In May of this year, Curitiba councilor Renato Freitas (PT) received an email with racist content. The message was addressed to him, but also mentioned councilors Carol Dartora (PT) and Herivelto Oliveira (Citizenship). The sender, according to the address and header, was also councilor Sidnei Toaldo (PSD), who denied the authorship and registered a police report.
The City Council's Internal Affairs Department then opened an inquiry into the crime. It concluded that the email had been forged and had not come from any official email address of the House. According to the report, the message had been sent from a domain in the Czech Republic.
The attack on the councilors used a technique called spoofing, in which the criminal forges the address and sender of the email in order to pass as a person, entity or company.
Every day, more than 300 billion emails are sent worldwide, and around 50% of them are identified as spam. Many of these are spoofing messages.
The practice is used to commit various crimes, such as stealing data from users who fill in forms believing they are replying to official bodies, or, as happened in the Curitiba Chamber, spreading hate crimes such as racism.
The technique, however, goes beyond simple theft of an email account and password: it is a crime of identity forgery. That is how Altair Olivo Santin, professor in the graduate program in informatics at the Pontifical Catholic University of Paraná (PUCPR), explains it.
“Email has always allowed the sender to be changed. Sometimes, a person sends a message on behalf of an entity, for example, and does not want the answer to come to him (individual), but to the entity’s email address. It is not necessary to use any attack, any sophisticated technique to change the sender; it is enough that the servers, both the one that sends it and the one that receives it, consider that message and sender as true.”
This is what happened with the server that manages the City Council's email, which is operated by Serpro (Data Processing Service), a company run by the federal government.
Santin says it is up to the servers to enforce certain security protocols that prevent forged messages such as spoofing from being forwarded or received.
It is a set of tools referred to as DKIM (DomainKeys); among them, for example, is SPF (Sender Policy Framework), which lets the holder of a domain specify which servers are allowed to send messages on its behalf, with the receiving server then verifying that claim.
SPF lets the receiving email provider check whether the message really comes from a sender authorized for that domain.
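To make the SPF check concrete, here is an added example (not code from the article, Serpro or the Chamber) of a simplified evaluator: it reads the domain's SPF record from a constructed table that stands in for DNS, tests whether the connecting IP is authorized, and returns the verdict a receiving server would act on. It also covers include and softfail terms beyond the single case the text describes; all domain names and addresses are placeholders.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (placeholder domains).
SPF_RECORDS = {
    "council.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example":  "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers: what the receiver should conclude when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Handles ip4, ip6, include and all (with qualifiers). This is a teaching
    subset, not a full RFC 7208 implementation: a, mx, exists and macros
    need live DNS and are skipped here.
    """
    if depth > 10:                         # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:   # an IPv4 address never matches an IPv6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf(arg, sender_ip, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched


if __name__ == "__main__":
    # A message claiming council.example but handed over by an unlisted host.
    print(check_spf("council.example", "192.0.2.5"))      # fail
```

A "fail" verdict is the signal the receiving server acts on; whether that means rejecting, quarantining or merely scoring the message is a local policy decision, which is exactly where the article's filter threshold came in.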
The Curitiba Chamber reported that the Serpro team identified a flaw in the filter system, which did not classify the email sent to Freitas as spam.
The message ended up being delivered because it did not meet the minimum criteria for blocking. Blocking happens when an email fails to pass the filters that read messages looking for known patterns, or the blacklist, which lists IP (Internet Protocol) addresses of servers that send a lot of spam.
The failure occurred because the message with racist content was not blocked under the rules that had been set for the domains Serpro serves. According to the council's press office, adjustments have already been made to prevent further occurrences.
Increase in occurrences
The case of Curitiba is investigated by Nuciber (Núcleo de Combate aos Cibercrimes), of the Civil Police of Paraná, which points to an increase in this type of crime in the state.
According to the chief delegate, José Barreto, threats and hate crimes are the most common crimes linked to spoofing.
“We see many threats and hate crimes being committed through this practice, including in the political environment”, he says.
There is no exact count of occurrences, however, because this type of crime has no specific criminal classification: when spoofing occurs, the offense committed through it is what gets recorded (threat, theft, misrepresentation).
In addition, says the delegate, spoofing is also used to steal personal data and happens, for example, when a user clicks on a link sent by a sender he considers to be trustworthy.
Santin, from PUCPR, says that to protect themselves, users should use servers that offer authentication services. This is what is called “end-to-end encryption”.
This is a data transmission method that allows only the sender and the recipient to read messages.
With it, the data is encrypted on the sender's system, and only the intended recipient is able to decode it. No one other than the two correspondents can read the message or change it.
What is it? It consists of changing the address and sender of an email, allowing the criminal to impersonate a person, company, entity or government agency.
How does the forgery happen? Changing an email sender is not complex. In webmail, for example, it is not possible to rename the sender, but in services like Outlook it is. In many cases the sender is changed to make organizing replies easier, such as when someone sends a message on behalf of an entity and does not want the reply to come to him (individual), but to the entity's address. The same practice, however, can be used for criminal purposes.
What tools does a criminal use in practice? A server that does not enforce authentication protocols. Such anonymous servers accept and relay emails that are not authenticated; they form networks of servers that do not use authentication protocols.
In addition, the criminal uses a VPN, a virtual private network that makes it possible to establish a secure network connection when using public networks. VPNs encrypt internet traffic and disguise online identity.
What is the main objective of those who use this practice? Impersonating a person or entity. By hiding the true sender, it is possible to commit various types of crimes, including data theft, which happens, for example, when the user clicks on a link in an email he or she judged to be safe. It is also used to spread threats and hate crimes.
Is spoofing considered a crime? Which one? Yes, crimes such as ideological falsehood, provided for in article 299 of the Penal Code, can be committed; data theft, provided for in article 155; the crime of threat, provided for in article 147; among others.
Is it possible to identify a criminal who sends a spoofing email? It is possible to identify the criminal, but the process is complex. Even someone using a VPN leaves a trail, but identification depends on gaining access to the logs of the server that sent the email.
How is a spoofing crime investigated? The police do not reveal the step-by-step of an investigation, but explain that the first step is to analyze the raw source of the email message (its headers) to verify that the sender is really who he says he is. The next step is to try to identify the real sender.
How to protect yourself from spoofing emails? By using servers that enforce authentication protocols. Larger email services such as Gmail, Outlook, ProtonMail, AOL, Zoho Mail, iCloud Mail and Yahoo! Mail, for example, offer this safety net. If a spoofed message is sent and these servers do not recognize the originating server as safe, they send the message to the spam folder.
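The "analyze the raw source of the email" step above, as an added example that is not part of the article or of any police procedure: it parses a constructed message in which the visible From header claims the council's domain while the envelope sender, the delivering host and the receiving server's own SPF verdict point elsewhere, and reports the mismatches an investigator or spam filter would look at first. Domains, addresses and the IP are placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed message for illustration only (placeholder domains/addresses).
RAW_MESSAGE = b"""Return-Path: <bounce@relay-abroad.example>
Received: from relay-abroad.example (relay-abroad.example [192.0.2.5])
\tby mail.council.example with ESMTP id constructed001;
\tMon, 2 May 2022 10:00:00 -0300
Authentication-Results: mail.council.example;
\tspf=fail smtp.mailfrom=relay-abroad.example
From: "Councilor Example" <councilor@council.example>
To: colleague@council.example
Subject: Test

Body text.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw):
    """Compare the visible From with the envelope and transport evidence."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # The topmost Received header was written by the receiving server itself,
    # so it is the one hop whose recorded IP can be trusted.
    received = msg.get_all("Received") or []
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    # Authentication-Results is also stamped by the receiver, after running SPF.
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    report = {
        "from_domain": domain_of(msg["From"]),
        "envelope_domain": domain_of(msg["Return-Path"]),
        "first_hop_ip": hop.group(1) if hop else None,
        "spf_result": spf.group(1) if spf else None,
    }
    # Alignment: the domain people see should match the domain that took
    # responsibility for sending (the Return-Path / envelope sender).
    report["aligned"] = report["envelope_domain"] == report["from_domain"]
    report["suspicious"] = (not report["aligned"]
                            or report["spf_result"] not in (None, "pass"))
    return report


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

A forger controls every header below the first hop, including Return-Path, so alignment alone is not proof; the first-hop IP and the receiver's own Authentication-Results stamp are the evidence that cannot be rewritten by the sender.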