Online Identity Theft

Spoof Email Hoax scams and Fake Web Pages or Sites

Part Three

How do I recognise a Spoof Email?

This means that if...
the email has any kind of form (see examples) that requires you to enter your User ID,
password, credit/debit card or banking details (and sometimes Social Security
and card PIN Numbers)
then...
it is NOT a genuine email, it is a spoof.
HOWEVER...

This sounds like a simple enough rule, but in reality, the best spoof, forged, bogus or hoax email would not do that anyway. The problem is that any email could merely offer you a link to a web page for any reason, and the most convincing spoofs may refer you to a spoof web page where the user information is gleaned from you later instead (see an example of this). This problem is further exacerbated by the fact that users will often receive genuine eBay and Paypal emails offering links to their site for various purposes, it is therefore not the case that they will never ask you to click on a link. It would be better for us if there were never any links in eBay or Paypal emails, but many of us rely on those links to interact with their sites for various reasons. Having said that, a recent email from eBay included 38 separate links, only one of which was a link to http://www.ebay.co.uk!

Please, therefore, do not believe the email to be genuine just because it does not ask
for your private information alone.

So how can you really determine if it is a spoof?

This is made difficult by three distinct factors.....

1. the ease with which almost anyone can forge an email and almost all its header information due to a security loophole in the set up of SMPT mail servers (POP3). It is a certain fact with any email that the sender, as shown in your mail program's inbox, is absolutely no guarantee of its true origin,

2. by the way in which URLs (links) can be disguised so that the true destination is concealed,

3. the ease with which genuine web site text and graphics can be used in an email or web page just by including the relevant standard html code.

Email Headers

You'll hear plenty around the internet about email headers and in many cases they do show that the sender is not who they say they are (see a comparison between a spoof and genuine spoof here), but it isn't a definite way of identifying a spoof email. It is possible to forge almost all of an email's header information or remove the parts that may indicate its origin.

The spoof report departments of genuine sites (eBay, Paypal, etc.) place a lot of emphasis on their need for the full email with header in a report of a spoof, but this will not necessarily tell them its true origin. They will most likely have to communicate with the ISP(s) and servers that handled the email as it travelled around the internet, and who may be able to trace its origin by viewing their detailed server logs.

This is not to say for certain that the scammers would have been clever enough to spoof the whole email header, sometimes there are clear indications that the email has not come from where it should have (as the example shows). However, the email header is the first useful indication of whether the email is genuine or not (quite simply, if it does not indicate that it has passed from eBay's servers, for example, then it is a hoax).

Links in an email and URL CLOAKING

Please note that Microsoft issued a cumulative Critical Update to address some of the issues disgussed below on the 2nd February 2004. For more information see here and to ensure that you are up to date, please run windows update and install all Critical Updates.

 

There are a variety of ways that can be employed to disguise the true location of any web page that a link points to. One or more of these will be used by scammers to add a sense of authenticity to any scam that they may face you with. These methods vary from the simple HTML link through to the very serious spoofing vulnerability that presently exists in most web browsers. We'll look at each of these methods and provide some solutions to checking the validity of those links or pages...

In a text only email, such a disguised link could be constructed thus.....

the link to the spoof web page is preceded with the first part of the genuine site's URL, such as 'https://www.paypal.com' or 'http://www.ebay.co.uk'
followed by
almost any string of characters of almost any length
and then
the '@' character
followed by
the true URL of page that you will at

.....such a link would instruct your browser to open the forged page and would NOT send you to, or through, the genuine site. The following is a good example of this kind of spoof link ...

http://www.ebay.com-SECURITYCHECKw8grHGAkdj>jd7788<Account
Maintenace-4957725-s5982ut-aw-ebayconfirm-secure-
23985225howf8shfMHHIUBd889yK@MIllerSMILes.Co.Uk

...which would actually take you to our home page (its been disabled though and will not work).

