No one can outright argue that social engineering isn’t the biggest threat to companies like banks and credit unions when it comes to gaining access to internal systems. The reason being is no matter how tough your IT controls and security posture is, how good your vulnerability assessment is, it all becomes worthless when someone will easily hand over the keys just by asking. This is the reason why SPF records are so important.
SPF stands for sender policy framework. SPF records help to stop spam, email spoofing and thus social engineering attacks against employees. This is important because one of the ways that an attacker will try to social engineer employees is by spoofing someone else such as the IT Manager and asking for another employee’s credentials. This of course is done in a crafty manner like sending the employee to some fake credit union website that asks for the employee’s login information. If an email looks like it is originating from the IT Manager how can you ask employees to ignore it?
The great thing about SPF records is that it is very easy to tell if your records are set up right or not. From the command prompt:
Nslookup
Set ENGINE=txt
creditunionwebsite.com
At the end of the SPF record you should see –all to prevent spoofing. If you see a all, ~all or ?all that SPF record will most likely still allow spoofing.
If you need any help setting them up or want to check if you even have one, there is a great wizard to at Microsoft that will easily help you do that:
Microsoft Wizard
If you want to get a little more creative to see if your mail servers will allow you to spoof an employee’s email try the following from a telnet prompt after connecting to your SMTP mail server.
helo <your domain name here><click enter>
250 OK
mail from: <your email address you want to spoof here><click enter>
250 OK
rcpt to: <who you want the recipient to be><click enter>
250 OK
data <click enter>
354 Send data.
Subject: <enter subject field here><click enter>
<enter your text body here>
<click enter>
. <click enter and yes that is a decimal>
<click enter>
250 OK
quit<enter>
That does it and a long as those SPF records aren’t set up right you can appear to be anyone you want to be minus some great spam protection on the mail servers. Social engineering is such vulnerability that we need all the technical help we can get to help defeat it. This is just one simple fix that will help you get where you need to be.
Leave a Reply