The Subject header and body can also contain identity markers, such as words, phrases, brand names, logos, URLs and narrative structures, but these are usually secondary to the From header and serve to support, rather than define, the perceived sending identity of a message.
The From header is generally made up of two parts: a display name, which is the suggested label for an email client to show, and an email address, which in turn has a local part and a domain. For example, the From header “Bo Bigboss” <hackyjoe666@gmail.com> has a display name of “Bo Bigboss,” a local part of “hackyjoe666,” and a domain of “gmail.com.” Since many email clients show only the display name in certain views (mobile and message-list views in particular), Display Name Attacks are the most common form of identity deception. Attackers typically insert the identity of a trusted individual (such as the name of an executive of the targeted company) or a trusted brand (such as the name of the bank used by the targeted individual) into the display name. Since common consumer mailbox services such as Gmail and Yahoo let a user set any display name, this type of attack is simple and cheap to stage from such a service.
(Figure: Display Name Attack Example)

Forms of Identity Deception
Domain Spoofing Attack
In addition to manipulating the display name, an attacker may also use the actual email address of the impersonated identity in the From header, such as “United Customer Service” <email@example.com>. This type of attack, known as a Domain Spoofing Attack, does not require compromising the account or the servers of the impersonated identity; it exploits the fact that the underlying email protocols authenticate neither the envelope sender nor the header From, so a receiving server accepts whatever the sending server puts there. Attackers often use public cloud infrastructure or third-party email sending services that do not verify domain ownership to send such attacks. Email authentication standards (SPF and DKIM, tied to the header From domain by a DMARC policy) let a domain owner instruct receivers to quarantine or reject unaligned messages, but an enforcing DMARC policy (p=quarantine or p=reject) is still not adopted widely by popular brands and government organizations.
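The alignment check that decides whether such a spoof is blocked, as an added example (not code from the paper): it implements the RFC 7489 rule that a message passes DMARC only if SPF or DKIM passes for a domain aligned with the header From domain. The DMARC record, authentication results and domains are constructed, and the organizational-domain rule is simplified to the last two labels (correct for acme.com, wrong for suffixes like co.uk, where the Public Suffix List is needed).

```python
"""DMARC alignment and disposition for a spoofed header From (added example)."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.

    Defaults follow RFC 7489: relaxed alignment for SPF and DKIM, and p=none
    if no policy tag is present. pct, sp and rua are parsed but not used here.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Simplification (assumption): the last two labels are the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    header_from, auth_domain = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return header_from == auth_domain
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(header_from, record, spf=None, dkim=None):
    """Return (dmarc result, action) for one message.

    spf  = (envelope MAIL FROM domain, 'pass'|'fail') from the receiver's SPF check
    dkim = (d= domain of a verified signature, 'pass'|'fail'), or None if unsigned
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[1] == "pass" and aligned(header_from, spf[0], tags["aspf"])
    dkim_ok = bool(dkim) and dkim[1] == "pass" and aligned(header_from, dkim[0], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(tags["p"], "deliver")


# Constructed scenario: attacker sends From: billing@acme.com through its own
# infrastructure. SPF and DKIM both pass, but for the attacker's domain, which
# does not align with acme.com, so the reject policy applies.
SPOOF = dmarc_disposition("acme.com", "v=DMARC1; p=reject; aspf=r; adkim=r",
                          spf=("mailer.attacker-infra.example", "pass"),
                          dkim=("attacker-infra.example", "pass"))

# Legitimate mail from a bounce subdomain: relaxed SPF alignment accepts it.
LEGIT = dmarc_disposition("acme.com", "v=DMARC1; p=reject",
                          spf=("bounces.acme.com", "pass"), dkim=None)

# The same legitimate mail under strict SPF alignment fails and is rejected.
STRICT = dmarc_disposition("acme.com", "v=DMARC1; p=reject; aspf=s",
                           spf=("bounces.acme.com", "pass"), dkim=None)

# Monitoring-only policy (p=none): the spoof fails DMARC but is still delivered.
UNPROTECTED = dmarc_disposition("acme.com", "v=DMARC1; p=none",
                                spf=("mailer.attacker-infra.example", "pass"))

if __name__ == "__main__":
    for label, outcome in [("spoof", SPOOF), ("legit", LEGIT),
                           ("strict", STRICT), ("p=none", UNPROTECTED)]:
        print(f"{label:8} dmarc={outcome[0]:4} action={outcome[1]}")
```

The SPOOF and UNPROTECTED cases differ only in the published policy, which is the practical point of the paragraph above: without p=quarantine or p=reject, passing SPF and DKIM for the attacker's own domain is enough to get a message with a forged header From delivered.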
Look-alike Domain Attacks
In cases where a domain is protected by email authentication and domain spoofing is not possible, attackers try to deceive the recipient by registering and using domains that are similar to the impersonated domain. These attacks, known as Look-alike Domain Attacks, often use homoglyphs, characters that look like the original characters in the impersonated domain. Attackers can exploit rendering similarities, such as “PayPal” <firstname.lastname@example.org>, that depend on the specific fonts and rendering styles used in popular email clients (a digit 1 for a lowercase l, for instance). Another variation is to add words to the domain name. For example, if an attacker wanted to send you a bogus invoice from Acme Corporation, whose domain might be acme.com, the attacker could simply register acme-payments.com or invoices-acme.com. Finally, attackers can use characters from another script in the Unicode set. Cyrillic is a common choice, as in the From header “Dropbox” <notifications@dropbox.com>, where the “o”s in the domain are actually Cyrillic characters. The registered domain is an internationalized domain name stored as punycode (an xn-- label), but an email client that renders the Unicode form shows a string that looks exactly like the impersonated domain; only clients that display mixed-script labels in their punycode form make the difference visible.
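The identity-marker checks described in this section and in the display-name discussion above, as an added example (not the paper's code): it splits a From header into display name, local part and domain, then classifies it as a display-name attack, a word-padded look-alike, a homoglyph look-alike (rendering or Cyrillic), or an exact protected domain that only authentication results can vouch for. The protected-brand list, executive roster, confusable table and sample headers are constructed, and the confusable table is a small subset of the Unicode TR39 confusables data.

```python
"""Classify identity deception in From headers (added example)."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed: protected brands and the domains they legitimately send from.
PROTECTED = {
    "acme": {"acme.com"},
    "dropbox": {"dropbox.com"},
    "paypal": {"paypal.com"},
}

# Constructed: executives whose names get used as display names (name -> brand).
EXECUTIVES = {"bo bigboss": "acme"}

# Constructed subset of TR39 confusables: Cyrillic letters that render like
# Latin ones, plus digit/letter pairs that look alike in common fonts.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0131": "i", "1": "l", "0": "o",
})


def split_from(header):
    """Split a From header into (display name, local part, lowercased domain)."""
    name, addr = parseaddr(header)          # handles RFC 5322 quoting and comments
    local, _, domain = addr.rpartition("@")
    return name, local, domain.lower()      # domains are case-insensitive, local parts are not


def to_ascii(domain):
    """IDNA-encode so any non-ASCII label shows up as a visible xn-- punycode label."""
    return domain.encode("idna").decode("ascii") if domain else ""


def scripts(domain):
    """Unicode scripts of the letters in the domain (first word of each character name)."""
    return {unicodedata.name(ch).split()[0] for ch in domain if ch.isalpha()}


def skeleton(domain):
    """Replace confusable characters by their Latin look-alike before comparing."""
    return domain.translate(CONFUSABLES)


def classify(header):
    """Classify one From header against the protected brands.

    Verdicts: exact-domain (genuine or a domain spoof; only SPF/DKIM/DMARC
    results can tell), lookalike-homoglyph, lookalike-wordy, display-name,
    or unmatched. Mixed-script and punycode indicators are reported as well.
    """
    name, _, domain = split_from(header)
    name_cf = name.casefold()
    result = {
        "display_name": name, "domain": domain, "ascii_domain": to_ascii(domain),
        "mixed_script": len(scripts(domain)) > 1, "brand": None, "verdict": "unmatched",
    }
    tokens = set(re.split(r"[.-]", skeleton(domain)))
    for brand, legit in PROTECTED.items():
        if domain in legit:
            verdict = "exact-domain"
        elif skeleton(domain) in legit:
            verdict = "lookalike-homoglyph"    # paypa1.com, dropb<U+043E>x.com
        elif brand in tokens:
            verdict = "lookalike-wordy"        # acme-payments.com, invoices-acme.com
        elif brand in name_cf or EXECUTIVES.get(name_cf) == brand:
            verdict = "display-name"           # trusted name on an unrelated mailbox
        else:
            continue
        result.update(brand=brand, verdict=verdict)
        break
    return result


# Constructed sample headers, one per pattern discussed above.
SAMPLES = [
    '"Bo Bigboss" <hackyjoe666@gmail.com>',
    '"Acme Billing" <invoices@acme-payments.com>',
    '"PayPal" <service@paypa1.com>',
    '"Dropbox" <notifications@dropb\u043ex.com>',
    '"Acme Billing" <billing@acme.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        r = classify(header)
        print(f"{r['verdict']:20} {r['ascii_domain']:26} mixed_script={r['mixed_script']!s:5} {header}")
```

Two design points matter in practice. The exact-domain verdict is deliberately not "safe": the header alone cannot distinguish a genuine message from a domain spoof, so that case has to be resolved by authentication results. And the check order runs from the strongest evidence (domain) to the weakest (display name), so a message that both pads the domain with the brand and puts the brand in the display name is reported as the domain-level attack.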
Finally, the most pernicious form of identity deception takes place when the attacker has compromised the email account or server of the identity they are impersonating. This type of attack, known as an Account Takeover Attack, is low in volume but generally the hardest to detect, since it inherits the identity markers, the sending infrastructure (so SPF, DKIM and DMARC all pass) and many of the behavioral characteristics of legitimate messages from that identity.
While the various forms of identity deception differ in prevalence and sophistication, they share two traits. First, they manipulate the perception of the recipient, convincing them that the message was sent by an identity they know. Second, they exploit the trust the recipient places in that identity, convincing the recipient to take some action or disclose some information they assume is safe. Security awareness and phishing training can help a recipient detect some of these attacks, but the burden of detection can't fall on the individual as the quality and volume of identity deception increase. Instead, these attacks have to be detected and blocked by the next
- Michael Howard, Praerit Garg, Loren M. Kohnfelder, "Rapid Application Security Threat Analysis," US Patent 7,243,374 B2 (2007-07-12). Abstract:
The following subject matter provides for modeling an application's potential security threats at a logical component level early in the design phase of the application. Specifically, in a computer system, multiple model components are defined to represent respective logical elements of the application. Each model component includes a corresponding set of security threats that could potentially be of import not only to the component but also to the application as a whole in its physical implementation. The model components are interconnected to form a logical model of the application. One or more potential security threats are then analyzed in terms of the model components in the logical model.