validity of e-mail addresses and fraud

Zapata

I received [what is in all probability a criminal e-mail] purporting to come from a major high street bank seeking my bank account details, which I obviously did not provide. What I found interesting is that on my e-mail Yahoo account the sender appeared to be an accurate e-mail address for the real bank. Really I do not want to do criminals' work for them, so do not go into exact detail how it can be done but rather give the general way of doing it, but is it possible to fake an e-mail address and if so how, e.g. would the criminals need hackers to get into the real bank's mail system and hijack it to send the e-mail or for example a current dishonest employee of the bank could send the e-mail or [and this is an issue I would be particularly interested in, because if it is basically not possible to independently fake an e-mail address then they probably had to go through the bank's e-mail system (by hacking or a dishonest employee) and if it is possible to independently fake an e-mail address it means one would never know if one gets an e-mail it is actually from the (legitimate) address one thinks it is from rather than an impostor] is it possible to just independently fake an e-mail address?

NB since the request was not to reply back to the e-mail address but to a website, such an e-mail address does not have to be able to receive back e-mails in respect of those engaging in such a scam just provide a "legitimate" sender e-mail address.

Best and Warm Regards
Zapata
 
Easy. You can make the From: address be anything you want in your mail client. There's no sort of authentication that happens to prove that you are who you say you are, so you can call yourself anything you like.

If you're a professional scammer/phisher, your mass-mailing software probably has a great deal of support for such things.

For the most part you need to look at the raw headers and look at the paths the email took to get to you, where those machines are, and even then the emails were probably routed through compromised zombie machines.
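As an added illustration of reading the raw headers (not part of the original post), this sketch lists the `Received` hops oldest first and compares the displayed `From:` domain with the `Return-Path` and the first hop. The sample message, host names and function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <claimed name> (... [<ip>]) by <receiving server>"; the name is whatever
# the sender claimed, the bracketed IP is what the receiving server recorded.
HOP = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?by\s+(\S+)", re.S)

# Constructed sample message (all hosts and addresses are made up).
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.invalid>
Received: from mx1.mailprovider.example (mx1.mailprovider.example [198.51.100.20])
 by inbox.mailprovider.example with ESMTP; Mon, 1 Jan 2007 10:00:05 +0000
Received: from dsl-host (unknown [203.0.113.7])
 by mx1.mailprovider.example with SMTP; Mon, 1 Jan 2007 10:00:01 +0000
From: "Bank Security" <security@bank.example>
To: customer@mailprovider.example
Subject: Please confirm your details

Please confirm your account details.
"""

def domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def delivery_path(raw):
    """Hops oldest first as (claimed_name, connecting_ip, receiving_server)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(m.groups())
    return hops

def review(raw):
    """Compare the displayed From: domain with what the headers record."""
    msg = message_from_string(raw)
    frm, rp = domain(msg["From"]), domain(msg["Return-Path"])
    hops = delivery_path(raw)
    name = hops[0][0].lower() if hops else ""
    return {
        "from_domain": frm,
        "return_path_domain": rp,
        "return_path_matches_from": frm == rp,
        "first_hop": hops[0] if hops else None,
        "first_hop_in_from_domain": name == frm or name.endswith("." + frm),
    }
```

Only the `Received` line added by your own mail provider is recorded by a machine you can trust; everything below it was supplied by the sending side, so a mismatch is a hint to look closer rather than proof.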
 
So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer
 
Standard SMTP email has no authentication on the sender's address, as he stated. Systems like Microsoft Exchange do verification of sender as your Exchange account is part of your Active Directory account. You can't send as another person in that type of environment without permissions given by a network admin.

What's worse is that because they are HTML emails, they create a link which has href of their own front-end to capture your details whilst the text of the href link is a http address of the real bank's frontend. Most users don't check the actual link (not that banks will send these kinds of emails anyway....)
 
What's worse is that because they are HTML emails, they create a link which has href of their own front-end to capture your details whilst the text of the href link is a http address of the real bank's frontend. Most users don't check the actual link (not that banks will send these kinds of emails anyway....)

That's exactly what these guys did in the e-mail, it was appearing as the bank's http in the e-mail text but it was actually linking to a totally different web address.

Thanx Appreciated
Zapata
 
So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer

That's correct. You can only tell by looking at the paths.

However, it's also a giveaway because your bank will tell you that they will never write to you and ask you for your details, and that you should always access your account by going directly to their site via the URL, not by clicking on a link in an email.

If you're referring to phishing scams where fake links are left in HTML emails, then there are some measures being taken in newer browsers (such as Firefox and IE7) to implement anti-phishing technologies, and some of the newer virus scanners with web protection can deal with this sort of issue.

It's the open nature of email communication and delivery, along with the multimedia aspects of HTML email that allow this sort of thing to be possible.
 
So if I have got you right Bouncing Zabaglione Bros., it is perfectly easy for a malicious / criminal individual to make it look as if the e-mail has originated from a trusted and legitimate e-mail address by the malicious / criminal individual merely knowing the full text of the e-mail address they wish to impersonate and there is no need to gain authority e.g. by hacking to use the legitimate e-mail address.

Best regards
Adrian Wainer



As a little anecdote I've even gotten spam that supposedly originated from the email address I received it at!
 
Standard SMTP email has no authentication on the sender's address
This is totally true & utterly ridiculous.
SMTP desperately needs a mandatory update where the sender/reply to address must be okayed by the domain host before an email can be sent.

A vast amount of phishing/spam could be busted by that.
 
If you have your own SMTP server, you can spoof whatever you want.

You don't even need your own SMTP server -- any SMTP server that you can gain access to is fine. I use a tool called BMAIL to bounce things off my company's internal SMTP server to myself for automation purposes, even though I don't actually have security access to or an account on that SMTP box.
 
I received [ what is in all probability a criminal e-mail ] purporting to come from a major high street bank seeking my bank account details, which I obviously did not provide.

It's called phishing, and I'm surprised you're surprised. It's not very new at this point. Tho many times they are painfully obvious (errr, I don't even *have* an account at that bank!), the law of averages says they eventually hit some people who do and might be fooled.
 
I just 'view source' where you can see the spoof and the real site.

got some from 'paypal' that were actually from a mexico 'zombie' site (i think).

sent the info to real paypal. never heard about it again. now i just ignore unsolicited emails. pretty easy to recognize. (the ones i get).
 