Buy Today!
Book Cover
The Music Video
You've got to see it to believe it: Check out the "Mister Spam Man" video at YouTube.
Search Dispatches
Archives
May 2019
March 2019
August 2018
July 2018
June 2018
May 2018
April 2018
December 2017
November 2017
September 2017
August 2017
July 2017
February 2017
March 2016
January 2016
November 2015
May 2015
April 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
April 2013
February 2013
January 2013
December 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
Dispatches RSS Feed
Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
A Dispatch

« How Low Will They Go? This Low! | Main | Buzzword Phishing for Email Credentials »

November 06, 2014

Jeez It's Dangerous in Your Inbox

I have long advocated being suspicious of every email message arriving in your inbox until you can absolutely confirm a legitimate-looking message is, in fact, legit. Almost everything in an email message, including all but one component of the usually hidden header information, can be forged. With a well-crafted message, it can be hard to tell a real message from one that can lead to serious trouble.

Imagine you have a friend named Joe Blow. You and Joe have been business friends for well over 25 years, and you have exchanged sporadic emails through the years. You trust Joe as a truly honest person. Then one day, the following message shows up on your smartphone while you are out and about:

From: Joe Blow
Subject: Joe Blow


News: http://bbhealth.[removed]365online.com/marriage/told.php

Joe Blow
Sent from my iPhone

Ever since you've known him, Joe has been a smart guy who would only send you an email about something important. From the URL in the message, is he making some kind of wedding announcement for himself or one of his kids? Is the linked article something important enough for Joe to alert you about from his own iPhone?

Unfortunately, it requires a bit of digging to get to the bottom of this message, made all the more difficult if you receive this on a smartphone. By tapping on the sender's name, you might be able to drill down into the sender's email address to see that it's a name different than Joe's and from a domain you don't recognize. The other details are buried in the message's header, which is rarely accessible in smartphone email clients. There you'd discover the message originated in a country where Joe doesn't live or work.

Unfortunately, when you are tapping your way through reams of email on your smartphone, you don't take the time to scrutinize messages for their legitimacy. And that can get you into all kinds of trouble. The full link in the message "from Joe" leads to a page in China that redirects to yet another domain. At that point, any kind of malware—including a zero-day infection for which there is no protection—could be on its way to your computer or device.

And how did the Bad Guy get Joe's name to paste into the From: field in the first place? Joe's computers can be as clean as a fresh snowfall, but all it takes is an email message he sent (even years ago) to someone whose computer is now infected with malware. Such malware will search the hard disk for email addresses and names associated therewith. If you are on the Internet and communicate with other people in any way, your name and email address are exposed and will likely show up in the From: field of spam or malware delivery messages at one time or another (and it's certainly how your address found its way into the To: field of the ones you receive). By mere chance, such messages will end up in the inboxes of people you know, and they'll think you're sending them an important email alert, so they'll click on the link.

It's the Circle of Death.

Did I get tricked by this message, which initially came into my iPhone's inbox from a long-time colleague? Fortunately not. I must say that the overall look of the message body, especially the "Sent from my iPhone" tagline, was tempting. Yet some things just didn't feel right about the message, such as the lack of context and strange URL domain. As a rule, I avoid clicking on links to domains I don't recognize (and I tap-and-hold on my smartphone to inspect the actual link URL). Any message that asks for you to act by clicking/tapping should be suspect. In this case, I didn't click right away, and waited until I could check out the message on a computer where I could more easily inspect the header and check out the various domains. That's when the message's legitimacy fell apart.

If you're not completely paranoid about your inbox, you are potentially doomed.

Posted on November 06, 2014 at 11:25 AM