Spoofed Email Address Scam

The following is based on an actual case and shows you how scammers work. In this case not very successfully, but I will come to that in a moment.

Scam Plot

A message arrives in your inbox which appears to have come from your own account, so it is from you to you. That implies someone may have access to your email account, which is likely to generate a panic response, and that is exactly what they are hoping for. See below for an example.

For most of you, though, you will not see this message

Why? If your email is hosted with me, or with Outlook.com, then you will never see this message because of something called SPF (Sender Policy Framework). It is a list of the servers that are allowed to send email for your domain, published in your DNS settings. It is there so that any email system receiving a message which claims to come from your domain can check the sending server against that list and verify that the message actually came from one of your servers and not from somewhere else. It is a basic test; if it fails, the email is discarded. The check is carried out on the receiving server.

If you do not have an SPF policy set up, then you will see the message as intended by the sender.

What the Spammer/Scammer did

In this case there was a trail of evidence, because the message that actually arrived was a bounce-back message, together with the reply from the server it really came from.

It appears that the individual behind this took over a server at a Canadian hosting company, either using a special program or a script written for the purpose. The script probably had a list of target email addresses scraped from websites. It formatted the email, populated the sending address and the destination address with the same address, and then sent out 625 of them. We know it was 625 because the following happened.

  • The email is received by your mail server and some automated tests are carried out.
  • The email is rejected because it did not come from your sending server; there was no match against the SPF list, therefore it is a “spoofed email”.
  • A rejection message is sent back to the actual sending server. At this point no email has appeared in your inbox or in junk mail; this is all happening automatically.
  • The rejection arrives at the originating server, but there is no corresponding email account there, so that server replies with an error message back to your inbox.
  • Because it is an error message, you get the error message plus the original payload. This is called a bounce-back message; it is sent to warn you of problems with email.
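The SPF check described above, as an added example that is not part of the original post: a small evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms of an SPF record, run against a constructed DNS table. The domains, addresses and records (`example.org.uk`, `_spf.mailhost.example`, `192.0.2.55` and so on) are all made up for the example; the point is to see why a message "from you to you" that left a server not on your list gets a `fail` and is rejected before it ever reaches your inbox.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and addresses,
# not real records): each entry is the SPF record published for that domain.
FAKE_DNS_TXT = {
    "example.org.uk": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain, or None when it publishes none."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the sender's IP against the domain's SPF record.

    Only the ip4, ip6, include and all mechanisms are implemented, which is
    enough to show the decision the receiving server makes. Returns one of
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 limits include recursion; guard against loops
        return "permerror"
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"  # no policy published: nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the leading 'v=spf1'
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(sender_ip, argument, dns, depth + 1) == "pass"
        else:
            matched = False  # a, mx, exists and modifiers are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def receiving_server_decision(sender_ip, mail_from_domain, dns=FAKE_DNS_TXT):
    """Map the SPF result to what the receiving server does with the message."""
    result = check_spf(sender_ip, mail_from_domain, dns)
    if result == "pass":
        return "accept"
    if result == "fail":
        return "reject: spoofed sender, rejection goes back to the sending server"
    return "accept, but let the spam filter weigh it"


if __name__ == "__main__":
    # The case in the text: a message from you to you, but sent from a server
    # that is not on your domain's list (192.0.2.55 is a constructed address).
    print(check_spf("192.0.2.55", "example.org.uk"))      # fail
    print(receiving_server_decision("192.0.2.55", "example.org.uk"))
    print(check_spf("203.0.113.10", "example.org.uk"))    # pass
    print(check_spf("198.51.100.77", "example.org.uk"))   # pass, via include
```

The `-all` at the end of each constructed record is what turns "not on the list" into a hard `fail`; a domain publishing `~all` instead would only get a `softfail`, which most receivers accept and hand to the spam filter rather than rejecting outright, and a domain with no record at all gets `none`, which is why the text says you will see the message if you have no SPF policy set up.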

The bounceback message

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  info@xxxxxxxxxxxxxxxx.org.uk
    Domain tidunglagoon.com has exceeded the max emails per hour (625/500 (125%)) allowed.  Message discarded.

Reporting-MTA: dns; sng123.hawkhost.com

Action: failed

 
Here we can see where it originated from: a mail server for tidunglagoon.com. We can also see from the message that 625 emails were sent in the hour, so this was not the only one.

The Email Header

Not shown here, but viewed by me, is the email header. All emails include a header which is not normally visible, but it is present on every email. It contains information about the source of the email and its destination. It also contains information about any tests the message has been subjected to, particularly around spam scores.

This is the first place to look if you get a dodgy email. It is also important if you need to share the email with a third party for analysis. 
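To show what "looking at the header" means in practice, here is an added example (not from the original post) that parses a raw message with Python's standard `email` module and pulls out the things worth checking first: the chain of `Received` hops, the `Authentication-Results` line the receiving server added, the spam score, and whether From and To carry the same address. The raw message is constructed for the example; every host name, IP address and queue id in it is made up.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed raw message for the example. Every host name, address, IP and
# queue id here is made up; only the shape mirrors the case in the text
# (From and To carry the same address, SPF has failed at the receiving server).
SAMPLE_RAW = """Received: from mail.hosting-example.net (mail.hosting-example.net [192.0.2.55])
\tby mx.receiver.example with ESMTPS id c0ffee
\tfor <info@example.org.uk>; Tue, 5 Mar 2019 09:12:31 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.hosting-example.net with ESMTP id dec0de; Tue, 5 Mar 2019 09:12:30 +0000
Authentication-Results: mx.receiver.example;
\tspf=fail (sender IP is 192.0.2.55) smtp.mailfrom=info@example.org.uk
From: info@example.org.uk
To: info@example.org.uk
Subject: Your account has been compromised
X-Spam-Score: 8.7

(body omitted)
"""


def parse_received(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one hop."""
    from_match = re.search(r"\bfrom\s+(\S+)\s+\(([^)]*)\)", value)
    by_match = re.search(r"\bby\s+(\S+)", value)
    ip = None
    if from_match:
        ip_match = re.search(r"\[([0-9A-Fa-f.:]+)\]", from_match.group(2))
        ip = ip_match.group(1) if ip_match else None
    return {
        "from": from_match.group(1) if from_match else None,
        "ip": ip,
        "by": by_match.group(1) if by_match else None,
    }


def inspect_headers(raw_message):
    """Summarise the headers a first look at a dodgy email should cover."""
    msg = message_from_string(raw_message, policy=default_policy)
    # Received headers are prepended by each relay, so the top one was written
    # by the server nearest to you and is the only one you can fully trust;
    # lower ones could have been forged by whoever sent the message.
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    auth = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            auth[method] = result
    # The earliest non-loopback hop is the best available guess at the origin.
    origin = None
    for hop in reversed(hops):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_loopback:
            origin = hop
            break
    sender, recipient = str(msg["From"]), str(msg["To"])
    return {
        "from": sender,
        "to": recipient,
        "self_addressed": sender == recipient,  # the from-you-to-you pattern
        "auth": auth,
        "hops": hops,
        "origin": origin,
        "spam_score": str(msg["X-Spam-Score"]) if msg["X-Spam-Score"] else None,
    }


if __name__ == "__main__":
    for key, value in inspect_headers(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Most mail programs have a "show original" or "view source" option that gives you exactly this raw text; saving that, rather than forwarding the message, is what preserves the headers for someone else to analyse.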

There will always be a link or something traceable

In all of the various spoofed emails and scams there will always be a link to something. In this case there is a reference to a digital wallet so the person can receive bitcoin. I do not think you can trace that to an individual, so it is a great way of hiding. Sometimes there is an email address, or a hidden link to a website. While not impossible to trace, those are fairly easy to hide behind too.

What if you receive something like this?

Firstly, do not panic. The sender wants you to panic; that is why these emails are constructed like this. The first task is to move the email to a special folder and leave it there. Do not click on anything in the email or send any reply. Also do not download any hidden images in the email, because this confirms to the sender that someone has read it.

Calmly read through it and check whether it is generic (could be applied to anyone) or specific to you. Chances are it is generic. If you are not sure about it, contact me and tell me about it, but do not send it to me. If you send it to my usual email address it is highly likely to be detected and sent straight to my junk mail folder, so just let me know you have a problem you need me to check.

What I will want to look at is the header in the email as well as the email contents, which is why you should park it somewhere safe and not delete it. 

 

Self directing spam to a spam folder!

We are all subject to spam messages, and sometimes they can be a real pain. There are various mechanisms for reducing it; the more sophisticated methods I use require a match between some text and an image.

However if a human is behind sending spam, then they can defeat these systems and send it anyway. 

During an idle moment, I started thinking about it a bit more.

If it is a human sending spam messages, then it is likely that they do not get paid much and probably do not pay too much attention to what they are sending. I can tell this by looking at some of the messages that come in, which have letters, for example, where telephone numbers should be. Or perhaps the systems are automated and have a human standing by for when a problem occurs.

Either way, I have also noted that if a choice is already made in a form, then the default choice is often left as it is. So what happens if the default selection is “I send spam”? I tried it.

In the image you can see that there is now a selection for the subject line of the message. The default setting is “I send spam”. If a bot or a bored human sends a message they will not change that setting. Anyone genuinely wishing to contact the website will make a selection other than “I send spam”.

… And here is the first candidate through this form. It is a spam message and they have not changed the subject line. So if this theory holds up, I can now create a filter in my mailbox that redirects any message with “I send spam” in the subject line into a folder for suspect messages.

The filter above detects any message arriving in this mailbox whose subject line contains the precise text “I send spam”, and redirects it to a special folder called Spam Suspects.
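The same subject-line filter, written out as an added example (this is not the original post's filter, which lives in the mailbox's own rules screen). It routes a raw message to the Spam Suspects folder when the decoded subject contains the exact sentinel text. The one wrinkle worth showing is that a subject can arrive as an RFC 2047 encoded word (`=?utf-8?b?...?=`), so the filter decodes the header before matching rather than comparing the raw text; a rule that only looked at the raw header would let that variant through. The three sample messages and their addresses are constructed for the example.

```python
from email import message_from_string
from email.header import decode_header, make_header

SENTINEL = "I send spam"          # the form's default subject line
SUSPECT_FOLDER = "Spam Suspects"  # where the filter moves matching messages

# Constructed sample messages (all addresses are made up for this example).
UNTOUCHED_DEFAULT = """From: bot@spam-sender.example
To: enquiries@example.org.uk
Subject: I send spam

Buy cheap things.
"""

# Same subject, but sent as an RFC 2047 encoded word (base64 of 'I send spam');
# a filter that only matches the raw header text would miss this one.
ENCODED_DEFAULT = """From: bot@spam-sender.example
To: enquiries@example.org.uk
Subject: =?utf-8?b?SSBzZW5kIHNwYW0=?=

Buy cheap things.
"""

GENUINE_ENQUIRY = """From: jane@customer.example
To: enquiries@example.org.uk
Subject: Website enquiry

Hello, could you quote for a new site?
"""


def decoded_subject(msg):
    """Return the Subject with any encoded words decoded to plain text."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def route_message(raw_message):
    """Decide which folder a message lands in, as the mailbox filter would."""
    # The default (compat32) policy hands back the raw header, encoded words intact,
    # which is what decode_header expects.
    msg = message_from_string(raw_message)
    subject = decoded_subject(msg)
    # Exact, case-sensitive match on the sentinel text, as the filter in the text does.
    if SENTINEL in subject:
        return SUSPECT_FOLDER
    return "Inbox"


if __name__ == "__main__":
    for name, raw in [("untouched default", UNTOUCHED_DEFAULT),
                      ("encoded default", ENCODED_DEFAULT),
                      ("genuine enquiry", GENUINE_ENQUIRY)]:
        print(f"{name}: {route_message(raw)}")
```

Because the match is on a sentinel the form itself inserts, it carries none of the false-positive risk of keyword filters; the only miss is a real enquirer who leaves the default in place, which is the "con" the post goes on to list.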

About this approach

It is experimental, but looking promising.

Pros:

  • It should trap spammers who are bots, humans, bots supported by humans, or people who are not paying attention.
  • With the default subject line the message can be accurately detected and sent to a special folder.
  • The inbox should be clearer of spam than it was before.

Cons:

  • A real enquirer not paying attention might also fall for it.
  • You still have to check the spam suspects folder and clear it out from time to time in case there is something important in there.

Your Website has been hacked….. send bit coins.

There is a well documented scam going around where you receive a message telling you that your website has been hacked, that they have all of your data and your clients’ data, and that they are going to contact everyone, sell the data and cause you a load of grief (I have paraphrased that to keep it short). If you get anything like that please do the following:

1). Don’t panic

2). Send a copy of it to me

3). Wait until you hear back from me

Do not pay anyone anything, or engage in a conversation. The wording, including its grammatical errors, is recorded in multiple places on the web. It is a well known scam, another one designed to instil panic in the recipient.

While I am on the subject, there is a second one which claims to have taken over the camera on your computer and to have images of you in compromising situations (I will leave that to your imagination!); that one is another scam. I have not seen it recently, but what goes around comes around eventually.

Both messages will come from a non-traceable source, and both ask you to deposit bitcoins in an account.

Fake 20i.com invoices

There have been several instances (around 15 of them) where an invoice has been sent to an organisation claiming to come from 20i.com and stating that their domain name has expired or is about to expire. 

The information relating to your domain name is available to view on the Nominet website (Registration Data Lookup by Nominet). Just enter your domain name and the other information will be presented.

Someone, or some group, has been trawling through this data and identifying websites that are hosted by 20i.com. I have a reseller account at 20i.com and deal directly with them. You have no relationship with them. Invoices from 20i.com are not sent to you; they are sent to me, and I look after them for you. The people behind the scam do not know that.

If you receive anything about your website, or your domain name and you are not sure, send it to me and I will confirm whether it is a scam or not. It stands to reason that if you do not have a relationship with 20i.com then you would not expect to receive an invoice from them. 

20i.com are aware that this is happening; no doubt other hosting companies are being targeted too.

Beware of Phishing

Over the past year I have become aware of many instances of phishing; it is much more prevalent than it was two years ago. It is also becoming increasingly sophisticated, especially when one person in a group that regularly communicates is compromised: his or her contacts might be next.

Your regular email address is critically important

Phishing will try to target your email address and get you to enter your password and email address into a box, believing that you can download something allegedly from a colleague. It may appear as an email in your inbox, or you may at some point be directed to a page with a form on it asking you to enter your credentials.

These attacks will frequently occur on a Friday afternoon, or just before a bank holiday weekend, just because it will be more difficult to independently check to see if something is legitimate or not.

I am aware of several cases where organisations have been caught out by this. It works in the following way:

Jane receives an email from a colleague asking her to download a document from, say, SharePoint. Jane knows her colleague and, while the email may have been short and to the point, she does not suspect anything. She clicks on the form in her email and is then taken to the form on a website. She enters her email address and password, anticipating that this will allow her to download the document.

But nothing happens

Well, nothing obvious happened, so I will just assume it was broken……

What has actually happened is that Jane’s email address and password have been passed to a third party. The form was not legitimate. The hacker can now access Jane’s email. In Jane’s email account are years of correspondence and messages that reveal whom Jane has been talking to, which other accounts she has access to, bank accounts, websites, credit cards etc. But Jane does not know someone is looking at her email. The hacker could independently copy everything now and study it more carefully, and then contact one of Jane’s colleagues and do the same thing.

I received one of these messages last year, as did my wife.  In both cases our security recognised that the website we were being directed to was not legitimate.

Being Paranoid

Please be especially sensitive to anything that looks vaguely odd. These messages, when they occur, are often very short, with no context or a very limited context, such as an invoice or payment that has been made or not been made. Many of them are also designed to shock you into acting quickly. They also arrive at the end of a day or just prior to a weekend.

Take a breath – is it real?

If you are suspicious, find an independent route to check with this person that it was really sent and is genuine. Don’t ever think “it won’t happen to me”. Complacency is one of the factors of success. Remember that if your main email address is compromised, it compromises everything you have used your main email address for. Plus your main email address will be used for password recovery too.

In a case where I responded to the person who was asking me to click on something, I was suspicious, but the person was known to me, so I replied. I immediately got a reply back saying it was all quite innocent and not a phishing email…. So I clicked on it, and my security system immediately flagged it as a phishing site before I could enter anything. In this case, the hacker was also sitting on the person’s email account and answering emails. The email account owner was unaware that this was happening. This is why it is better to find a phone number and call them, or call a colleague to check first. In my case I used the same communications channel to ask if it was legitimate or not, and the hacker was waiting.

Remember if it goes wrong….

You are going to have to change all of your passwords starting with your email account, and then all of the accounts tied to your email account. It will take a long time to change everything, and you have to remember to cover everything. So it is worth being careful and more sensitive than “normal” whatever normal means these days!

It can be worse if you are using a free email account….

If you are using Gmail, Yahoo or Hotmail, then the hacker can completely take over your account, and you will find it quite challenging to regain control. There is no support desk with live people you can converse with on these free email accounts. So do take care, and make sure you have two-factor authentication set up on any free accounts. That will help to protect you.

Client Data on Websites

GDPR and your website

When you created your GDPR conformance policy, you should have given consideration to where data is located in your organisation. If you do not know where it is located, you cannot really claim to control it. 

The websites I have created over the last 5 years do not contain a lot of user data, by design. The data in the site, other than what is visible to the public, is generally limited to the administrators and editors on the site, such as their email addresses; where subscriber lists are present there may also be subscriber names and email addresses held in the site. But not much else.

This means if a hacker gets into a site, there is not really very much there which might be of value to them. 

I am aware of some sites though that contain copies of forms being submitted through the site. This can occur if someone else has added a form manager that does this, or a database extension to collect and store user submitted information.

There is no value in keeping copies within the website if the email function is working and all user-submitted data is sent to your organisation for processing. In fact, retained copies of previously submitted forms will likely contain sensitive information, which could represent a data breach if the data fell into the wrong hands.

Check your website

It is worth checking your website to make sure there are no records of previous form data being retained in the website. If you find something, and you know this data has already been submitted to the organisation through an email account, you do not need copies on your website, so delete them all. It is worth considering whether it is possible to stop copies being retained; if you cannot, make a note to revisit your site and delete them regularly. A form manager that does not retain copies might ultimately be a better choice for the future.

Page Redirect crashing some websites

On most websites I use a plugin which redirects a user to a Thank You page after they complete a form. This is a trivial function, and not one you might think could bring a website down. I have had six cases over the past week where sites have stopped working due to an upgrade of this plugin. It appears that the authors have substantially rewritten it, and there is probably a bug in there somewhere causing the problem. Can you all check your websites and let me know if you see a message saying a critical error has occurred.

That is the symptom. It is easy for me to fix and will take a few moments to do so, but right now I have not been through all of the websites.  You can help me to help you. 

Normally this type of incident is very rare, and it is clear that not all sites are affected either, so it is probably a combination of things. Around a year ago WordPress made some changes to error monitoring; where a site with some issues may have continued to work in the past, it seems to stop working now.

You may occasionally see a 500 error on your website; these are transient and indicate that the server cannot respond. They will clear themselves. You should never see CRITICAL ERROR. If you see that, flag it to me immediately and I will sort it out for you.

Another Phishing Scam – You may be targeted

It has just been brought to my attention that there is a phishing scam going on where people who have websites at 20i.com (I have a reseller account there) are being sent phishing emails. It works like this:

The hacker has done some research based on name servers and then identified the websites that are hosted at a data centre. They then visit the website and scrape an email address from it. They then take a screenshot of a legitimate page from the parent hosting company and attach that into the body of an email.

Fortunately none of you receive any emails from 20i.com directly, so hopefully your suspicions will be raised immediately. However, it would be possible for me to automate the accounting side of my reseller package, in which case you would receive emails like this. I have just never bothered to set it up.

In the image below I have shown the email which someone kindly detected and flagged to me. I recognised it immediately as a 20i message. You would never receive one of these unless you had your own account with them.

I have also placed my cursor over the image so you can see where the link goes. You can see immediately that it does not go to 20i.com; it goes to a server in Spain.

This is a classic Phishing Scam. What they are after is maybe payment, or a username and password to log into the system. Either way it is a criminal act. 

Ways to detect these types of scams

When you look at the image above, it does look genuine at first glance, if you do not look closely. It is actually based on a real message that they send out, but I am the only one who might get one, not you.

There is a glaring error on the first line where they have adapted the message: “…. will expire within the next days.” The actual number of days is missing. That is so they can create a reusable block of text for anyone. There are also special characters embedded in it which do not display correctly, and if you look at the punctuation it is incorrectly spaced as well.

Bottom line

If you receive a message and it does not look right, it probably is not right. The general giveaway is not much context and a link, or a lot of credible context but with the link hidden behind an image. You can always find where a link goes in most mail programs by placing your cursor on top of the link without clicking. In this case you would be passing information to a hacked server at http://……clinicapodologiabarcelona.es (I suspect a foot clinic in Barcelona).

Invoices relating to your services

You will only ever receive a message directly from me, and it will not contain any links for you to log in somewhere else. You would never receive a message directly from the hosting provider I use unless you had an account with them.

Please remain vigilant, and drop me a line if you are unsure about anything. I would rather spend time replying than see anyone caught out; there is a lot of this going on right now.

 

Phishing Case 3 – What happened?

The following is something else that happened to me: I spotted it, and still clicked on a link! Here is what happened.

One of my clients, whom I am in moderately regular contact with, sent me a message. I have copied it below. What is unusual about this message is that, other than the graphic, it contains no context. In most communications where you need someone to do something, you provide some context on what you want them to do, when you want them to do it and why. An email with not much more in it than a link is always suspicious, even though I know the person sending it.

On receiving this I sent back the following message:

“Is this from you? What is it for?”

“I would never open an attachment without a message accompanying it. Spam often looks like this and carries malicious links.”

Mark

I immediately got a reply back:

With that assurance, although there were still questions in my head, I took it at face value and clicked on the link. Note that the link is obfuscated, which means you have no idea where it will go. But I trusted the sender. The only legitimate reason for obfuscating a link is to make a long link shorter.

When I clicked on the link this happened:

I use ESET Smart Security Premium on my systems for this very reason. My computer detected that the website was suspect before I got there, so no damage was done. ESET Smart Security Premium manages the connections in and out of your computer as well as checking what is happening on any web accesses and performing virus checking. So it is more comprehensive than your normal AV program.

Taking it all apart

There was a clue in the original email, if you check it by scrolling back up: it was not addressed to anyone. I missed that. It was sent to a lot of people from the person’s address book, who were all on the BCC line of the email.

The response I got back, allegedly from the “manager”, was actually from the hacker, who was in the email account and monitoring it at the time. The real manager played no role in this at all, even though they were logged into email as well.

If you think about it, what was happening here was that a hacker had got hold of someone’s email address and password. They silently logged in and were passively monitoring the inbox after the message went out. That is really what makes this, and other examples of it, quite scary.

In the response back, the graphic had changed to an obfuscated link. There would be no legitimate reason to hide where it was really going.

What did I do next?

I tried to independently contact the manager but was unsuccessful because the office was closed. That is twice this has happened, on different occasions, when the parent organisation was closed; was that a deliberate ploy? I then tried several other people and eventually made the organisation aware of what was going on. It turns out my wife, who handles my accounts under a different email address, also got one of these messages, as did several other people. So it does look like the hacker was working through an address list associated with the account.

What can you do?

This really is a very worrying example of a trend that is increasing at the moment. Most of us would not know if someone else was passively monitoring our email account. The fact that they had the address book as well is also of concern. 

My advice is as follows:

  • Be super vigilant about any emails, text messages or anything else carrying a link, particularly if there is no message or context, even if it is from someone you know. Don’t just assume it is OK.
  • Was the email addressed to you, or is the To line empty? If it is empty it is likely not to be legitimate, because the true addresses are hidden on the BCC line. It is a broadcast message.
  • If you are even 10% unsure, independently ring them up and check. I trusted email, and ended up being misled by the hacker.
  • Be particularly vigilant if you are on Outlook.com; this one was targeting SharePoint users, where you would need to log in with your Outlook email address.
  • If you do go to a phishing site, it will generally look official and familiar. However, check the website address. The example above was sending me to https://canyouheal.org, which is probably an innocent site that a hacker has got into and placed a phishing page on, unbeknown to the website owner.
  • Make sure your device is protected by a good quality (i.e. NOT FREE) anti-virus AND security product. If all else fails, that will likely save you.
  • If it happens to you, first change your password to a strong password containing upper and lower case letters, numbers, and even symbols. Next, run your anti-virus application to make sure your machine is clean.
  • Communicate: if you have seen it, tell everyone to warn them. It is highly likely that others may be exposed as well.
  • Check your sent messages folder from time to time. A careless hacker may leave an evidence trail behind if he has intercepted some message threads.
  • If you are affected by a phishing site (where you put your email address and password in and nothing happens), after you have replaced your password with a new one, bear in mind that you also need to change the passwords for any critical interfaces and websites you have access to, especially if you use your email address to recover a password!

This is becoming a very dangerous trend over the past few months. 

It is also wise to change your main email address password regularly as a precaution against this type of risk. 

 

 

Phishing Case 2 – What happened

The following story came from a friend of mine; it is another example of what can happen when an email system is compromised.

A business owner is regularly in contact with their accountant. Invoices which need to be paid are regularly passed between the two parties. One day the accountant calls the business owner to check on an email they received which looked like a copy of another one. Both carried invoices. It was a sanity check.

It turns out that the second copy of the email carried a modified invoice with a different bank account on it. So someone had infiltrated an email system somewhere between the two parties and was now trying to commit fraud by inserting their own bank account into the transactions between the two parties.

It was only through the vigilance of the accountant that it was spotted in this case.

How is it done?

Very often it is simply achieved by tricking someone into clicking on a link in an email which takes them to a seemingly official website and invites them to log in. If they log in with their email address and password, that information is passed to a third party. Now the third party can get into the person’s account. If they do this passively, it is quite possible that the person whose email account has been compromised will be unaware of it.

Change your passwords regularly.

 
