Friday, September 10, 2010

Detect Phishing Emails With These Online Apps

Email Phishing


While cleaning out my phishing email address, I came across several emails that were apparently from the FBI.

Screenshot. Email from the FBI.

While they all appear to be from the same user, robertmueller at fbi.gov, one of these emails actually came from someone on the Villanova campus. Apparently the sender forgot to modify one of the fields in their bulk email spamming software.



Anyway, I'm not supposed to reply directly to Robert, but instead to Paul Smith at paulsmith4@gala.net. I guess the sender wanted me to believe that Paul Smith didn't qualify for an account on the FBI network, so he had to use his home account at gala.net.

Screenshot. Another scam email using the FBI as the voice of authority.

We've all seen at least a few messages like this, regardless of whether the message claims to be from someone at the FBI, Western Union, UPS or eBay, and they all have pretty much the same format. Someone claiming to be from a large, well known company sends you an email from a web email account and requests that you send your personal information to yet another, different web email account. No matter which company it claims to be from, it all smells like phishing.

Avoid Being Hooked By A Phishing Scam. Check Your Email Headers


We looked at full email headers in the last post and determined that you probably won't be able to definitively identify who the sender is or where they are sending from. However, we can pretty much determine whether the message really is from who it claims to be from. In a phishing email, this can be pretty helpful.

In this case, looking at the headers and the IP addresses in them, I pretty much know that these emails are not from the FBI, even if they are identified as such. And while Robert Mueller may or may not be a real person and this may or may not be a valid email address, I think I can safely say that Robert didn't send this email out.

Screenshot. Scam Email Full Header


[see the post Identify Phishing and Spam Email Easily and Quickly and Phishing With Chase As the Lure]

Resources To Spot Email Phishing


I'm including some useful links here to peek at the particulars of the IP addresses embedded in the full header. Using these applications you can determine the geographic location of the mail servers that were exploited to get the message to you.

Yeah, most of these mail servers are victims, too. They are just doing their job getting messages to their final destination. The more circuitous the message route, the more servers need to be exploited in order to get the phishing message to the end user.

Ip-Whois-Lookup (http://ip-whois-lookup.com) is a clean, bare bones IP geolocator. Pull the IP address from your header, throw it in the search box, hit the lookup button and you are good to go. It provides you with a lot of registered information about the ISP, the hostname, country, region and city if available. That gives you a broad-brush idea of whether the email that you got should have anything to do with the servers on the list. Emails from the FBI should have no reason to use servers in Switzerland or France, for example.

Screenshot. IP Whois Lookup.

Project Honeypot (http://www.projecthoneypot.org) is a distributed system set up to capture and track rogue spammers, spam bots, and phishing email. Putting an IP address from a suspect email into their IP lookup box will reveal the type of server associated with that IP address and, if the system is a mail server, will give you a short history of the type of email it has sent. For example, the server tied to this IP address has sent suspect email out in the past. It's also listed as the source of dictionary attacks.


Screenshot. The Honeypot Project.


WhatIsMyIPAddress.com (http://whatismyipaddress.com) provides a series of comprehensive checks on an IP address. Not only does it give you the ability to find a geographic location for an IP address and to see if it is blacklisted:

Screenshot. What is my IP address site.


But you can also run a check on the full email header. It will pull out the important pieces of the header and provide you with a best guess, first order approximation of the location of the sender. Simply copy the full header and paste it into the text box, hit the “get source” button, and you are off to the races.

Screenshot. What is my IP address for email header analysis.


If you are looking at an email and you don't have a lot of time or patience to sort through all of the arcane looking information in the header, this could be the tool for you.
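Pulling the important pieces out of a full header yourself, as an added example that is not part of the original post and not any of the tools above: it extracts the Received: chain (so the last hop is the address to feed into the lookup sites) and flags the two tells described in this post, a Reply-To: in a different domain than From: and a delivery path that never touches the claimed sender's servers. The From: and Reply-To: addresses are the ones quoted in the post; the hosts and IP addresses are constructed from documentation ranges, not from a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the FBI lure in the post: From:/Reply-To: as quoted
# there, hosts and IPs made up from RFC 5737 documentation ranges, not a real message.
SAMPLE_HEADER = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by inbox.example.org with ESMTP id 42; Fri, 10 Sep 2010 09:12:01 -0400
Received: from webmail.example.com ([198.51.100.23])
    by mx.example.net with SMTP; Fri, 10 Sep 2010 09:11:58 -0400
Received: from unknown (HELO localhost) (192.0.2.45)
    by webmail.example.com with HTTP; Fri, 10 Sep 2010 09:11:50 -0400
From: "Robert Mueller" <robertmueller@fbi.gov>
Reply-To: paulsmith4@gala.net
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_ips(raw):
    """IPv4 addresses from the Received: chain, nearest hop first. Each relay
    prepends its own line, so the last Received: is the earliest visible hop."""
    msg = message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received", []):
        for ip in IPV4.findall(hop):
            if ip not in ips:  # a hop often names the same IP twice
                ips.append(ip)
    return ips

def origin_ip(raw):
    """Earliest visible hop: the address to put into a whois/geolocation lookup."""
    ips = received_ips(raw)
    return ips[-1] if ips else None

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def lure_indicators(raw):
    """Two tells from the post: Reply-To: in a different domain than From:, and a path
    that never touches the claimed sender's servers. Indicators only; hops can be forged."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom and not any(from_dom in h.lower() for h in msg.get_all("Received", [])):
        flags.append(f"no Received: hop mentions {from_dom}")
    return flags
```

Run `lure_indicators(SAMPLE_HEADER)` on the sample and both tells are reported; a legitimate message whose Received: chain passes through the From: domain's own servers and carries no foreign Reply-To: produces an empty list.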

Remember that although these apps will provide you with a location where the email originated, chances are that this location won't accurately reflect the actual location, since spammers and phishers can make some modifications and use proxy servers to mask where the email is really coming from.

However, it does tell us when emails don't originate from where they are supposed to. That is an indication that whoever is sending the email is not who they say they are, and a clear giveaway that private information should not be given away.

Stay safe. Watch your six.
