Even the best of antispam measures may not be enough to protect you from spoof email messages. By spoof email, I mean a message that appears to be from a party you know - most commonly, an ecommerce site, financial institution, even your IT department - but in fact, is a bogus message, with a malicious intent.
A spoof email message is an all too common example of social engineering, and one frequently used in identity theft. The attacker composes an email that claims to come from a server or person you normally trust: for example, you may receive a message from
- your bank, requesting that you update your personal information;
- your IT department, requesting that you change your password before it expires;
- an online retailer, requesting that you verify your credit card information;
- an online auction site, claiming that someone has used your account to make fake bids.
Such attacks, also known as phishing, carding, and brand spoofing, fool users into visiting a URL that looks like a legitimate site, but is actually the attacker's machine, where the attacker continues the spoof, possibly using web pages and forms to gather user accounts, passwords, credit card and other personal and sensitive information.
Here's an example of an eBay spoof email I recently received. I have stripped the malicious URL, so all you will see is the text message.
To the hasty and uninformed, the mail looks sufficiently "legit", so the attack succeeds frequently enough to be worth the phisher's while.
Here's a short list of things you can do to prevent falling victim to phishing:
- Don't be hasty. Even when email comes from a source you trust, think before you click on a hyperlink (URL) in an email message.
- Examine a URL before you visit it. In the example email, I was asked to visit http://scgi.ebay.com/verify_id=ebay&fraud alert id code=00626654. I did a DNS lookup on the hostname scgi.ebay.com: it resolves to 66.135.213.40. But the hyperlink embedded in this text actually visits an IP address, 202.164.32.6. Warning Will Robinson! You can also use WHOIS to look up the owner of the IP network: an IP address that is assigned by an ISP to residential broadband services is a fairly good indicator that the sender is bogus.
- Don't play Crime Scene Investigator on your personal or company machine. If you suspect malice, report it. Reputable site operators publish specific guidelines for reporting spoofing: eBay, for example, asks you to send the entire email message, including headers, to spoof@ebay.com. They'll confirm receipt with an email like this one. Notice there's an embedded link in eBay's confirmation email. Examine this one, and you'll see the host name pages.ebay.com in both the text and the embedded link. Resolve the name (practice makes perfect).
- Look for clues that the message is bogus. You can play coroner if not CSI: the (message) body always reveals the truth. If you suspect something's amiss, chances are you are right. Re-read the message. If it's really an e-tailer or bank, or your IT department, chances are (1) they will often include a telephone number; (2) the grammar and punctuation will be proofed and correct; (3) the department that claims to author the email will exist; (4) a return email address will be provided; (5) if they ask you to take an action like changing a password, they are less likely to give you a hyperlink to click through. This last item should almost fall under the category of common sense: you usually access bank and e-tailer accounts using SSL, right? If the URL is not https:// you're probably being spoofed. But even if it is, you should be cautious and go directly to the secure (SSL) URL you normally use.
- Are the mail headers phishy? If you know a bit about email headers, you can look to see whether the email originated from the purported sender's domain and mailbox. In the legitimate email from ebay.com, you'll see "Received: from outbound1.smf.ebay.com (HELO smf-klm-01.corp.ebay.com) (66.135.215.134)", whereas in the spoof email, you see "Received: from nameservices.net (HELO garniernutrice.com) (216.117.142.207)...". My partner, Lisa Phifer, adds, "sender addresses can be forged, and mail can be relayed through insufficiently protected SMTP servers, so don't assume 'Received from:' is always accurate. It might tell you something is phishy, but not necessarily tell you who really sent the email."
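The two manual checks above (does the link's visible text match where it really goes, and is the link target a raw IP address; does the originating Received hop sit in the sender's claimed domain) can be automated for triage. The script below is an added example written for this article, not a tool the author describes. It parses a raw message with Python's standard email library, walks the HTML anchors, and compares the originating Received header against the From domain. Both sample messages are constructed: the domains (bank.example, nameservices.example) and addresses (TEST-NET ranges such as 203.0.113.6) are placeholders modelled on the page's spoof and legitimate examples, not real hosts. As the caveat above says, a Received header can be forged, so a mismatch is a signal for reporting, not proof of who sent the mail.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed spoof: the link text names the sender's host, the href points at a raw IP,
# and the originating hop has nothing to do with the claimed sender domain.
SAMPLE_SPOOF = """\
Received: from nameservices.example (HELO garnier.example) (203.0.113.207)
  by mx.example.net with SMTP; Wed, 7 Apr 2004 10:00:00 -0000
From: alerts@bank.example
To: victim@example.net
Subject: Fraud alert
Content-Type: text/html

<p>Please verify your account at
<a href="http://203.0.113.6/verify">http://scgi.bank.example/verify_id=ebay</a></p>
"""

# Constructed legitimate message: hostname in text and href agree, hop is inside the domain.
SAMPLE_LEGIT = """\
Received: from outbound1.smf.bank.example (HELO smf-01.corp.bank.example) (192.0.2.134)
  by mx.example.net with SMTP; Wed, 7 Apr 2004 11:00:00 -0000
From: support@bank.example
To: victim@example.net
Subject: We received your report
Content-Type: text/html

<p>Thank you. See <a href="http://pages.bank.example/help">http://pages.bank.example/help</a></p>
"""

# Visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
# "from <rdns> (HELO <helo>) (<ip>)" as written in the Received lines quoted on the page.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Lower-cased hostname of a URL or bare host string, or None if there is none."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def is_ip(host):
    """True when the host part is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_domain(name, domain):
    name = name.lower()
    return name == domain or name.endswith("." + domain)


def check_links(msg):
    """Flag anchors whose target is a raw IP or whose visible host differs from the real one."""
    findings, body = [], msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _LinkParser()
    parser.feed(body.get_content())
    for href, text in parser.links:
        target = host_of(href)
        if target is None:
            continue
        if is_ip(target):
            findings.append(f"link target is a raw IP address: {href}")
        if URL_LIKE.match(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but target is {target}")
    return findings


def check_headers(msg):
    """Compare the originating Received hop (last header, first hop) with the From domain."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    if not m:
        return ["no parsable From address"]
    claimed = m.group(1).lower()
    received = msg.get_all("Received") or []
    if not received:
        return []
    hop = RECEIVED_RE.search(str(received[-1]))
    if hop is None:
        return ["could not parse originating Received header"]
    rdns, helo, ip = hop.groups()
    if not (in_domain(rdns, claimed) or in_domain(helo, claimed)):
        return [f"originating hop {rdns} (HELO {helo}, {ip}) is outside claimed sender domain {claimed}"]
    return []


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing looked phishy."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_links(msg) + check_headers(msg)


if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

Feed it a message saved from your mail client with full headers; it reports findings rather than deciding, which keeps the human review step the article recommends.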
These are the measures I take. I've educated my family to do the same. You should educate your users and family as well.