How many times, lately, have you seen an email from a friend of yours (or someone in your contacts) containing nothing but a single link (by the way, DO NOT CLICK IT!!!!) or some weird comment? Mail like "... hey dude, check out this site, I made some pretty good money there" or "... I just got back from a date with ____, tell me what you think".
If you are a gamer (World of Warcraft, for example) you have probably seen the many emails claiming your account has been compromised, that you were caught selling your account, and a ton of other mail that simply does not apply to you. What happened? They ALMOST sound real.
Lately they have gotten so REAL that you would SWEAR they are from who they say they are. So how do you tell if it is really them, or a spoof? Well, as the old saying goes:
An ounce of prevention is worth a pound of cure
Nothing said was ever truer.
OK – FIRST STEP
When in doubt – CHECK!
Here is how you do this. I will use Yahoo, as it is the most popular. If you need help with other email programs, post here and I will put up a tutorial.
Here is a LIVE copy of an email I received (all the links in it work, SO DO NOT CLICK THEM!!!!). The message is reproduced in full below so there is no confusion, so don't be stupid!
[Note: everything that says “fake” or “my_email” is something I changed to anonymize this example. Someone’s real email address and real company domains were used in the original.]
Battle.net Account Locked – Action Required
Due to suspicious activity, your Battle.net account has been locked. You tried to login your account too many times (403). We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:
Step 1: Secure Your Computer
In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.
Step 2: Secure Your E-mail Account
After you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.
Step 3: Restore access to Your account
We now provide a secure link for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account:
If you still have questions or concerns after following the steps above, feel free to contact Customer Support at http://us.blizzard.com/support/article.xml?locale=en_US&articleId=20606.
OK, if you look, all the links SEEM legit. The Battle.net link looks good, and the links at the bottom look good too. BUT, and some of you savvy people have already caught this, the "HTTP" IS WRONG. Most companies that link you to an account page use httpS: the "s" at the end means the connection is encrypted and the server has to prove its identity (we are dealing with accounts, right?). Keep in mind this is only a weak hint, though: a plain http link to an account page is a reason for suspicion, but an https link proves nothing by itself, since phishers can get certificates for their own domains too. Also hover over the link before you judge it; the text you see and the address it really points to need not match.
But maybe this is a landing page that will send you on into a protected site, so how can we be sure? (Note: in this case all you have to do is log into your game account the way you normally do, typing the address yourself rather than using the link in the mail, and see that it is OK.)
This next step applies to EVERYONE, so adjust for your situation. What we do next will seem a little scary, but it will tell you whether it is real or not.
At the top of your message there is a button called "ACTIONS". Click that, a drop-down menu will appear, and select: View full headers. A popup window will appear with what looks like garbage:
You are only interested in the top part:
From firstname.lastname@example.org Sun Apr 24 09:24:37 2011
X-Apparently-To: my_email via 126.96.36.199; Sun, 24 Apr 2011 02:24:37 -0700
Return-Path: <email@example.com> <-- usually this is where fakes slip up, but whoever did this one knows what they are doing: it is in the correct format and matches the From address
Received-SPF: fail (mta1005.mail.sk1.yahoo.com: domain of firstname.lastname@example.org does not designate 188.8.131.52 as permitted sender)
What you want to look at first is the RETURN-PATH: in fake emails this address is almost ALWAYS different from what is shown as your "From" address. In this one it is not, so that part looks good. But look at the line I highlighted, Received-SPF: it FAILED. A domain publishes (through SPF) the list of IP addresses that are allowed to send mail on its behalf, and Yahoo's receiving server checked the IP that actually connected to hand over this message against that list. The address in the From line is a real, legitimate mailbox with its own sending servers, but the IP this message came from is not one of them. That is the tell. This is an example of a very, very, very good spoof: if you did not watch closely you would click it. One caution: only trust the Received-SPF and Authentication-Results lines at the very top of the headers, the ones your own provider added; anything lower down was written by whoever handed the message on, and a spoofer can include fake ones.
The good news is that Firefox and Chrome catch this one anyway, and the site is actually blocked (at least as of this writing; browser block lists lag behind new phishing domains, so do not rely on them to save you).
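The Return-Path and Received-SPF checks described above, as an added example that is not part of the original post: it parses a raw header block with Python's standard email module, compares the From domain with the Return-Path domain, reads the result and the connecting IP out of the Received-SPF line, and returns the findings. The three sample header blocks are constructed here from the anonymised lines quoted above (the first one keeps the From and Return-Path in the same domain, as the post says the real message did); they are not the original raw messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the first header block quoted in the post:
# From and Return-Path agree, but Yahoo's SPF check failed for the IP that
# actually delivered the message.
SPOOF_HEADERS = """\
Return-Path: <firstname.lastname@example.org>
Received-SPF: fail (mta1005.mail.sk1.yahoo.com: domain of firstname.lastname@example.org does not designate 188.8.131.52 as permitted sender)
From: "Battle.net" <firstname.lastname@example.org>
To: my_email@example.net
Subject: Battle.net Account Locked - Action Required

(body omitted)
"""

# Constructed control case: same addresses, SPF pass from a permitted server.
GOOD_HEADERS = """\
Return-Path: <firstname.lastname@example.org>
Received-SPF: pass (mta1140.mail.sk1.yahoo.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender)
From: "Battle.net" <firstname.lastname@example.org>
To: my_email@example.net
Subject: Account notice

(body omitted)
"""

# Constructed case for the more common sloppy fake: SPF passes for the
# bounce domain the spammer controls, but that domain is not the From domain.
MISMATCH_HEADERS = """\
Return-Path: <bounce-1234@mailer.example.net>
Received-SPF: pass (mta1140.mail.sk1.yahoo.com: domain of bounce-1234@mailer.example.net designates 220.127.116.11 as permitted sender)
From: "Jane Doe" <jane@example.org>
To: my_email@example.net
Subject: check this out

(body omitted)
"""

RESULT_RE = re.compile(r"^\s*(pass|fail|softfail|neutral|none|permerror|temperror)\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _domain(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(" ".join(str(header_value or "").split()))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the From/Return-Path alignment and SPF verdict for one message."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    # Only the topmost Received-SPF (added by our own receiving MTA) is trusted;
    # msg.get returns the first occurrence, which is the topmost one.
    spf_header = " ".join((msg.get("Received-SPF") or "").split())
    m = RESULT_RE.match(spf_header)
    spf = m.group(1).lower() if m else "missing"
    ip = IPV4_RE.search(spf_header)
    spf_ip = ip.group(1) if ip else None

    findings = []
    if not return_path_domain:
        findings.append("no Return-Path header")
    elif return_path_domain != from_domain:
        findings.append("Return-Path domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if spf in ("fail", "softfail"):
        findings.append("SPF %s: %s is not a permitted sender for %s"
                        % (spf, spf_ip, from_domain))
    elif spf in ("missing", "none", "neutral", "permerror", "temperror"):
        findings.append("SPF %s: sender could not be verified" % spf)

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf,
        "spf_ip": spf_ip,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_HEADERS), ("good", GOOD_HEADERS), ("mismatch", MISMATCH_HEADERS)):
        print(name, triage(raw))
```

A differing Return-Path is not proof on its own: mailing lists and bulk-mail providers legitimately use their own bounce domain, which is why the post treats it as the first thing to look at rather than the last word, and why the SPF result on the top line carries more weight.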
But what if everything looks good, is it still possibly fake? Possibly. Below is another real example (one you may encounter). This one had me stumped until I did a little digging. Note: due to a lack of information on my friend's part and of knowledge about spammers and spoofers, we have sadly become enemies. When I tried to tell her what happened, she insisted I infected her system because she "has someone" working for her who says so, and also, since it was I who pointed it out (logic would dictate otherwise, as a simple deduction would be: why would I infect myself?) and none of her other "victims" did, it must have been me. Anyway, here is what we have.
From Jane Doe Thu Jun 2 02:39:43 2011
X-Apparently-To: my_email via 220.127.116.11; Thu, 02 Jun 2011 02:40:25 -0700
Received-SPF: pass (mta1140.mail.sk1.yahoo.com: domain of firstname.lastname@example.org designates 18.104.22.168 as permitted sender)
So far that looks correct: SPF passes, so the message reached Yahoo from a server that is allowed to send mail for her domain. It would seem, then, that someone at her computer (or with access to her email account) sent out the mail. The IP is in the USA. So to a beginner PC consultant, the first instinct is that someone logged on under her name and sent the email to all her contacts.
However, looking further down the header, we find this:
Authentication-Results: mta1140.mail.sk1.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO ims-d12.mx.aol.com) (22.214.171.124)
by mta1140.mail.sk1.yahoo.com with SMTP; Thu, 02 Jun 2011 02:40:25 -0700
Received: from oms-db02.r1000.mx.aol.com (oms-db02.r1000.mx.aol.com [126.96.36.199])
The highlighted IP address, 127.0.0.1, belongs to no one on the public internet: it is the loopback address, the machine talking to itself. That looks alarming at first, but in this position it simply means AOL's own relay (ims-d12.mx.aol.com, the real address is in the parentheses beside it) handed the message to itself locally before passing it on to Yahoo. That hop was written by AOL, not by the sender, so by itself it proves nothing either way.
What the rest of these lines do tell us is that the message was not injected from some random machine in limbo: it came to Yahoo from AOL's servers and carries a DKIM signature that AOL's mail system applied (dkim=pass for mx.aol.com). That rules out a simple header-only spoof of her address from outside. Farther down we will see how it actually got into AOL.
Farther down it gets more interesting:
From:Jane Doe <email@example.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailer: AOL Webmail 33708-PHONE
Received: from 188.8.131.52 by webmail-m145.sysops.aol.com (184.108.40.206) with HTTP (WebMailUI); Thu, 02 Jun 2011 05:39:43 -0400
A couple of things to note that show this did not come from her computer at home. The X-Mailer tells us HOW it was sent, and as you can see it was done through AOL Webmail from a CELLPHONE. The Received line directly below it is the one that records the actual submission ("with HTTP (WebMailUI)" is AOL's webmail interface). Its first IP, the 201.x.x.x address, is the client that logged into AOL webmail and composed the message, and that address geolocates to Venezuela.
The second IP, the 149 address, is the AOL webmail server itself (webmail-m145.sysops.aol.com), so it is a USA address, but it is AOL's, not a spoofed home address. I know her real home IP from the "GOOD" emails she sent me, and it is neither of these. Put together: someone who had her AOL username and password logged into her webmail from a phone in Venezuela and mailed her whole contact list. That is an account compromise, not a spoof of her address, and the fix is to change the password (from a clean machine), check the account for forwarding rules and recovery addresses she did not set, and only then warn her contacts.
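Walking the Received chain and the Authentication-Results line, as in the second example above, as an added example that is not part of the original post. It reads the Received headers oldest-first (the topmost one in a message is the most recent hop), pulls out the client IP, the receiving server and the protocol of the earliest hop, skips loopback addresses the way the 127.0.0.1 hop above should be skipped, and combines that with the DKIM verdict. The two header blocks are constructed here from the anonymised lines quoted above, with the truncated internal AOL hop completed by hand so the chain parses; the contrast case of a plain unsigned SMTP delivery is also constructed, not taken from the post.

```python
import re
from email import message_from_string

# Constructed sample modelled on the second header block quoted in the post:
# AOL signed it (dkim=pass) and the oldest hop is a webmail login over HTTP
# from the client IP, i.e. a submission with the account's credentials.
WEBMAIL_HEADERS = """\
Authentication-Results: mta1140.mail.sk1.yahoo.com from=aol.com; domainkeys=neutral (no sig); from=mx.aol.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO ims-d12.mx.aol.com) (22.214.171.124)
  by mta1140.mail.sk1.yahoo.com with SMTP; Thu, 02 Jun 2011 02:40:25 -0700
Received: from oms-db02.r1000.mx.aol.com (oms-db02.r1000.mx.aol.com [126.96.36.199])
  by ims-d12.mx.aol.com (AOL Mail) with ESMTP; Thu, 02 Jun 2011 05:39:43 -0400
Received: from 188.8.131.52 by webmail-m145.sysops.aol.com (184.108.40.206) with HTTP (WebMailUI); Thu, 02 Jun 2011 05:39:43 -0400
From: Jane Doe <email@example.com>
X-Mailer: AOL Webmail 33708-PHONE
Content-Type: text/plain; charset="us-ascii"; format=flowed

(body omitted)
"""

# Constructed contrast case: a header-only forgery delivered by one direct
# SMTP connection from a host the From domain never authorised; nothing signed it.
FORGED_HEADERS = """\
Authentication-Results: mta1005.mail.sk1.yahoo.com from=example.org; domainkeys=neutral (no sig); dkim=none
Received: from unknown (HELO mail.example.org) (188.8.131.52)
  by mta1005.mail.sk1.yahoo.com with SMTP; Sun, 24 Apr 2011 02:24:37 -0700
From: "Battle.net" <firstname.lastname@example.org>
X-Mailer: Microsoft Outlook Express 6.0

(body omitted)
"""

HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)(?P<src_info>(?:\s+\([^)]*\))*)\s+by\s+(?P<dst>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?",
    re.I,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DKIM_RE = re.compile(r"\bdkim=(\w+)", re.I)


def _unfold(value):
    """Join a folded header value back onto one line."""
    return " ".join(str(value).split())


def parse_hops(msg):
    """Received headers oldest first, with the first non-loopback IP of each hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(_unfold(raw))
        if not m:
            continue
        ips = [ip for ip in IPV4_RE.findall(m["src"] + m["src_info"]) if not ip.startswith("127.")]
        hops.append({"src": m["src"], "src_ip": ips[0] if ips else None,
                     "dst": m["dst"], "proto": (m["proto"] or "").upper()})
    return hops


def trace_origin(raw_message):
    """Where did this message enter the mail system, and did a provider sign it?"""
    msg = message_from_string(raw_message)
    hops = parse_hops(msg)
    first = hops[0] if hops else {}
    dk = DKIM_RE.search(_unfold(msg.get("Authentication-Results", "")))
    dkim = dk.group(1).lower() if dk else "missing"
    result = {
        "hops": len(hops),
        "client_ip": first.get("src_ip"),
        "submission_server": first.get("dst"),
        "submission_protocol": first.get("proto"),
        "last_hop_ip": hops[-1]["src_ip"] if hops else None,
        "dkim": dkim,
        "x_mailer": _unfold(msg.get("X-Mailer", "")) or None,
    }
    # A webmail (HTTP) submission that the provider then signed means someone
    # logged in with the account's credentials: account compromise, not forgery.
    if first.get("proto") == "HTTP" and dkim == "pass":
        result["likely_account_compromise"] = True
        result["verdict"] = ("submitted through the provider's webmail from %s and signed by the provider: "
                             "the account's credentials were used" % result["client_ip"])
    elif dkim == "pass":
        result["likely_account_compromise"] = False
        result["verdict"] = "signed by a provider; check that the signing domain matches the From domain"
    else:
        result["likely_account_compromise"] = False
        result["verdict"] = ("unsigned mail handed to us directly from %s: "
                             "treat the From address as unverified" % result["client_ip"])
    return result


if __name__ == "__main__":
    for name, raw in (("webmail", WEBMAIL_HEADERS), ("forged", FORGED_HEADERS)):
        print(name, trace_origin(raw))
```

The only hop you can fully trust is the top one, written by your own provider; every hop below it was written by the previous server, and a forger can prepend invented Received lines. That is why the verdict here leans on the DKIM result and on which server did the signing, not on the lowest Received line alone.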
So how did this get started? I am not sure of the originating issue, since it is outside the USA. My guess is that the last email she sent me asked if I could put an ad on Craigslist for her, which I did. After that I forwarded whatever I got to her, since she did not have an account. I also put her email in the "body" of the ad so people would email her and not me, since she is the one making the offer.
As you can see, it is imperative that you DO NOT CLICK LINKS in your email. If it is from someone you know, take the extra step of emailing them back and saying "... hey dude!! did you just send me a link to go somewhere?" EVEN IF THEY SAID THEY DID IN THE FIRST EMAIL, ask again. Send that as a new message to the address you already have for them (or phone them), not by hitting Reply, since the Reply-To in a fake can point wherever the sender wants. If they reply and say yes, you are good; if not, delete the email.
Now this is super advanced stuff, and it is what I do to help those who think someone "hacked" their system, when in fact what more likely happened is that they visited a site, or clicked a misrepresented link in their email, and poof! Their address is being spoofed (or, as in the second example, their account is being used by someone else).
In my next blog I will show just how this is done. Yes, I know some moron will probably do it, but it is needed in order to understand how it works and why. The bad news is that it is virtually impossible to catch anyone doing it; that is why it is wildly rampant and many people are using it to sell products. While most people will not click links in their emails regardless of where they came from,
some idiot will, and that idiot just paid them a small commission. Don't be that idiot!