Thursday, August 11, 2005

Forging Email Headers


In a previous post, I described some methods for detecting and fighting phishers. A phisher, if you're unfamiliar with the term, is a crook who sends spam messages purporting to be from a reputable financial institution or company. The message exhorts the recipient (I mean, victim) to log on to the web site to update their personal information, check their account, or otherwise provide a user name and password. However, the site the email points to is bogus (a "false storefront"), and any information you enter is sent to the crook, who can then use it for his own malicious purposes.

In any event, here's the from-address and subject of the latest phishing email I received:

From: Paypal Security
Subject: New Security Requirements

Note the ploy: the mail implies that PayPal has instituted some new security requirements for account-holders... and now I'll probably be required to log on and update my account. If you've been following along, this should raise more suspicion than your teenage daughter asking for the car keys at two in the morning. The hair should be standing up on the back of your neck.

Using the "show original message" or the "view headers" option, let's take a look at the actual email headers:

Received: from ti500710a080-5794.bb.online.no ([85.167.150.162])
by worldnet.att.net (mtiwmxc17) with SMTP
id <20050806123026017008lj1oe>; Sat, 6 Aug 2005 12:30:28 +0000
X-Originating-IP: [85.167.150.162]
Received: from web13.nix.paypal.com (web53.nix.paypal.com [10.192.2.49]) by smtp-outbound.nix.paypal.com (Postfix) with SMTP id 387NB1CC614 for ; Sat, 06 Aug 2005 05:26:53 -0800
Received: (qmail 77110 invoked by uid 54); Sat, 06 Aug 2005 05:26:53 -0800
Message-ID: 0473723941.59830@paypal.com
From: "Paypal Security"
Reply-To: "Paypal Security"
Subject: New Security Requirements
X-Email-Type-Id: PP%RND_DIGI%RND_DIGI%RND_DIGI
Date: Sat, 06 Aug 2005 05:26:53 -0800
X-MaxCode-Template: email-transaction-counterparty
X-XPT-XSL-Name: /en_US/transaction/seller/TransactionCounterparty.xsl
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--56153267030793470423"


This is a pretty good scam message. Note the header fields "Received" and "Message-ID" (bolded in the original post). The lower Received lines and the Message-ID have been forged to resemble a real PayPal message, complete with paypal.com host names. It almost looks legit.

But note the topmost Received line (highlighted in red in the original post). That line was written by our own email server (in this case, the att.net server), and it says the server actually got the email from a *.online.no host. That just doesn't smell right. Why would we get an email from PayPal routed through Norway?

Furthermore, as we look down the source of the email, the hyperlink directing us to authenticate (login) looks like this:

http://paypal.serv04.com/cgi-bin/webscr.html?cmd=3D_login-run


Note the domain name: serv04.com. The "paypal" part is just a sub-domain the sender chose; you can ignore it. The registered domain, serv04.com, is all that counts. And it doesn't look like anything you want to visit in the near future.
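Here is the same two-part check done in code: read the topmost Received line (the only one our own server wrote) and compare the host it names against the domain the From address claims, then pull every link out of the body and compare its registered domain the same way. This is an added example, not code from the original post. The sample message is adapted from the headers and link quoted above; the From address is a constructed stand-in, since the post shows only the display name, and the body is declared quoted-printable, which is why the link carries "=3D" in the raw source. The registered-domain helper is a deliberate simplification (last two labels) that ignores suffixes such as co.uk.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, adapted from the headers and link quoted in the post.
# The From address is a constructed stand-in; the body is quoted-printable,
# which is what turns "cmd=_login-run" into "cmd=3D_login-run" on the wire.
SAMPLE = """\
Received: from ti500710a080-5794.bb.online.no ([85.167.150.162])
 by worldnet.att.net (mtiwmxc17) with SMTP
 id <20050806123026017008lj1oe>; Sat, 6 Aug 2005 12:30:28 +0000
X-Originating-IP: [85.167.150.162]
Received: from web13.nix.paypal.com (web53.nix.paypal.com [10.192.2.49]) by smtp-outbound.nix.paypal.com (Postfix) with SMTP id 387NB1CC614 for ; Sat, 06 Aug 2005 05:26:53 -0800
Received: (qmail 77110 invoked by uid 54); Sat, 06 Aug 2005 05:26:53 -0800
Message-ID: <0473723941.59830@paypal.com>
From: "Paypal Security" <security@paypal.com>
Subject: New Security Requirements
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Please log in to review the new requirements:
http://paypal.serv04.com/cgi-bin/webscr.html?cmd=3D_login-run
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FROM_HOST_RE = re.compile(r"^from\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname ("paypal.serv04.com" -> "serv04.com").
    Crude on purpose: it ignores multi-label suffixes such as co.uk; a real
    checker would consult the public suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def received_hosts(msg):
    """The 'from' hostname of each Received header, top to bottom.
    The top one was written by our own server and is the only one we can
    trust; everything below it arrived with the message and can be forged."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = FROM_HOST_RE.match(value.strip())
        hosts.append(m.group(1) if m else None)
    return hosts


def analyze(raw):
    """Compare the claimed sender domain against the trusted last hop and
    against every link in the body."""
    msg = message_from_string(raw)
    claimed = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    hops = received_hosts(msg)
    last_hop = hops[0] or ""              # written by the receiving MTA
    # decode=True undoes the quoted-printable transfer encoding, so the
    # "=3D" in the raw source becomes a plain "=" before we look for links.
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    link_hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
    return {
        "claimed_domain": claimed,
        "hops": hops,
        "last_hop": last_hop,
        "last_hop_domain": registrable_domain(last_hop),
        "hop_mismatch": registrable_domain(last_hop) != claimed,
        "link_hosts": link_hosts,
        "link_domains": [registrable_domain(h) for h in link_hosts],
        "foreign_links": [h for h in link_hosts
                          if registrable_domain(h) != claimed],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:16} {value}")
```

Running it on the sample flags both things the post points out: the trusted hop resolves to online.no while the From claims paypal.com, and the only link in the body belongs to serv04.com. Neither check proves a message is phishing on its own (legitimate mail is sometimes relayed through a third party, and newsletters often link to other domains), but a message that fails both, as this one does, has earned the suspicion the post describes.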

Bottom line: don't ever log in at the behest of an email. Visit the site by typing in the URL yourself.
