On Jul 15, 2021 Raimunda Weir wrote:
I received the following email. Can someone please explain if this is a phishing email, or is the website in fact left open for any hacker to take advantage of? They are asking for a reward for finding the issue too?
I tried to set up SPF, and have put v=spf1 mx -all under value, but my test email went to spam. Can I please have assistance with fixing the SPF.
Do I really need DKIM and DMARC too?
Below is the email. I did not click on any of the links.
Hello Team,
I am an ethical hacker, bug bounty hunter and security researcher. I identify bugs in websites and provide vulnerability assessments of the identified issues. I have found an email spoofing issue in your website which can allow anyone to send emails from "firstname.lastname@example.org" to any other users. Please find the details of the bug below. I am hoping to receive a bug bounty reward for the responsible disclosure of this issue and hope to report further bugs once this is pursued and remediated.
Vulnerability: No DMARC Record Found
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities. The DMARC record contains the policy which determines how to handle unauthenticated/forged emails. Its absence can allow an attacker to abuse the domain name.
I was able to send a forged email to my email address that appears to originate from "email@example.com". I was able to do this because of the following DMARC record:
DMARC record lookup and validation for: "choicecactus.com.au" "No DMARC Record found"
i) Screenshot of the affected DMARC record
ii) Screenshot of the forged/spoofed email
iii) Screenshot of the example DMARC record (fixed)
iv) Screenshot of POC PHP code that can be used to send forged emails
1) Publish your SPF and DKIM records if you haven't already. (DMARC records make use of the SPF and DKIM records to either quarantine spoofed emails to the SPAM folder or reject them based on the DMARC enabled policy and SPF pass/fail status.) Note: Your SPF and DMARC records need to align with each other before the DMARC record can properly work.
2) Publish a DMARC record.
3) Enable the DMARC Quarantine/Reject policy.
4) Use the following syntax in the DMARC TXT record:
· v=DMARC1; p=none; fo=1; rua=mailto:enter your email address; ruf=enter your email address
· For example: v=DMARC1; p=none; fo=1; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com
· Be sure to enter your email addresses after "mailto:". These addresses are where the reports are sent.
· If you are working with an ESP or other third party who will receive the DMARC reports on your behalf, ask your account representative which email addresses you should use.
POC: This can be done using any PHP mailer tool like this (image.png).
You can check your DMARC record from here: https://mxtoolbox.com/DMARC.aspx
References:
1) https://blog.redsift.com/email/the-resurgence-of-email-marketing-how-to-run-impactful-and-secure-campaigns-in-light-of-covid-19/
2) https://easydmarc.com/blog/how-to-fix-no-dmarc-record-found/
Impact: This is useful in phishing.
The attacker can send forged emails from your domain, granting him the ability to pose as a company official and send scam emails to your website users asking them for money or credentials.
A study shows why DMARC and SPF are crucial:
1) $1.6 million on average is what one single spear phishing attack costs for organizations
2) $500 million every year is scammed by phishing attacks
3) Just 3% of all users will report phishing email to their management
4) More than 400 businesses are targeted by BEC scams every day
5) 76% of organizations have reported that they have been victim of a phishing attack.
6) 1 in 3 companies have been victims of CEO fraud emails
7) 70% of all global emails are malicious
8) Fake invoice messages are the #1 type of phishing lure
Let me know if you need any further assistance, or if you have any other questions.
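As an added example (not part of the post or the quoted email), here is a small offline checker for the two records discussed above: the SPF value from the question and the DMARC syntax from the email. The record strings fed to it are constructed samples, not live DNS answers; it flags a p=none policy (monitoring only, which is what steps 3 and 4 of the email disagree on) and a report address that is missing its mailto: prefix.

```python
# Added example: offline sanity checks for SPF and DMARC TXT record values.
# Inputs are constructed strings; nothing here queries DNS.
import re


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means nothing flagged."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    for tag in ("rua", "ruf"):
        # Report URIs are comma-separated and each must be a mailto: URI.
        if tag in tags and not all(
            uri.strip().startswith("mailto:") for uri in tags[tag].split(",")
        ):
            findings.append(f"{tag}= must be a mailto: URI")
    return findings


def check_spf(record):
    """Return findings for an SPF record: the 'all' qualifier and who is authorized."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if not all_terms:
        findings.append("no 'all' mechanism: unmatched senders get neutral, not fail")
    elif all_terms[-1].lower() in ("all", "+all"):
        findings.append("+all authorizes every host on the internet")
    # Any host not matched by these mechanisms fails SPF under -all.
    senders = [t for t in terms[1:] if t not in all_terms]
    findings.append("only these mechanisms authorize senders: " + ", ".join(senders))
    return findings
```

With `v=spf1 mx -all`, only the domain's MX hosts may send; mail relayed through any other server (a web host or a third-party mailer) fails SPF unless that server is added with an `include:` or `ip4:` mechanism.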