
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Spoofing Close to Home

June 18, 2018 By Trevor Collins

An email hit my inbox about one family member, Samantha, apparently asking another family member to transfer money. The story was that her mother's credit card had been declined for some reason and she needed the money for a surprise present. The scam was obvious and my family knew it, but that still left the question of how the sender had got hold of Samantha's email.

The technique was more involved than a typical bulk phish. The messages looked as though they came from Samantha's real account but were actually sent from a similar-looking one. This is what the From and To fields of the email looked like; I have changed the names for privacy.

Sent: Thursday, September 28, 2017 at 5:20 PM
From: “Samantha Collins” < [email protected]>
To: “Mark Collins” < [email protected]>
Subject: Re: Surprise Package

Samantha thought her email account had been hacked. Luckily, the family had yours truly, so I looked at the email headers. Headers carry the routing information (each Received: line is added as the message passes through a server) and often details of how the message was handled by the receiving server and any filtering in front of it, including the SPF, DKIM and DMARC results. Here Gmail had evaluated the message and recorded that the sender was a "permitted sender":

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 74.208.4.201 as permitted sender) smtp.mailfrom=[email protected]
Return-Path: [email protected]

On closer inspection the sending address was not the same address at all: notice @mail.com versus @gmail.com. The SPF pass is genuine, but all it says is that mail.com authorized the server at 74.208.4.201 to send for mail.com addresses; it says nothing about whether mail.com is the domain Mark expected. So how could the From line Mark read show @gmail.com while the headers show @mail.com? The attacker had edited the text of the message by hand after the first reply, so the sender shown in the quoted copy of the earlier message reads [email protected], and anyone skimming the thread takes that at face value. That quoted text is just part of the body, which the sender controls completely. The Return-Path and Authentication-Results headers, by contrast, were added by Google's receiving server and cannot be edited by the sender, so they, and the original messages in Mark's mailbox rather than the copies quoted in the reply, show the true source: @mail.com.
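The two checks described above, as an added example rather than code from the article: read the sender identity the receiving server recorded (Return-Path, smtp.mailfrom and the SPF result) out of a raw message, compare it with the From: header, and then compare both with the "From:" lines of the quoted thread in the body. The message it parses is constructed to mirror the case above; the mailbox names, IP-to-hostname mapping and Received: details are placeholders, not the real email.

```python
"""Added example: compare what the receiving server recorded about a sender
with the From: header and with the quoted thread in the body."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the article: really sent through mail.com
# (SPF passes for mail.com), but the quoted copy of the earlier message in
# the body has been edited to show the sender as @gmail.com.
RAW_MESSAGE = b"""\
Return-Path: <samantha.collins@mail.com>
Received: from mout.mail.com (mout.mail.com [74.208.4.201])
        by mx.google.com with ESMTPS id placeholder
        for <mark.collins@gmail.com>; Thu, 28 Sep 2017 17:20:03 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of samantha.collins@mail.com designates 74.208.4.201 as permitted sender) smtp.mailfrom=samantha.collins@mail.com
From: "Samantha Collins" <samantha.collins@mail.com>
To: "Mark Collins" <mark.collins@gmail.com>
Subject: Re: Surprise Package
Date: Thu, 28 Sep 2017 17:20:00 -0700
Content-Type: text/plain; charset=utf-8

Mom's card got declined, can you wire the money today? I'll pay you back.

On Thu, Sep 28, 2017 at 4:55 PM, Mark Collins <mark.collins@gmail.com> wrote:
> Sure, what do you need?
>
> From: "Samantha Collins" <samantha.collins@gmail.com>
> Sent: Thursday, September 28, 2017 at 4:40 PM
> To: "Mark Collins" <mark.collins@gmail.com>
> Subject: Surprise Package
>
> I'm getting Mom a surprise present, can you help?
"""

# 'From:' lines inside the body, whether prefixed with '>' or pasted in
# Outlook style with no prefix. Unlike the headers the receiving server
# added, these are plain text the sender can edit freely.
QUOTED_FROM = re.compile(r"^\s*(?:>\s*)*From:\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def recorded_sender(msg):
    """Sender identity as recorded by the receiving server, not by the sender.
    Return-Path and smtp.mailfrom come from the SMTP envelope; spf says whether
    the connecting IP was authorized to send for that envelope domain."""
    auth = " ".join(msg.get_all("ARC-Authentication-Results", [])
                    + msg.get_all("Authentication-Results", []))
    mailfrom = re.search(r"smtp\.mailfrom=\s*([^\s;]+)", auth)
    spf = re.search(r"\bspf=(\w+)", auth)
    return {
        "return_path": domain_of(parseaddr(str(msg.get("Return-Path", "")))[1]),
        "mailfrom": domain_of(mailfrom.group(1)) if mailfrom else "",
        "spf": spf.group(1) if spf else "none",
    }


def analyse(raw):
    """Parse a raw RFC 5322 message and return the domains seen plus findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    recorded = recorded_sender(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    quoted = [parseaddr(line) for line in QUOTED_FROM.findall(body)]

    findings = []
    # 1. The displayed From: header should agree with the envelope the server saw.
    for key in ("return_path", "mailfrom"):
        if recorded[key] and recorded[key] != from_domain:
            findings.append(f"From: says {from_domain} but {key} is {recorded[key]}")
    # 2. A quoted 'From:' line carrying the sender's own display name but a
    #    different domain is the edited-thread trick from the article.
    for q_name, q_addr in quoted:
        if q_name.lower() == from_name.lower() and domain_of(q_addr) != from_domain:
            findings.append(f"quoted thread shows {q_name} as {domain_of(q_addr)} "
                            f"but this message is from {from_domain}")
    return {
        "from_domain": from_domain,
        "recorded": recorded,
        "quoted_domains": [domain_of(a) for _, a in quoted],
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse(RAW_MESSAGE)["findings"]:
        print("WARNING:", line)
```

On the sample, check 1 is clean (mail.com everywhere the server recorded it) and check 2 fires once, which is exactly the shape of the case above: SPF says nothing is wrong, and only the disagreement between the quoted thread and the message's own headers gives the edit away. Feed the same function a message whose From: header claims gmail.com while the envelope says mail.com and check 1 fires instead.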

A variation of this spoof cost another email user thousands of dollars, and it was not identified until after the money had been sent. A malicious user had gained access to an existing email conversation and used that chain to lend legitimacy to their own message. The spoofer sent the victim the banking details of an account they controlled, with the genuine email chain attached, from [email protected], when the victim was expecting an email from [email protected]. The victim did not check the domain name and wired the money to the spoofer's account.

When receiving email, check the sending address closely. If the name and domain do not match exactly what you expect, go back to the earlier messages in the thread (the originals in your mailbox, not the copies quoted in the reply) and compare the addresses, and confirm any request to send money or change payment details by phone or in person before acting on it. –Trevor Collins
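The "does this address match what I expect" check above, generalized into a small screening function as an added example (not code from the article): an incoming sender is compared against the addresses you already have on file, and a message that borrows a known display name or mailbox name but arrives from a different domain is flagged as a lookalike rather than trusted. The contact list and addresses are constructed placeholders.

```python
"""Added example: screen a sender against known correspondents and flag
addresses that reuse a trusted name or local part on a different domain."""
from difflib import SequenceMatcher

# Constructed address book: display name -> the address you expect it from.
KNOWN_CONTACTS = {
    "Samantha Collins": "samantha.collins@gmail.com",
    "Mark Collins": "mark.collins@gmail.com",
}


def split_address(addr):
    """('local', 'domain') in lower case; ('', '') if there is no '@'."""
    local, sep, domain = addr.strip().lower().rpartition("@")
    return (local, domain) if sep else ("", "")


def domain_similarity(a, b):
    """0.0..1.0 similarity of two domains; 'mail.com' vs 'gmail.com' is ~0.94."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(display_name, addr, contacts=KNOWN_CONTACTS):
    """Return (verdict, expected_address, domain_similarity).

    'known'     the address exactly matches a contact on file
    'lookalike' the display name or the local part matches a contact but the
                address does not (a trusted name on an address you never saved)
    'unknown'   nothing on file resembles it
    """
    local, domain = split_address(addr)
    name = display_name.strip().lower()
    for known_addr in contacts.values():
        if (local, domain) == split_address(known_addr):
            return "known", known_addr, 1.0
    for known_name, known_addr in contacts.items():
        known_local, known_domain = split_address(known_addr)
        if name == known_name.lower() or (local and local == known_local):
            # The domain may differ by one character (mail.com vs gmail.com)
            # or by a look-alike spelling; either way it is not the contact.
            return "lookalike", known_addr, round(domain_similarity(domain, known_domain), 2)
    return "unknown", None, 0.0


if __name__ == "__main__":
    for who, addr in [("Samantha Collins", "samantha.collins@mail.com"),
                      ("Samantha Collins", "samantha.collins@gmail.com"),
                      ("Sam", "samantha.collins@grnail.com")]:
        print(who, addr, "->", classify_sender(who, addr))
```

The verdict deliberately ignores how close the domain is: a near-identical domain is the attack, not a reason for leniency, so the similarity score is returned only to help a reviewer see why the message looked convincing.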


Filed Under: Editorial Articles Tagged With: Hacking
