Forensic Essay On Spoofed Email Case Of XYZ Corporation.

Write a Forensics report on the spoofed email case of XYZ Corporation's, a software firm providing web services and solutions.

The report is a Forensics report on the spoofed e-mail case of XYZ Corporations, a software firm providing web services and solutions. XYZ Corporations were a victim of E-mail spoofing and had to pay a huge toll on its reputation in the market and the reliability in the eyes of its customers. The company has its primary domain as Finance and also deals in commercial and healthcare domains. With the name of XYZ Corporations, hoax e-mails were sent to hundreds of its clients demanding for money in the name of shares and profits. Some of the clients were trapped in trick of the attackers and sent their hard earned money in fraudulent hands.

Digital Forensics is the branch of science that works in the area of electronic crimes by keeping the base as the digital evidences such as PCs, laptops, mobile devices, tablets and likewise ("Digital Evidence and Forensics | National Institute of Justice", 2016).  With the increase in the electronic crimes, the law enforcement agencies are incorporating the use of digital forensics and evidences in their infrastructure to minimize such happenings.

Questions Asked Relevant to the Case

As the Digital Forensics Examiner, the following sets of questions were asked from the team of XYZ Corporations to understand the case in a better way.

• What is the e-mail address that was used for spoofing?
• Was there any involvement of the internal network of the company in sending or replying to the mails?
• Which employees have the admin rights in the company?
• What are the different administrators and their privileges?
• What are the user privileges and user types in every department?
• What was demanded from the clients in the spoofed e-mail?
• Was there a particular group of clients who were targeted? ("Example of An Expert Witness Digital forensics Report", 2016)

Why was the e-mail address spoofed?

The email address was spoofed from the internal network of the company that is XYZ Corporations. Hence, the reason behind the same was malicious insider attack. An employee from the company gained unauthenticated privileges and impersonated using a false e-mail ID to trick the clients and acquire money from them. A handsome amount was demanded from each and every client by tempting them to invest an initial sum and gain a good share of the company’s assets and profits (The Huffington Post, 2015).

How was the e-mail address spoofed?


Spoofing of email address is not a complicated task. The basic requirements of spoofing an e-mail address are an SMTP (Simple Mail Transfer Protocol) server and applicable e-mail software. The website hosting service of XYZ Corporations provides an SMTP server in the hosting package itself. The port that is utilized by SMTP is 25 and most of the ISPs block the same.

An attacker made use of an SMTP server to show a different “from” address than the actual registered address of the company. However, to the clients, it looked like it actually came from the specified address. When an SMTP email is sent, the initial connection provides two pieces of address information:

MAIL FROM: It is usually present as the return path to the receiver. It is the header which is normally visible to the end user. By default, there are no validations or checks that are installed to verify that the sending system is authorized and authenticated to send across such information.

Analysis

RCPT TO: This is the recipient address that is the address of the designated delivery. It may or may not be visible to the end user and is present in the header section.

Every time an attacker sent an email message, the receiving server of the clients compared the IP of the origin for the message and the one that was listed in the SPF record for the host that is the @xyz.com part (Lifehacker.com, 2016).

The attacker made sure that the two IP addresses match each other and could pass through as a success for the recipient. However, if the IP addresses would not have matched, the same mail would have been sent to the spam or would have been rejected. It was the receiving server that did not have the mechanism to protect it from the e-mail spoofing.

Original Address v/s Spoofed Address

A comparison was made between the original e-mail address of XYZ Corporations and the e-mail address that was used for spoofing. The attacker made sure that the IP addresses of the two matched at the site of the recipient and made very minor changes in the address name which would normally go unnoticed ("Example of An Expert Witness Digital forensics Report", 2016).

Search and Seizer and Transport of Evidence

A warrant was issued for the search and seizer of the devices and the network that was utilized for sending and receiving the mails. The devices under suspicion were to be analyzed to have stronger evidences. The materials that were acquired from XYZ Corporations were carefully packages and a chain of custody was efficiently established; so to ensure the integrity of the evidence.

