Over the last few years, SPAM email and virus authors have grown increasingly clever and are sending carefully-crafted spoof emails that appear to be from reputable sources. These emails are often designed to trick recipients into:
- Installing a program that in fact contains a virus
- Signing into a fake login screen thereby revealing their passwords to a malicious third-party
These breaches can in turn result in identity or information theft, unauthorized access to your computer network, or loss of your files.
Prevention
Before we learn more about these threats, let’s begin by revealing the absolute easiest ways to help protect against them:
- When in doubt, do NOT click on links in emails. The email may not be from who it says it’s from and those links may not go where you expect them to go. Instead, open a new browser window or tab and type in the address of the company the email claims it is from.
- Do NOT run a program or installer attached to an email. Doing so may result in a serious virus or other malware infection.
- Keep your Antivirus software up-to-date and pay attention to any warning prompts it provides when installing or running a program. Be careful because your Antivirus software won’t catch everything. Important Note: There are fake Antivirus software programs out there too, so be careful to note the source of these warning prompts. You should not under any circumstances click on a warning prompt from a product or company you do not recognize!
Spoofing on the Rise
According to Russian firm Kaspersky’s report[1], worldwide phishing attacks increased by 87% from 2012 to 2013. According to a report by Symantec[2], the percentage of email messages containing malware increased by more than 48% from 2012 to 2013.
At YTBE, Inc. we have seen a dramatic increase in these types of emails among our customers. New variants of these messages are emerging daily, and even the most powerful Antispam and Antivirus filters do an imperfect job of catching them all.
Spoofed Sender Examples
Some of the messages we’ve seen include the following spoofed senders:
- FedEx
- UPS
- USPS
- PayPal
- Skype
- American Express
- MasterCard
- Chase
- E-ZPass
Spoofed Message Examples
We’ll conclude with some real-world examples of these emails. Along the way we’ll provide an analysis and more advanced clues that you can use to differentiate these messages from legitimate ones. Of course if you are unsure, you can always fall back on the simple tips listed under “Prevention” above.
Example 1: Spoofed Skype Message
The following is an example of an actual message received by one of our users. Names were changed to protect the identity of our customers and malicious links have been removed:
Message:
From: Administrator [mailto:docs6@yourcompany.com]
Sent: Monday, January 27, 2014 9:51 AM
To: youremailaddress@yourcompany.com
Subject: Skype Missed voice message
Skype Missed voice message
Skype system:
You have received a voice mail message.
Date 01/27/2014
Message length is 00:01:34.
You can listen to the message by running the attached file
————————————————————————————-
Attachments: Skype-message.zip
Analysis:
Note that the message pretends to be from Skype and indicates that you have received a voicemail message. There are however several clues here that this message is bogus:
- Zip Attachment – Skype would NEVER send you a zip file. Voicemail messages are typically delivered as .WAV or .MP3 file attachments.
- Capitalization – Notice the unusual choice of capitalization. Why is the word “Missed” capitalized and the words “voice” and “message” lowercase? For that matter, why is the word “voicemail” split apart into two words? This is usually a clue that the message was constructed by someone who may speak English as a second language and the message may have originated from overseas.
- From Address – The FROM address that appears is one from within your own company, not Skype. This is a big clue! Note however that there are many instances of spoofed e-mails that include FROM addresses that DO appear to be from Skype or another legitimate organization, so you cannot always rely upon this as an indicator.
There are other advanced clues that appear in the detailed headers of the message (not shown here). For a technician, or advanced user, message headers can yield a wealth of information that can help identify a message as fraudulent.
Example 2: Spoofed American Express Message
The following is an example of an actual message received by one of our users. Names were changed to protect the identity of our customers and malicious links have been removed:
Message:
From: American Express [mailto:fraud@aexp.com]
Sent: Wednesday, December 04, 2013 10:47 AM
To: youremailaddress@yourcompany.com, misspelledemailaddress@yourcompany.com, nonexistentaddress@yourcompany.com
Subject: Fraud Alert : Irregular Card Activity
Irregular Card Activity
<<American Express Logo Appeared Here>>
________________________________
Dear Customer,
We detected irregular card activity on your American Express
Check Card on 04th December, 2013.
As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.
To review your account as soon as possible please.
Please click on the link below to verify your information with us:
https://www.americanexpress.com/
If you account information is not updated within 24 hours then your ability
to access your account will be restricted.
We appreciate your prompt attention to this important matter.
________________________________
(c) 2013 American Express Company. All rights reserved. AMEX Fraud Department
Analysis:
There are several tricks in this message that help it to appear legitimate:
- From Address – The sender’s email address looks like it might be a valid American Express email address.
- Logo – The logo included in this message (but not displayed above) even originates from American Express’s website.
- Attachments – There aren’t any. No problem there.
So what did they do wrong?:
- Hyperlink – Although the URL displayed on the screen is https://www.americanexpress.com/, the link does NOT in fact go there. If you mouse over the link in the above example you’ll see that it in fact points to “http://www.someboguswebsitethatposesarisk.com” (a non-existent address we made up for purposes of example). Many users never bother to verify links by first mousing over them before they click; many users also do not bother to look in their browser’s address bar after clicking on a link to verify that they wound up where they expected.
- To Addresses – One of the e-mail addresses the message was sent to is correct, the others were misspelled or non-existent.
- Grammar – There are several incomplete sentences and grammatical errors. This is usually a clue that the message was constructed by someone who may speak English as a second language and the message may have originated from overseas.
- Not an American Express Customer – In this case, the user who received this did not even have an American Express card. This is of course a HUGE clue!
There are other advanced clues that appear in the detailed headers of the message (not shown here). For a technician, or advanced user, message headers can yield a wealth of information that can help identify a message as fraudulent.
Example 3: Spoofed E-ZPass Message
The following is an example of an actual message received by one of our users. Names were changed to protect the identity of our customers and malicious links have been removed:
Message:
From: E-ZPass Service Center [mailto:refund@somecompany.be]
Sent: Wednesday, July 9, 2014 8:32 AM
To: youremailaddress@yourcompany.com
Subject: Payment for driving on toll road
<<E-ZPass Logo/Header Appeared Here>>
_____________________________
Dear customer,
You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.
The invoice can be downloaded here.
________________________________
<<E-ZPass Footer Appeared Here>>
Analysis:
There are several tricks in this message that help it to appear legitimate:
- From Address – The sender’s email address looks like it might be from E-ZPass.
- Logo/Letterhead – The logo included in this message (but not displayed above) is a copy of E-ZPass’s actual logo. The letterhead (header and footer) appear authentic as well.
- Attachments – There aren’t any. No problem there.
There are however several clues here that this message is bogus:
- From Address – While the friendly address says “E-ZPass Service Center” the actual e-mail address behind that name (refund@somecompany.be) does not originate from E-ZPass at all. The domain name for this e-mail address ends in .BE, which is Belgian in origin, and is of course in NO way affiliated with E-ZPass.
- Grammar – Note the poorly constructed sentence “This invoice is sent repeatedly” instead of “This invoice has been sent repeatedly”. Usually legitimate e-mails, especially ones from large organizations, are written with more care.
- Content – E-ZPass works by automatically billing your credit card as your tag runs short on funds. They would never invoice you in this manner.
- Hyperlink – The link does NOT actually go to an E-ZPass website. If you mouse over the link in the above example you’ll see that it in fact points to “http://www.someboguswebsitethatposesarisk.com” (a non-existent address we made up for purposes of example). Many users never bother to verify links by first mousing over them before they click; many users also do not bother to look in their browser’s address bar after clicking on a link to verify that they wound up where they expected.
There are other advanced clues that appear in the detailed headers of the message (not shown here). For a technician, or advanced user, message headers can yield a wealth of information that can help identify a message as fraudulent.
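As an added example (not part of the original post and not YTBE’s own tooling), the Python script below automates two of the clues from Examples 2 and 3: it compares the friendly “From” name against the sender’s actual address domain, and compares the visible text of each link against where its href really goes. The sample message, the brand-to-domain map and every address in it are constructed for this example; the real sending domain for E-ZPass is a placeholder.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on Examples 2 and 3; every address and URL is made up.
SAMPLE = b"""\
From: E-ZPass Service Center <refund@somecompany.be>
To: youremailaddress@yourcompany.com
Subject: Payment for driving on toll road
Content-Type: text/html; charset=utf-8

<p>Dear customer, please click on the link below to verify your information:
<a href="http://www.someboguswebsitethatposesarisk.com/">https://www.americanexpress.com/</a></p>
"""
class LinkCollector(HTMLParser):
    """Records (href, visible anchor text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def analyze(raw, brand_domains):
    """Return clue strings; brand_domains maps a brand name to its real sending domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    clues = []
    # Clue 1 (Example 3): the friendly name claims a brand, the address domain does not match.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domain in brand_domains.items():
        if brand.lower() in name.lower() and sender_domain != domain:
            clues.append(f"From: name claims {brand} but address is @{sender_domain}")
    # Clue 2 (Example 2): the anchor text shows one site, the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and shown != real:
                clues.append(f"Link: text shows {shown} but href goes to {real}")
    return clues
```

Calling `analyze(SAMPLE, {"E-ZPass": "ezpass.example"})` (placeholder domain) reports both the From mismatch and the link mismatch; a message whose link text and href agree and whose sender domain matches produces no clues.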
[1] Kaspersky Lab ZAO. The evolution of phishing attacks 2011-2013.
[2] Symantec Corporation. 2014 Internet Security Threat Report. Volume 19. p. 15.