How to detect an “Impersonation Attack” against your email

Last Updated on Tuesday, 8 November 2011 03:46 Written by jsconners Wednesday, 2 November 2011 10:44


An “Impersonation Attack” (a.k.a. “Joe Job”) is a clever social engineering trick often used by spammers and in phishing scams. Here are the basic elements:

  • Create a spam or phishing email message
  • Get a list of email accounts that are related
  • Pick an address from the list and send the message with its “From:” header forged to that address (required) and, optionally, a “Reply-To:” header pointing at it as well
  • Wait for recipients to do whatever it was you intended them to do (click link in message, open attachment, call a number, etc.)
This attack has proven very effective because of the following reasons:
  1. Social Link: List members share some common social thread such as friends, family, co-worker, sport teams,  etc.
  2. Implicit Trust: Members on the list may have received email from that person before so they “trust” them.
  3. Lack of Reporting: Recipients who notice something odd either hit “reply” (which, if a “Reply-To:” was set, goes to the attacker rather than to the person being impersonated) or never tell the impersonated sender through some other channel, so the attack goes unnoticed.
The following tips (using a bit of “Kentucky windage”, as they say) will give you an idea whether you are being impersonated or have had an account intrusion (someone got your password):
  • Check the obvious first: see if there are any matching messages in your “Sent” folder. That would be the smoking-gun evidence of account intrusion rather than impersonation (an intruder can delete sent items, though, so an empty “Sent” folder proves nothing by itself).
  • Have a recipient send you a copy of the message’s Internet headers. Reading up from the bottom of the headers, look for the first “Received:” line; it records the earliest hop, i.e. the host that handed the message to the first mail server, in this format:
Received: from choi002a2e59bf.tbroad ([218.10X.25X.XX]) by COL0-MC2-F38.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
	 Wed, 2 Nov 2011 02:51:42 -0700
  • The address between the “([...])” (obscured with “X” in the example for privacy) is the IP address of the host that connected to deliver the message. In this case that host was in Korea (or the sender was using a proxy server there) and it delivered the message directly to a Hotmail inbound server; the “by ... with Microsoft SMTPSVC” part names the receiving Hotmail server and its SMTP service, not anything on the sender’s side.
  • Copy and paste that address (example 218.255.255.255) into the WHOIS search at www.domaintools.com. If the WHOIS record returns something other than your email service provider’s network (say Google for Gmail) or your local Internet Service Provider, then the message was most likely forged. One caveat: any “Received:” lines below the one added by the recipient’s own provider were written by whoever handed the message over and can themselves be fabricated, so give the most weight to the line in which the recipient’s provider records the connecting address.
The main goal is “elimination”: if you can show that the message did not relay through your email service provider, then your account probably wasn’t compromised (hacked). If it did come through your service provider’s network according to the WHOIS lookup, then you may have an actual account intrusion.
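As an added example (not code from the original post), here is the elimination check above automated in Python: it unfolds the “Received:” chain, walks it from the bottom up, takes the first bracketed address that is not an internal hop (RFC 1918, loopback or link-local), and compares it with netblocks you already know belong to your mail provider or your ISP. The two header blocks, the host names and the netblocks are constructed for this example (documentation IP ranges, hypothetical domains), and the WHOIS step is replaced by that hard-coded table. It goes one step beyond the post by skipping internal hops, which a webmail front end or internal relay commonly adds below the provider’s outbound server.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Constructed for this example: netblocks we ASSUME belong to the impersonated
# user's email provider and home ISP. In practice you fill these in from the
# WHOIS lookup the post describes; these are documentation ranges, not real ones.
TRUSTED_NETWORKS = {
    "your mail provider (assumed)": [ipaddress.ip_network("198.51.100.0/24")],
    "your home ISP (assumed)": [ipaddress.ip_network("203.0.113.0/24")],
}

# Hops inside someone's network: skipped when looking for the originating host.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# The "([1.2.3.4])" or "[IPv6:...]" form most mail servers use to record the
# address of the host that connected to them.
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_chain(raw_headers: str) -> List[str]:
    """All Received: headers, top (last hop) to bottom (first hop), unfolded."""
    msg = message_from_string(raw_headers)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def is_internal(ip) -> bool:
    return any(ip in net for net in _INTERNAL)


def originating_ip(raw_headers: str):
    """Walk the Received: chain from the bottom (earliest hop) upward and return
    the first bracketed address that is not an internal hop, or None."""
    for line in reversed(received_chain(raw_headers)):
        for candidate in _BRACKETED.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that was not an address
            if not is_internal(ip):
                return ip
    return None


def classify(raw_headers: str) -> str:
    """Apply the post's elimination rule: outside your provider/ISP means the
    From: address was most likely forged; inside means possible intrusion."""
    ip = originating_ip(raw_headers)
    if ip is None:
        return "undetermined: no parseable originating IP"
    for label, nets in TRUSTED_NETWORKS.items():
        if any(ip in net for net in nets):
            return f"possible account intrusion: {ip} is in {label}"
    return f"likely impersonation: {ip} is outside your provider and ISP"


# Constructed sample 1: an unrelated host handed the message straight to the
# recipient's provider with the victim's address in From: and Reply-To:.
FORGED_HEADERS = """\
Received: from mx.recipient.example ([10.1.2.3])
\tby inbox.recipient.example with ESMTP; Wed, 2 Nov 2011 02:51:45 -0700
Received: from choi-pc.attacker.example ([192.0.2.77])
\tby mx.recipient.example with ESMTP; Wed, 2 Nov 2011 02:51:42 -0700
From: victim@mail.example
Reply-To: victim@mail.example
Subject: urgent - please read
"""

# Constructed sample 2: the message really left the victim's provider (a webmail
# front end on a private address, then the provider's outbound server).
VIA_PROVIDER_HEADERS = """\
Received: from mx.recipient.example ([10.1.2.3])
\tby inbox.recipient.example with ESMTP; Wed, 2 Nov 2011 03:10:05 -0700
Received: from smtp-out.mail.example ([198.51.100.25])
\tby mx.recipient.example with ESMTP; Wed, 2 Nov 2011 03:10:02 -0700
Received: from [10.20.30.40] (webmail front end)
\tby smtp-out.mail.example with ESMTPA; Wed, 2 Nov 2011 03:10:00 -0700
From: victim@mail.example
Subject: urgent - please read
"""

if __name__ == "__main__":
    for name, hdrs in (("forged", FORGED_HEADERS), ("via provider", VIA_PROVIDER_HEADERS)):
        print(f"{name}: {classify(hdrs)}")
```

The table stands in for the WHOIS lookup only; in a real check, replace the assumed netblocks with the ranges WHOIS actually returns for your provider and ISP, and remember that the lines below the one your recipient’s provider added are only as trustworthy as the host that wrote them.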
For more information check out our eBook; it’s filled with great tips.


1 Comment

  1. Gfx Trade   |  Saturday, 03 March 2012 at 10:15 pm

    Gfx Trade…

    [...]how to detect an impersonation attack against your email | hackedlab[...]…
