Email security - part 2

Posted 19/10/2011 - 16:52 by ng

Is an email really from who it appears to be from?

Further to my older post on this topic, this post demonstrates some further risks in email communication. It is very easy for somebody to fake a From address and, with a little planning, trick unsuspecting users into sending personal information. The basic technique is the same as phishing.

If you're reading this via email, you probably won't see the images. View this page on the site instead.

Fake email

Firstly, I sent an email (to myself) made to look as though it had been sent by Mike Fayle. This is the concern: a nasty person somewhere might send you an email in this way. Would you notice that it's fake?

Here's how the received email looks when I read it in my email program:

email-received

The From address looks valid, and it is a real address, but the email was not actually sent by Mike Fayle: whoever sends a message can put whatever they like in the From header, and nothing in the normal delivery process stops them. You might notice that the displayed Reply-To address is not the same as the From address, but not all email programs display the Reply-To header at all.

Reply to fake email

So, the normal thing to do would be to just click reply ...

email-reply

The email program fills in the destination address using the Reply-To address given in the original message, as the standard says it should. Everything looks "normal". The problem is that the reply is going somewhere else: to whoever has registered the domain name kpmg-iom.com.

In a similar way, the originator could have used an address like kpmg.co.im@gmail.com (first registering that ID as a Gmail account) and quite possibly you would think it was bona fide.
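The two tricks above (a genuine From with a Reply-To elsewhere, and a look-alike Gmail address) can be reproduced with a few lines of Python's standard email library. This is an added example and not code from the original post; the names and domains are the ones the post uses, while the Reply-To local part (mfayle@kpmg-iom.com), the subject, the body text and the "expected domain" list are assumptions made for the example. The reply_target function mirrors what a mail client does when you hit Reply, and reply_warnings shows the two checks a cautious client (or a user) could apply before replying.

```python
from email.message import EmailMessage
from email.utils import parseaddr


def build_spoofed_message() -> EmailMessage:
    """The message described in the post: a genuine-looking From, a Reply-To elsewhere.

    The local part of the Reply-To address is an assumption; the post only
    names the domain kpmg-iom.com. Subject and body are constructed.
    """
    msg = EmailMessage()
    msg["From"] = "Mike Fayle <mfayle@kpmg.co.im>"        # the sender chooses this freely
    msg["Reply-To"] = "Mike Fayle <mfayle@kpmg-iom.com>"  # where a reply really goes
    msg["To"] = "netgenius@mail.netgenius.co.uk"
    msg["Subject"] = "Please confirm your details"
    msg.set_content("Could you reply with your date of birth and passport number?")
    return msg


def build_gmail_variant() -> EmailMessage:
    """The alternative from the post: a look-alike Gmail address used directly as From."""
    msg = EmailMessage()
    msg["From"] = "Mike Fayle <kpmg.co.im@gmail.com>"
    msg["To"] = "netgenius@mail.netgenius.co.uk"
    msg["Subject"] = "Please confirm your details"
    msg.set_content("Could you reply with your date of birth and passport number?")
    return msg


def build_genuine_message() -> EmailMessage:
    """A plain message with no Reply-To, for comparison (constructed)."""
    msg = EmailMessage()
    msg["From"] = "Mike Fayle <mfayle@kpmg.co.im>"
    msg["To"] = "netgenius@mail.netgenius.co.uk"
    msg["Subject"] = "Lunch?"
    msg.set_content("Are you free on Friday?")
    return msg


def addr_spec(header_value) -> str:
    """Bare user@domain from a header such as 'Name <user@domain>', lower-cased."""
    return parseaddr(str(header_value or ""))[1].lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def reply_target(msg: EmailMessage) -> str:
    """What a mail client fills in on Reply: Reply-To if present, otherwise From (RFC 5322)."""
    return addr_spec(msg.get("Reply-To") or msg.get("From"))


def reply_warnings(msg: EmailMessage, expected_domains=("kpmg.co.im",)) -> list:
    """Warnings a cautious client could show before the user hits Reply.

    expected_domains is where you would expect this correspondent's mail to
    come from; a fixed tuple here for the example, your address book in practice.
    """
    warnings = []
    sender = addr_spec(msg.get("From"))
    target = reply_target(msg)
    if target and domain_of(target) != domain_of(sender):
        warnings.append(f"reply goes to {target}, not to the From address {sender}")
    if domain_of(sender) not in expected_domains:
        warnings.append(f"From domain {domain_of(sender)!r} is not one you expect for this person")
    return warnings


if __name__ == "__main__":
    for label, msg in [("spoofed", build_spoofed_message()),
                       ("gmail look-alike", build_gmail_variant()),
                       ("genuine", build_genuine_message())]:
        print(f"{label}: reply would go to {reply_target(msg)}")
        for w in reply_warnings(msg):
            print("  WARNING:", w)
```

The first check (Reply-To domain differs from From domain) is the one the post's screenshots illustrate; the second catches the Gmail variant, where there is no Reply-To at all and the From address itself is the problem. Neither check proves a message is genuine when it passes, since the From header is entirely under the sender's control.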

What to do?

You could, as described in my older post, check the message headers on the incoming email.

Interpreting these needs a good degree of technical knowledge. If you suspect you have received a fake email, either ignore it, or check with the supposed sender that it's genuine. You can safely send an email to an address you already trust (mfayle@kpmg.co.im in this case, taken from your address book or the company's own website rather than from the suspicious message); the danger comes from replying to an untrusted email or following an untrusted web address.

The relevant headers in the message look like this:

> Delivered-To: netgenius@mail.netgenius.co.uk
> Received: from assp.netgenius.co.uk (postfix.localhost [127.0.1.25]) by mail.netgenius.co.uk (Postfix) with ESMTPA id 35083CDD81B6 for ; Wed, 19 Oct 2011 16:32:08 +0000 (UTC)
> Received: from [192.168.1.128] ([95.16.95.242] helo=[192.168.1.128]) with IPv4:465 by assp.netgenius.co.uk; 19 Oct 2011 16:32:07 +0000

In this case there are only two Received headers, because the mail was sent from home directly to my own mail server. Each server that handles a message adds its own Received line at the top, so the lowest one is the first hop, nearest the sender. The thing to notice in that second header is the IP address 95.16.95.242. In fact, that is the IP address of my internet connection at home, the one I used when I wrote and sent the message. Under other circumstances I would look that address up, e.g. at www.maxmind.com, and the result shows it as apparently located in Badajoz, Spain (correct!) and not in the Isle of Man, where I would have expected Mike Fayle to send email from. One caveat: only the Received lines added by servers you trust (here, both of them are mine) are reliable, because a sender can type fake Received lines of their own into the message before sending it, and those will appear below the genuine ones.
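The header check described above can be automated: walk the Received headers from the sender's side, skip the private and loopback addresses that belong to a home LAN or the receiving server itself, and take the first externally routable address, but only from Received lines that a server you control actually added. This is an added example, not code from the original post. The sample headers are the ones shown in the post (re-folded, with the recipient after "for" left missing as it is in the original); the From, Reply-To and Subject lines, the list of trusted servers, and the forged "mail.kpmg.co.im" hop used to show the caveat are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Headers as shown in the post, re-folded. The recipient after "for" was already
# missing in the original and is left as it was. From/Reply-To/Subject are constructed.
RAW_HEADERS = """\
Delivered-To: netgenius@mail.netgenius.co.uk
Received: from assp.netgenius.co.uk (postfix.localhost [127.0.1.25])
 by mail.netgenius.co.uk (Postfix) with ESMTPA id 35083CDD81B6
 for ; Wed, 19 Oct 2011 16:32:08 +0000 (UTC)
Received: from [192.168.1.128] ([95.16.95.242] helo=[192.168.1.128])
 with IPv4:465 by assp.netgenius.co.uk; 19 Oct 2011 16:32:07 +0000
From: Mike Fayle <mfayle@kpmg.co.im>
Reply-To: Mike Fayle <mfayle@kpmg-iom.com>
Subject: Please confirm your details

"""

# Constructed: the same message with a fake Received line the sender typed in themselves.
# It sits below the genuine ones, so a naive reader takes it for the first hop.
FORGED_HOP = ("Received: from mail.kpmg.co.im (mail.kpmg.co.im [203.0.113.7])\n"
              " by mx.kpmg.co.im (Postfix) with ESMTP; 19 Oct 2011 16:30:00 +0000\n")
RAW_HEADERS_FORGED = RAW_HEADERS.replace("From: Mike", FORGED_HOP + "From: Mike")

# Hosts whose Received lines we trust because we run them (an assumption for the example).
OUR_SERVERS = {"mail.netgenius.co.uk", "assp.netgenius.co.uk"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Ranges that show up for a home LAN or the receiving server itself, never for the
# far end of an internet connection: loopback, link-local and RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw: str) -> list:
    """Received headers in transit order. Each server prepends its own line,
    so the last one in the message is the first hop (nearest the sender)."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def added_by(hop: str) -> str:
    """The server that claims to have written this Received line (the 'by' clause)."""
    m = BY_HOST.search(hop)
    return m.group(1).lower() if m else ""


def external_ips(hop: str) -> list:
    """IPv4 addresses in one Received line that are not loopback, link-local or RFC 1918."""
    found = []
    for text in IPV4.findall(hop):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.append(str(ip))
    return found


def originating_ip(raw: str, trusted_servers=None):
    """First external address seen walking from the sender's side.

    With trusted_servers given, hops not recorded by one of those servers are
    ignored, which is what defeats a forged Received line. With None, every
    hop is believed (the naive reading).
    """
    for hop in received_hops(raw):
        if trusted_servers is not None and added_by(hop) not in trusted_servers:
            continue
        ips = external_ips(hop)
        if ips:
            return ips[0]
    return None


if __name__ == "__main__":
    print("genuine headers, trusting our servers:", originating_ip(RAW_HEADERS, OUR_SERVERS))
    print("forged hop, naive reading:           ", originating_ip(RAW_HEADERS_FORGED))
    print("forged hop, trusting our servers:    ", originating_ip(RAW_HEADERS_FORGED, OUR_SERVERS))
```

On the post's own headers both readings give 95.16.95.242, the address the post then looks up at maxmind.com (that lookup needs their database or web service and is not done here). With the constructed forged hop the naive reading reports the attacker's made-up address instead, while restricting to hops written by your own servers still gives the real one.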

Quickly on this subject: be aware that, in the same way, anybody you send an email to can find out with reasonable accuracy where you are located, because the IP address of your connection will almost invariably be recorded in the message's Received headers when you send from an email program on your own computer. Many web-based mail services record their own server's address there instead, so this applies less to them.

Summary

You cannot safely assume that an email is necessarily from the named sender.

Be especially cautious if:

  • The email asks you to reply to a different address, or a different address appears as the destination when you hit Reply

  • The message asks you to provide any kind of information that might be useful to "nasty" people.

  • The message asks you to go to a website to fill in a form. The site name displayed in the text of a message may not be the actual address the link goes to: the example link in this post is displayed as http://www.facebook.com but actually takes you to Google.
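The last point, a link whose visible text is one address while its real target is another, is easy to check mechanically in an HTML message: compare the host in the link text with the host in the href. The following is an added example, not code from the original post. The HTML is constructed in the spirit of the post's facebook-to-Google link, with kpmg.co.im.example.net standing in for a look-alike site; the URL_LIKE pattern and the decision to flag only link text that itself looks like an address are assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML: the first link reads facebook but goes to Google (as in the post),
# the third uses the target's name as a subdomain of somewhere else.
SAMPLE_HTML = """
<p>Please sign in at <a href="http://www.google.com/">http://www.facebook.com</a> to continue.</p>
<p>Our site: <a href="http://www.kpmg.co.im/">www.kpmg.co.im</a></p>
<p>Secure portal: <a href="http://kpmg.co.im.example.net/login">kpmg.co.im</a></p>
<p><a href="http://example.net/form">click here</a> to update your details.</p>
"""

# Link text that a reader would take to be a web address: optional scheme, a dotted name, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, accepting bare names such as 'www.kpmg.co.im'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html: str) -> list:
    """(visible text, real href) for links whose text looks like an address
    but whose actual host is a different one."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_HTML):
        print(f"link text {text!r} actually points at {href}")
```

The "click here" link is not flagged because its text makes no claim about where it goes; for those, the only check is to hover over the link (or read the message source) and look at the real address before clicking. An exact host comparison also flags the subdomain trick, where the expected name is merely the front of a longer, unrelated host.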

And finally - in my opinion, KPMG should not ask for sensitive information via email, but it seems they sometimes do.


Author's note: (AKA touting for business) - this stuff is my profession - if you run a business and need help with IT security, web-technology or other IT topics, please contact me via netgenius.co.uk

A minor addendum, just for completeness... Re-reading that post, where I said "You can safely send an email to the trusted email address...", I should perhaps have said relatively safely. There are ways that such an email could be intercepted or re-directed to another destination, but that's relatively unlikely, especially if you use a web-based major email provider such as Gmail or Hotmail. Such services are not immune to security vulnerabilities, but we can hopefully assume that those providers have adequate protection and detection systems in place.

If you use a local email program (Microsoft Outlook, Apple Mail, etc) then the risk is a little higher, but still small. These systems are potentially vulnerable to trojans and DNS spoofing, either of which could potentially intercept/redirect an outgoing email. But, if either of those situations exist on your computer, then you have much bigger problems to worry about than where your outgoing email is going to arrive!

Finally, for using the web in general, including web-based email services, you can increase your security by using a secure browser, and currently Google Chrome tops the charts - article here.

Most likely there's no cause for concern. Most likely your car won't get stolen, but it's probably a good idea to lock it anyway.

Posted by ng on Wed, 24/10/2012 - 18:35