Tag Archives: phishing

Our ESP has been hacked!

I've been hacked
We recently had a customer come to us to say their account had been hacked, and spam email was being sent from our system. We immediately investigated but were unable to find any sign of problems. The customer insisted the emails they had received were coming from our system because the “From” address was their email marketing address. In fact, their account hadn’t been hacked at all. It was just another example of scammers taking advantage of the “Friendly From” name in an attempt to fool readers into thinking an email was from someone else.

We’ve all received those emails that claim to have been sent by WalMart, Chase Bank, FedEx, and others. They’re annoying enough already, but they become intolerable when the company being spoofed is your own.

Scammers will copy the identifying elements from a sender’s mailings, such as the design and logo, in an attempt to convince readers that the email came from the legitimate company. But how can you recognize this, and what can be done about it?

Prevention

When email was created in the early 1970s, the designers had no idea how popular it would become or the range of problems that could be introduced. They created a simple, flexible system that allowed email to become what it is today, but that flexibility also enables malicious people to abuse the system. Email allows you to assign the “from” address to anyone you want. This is useful, especially for marketers who want to use an ESP to send emails that appear to have come from their company, but it can also be used to prey on a good company’s reputation.

To help prevent this kind of abuse, you need to add the email authentication protocol SPF. This protocol tells the receiving mail server which mail servers are allowed to send email using the “from” domain, so should reject email that is being sent by some other entity. The use of this protocol will help prevent phishing emails (those pretending to be from eBay, Bank of America or other brands with good reputations) from landing in your inbox. It is important that your SPF specification end with a “-ALL”, rather than “~ALL” or other options. The dash indicates that the email should be rejected, which is what you want.1

DKIM (pronounced “dee-kim”) is also a popular email authentication protocol. DKIM uses encryption to verify that an email message was sent from an authorized mail server. A private domain key is added to the headers on messages sent from your domain. A matching public key is added to the Domain Name System (DNS) record for your domain. Email servers that get messages from your domain use the public key to decrypt message headers and verify the message source.

An email authentication protocol popular with high-profile, brand-driven companies is DMARC It was created by PayPal with the specific intention of preventing spoofing and phishing, and is most useful for companies that are often targets of these types of scams. For most businesses, SPF and DKIM should do the trick. DMARC only works if you’ve set up both SPF and DKIM.

Recognition

So what if someone contacts your organization saying they have an email from your company that is spam. How can you determine if your ESP has been hacked or if someone is sending email using your company name as a “from” address?

The content is seldom useful. Any decent ESP allows customization of the content, so any link could be sent and the unsubscribe information can be specific to you. These can be faked by the malicious entity.

In many cases, these attempts to trick readers into thinking an email comes from a legitimate source are easy to spot:

Phishing example

Although this appears, on the most casual glance, to have come from Chase Bank, there are giveaways that it did not. The most obvious one is that the actual email address is not from Chase, but from a free email service in Germany. Clearly, a major institution like Chase Bank is unlikely to use a free email address to send out information about a customer’s account status. Presumably, upon clicking the link, you’ll be taken to what looks like a sign-in page for Chase. They’re hoping you will continue believing the ruse and enter your login name and password.

If you want to find out where an email came from the email headers are your best source of information. Unfortunately, email clients don’t always make viewing the headers easy. The desktop version of Outlook, for instance, requires you to go to the File menu and choose Properties, then the headers appear in a small scrolling box that can’t be resized.

Yet, here too, though the headers are useful, they can be faked as well. Under the covers, headers are just part of the email content, and the malicious entity can provide any headers they want to the email. However, the standard rules for email are that the mail server that accepts and email should add some “received” headers. Your mail server knows the IP address of the mail server that is sending the email and should provide this information, as well as the name associated with that IP address, as part of the “received” header.

Often there will be multiple “received” headers. The email protocols were originally designed to be store-and-forward systems where an email might require passing through several mail servers before getting to the one that has the proper mailbox. In our modern environment multiple “received” headers often come as part of the sending process. Many ESPs and other senders will generate the email on one computer that relays it to another computer for actual delivery. This will result in multiple “received” headers that can be used to trace the path back to the original sending computer. The standard for “received” headers is to add from the top, so the data near the beginning of the headers data should be the data added by your mail server and can be trusted. Everything after that is suspect.

Understanding “received” headers can be a bit tricky, so you may need to ask your ESP or email expert for help. But simply scanning the data added by your mail server can often give you a clue of where the email came from. If the headers say “Received: from mail-ot1-f48.google.com ([209.85.210.48])” for example, it should mean that your mail server received an email from IP address 209.85.210.48, which, when looked up, inform us that it is a Google mail server. If the malicious email says it is coming “from” your brand, but the headers say: “Received: From h2hclan.com ([36.89.36.149])” you can feel confident it was not your ESP that sent this email.

Finding the Headers

If a client, co-worker, neighbor, or whoever forwards you an email that claims to be “from” you, the important headers will be lost. A forward is actually a new email message, with a new set of headers, and the content copied from the source email. This email will not show you the interesting header information. To get that you need a copy of the email as it was received. With most email clients, if you create a new email message and include the problem email as an attachment, the headers will be retained. The trick is getting that person who received the malicious email to send you the email as an attachment.

