How to detect an “Impersonation Attack” against your email
Last Updated on Tuesday, 8 November 2011 03:46 Written by jsconners Wednesday, 2 November 2011 10:44
An “Impersonation Attack” (a.k.a. “Joe Job”) is a clever social engineering trick often used by spammers and in phishing scams. Here are the basic elements:
- Create a spam or phishing email message
- Get a list of email accounts that are related
- Pick an address from the list and send a faked email with the “From:” set to that address (required) and the “Reply-To:” set to that address (optional)
- Wait for recipients to do whatever it was you intended them to do (click link in message, open attachment, call a number, etc.)
The trick works because of three things:
- Social Link: List members share some common social thread such as friends, family, co-workers, sports teams, etc.
- Implicit Trust: Members on the list may have received email from that person before, so they “trust” them.
- Lack of Reporting: Recipients either simply hit “reply” to tell the sender about the weird email, or don’t contact the sender by an alternate method to let them know.
To tell an impersonation from an actual account break-in:
- Check the obvious first: See if there are any matching emails in your “Sent” folder. That would be the smoking-gun evidence of an account intrusion, not an impersonation.
- Have a recipient send you a copy of the email’s Internet headers. Reading up from the bottom of the headers, look for the first “Received:” line in this format:
Received: from choi002a2e59bf.tbroad ([218.10X.25X.XX]) by COL0-MC2-F38.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Wed, 2 Nov 2011 02:51:42 -0700
- The numbers between the square brackets “([...])” (obscured with “X” in the example for privacy) potentially represent the IP address of the sender. In this case the sender was in Korea (or using a proxy server there) connecting through Hotmail using a Microsoft SMTP (email) client.
- Copy and paste this number (example 18.104.22.168) into the WHOIS search at www.domaintools.com. If the WHOIS record returns something other than your email service provider’s network (say Google for Gmail) or your local Internet Service Provider, then the message was most likely faked.
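The header check above can be scripted. The following is an added example, not code from the original post: it parses a raw message with Python's standard email module, walks the “Received:” lines from the bottom up to find the host that first handed the message to a relay, pulls the bracketed IPv4 address out of that line, and compares it against the networks the sender's mail would normally come from. The sample headers, the host names, and the two “trusted” ranges (192.0.2.0/24 and 198.51.100.0/24, documentation addresses standing in for the provider's and the home ISP's networks) are all constructed for the example; in practice you would fill those ranges in from the WHOIS lookup the post describes.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers (not from the original post). The earliest hop,
# the last "Received:" line, shows the connecting host as a TEST-NET address
# that falls outside the sender's provider network defined below.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP; Wed, 2 Nov 2011 02:51:50 -0700\n"
    "Received: from host.tbroad ([203.0.113.77])\n"
    "\tby mx.example.net with SMTP; Wed, 2 Nov 2011 02:51:42 -0700\n"
    "From: Alice <alice@example.net>\n"
    "Reply-To: alice@example.net\n"
    "To: bob@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Assumed networks the sender's mail normally originates from: the email
# provider's own servers and the sender's home ISP. These are placeholder
# ranges; a real check fills them in from the WHOIS lookup.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical provider network
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical home ISP network
]

# The receiving server writes the connecting host's address in square brackets.
_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return the Received: header values in delivery order, earliest hop first.

    Each relay prepends its own Received: line, so the line that appears last
    in the message is the one closest to the sender.
    """
    msg = message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw_message):
    """IP address of the host that handed the message to the first relay, or None."""
    hops = received_hops(raw_message)
    if not hops:
        return None
    match = _BRACKETED_IPV4.search(hops[0])
    return match.group(1) if match else None


def classify(ip, trusted_networks):
    """'expected' if the IP sits in a network the sender normally uses, else 'suspect'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "suspect"
    if any(addr in net for net in trusted_networks):
        return "expected"
    return "suspect"


def check_message(raw_message, trusted_networks=TRUSTED_NETWORKS):
    """Combine the two steps: find the originating IP and classify it."""
    ip = originating_ip(raw_message)
    if ip is None:
        return (None, "suspect")
    return (ip, classify(ip, trusted_networks))


if __name__ == "__main__":
    for number, hop in enumerate(received_hops(SAMPLE_MESSAGE), 1):
        print(f"hop {number}: {hop.splitlines()[0]}")
    print(check_message(SAMPLE_MESSAGE))
```

Start reading from the first “Received:” line written by your own provider's server and work downward: anything below that was supplied by whoever connected to it, so a sender can add made-up “Received:” lines of their own, and the line your provider wrote is the one whose bracketed address you can rely on.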