General Security Concepts: Attacks • Chapter 2 73
Look for the MX entry with the lowest preference value (that is, the highest-priority mail server); in this case
mail.destinationdomain.com.
Now, in Outlook Express, go to Tools | Accounts and create a new
account. In the appropriate screens, enter sam.carter@sgc.com as the
e-mail address, Sam Carter as the name, mail.destinationdomain.com as
the mail server, and anything at all in the username/password fields. Now
simply create a new e-mail to your victim, and he or she will receive
an e-mail from Dr. Sam Carter. The only way to tell it is a fake is to
examine the e-mail headers and check the IP address of the server that
actually handed the message over (recorded in the Received headers)
against the claimed sender's domain, and that is very hard for the average user to do.
Even more, if the destination server has no spoof protection configured (that
is, it does not refuse mail arriving from the outside that claims to be FROM
its own domain while being addressed TO that same domain), it is just as
simple to send an e-mail to your victim posing as his boss. Simply enter
the boss's name and e-mail address in the account properties.
Several frameworks have been proposed to defend against e-mail
spoofing, but none has been commonly adopted. The Sender Policy
Framework (SPF), which lets a domain publish in DNS the servers that are
allowed to send mail on its behalf so that a receiving server can check the
connecting IP address against that list, is gaining traction, but it is still
a long way from being a universal standard. In the meantime, users need to
be educated about the potential for e-mail spoofing and to use common
sense before trusting messages and opening attachments.
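The two checks just described, as an added example that is not from the book: reading the topmost Received header to find the IP address that actually delivered the message, and evaluating that IP against the sending domain's SPF record. The two messages, the hostnames, the IP addresses and the SPF record for sgc.com are all constructed for illustration (no DNS is queried; SPF_RECORDS stands in for the TXT lookup), and only the ip4, ip6 and all mechanisms of SPF are implemented.

```python
"""Added example, not from the book: the header check and the SPF check
described in the text, run over two constructed messages.

The From: line an Outlook Express user sees is whatever the attacker typed
into the account properties.  What the receiving server can actually trust
is the IP address of the host that connected to it, which it writes into
the topmost Received: header.  SPF lets the sending domain publish, in DNS,
which IPs may send mail for it; that IP is then checked against the record.
No DNS is queried here: SPF_RECORDS is a constructed stand-in.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: what the spoofing steps in the text produce once it
# has passed through mail.destinationdomain.com and reached sgc.com's MX.
SPOOFED_RAW = """\
Return-Path: <sam.carter@sgc.com>
Received: from mail.destinationdomain.com (mail.destinationdomain.com [203.0.113.7])
    by mx.sgc.com with ESMTP id 4kQ2xZ1
From: Sam Carter <sam.carter@sgc.com>
To: victim@sgc.com
Subject: Urgent

Please open the attachment.
"""

# Constructed message from sgc.com's own outbound server, for comparison.
LEGIT_RAW = """\
Return-Path: <sam.carter@sgc.com>
Received: from smtp.sgc.com (smtp.sgc.com [198.51.100.10])
    by mx.sgc.com with ESMTP id 4kQ2xZ2
From: Sam Carter <sam.carter@sgc.com>
To: victim@sgc.com
Subject: Meeting notes

Attached.
"""

# Constructed SPF record: sgc.com says only 198.51.100.0/24 sends its mail.
SPF_RECORDS = {"sgc.com": "v=spf1 ip4:198.51.100.0/24 -all"}

_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def connecting_ip(raw_message):
    """IP of the host that handed the message to the receiving server.

    Received: headers are prepended by each hop, so the topmost one was
    written by the last (our) server and is the only one we did not have to
    take the sender's word for.  Earlier hops can be forged by the sender."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\[([0-9A-Fa-f.:]+)\]", received[0])
    return m.group(1) if m else None


def check_spf(record, sender_ip):
    """Evaluate an SPF record against the connecting IP.

    Only ip4, ip6 and all are implemented; a, mx, include and exists need
    DNS lookups and are rejected rather than guessed.  Qualifiers follow
    the SPF convention: + pass (default), - fail, ~ softfail, ? neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return _RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return _RESULT[qualifier]
            continue
        raise ValueError(f"SPF mechanism {name!r} needs DNS; not implemented here")
    return "neutral"  # nothing matched and there was no "all" term


def verdict(raw_message, spf_records):
    """Tie the two checks together for one message.

    SPF is defined over the envelope sender (Return-Path), not the From:
    header the user sees; with the Outlook Express setup in the text both
    carry the attacker's chosen address, so the domain is the same."""
    msg = message_from_string(raw_message)
    _, envelope_sender = parseaddr(msg["Return-Path"] or msg["From"] or "")
    domain = envelope_sender.rpartition("@")[2].lower()
    ip = connecting_ip(raw_message)
    record = spf_records.get(domain)
    if not domain or ip is None or record is None:
        return domain, ip, "none"
    return domain, ip, check_spf(record, ip)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, verdict(raw, SPF_RECORDS))
```

Run as a script it reports the spoofed message as an SPF fail (203.0.113.7 is not in sgc.com's record) and the legitimate one as a pass. Note that a real validator resolves the record by DNS, follows include and mx mechanisms, and applies the policy at SMTP time; the point here is that the decision rests on the connecting IP, which the sender cannot choose, rather than on the From: line, which the sender chooses freely.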
Web Site Spoofing
Web site spoofing occurs when an attacker creates a Web site very similar, if not
identical, to another site, usually an e-commerce, banking, or gambling destination.
The main purpose of Web site spoofing is to trick visitors into thinking they
are using the original site, so that they will enter their credentials (username,
password, PIN, and so forth), which are captured by the owners of the spoofed site.
When attackers create a spoofed system, they often recreate only as much of the
original as is necessary to create the illusion of the real thing. With this façade,
they have built enough to establish their trick while avoiding much of the
complexity of the original system. Armed with the real credentials of a valid user,
attackers can wreak all kinds of havoc on the victim's account.
Phishing
Phishing is a combination of e-mail and Web site spoofing, and it is one of the most
dangerous attacks currently active. The basic phishing attack starts with a spammer
www.syngress.com