Conclusion

If you have a popular brand, and especially if you have good email deliverability, malicious people will eventually decide to try and take advantage of all your hard work to deliver their junk. The only thing you can do about this is to have the proper SPF records in place, which will limit the damage. Being able to recognize when an email has been sent faking your domain is important so you can quickly determine if someone has gotten into your email server or ESP, or if it is the more likely case of someone attempting to abuse your good reputation with an email pretending to be “from” your company.


1. Fortunately, our customer had the proper SPF records in place, so the damage was minimal. It seems that more North American mail servers pay attention to SPF records, and not so much in China and Asian countries where this particular abuse-email was targeted.

© Goolara, LLC, 2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Goolara, LLC and the Goolara Blog with appropriate and specific directions (i.e., links) to the original content.

Watch Out For Typos!

Email typos
Here at Goolara we’ve been seeing a recent rise in a peculiar method of gathering and hijacking information. The basic mechanism isn’t new, but the fact that it’s being used with clickthroughs appears to be a new twist. It is based on exploiting mistyped email addresses by purchasing domain names that are either misspelled or have letters added or removed. You might, for instance, intend to send an email to someone at a Gmail address, but because you typed too quickly, it’s going to “gmial.com” instead; or maybe your finger hit two keys at once, and the mailing is sent to “gmailk.com.” In both cases, the domains are registered and your mail is actually being processed by these sites. To put it another way: That mail you accidentally sent to the wrong address is being received by someone who has intentionally chosen their domain name to take advantage of this mistake. Is that someone you really want to have any of your email data?

This technique, called typosquatting, has long been used to trick people into visiting sites (called domain doppelgangers) that look a lot like the sites they are imitating.1 Most of it disappeared after laws were passed and some successful lawsuits were filed against these pretenders, but the legislation didn’t address the other part of the equation. The law can prevent them from mimicking an existing website, but anyone who has registered one of these domains still has the ability to receive any email sent to it. While a website could be construed as attempted fraud, simply receiving misaddressed email falls into a very gray area. Even this isn’t that new. These fakes sites have always accepted email. The new twist is that they are now apparently clicking on the links in the email they receive.

The Man-in-the-MailBox

It’s hard to know the reasons for these clickthroughs. It’s possible that they are intended to keep the address active and defray suspicion. Or it might be part of more complex scheme, such as the “Man-in-the-MailBox” scam detailed in a report on domain doppelgangers put out in 2011 by Peter Kim and Garret Gee of the Godai Group. In that report, Kim and Gee explained how they set up set up 30 doppelganger accounts for various firms and received 120,000 e-mails in the six-month testing period. Acting as middlemen, they would pass on data to the correct address and then send the information back to the intended recipient. In this way, they accrued 20 GBs of data that included everything from trade secrets to individual passwords.

It is also a method of verifying the links, which can be useful for ascertaining the value of each email address. This may seem like an inefficient way to collect addresses, but the evidence suggests that the processes here are handled primarily by bots, so minimal manpower is required. Like an army of ants, they achieve their goals methodically over time. If you intended, for instance, to send something to a specific address at Gmail, the typosquatter can now figure out the correct address without much difficulty and add it to their list. With the amount of email data passing through the Internet every hour, it is possible to build up a substantial list of names in no time.

Why It’s Important

You might be tempted to ask why this is important? After all, it’s only a few addresses here and there, but there are costs involved. Keep in mind that you’re paying for those addresses, and you’re paying for sending to those addresses. If you’re using an automated system to relay leads to your sales department, then clickthroughs from these sources can cause your sales staff to waste valuable time chasing down these imaginary leads and doing follow-ups that go nowhere.

It is also possible that some of these people are up to things far worse than merely collecting addresses. While many companies don’t accept email responses, some set up their mailings so that they send email replies to specific staff members. You don’t want to put your sales team in a situation where clicking on links from these sources—either accidentally or absentmindedly—lead to bigger problems. It is also worth remembering that these address mistakes simultaneous keep those subscribers from receiving your intended email while opening them up to receive email from these questionable sources.

Protecting Yourself

As you might imagine, protecting yourself against this problem can be tricky. Checking for typos only goes so far, and when your mailing list includes thousands of names, it’s almost impossible to catch them all. In Symphonie, we’ve added logic to the process that identifies and blocks these domains when we encounter them, so you don’t have to worry about the most commonly mistyped addresses. This doesn’t mean you shouldn’t stay on your guard, though. Like rust, these scammers never sleep and they are coming up with new naming variations all the time. Catching these people in that act is a responsibility we all share.

Requiring a double opt-in will help somewhat. Since, in most cases, the email address is initially entered by the subscriber, getting them to verify it will eliminate a lot of the potential for typos. It won’t keep you from accidentally sending the verification email to an incorrect address, but it will help keep that address off your recipient list. The mistyped address still has the potential to end up on scammer’s list, but at least you won’t be sending wasting your time and money sending mailings to them.


1. Technically, there is difference between typosquatting and domain doppelgangers. Typosquatting means a domain that is similar to the intended domain, but is misspelled, while a domain doppelganger will appear almost the same, but with periods either added, removed or misplaced (for instance yourcompanyc.om instead of yourcompany.com).