Why Securing Your DNS Should Be a Priority

WE TEND TO THINK EVERYTHING IS MORE AND MORE SECURE WITH TIME BUT LET’S BE REAL, IT’S NOT

There are probably two main reasons for this:

  • Systems are more and more complex and designed to answer very specific needs, so “classic security” is never enough.
  • Attackers go after employees and users with sophisticated social engineering, aiming at the “weakest” link of the chain, in other words, us.

Attackers are always one step ahead and will never stop trying, but we can study their techniques, learn from them and teach people not to fall into these traps.

Security has to be addressed at every level, and it improves when awareness among users and employees is combined with regular security audits.

WHAT HAPPENS IF YOUR DOMAIN IS NOT PROTECTED WELL

➡️ CANTINA has released a very complete Guide To Prevent DNS Hijacking For Web3; I recommend checking it out.

I decided to write this article because, as a matter of fact, I keep being surprised by how many companies (even security firms) do not protect their domain properly.

Let’s highlight the main weaknesses that a poor DNS security posture or configuration exposes:

  • Domain takeover
  • Subdomain takeover
  • Domain Spoofing / Phishing

But what are the impacts?

Attackers probably have more imagination than you and me together, and their goals differ, but as I focus on Web3 security, their ultimate goal is to steal private keys and, with them, funds. How do they get there? Through social engineering.

THE TWO BIGGEST THINGS YOU CAN LOSE FOREVER ARE MONEY AND REPUTATION, WHETHER YOU ARE A USER OR A COMPANY

Today X and Telegram are full of scams, and probably your email inbox too.

I want to show you one example of how attackers can run a more successful phishing campaign when they spoof a domain.

DNS records define the different functions and properties of a domain name. Here are the record types that matter for this example:

TXT Records

  • SPF (Sender Policy Framework): a TXT record at the domain that lists the hosts authorized to send email for it; receivers check it against the envelope sender (MAIL FROM), not the visible From header.
  • DKIM (DomainKeys Identified Mail): a TXT record at selector._domainkey.yourdomain holding the public key used to verify the cryptographic signature added to outgoing mail.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): a TXT record at _dmarc.yourdomain that tells receivers what to do with mail whose SPF or DKIM result does not align with the From domain, and where to send reports.

CNAME Record

  • Aliases a name to another hostname, commonly used to delegate subdomains to third-party services. A CNAME left pointing at a service you no longer use is the classic entry point for a subdomain takeover.

When these records are missing or misconfigured (for example SPF in place but no DMARC policy, or DMARC with p=none), it can take just a few minutes to spoof your domain.

HOW ATTACKERS SPOOF YOUR DOMAIN

Do you have a domain registered?

You must know that ANYONE can check your DMARC record with tools such as https://easydmarc.com/tools/dmarc-lookup (or simply a TXT lookup of _dmarc.yourdomain).

To make it clearer, anyone can know within 2 minutes and 2 clicks whether they can spoof your domain.

Domain spoofing involves forging the “From” field in email headers to make it appear as if emails are sent from another domain, without authorization. From my PERSONAL ETHICAL EXPERIENCE as a security researcher, I can tell you it significantly increases the success rate of a phishing campaign.

Why? Simply because at first and second sight, the email looks legitimate.

Emails from mycryptowebsite.com will not come from a lookalike such as mycriptowebsite.com; they will carry the EXACT SAME DOMAIN.

Proof of Concept

I own the domain web3audits.xyz and I want to show you what’s possible. I will reset my domain to its default configuration.

Here is how the lookup looks: there is no domain policy, and here is why that is dangerous.

I previously installed and configured Postfix on my Mac. The requirements for this proof of concept are a working Postfix installation and a domain you legitimately own.

Once you have started Postfix, go and edit your Postfix configuration.

sudo nano /etc/postfix/main.cf

Set YOUR domain, the one whose mail server will actually send the email, in ‘INTERNET HOST AND DOMAIN NAMES’ (the myhostname and mydomain parameters).

I own op3sec.io and set it as the sender.

Then set the domain that will be spoofed and displayed in the From field in ‘SENDING MAIL’ (the myorigin parameter).

I will send emails on behalf of web3audits.xyz.

Now reload your Postfix configuration.

sudo postfix reload

Then send the email from your terminal. The address after sendmail -v is the envelope recipient, i.e. the mailbox that will actually receive the test; replace it with yours.

echo -e "From: souilos-whitehat@web3audits.xyz\nTo: louis@op3sec.io\nSubject: Spoofed Email PoC\n\nThis Proof Of Concept shows that emails can be sent from \"anything\"@web3audits.xyz" | sendmail -v louis@example.com

Email received

What you should know

This was not a sophisticated proof of concept, just a quick one to show you what is possible within a few clicks.

As you can see, Gmail flagged my email as External with a yellow label, yet it landed in the main mailbox (not in spam). That is the expected outcome: SPF is evaluated against the envelope sender, op3sec.io, which I legitimately control, so it passes; and because web3audits.xyz publishes no DMARC policy, nothing tells the receiver that the visible From domain must align with the authenticated one.

Today attackers are very good at this and can make emails far more convincing than this one. Let’s imagine another scenario: I have a verified X profile with the blue tag, we have been talking for a few days, and I ask for your email to send you a job offer: “check your spam folder, it might be there”. By then I will have gained enough trust for you to at LEAST open that email and maybe CLICK on a malicious link, who knows? The email comes from a legitimate sender, doesn’t it?

What you MUST do

If you have any doubt about an email, OPEN THE HEADERS to see all the details.

In Gmail, open the vertical ‘…’ menu and click ‘Show original’.

Show original

You will see all the details and who the real sender is: the Return-Path (the envelope sender), the chain of Received headers and the Authentication-Results line with the SPF, DKIM and DMARC verdicts. That gives you a domain or an IP to investigate further.
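To make that reading concrete, here is an added example (mine, not part of the original article) that does the triage on a raw message: it pulls the From domain, the Return-Path (envelope sender), the first relay from the Received chain and the receiver’s Authentication-Results verdicts, and flags the mismatches. The message is constructed for the demo, modelled on the PoC above; the Authentication-Results line imitates what a receiving mail server such as Gmail adds, and the host names and IP address are made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the PoC: the visible From is web3audits.xyz,
# but the envelope sender and the relaying host belong to op3sec.io.
# The Authentication-Results header imitates what the receiving MX adds;
# host names and the IP address are made up.
RAW_MESSAGE = """\
Return-Path: <louis@op3sec.io>
Received: from mail.op3sec.io (mail.op3sec.io [203.0.113.10])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net;
       spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=op3sec.io;
       dkim=none;
       dmarc=none header.from=web3audits.xyz
From: souilos-whitehat@web3audits.xyz
To: victim@example.net
Subject: Spoofed Email PoC

This Proof Of Concept shows that emails can be sent from "anything"@web3audits.xyz
"""


def domain_of(address: str) -> str:
    """Domain part of an address header value such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header into {method: {result, props}}."""
    # Drop the authserv-id (text before the first ';') and any (comments).
    body = header.split(";", 1)[1] if ";" in header else ""
    body = re.sub(r"\([^)]*\)", "", body)
    results = {}
    for clause in body.split(";"):
        clause = " ".join(clause.split())  # collapse folding whitespace
        pairs = re.findall(r"([\w.]+)=(\S+)", clause)
        if not pairs:
            continue
        method, verdict = pairs[0]
        props = {k.lower(): v.lower() for k, v in pairs[1:]}
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def triage(raw: str) -> dict:
    """Extract the sender-identifying headers and list the mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    # Each hop prepends a Received header, so the last one is the first hop.
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+(\S+)", str(received[-1])) if received else None
    relay = match.group(1) if match else ""

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender domain {return_path_domain}")
    spf_domain = auth.get("spf", {}).get("smtp.mailfrom", "")
    if spf_domain and spf_domain != from_domain:
        findings.append(f"SPF {auth['spf']['result']} was evaluated for {spf_domain}, not for the visible From domain")
    dmarc = auth.get("dmarc", {}).get("result", "missing")
    if dmarc != "pass":
        findings.append(f"DMARC result is '{dmarc}' for {from_domain}: the From domain was not authenticated")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "relay": relay, "auth": auth, "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    print(f"From domain   : {report['from_domain']}")
    print(f"Envelope from : {report['return_path_domain']} (via {report['relay']})")
    for finding in report["findings"]:
        print(" !", finding)
```

Run it on the text you get from ‘Show original’ (paste it into RAW_MESSAGE) and the three findings tell you exactly what the yellow label hides: SPF passed for a different domain than the one you see, and nothing authenticated the From domain.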

WHAT YOU MUST DO TO PREVENT YOUR DOMAIN FROM SPOOFING

Here are my recommendations; keep in mind that every business must adapt them to its own mail flows, needs and security design. In particular, before moving to p=reject, make sure every legitimate sender (your mail provider, newsletter tool, ticketing system…) passes SPF or DKIM with alignment, otherwise you will reject your own mail. The usual path is p=none with reports first, then quarantine, then reject.

Create or edit the ‘_dmarc’ ‘TXT’ record of your domain and set strict parameters:

v=DMARC1; p=reject; adkim=s; aspf=r

In my case here:

  • p=reject: tells receivers to reject emails that fail DMARC (no aligned SPF or DKIM pass).
  • adkim=s: enforces strict alignment for DKIM, meaning the d= domain of the signature must exactly match the “From” domain.
  • aspf=r: allows relaxed alignment for SPF, meaning the envelope sender domain checked by SPF only has to share the organizational domain with the “From” domain (mail.web3audits.xyz aligns with web3audits.xyz; op3sec.io does not).

Here are other parameters to extend protection on subdomains and provide visibility into how your domain is being used or abused:

  • sp=reject: applies the given policy (here “reject”) to emails sent from subdomains, so they are protected too; without it, subdomains inherit p.
  • rua=mailto:dmarc-reports@example.com: the address where aggregate DMARC reports (daily summaries of authentication results per sending source) are sent. Set this even at p=none: it is how you discover which legitimate services send on your behalf.
  • ruf=mailto:dmarc-failures@example.com: the address where forensic DMARC reports (detailed reports about individual failures) are sent; note that many large receivers do not send these at all.
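Here is an added example (mine, not from the article) that shows what the lookup tools from the “How attackers spoof your domain” section check, and how the alignment tags above decide the fate of a message. It parses a DMARC record, lists its weak settings, and applies the alignment rules to the PoC scenario: header From web3audits.xyz, envelope sender op3sec.io passing SPF, no DKIM. The record strings are constructed; a real one comes from a TXT lookup of _dmarc.<domain>, e.g. dig +short TXT _dmarc.web3audits.xyz. One simplification is assumed: the organizational domain used for relaxed alignment is taken as the last two labels, instead of the Public Suffix List that real receivers consult.

```python
# DMARC record evaluation: what the lookup tools report, and how a receiver
# applies the policy to a message. Added example, not the article's code.
# The records below are constructed; a real one is fetched with a TXT lookup
# of _dmarc.<domain> (for example: dig +short TXT _dmarc.web3audits.xyz).


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment.
    Assumption/simplification: the last two labels. Real receivers use the
    Public Suffix List, so a name like example.co.uk would differ here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Does the authenticated domain align with the header From domain?
    mode 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str, spf_domain=None, dkim_domain=None):
    """Disposition for a message whose header From domain is `from_domain`.

    spf_domain:  MAIL FROM domain that passed SPF (None if SPF did not pass).
    dkim_domain: d= of a valid DKIM signature (None if none verified).
    Returns (disposition, reasons); disposition is 'pass', 'none',
    'quarantine' or 'reject'."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return "none", ["no DMARC record published: receivers apply no policy, the domain is spoofable"]
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    # Mail from a subdomain follows sp= when present, otherwise p=.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    spf_ok = aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    reasons = [f"SPF aligned: {spf_ok} (aspf={tags.get('aspf', 'r')}, domain={spf_domain})",
               f"DKIM aligned: {dkim_ok} (adkim={tags.get('adkim', 'r')}, domain={dkim_domain})"]
    if spf_ok or dkim_ok:
        return "pass", reasons
    return policy.lower(), reasons + [f"no aligned identifier, applying policy {policy}"]


def weaknesses(record: str) -> list:
    """What a 'can anyone spoof this domain?' lookup would complain about."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["no DMARC record"]
    tags = parse_dmarc(record)
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: failures are only monitored, never blocked")
    if tags.get("sp", tags.get("p", "none")) == "none":
        issues.append("subdomains unprotected: sp (or p) is none")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports, no visibility into abuse")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only that percentage of failing mail")
    return issues


if __name__ == "__main__":
    # The PoC scenario: From web3audits.xyz, envelope sender op3sec.io (SPF pass), no DKIM.
    for rec in ["", "v=DMARC1; p=none", "v=DMARC1; p=reject; adkim=s; aspf=r"]:
        verdict, why = evaluate(rec, "web3audits.xyz", spf_domain="op3sec.io")
        print(f"{rec or '(no record)':45} -> {verdict}")
        for line in why:
            print("    ", line)
```

The same evaluate() call with spf_domain="mail.web3audits.xyz" comes back as pass under aspf=r, and with dkim_domain="mail.web3audits.xyz" it still fails under adkim=s: that is the difference between the relaxed and strict tags in practice.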

FULLY PROTECT YOUR DOMAIN

To fully protect your domain and subdomains, you need a broader set of security settings and practices. Make sure to check the Playbook from CANTINA.

Recommendations:

  • Educate your team and users to identify phishing schemes. Perform regular Web2 security assessments.
  • Verify that your websites enforce HTTPS (SSL/TLS) with valid certificates.
  • Use dedicated email accounts exclusively for domain management.
  • Enable 2FA for all domain administrators, preferably with hardware security keys or passkeys.
  • Keep track of any change to your DNS records, and remove records (especially CNAMEs) that point to services you no longer use.
  • Choose a trusted domain registrar and enable domain locking (Cloudflare offers it).
  • Invest in advanced DNS protection services, such as Cloudflare Premium.

And have good security practices 😊.

Thanks for reading, Souilos.