List of Criminal Offence

Cyber crimes refer to the crimes that make use of computer system as a primary means of commission ("What is cybercrime? - Definition from WhatIs.com", 2016). There has been a serious loss to the information of XYZ Corporations along with tarnishing of the image of the company in the eyes of customer. The information that has been exposed in an unauthenticated and unauthorized manner is as listed below.

• Sensitive: It consists of the pieces of information that are critical to the organization and demand a supremely high degree of protection. For instance, the information associated with the client details of XYZ Corporations that was acquired comes under this category (University, 2016).
• Confidential: This one is the classification of information that consists of those pieces that are of high importance to a particular organization along with its associated parties such as business partners, end users, stakeholders and likewise.
• Private: These are the information that is personal for an employee such as his or her details and the exposure of the same may result in loss of privacy.
• Public: The information that is fit to be shared with the public falls under this category ("Information Security - Province of British Columbia", 2016).

• Turn up the spam filters, and use of tools like Priority Inbox.

It is necessary to set the span filters in a little stronger manner to protect and prevent from such attacks. It would help in landing of the spam email in the spam box rather than the inbox on the basis of the SPF checks. Priority inbox sets the priority for the frequent senders and thus allows them an edge above the others. If any of these contacts is spoofed, then it would be easier to detect the attack.

• Learn to read message headers, and trace IP addresses.

Findings

It is a good skill to possess if the user knows the details of how to track the source of a spam. In case of an attack, the user would be able to open up the header and match the one from the original sender and the one that has been spoofed. The comparison between the two would provide clear results and no scope would be left for an attack to take place.

• Never click unfamiliar links or download unfamiliar attachments.

It is commonly seen that the users click on the links that just by a glance look fishy and unreliable. The attachments and links from unfamiliar sources should be completely avoided looking at the increased occurrence of events such as spoofing and phishing.

• Audit the e-mail to see how it responds to SPF and DMARC records.

It is advisable to check the junk e-mail folders and request the web hosts on the change in the configuration of SMTP server.

• If there is a self domain, file DMARC records for it.

DMARC records should be filed for every single domain name to prevent the attackers from attacking it with spoofed e-mails and unwanted attachments to trick people. 

Conclusions

XYZ Corporations is software firm that deals with proving finance related services and solutions. It had become a victim of e-mail spoofing and the same was done with the use of an internal network by a malicious insider. The report has analyzed all the aspects of the case and the process begun with questioning from the employees and performing a root cause analysis as to how and why the attack was done. The findings include the device details and the network details that were used during the attack and the list of offences have also been reported.

E-mail spoofing is not rocket science and can easily be done and executed. All it required is a SMTP server and appropriate software. It is recommended to make use of measures such as stronger SPF and DMARC records, frequent checks and not relying on the unfamiliar links to prevent such attacks from taking place. 

References

(2016). Forensic Focus. Retrieved 20 May 2016.

adfmedia.org,. (2016). Retrieved 20 May 2016.

arxiv.org,. (2016). Retrieved 20 May 2016.

Cybercrime / Cybercrime / Crime areas / Internet / Home - INTERPOL. (2016). Interpol.int. Retrieved 20 May 2016.

Digital Evidence and Forensics | National Institute of Justice. (2016). National Institute of Justice. R.

Example of An Expert Witness Digital forensics Report. (2016). Academia.edu. Retrieved 20 May 2016.

Information Security - Province of British Columbia. (2016). Cio.gov.bc.ca. Retrieved 20 May 2016.

Lifehacker.com,. (2016). Lifehacker.com. Retrieved 20 May 2016.

Shinder, D. (2004). Understanding E-mail Spoofing. WindowSecurity.com. Retrieved 20 May 2016.

The Huffington Post,. (2015). The Huffington Post. Retrieved 20 May 2016.

University, C. (2016). Guidelines for Data Classification-Computing Services ISO - Carnegie Mellon University. Cmu.edu. Retrieved 20 May 2016.