You can see, in this example, that the actual URL that you'll arrive at is written after the '@' character. This link would fool most people, especially since it starts with "http://www.ebay.com" and has relevant statements like "securitycheck" and "aw-ebayconfirm" written into it. Also, because of the length of the URL, it would appear to be valid when you look at the text shown in the bottom of your browser frame (status bar) while your mouse is positioned over the link.

In an HTML email, or a web page, simple cloaking can be employed with the use of standard HTML code - the text of the link can show pretty much any thing, but the destination of the link is another issue. A good example of this kind of cloaking would be the following link ...

http:www.ebay.com/account verification

The URL of this link is exactly the same as the one above, and also sends you to our home page and is also constructed to appear to be genuine when viewing the status bar message.

The more serious form of link and URL cloaking uses the vulnerability that exists in Microsoft's Outlook, Outlook Express and Internet Explorer as well as some Mozilla browsers. This can allow a completely different URL to be shown in the status bar to the true address. In that case, you could construct a link that shows http://www.citibank.com/ in the status bar, while the link actually opens a page at http:www.fakepage.com/.

Also, and with Internet Explorer in particular, you can arrive at a web page which shows a completely different URL in the browser address bar than the true location of that page. For instance, a fake Ebay email may use this method with a link shown as www.ebay.com and that opens a web page with http://www.ebay.com/..... shown in the address bar, but with a forged Ebay page in the browser window which is located in completely different web space. The following URL cloaking bug check utility shows an example of this kind of disguised link or web page (if your browser IS vulnerable)...

If you see a link that you want to use, first check it for spoofing with our Link Checker, which is a utility which will tell you if any of these null or special characters exist in the link. Otherwise, it is really best that we NEVER click on a link contained in an email just to be sure - almost every site places links to thier pages within their emails and this is gives rise to the potential to fall victim. If there really is any genuine request from any of those sites to communicate information with them, you should enter the site manually (by entering the relevant URL directly into your browser address bar) and then log in and interact with the site by that approach alone. That really is the safest way of doing it, and any urgent request for information should be presented to you once logged in.

Graphics and text

It is very easy to construct a web page or HTML email using genuine graphics and text with fairly basic knowledge in web page design. These files are freely available from their own servers and can be linked to from within the spoof's code by fraudsters. Spoofed emails and web pages can therefore look extremely convincing (see an example of this).

In Conclusion

Despite eBay's and Paypal's half hearted attempts to reassure us with their policy on requests for information by email, it does not mean that any other email is genuine and it does not really make it more certain that we will not fall prey to the fraudsters. Fraudsters evolve and work will work with the loop holes that they come across. Instead take this more responsible approach...

First, look for spelling and gramatical errors (some main text in spoofs is written by non-english speaking persons, errors are common).

Second, if the email has a form to complete for any information (including your user name and password, bank details, credit card details, etc, etc.) then it is NOT from the genuine site. None of the genuine sites would do this.

Third, if we find that it requests us to confirm any login information (such as user name, password and any financial information like credit card details), it is most likely not a genuine email. If any site needs you to confirm details, simply type the known URL for that site into your browser, login and interact in that way alone, if there is any genuine need to verify any information, you will be asked to do so by some message when you log into the site.

Fourth, if the email advertises a competition, or tells you that you've been selected for some prize or accolade, don't believe it, and do NOT interact with anything within the email. You can confirm any of that by going to their genuine web site and logging in as described above. Perhaps the simplest way to protect us from the current form of spoof emails is for eBay and Paypal to just stop including any links at all in their own emails.

Fifth, change your notification preferences on sites like eBay and Paypal in order to reduce the amount of email that you receive from them. Keep it to essential information only.

Sixth, check the email header and look for anomolies as previously discussed.

If you are still uncertain and suspect that you have received a spoof, contact the support department of the appropriate site (in the case of eBay and Paypal, you forward the email to their spoof departments - spoof@ebay.com or spoof@paypal.com). You should copy and paste the full email with header into your query as well (but do not copy and paste for eBay or Paypal, instead you should use the 'forward' function of your mail program and send it without any comment added).

Next, we will look at how spoof emails work to commit fraud...