Old 18-Sep-2006, 14:46   #1
Zapata
Junior Member
 
Join Date: Aug 2006
Posts: 48
Default validity of e-mail addresses and fraud

I received [ what is in all probability a criminal e-mail ] purporting to come from a major high street bank seeking my bank account details, which I obviously did not provide. What I found interesting is that on my e-mail Yahoo account the sender appeared to be an accurate e-mail address for the real bank. Really I do not want to do criminals' work for them, so do not go into exact detail how it can be done but rather give the general way of doing it, but is it possible to fake an e-mail address and if so how, e.g. would the criminals need hackers to get into the real bank's mail system and hijack it to send the e-mail or for example a current dishonest employee of the bank could send the e-mail or [and this is an issue I would be particularly interested in, because if it is basically not possible to independently fake an e-mail address then they probably had to go through the Bank's e-mail system ( by hacking or a dishonest employee ) and if it is possible to independently fake an e-mail address it means one would never know if one gets an e-mail it is actually from the ( legitimate ) address one thinks it is from rather than an impostor ] is it possible to just independently fake an e-mail address?

NB since the request was not to reply back to the e-mail address but to a website, such an e-mail address does not have to be able to receive back e-mails in respect of those engaging in such a scam just provide a "legitimate" sender e-mail address.

Best and Warm Regards
Zapata
Zapata is offline   Reply With Quote
Old 18-Sep-2006, 15:07   #2
Bouncing Zabaglione Bros.
Regular
 
Join Date: Jun 2003
Posts: 6,160
Default

Easy. You can make the From: address be anything you want in your mail client. There's no sort of authentication that happens to prove that you are who you say you are, so you can call yourself anything you like.

If you're a professional scammer/phisher, your mass-mailing software probably has a great deal of support for such things.

For the most part you need to look at the raw headers and look at the paths the email took to get to you, where those machines are, and even then the emails were probably routed through compromised zombie machines.
Bouncing Zabaglione Bros. is offline   Reply With Quote
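
Added example, not part of the thread: a Python sketch of the "look at the raw headers and the path" check described in the post above. The message, host names and addresses are constructed for illustration, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, host and IP here is invented
# (example.* domains and documentation address ranges).
RAW = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [192.0.2.10])
\tby inbox.mailprovider.example with ESMTP id A1; Mon, 18 Sep 2006 14:40:02 +0100
Received: from dsl-host-77.isp.example (dsl-host-77.isp.example [198.51.100.77])
\tby mx.mailprovider.example with SMTP id B2; Mon, 18 Sep 2006 14:40:01 +0100
From: "Big Bank" <security@bigbank.example>
To: customer@mailprovider.example
Subject: Please confirm your account details

Dear customer ...
"""

# "from <name the sender claimed> (<optional rDNS name> [<IP the receiver saw>])"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)")

def received_path(raw):
    """Return [(claimed_name, ip), ...] ordered from first hop to last."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1).lower(), m.group(2)))
    return hops[::-1]  # each server prepends its line, so reverse for time order

def from_domain(raw):
    """Domain part of the From: header, which the sender chooses freely."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def path_mentions_from_domain(raw):
    """True if any hop name is the From: domain or a host under it.
    False is a warning sign; True proves nothing, because hop names are
    claimed by the sender and Received lines added before your own
    provider's servers can be forged."""
    dom = from_domain(raw)
    return any(h == dom or h.endswith("." + dom) for h, _ in received_path(raw))
```

On the constructed message the From: header names the bank, while the first hop is a DSL host at an unrelated ISP.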
Old 18-Sep-2006, 16:05   #3
Zapata
Junior Member
 
Join Date: Aug 2006
Posts: 48
Default

So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer

Last edited by Zapata; 18-Sep-2006 at 16:11.
Zapata is offline   Reply With Quote
Old 18-Sep-2006, 16:15   #4
Malo
Oz Yak
 
Join Date: Feb 2002
Location: US of A
Posts: 2,512
Default

Standard SMTP email has no authentication on the sender's address, as he stated. Systems like Microsoft Exchange do verification of sender as your Exchange account is part of your Active Directory account. You can't send as another person in that type of environment without permissions given by a network admin.

What's worse is that because they are HTML emails, they create a link which has href of their own front-end to capture your details whilst the text of the href link is an http address of the real bank's frontend. Most users don't check the actual link (not that banks will send these kinds of emails anyway....)
Malo is offline   Reply With Quote
Old 18-Sep-2006, 16:39   #5
Zapata
Junior Member
 
Join Date: Aug 2006
Posts: 48
Default

Quote:
Originally Posted by Kalbaz View Post
What's worse is that because they are HTML emails, they create a link which has href of their own front-end to capture your details whilst the text of the href link is an http address of the real bank's frontend. Most users don't check the actual link (not that banks will send these kinds of emails anyway....)
That's exactly what these guys did in the e-mail: it was appearing as the bank's http in the e-mail text but it was actually linking to a totally different web address.

Thanx Appreciated
Zapata
Zapata is offline   Reply With Quote
Old 18-Sep-2006, 16:57   #6
Tim Murray
chaos dunk
 
Join Date: May 2003
Location: Mountain View, CA
Posts: 3,274
Default

If you have your own SMTP server, you can spoof whatever you want.
Tim Murray is offline   Reply With Quote
Old 18-Sep-2006, 16:59   #7
Bouncing Zabaglione Bros.
Regular
 
Join Date: Jun 2003
Posts: 6,160
Default

Quote:
Originally Posted by Zapata View Post
So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer
That's correct. You can only tell by looking at the paths.

However, it's also a giveaway because your bank will tell you that they will never write to you and ask you for your details, and that you should always access your account by going directly to their site via the URL, not by clicking on a link in an email.

If you're referring to phishing scams where fake links are left in HTML emails, then there are some measures being taken in newer browsers (such as Firefox and IE7) to implement anti-phishing technologies, and some of the newer virus scanners with web protection can deal with this sort of issue.

It's the open nature of email communication and delivery, along with the multimedia aspects of HTML email that allow this sort of thing to be possible.
Bouncing Zabaglione Bros. is offline   Reply With Quote
Old 18-Sep-2006, 18:07   #8
Killer-Kris
Member
 
Join Date: May 2003
Posts: 540
Default

Quote:
Originally Posted by Zapata View Post
So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer


As a little anecdote I've even gotten spam that supposedly originated from the email address I received it at!
Killer-Kris is offline   Reply With Quote
Old 20-Sep-2006, 03:56   #9
JacksBleedingEyes
Member
 
Join Date: Aug 2002
Posts: 275
Default

Quote:
Originally Posted by Killer-Kris View Post
As a little anecdote I've even gotten spam that supposedly originated from the email address I received it at!
Yeah, that's scary, especially since I am the kind of person who will email himself files or other pieces of info. Gmail does a pretty good job of filtering though.
JacksBleedingEyes is offline   Reply With Quote
Old 20-Sep-2006, 08:15   #10
hoom
Senior Member
 
Join Date: Sep 2003
Posts: 2,076
Default

Quote:
Standard SMTP email has no authentication on the sender's address
This is totally true & utterly ridiculous.
SMTP desperately needs a mandatory update where the sender/reply to address must be okayed by the domain host before an email can be sent.

A vast amount of phishing/spam could be busted by that.
__________________
But it's DOUBLE CONFIRMED
hoom is offline   Reply With Quote
Old 20-Sep-2006, 17:10   #11
Albuquerque
Red-headed step child
 
Join Date: Jun 2004
Location: Guess ;)
Posts: 3,084
Default

Quote:
Originally Posted by The Baron View Post
If you have your own SMTP server, you can spoof whatever you want.
You don't even need your own SMTP server -- any SMTP server that you can gain access to is fine. I use a tool called BMAIL to bounce things off my company's internal SMTP server to myself for automation purposes, even though I don't actually have security access to or an account on that SMTP box.
__________________
"...twisting my words"
Quote:
Originally Posted by _xxx_ 1/25 View Post
Get some supplies <...> Within the next couple of months, you'll need it.
Quote:
Originally Posted by _xxx_ 6/9 View Post
And riots are about to begin too.
Quote:
Originally Posted by _xxx_8/5 View Post
food shortages and huge price jumps I predicted recently are becoming very real now.
Quote:
Originally Posted by _xxx_ View Post
If it turns out I was wrong, I'll admit being stupid
Albuquerque is offline   Reply With Quote
Old 20-Sep-2006, 21:00   #12
Geo
Mostly Harmless
 
Join Date: Apr 2002
Location: Uffda-land
Posts: 9,156
Send a message via MSN to Geo
Default

Quote:
Originally Posted by Zapata View Post
I received [ what is in all probability a criminal e-mail ] purporting to come from a major high street bank seeking my bank account details, which I obviously did not provide.
It's called phishing, and I'm surprised you're surprised. It's not very new at this point. Tho many times they are painfully obvious (errr, I don't even *have* an account at that bank!), the law of averages says they eventually hit some people who do and might be fooled.
__________________
"We'll thrash them --absolutely thrash them."--Richard Huddy on Larrabee
"Our multi-decade old 3D graphics rendering architecture that's based on a rasterization approach is no longer scalable and suitable for the demands of the future." --Pat Gelsinger, Intel
". . .its taking us longer than we would have liked to get a [Crossfire game] profiling system out there" --Terry Makedon, ATI, July 2006
"Christ, this is Beyond3D; just get rid of any f**ker talking about patterned chihuahuas! Can the dog write GLSL? No. Then it can f**k off." --Da Boss
Geo is offline   Reply With Quote
Old 21-Sep-2006, 16:12   #13
Cartoon Corpse
Senior Member
 
Join Date: Apr 2004
Posts: 2,181
Default

I just 'view source' where you can see the spoof and the real site.

got some from 'paypal' that were actually from a mexico 'zombie' site (i think).

sent the info to real paypal. never heard about it again. now i just ignore unsolicited emails. pretty easy to recognize. (the ones i get).
__________________
De omnibus dubitandum --Rene Descartes
Cartoon Corpse is offline   Reply With Quote
