My wife thinks she was hacked. I’m not so sure.

JOhnH

Touchdown! Greaser!
Joined
May 20, 2009
Messages
14,452
Location
Florida
Display Name

Display name:
Right Seater
My wife is President of her club. She sends emails to the group.

Today she was notified by several members of that group email that they received an obvious Phishing email from someone using her name but from a gmail account that was similar to hers, but a different domain.

Her email is “wife”@att.net
The phishing email was sent from “wife9898”@gmail.com.

If she had been hacked, wouldn’t the email been from her account?

We are out of town celebrating our 33rd anniversary and she doesn’t have her computer with her. And I don’t have a lot of time to spend on this. We are headed out to dinner right now at a place that is waaaaay too expensive.
 
Likely somebody in the group was hacked, not necessarily your wife, in fact probably not. A common method is the virus on an infected computer reads the address book or email history. It picks one address as a spoofed "from" and sends the virus email to everybody else on the list.
 
They can actually spoof your wife's actual email address by manipulating the headers. This is a classic Phishing scam. Don't click on any links and warn your friends. If this is a work related email account, see your CIS administrator, as this could be a sign of the company's LAN being penetrated.
 
They can actually spoof your wife's actual email address by manipulating the headers.
That's not what happened. They used the wife's name as a basis for a different email address. Manipulating the headers was not necessary.
 
My wife is President of her club. She sends emails to the group.

Did she send the email thru a club scheduling system or did use her own email client / browser and just CC everyone?

Don’t need to get hacked to send the email you describe. That’s just simple trickery to get to folks that didn’t notice the difference in the email addresses.
 
Email addresses can easily be spoofed, unfortunately.

another issue is use of capital letters

WIFE@att.net
WLFE@att.net (but where L is lower case L, can not tell the difference)
 
...another issue is use of capital letters...
Tangentially related, scammers register 800 #s slightly off of legit numbers. My wife miss-dialed when activating a credit card and unfortunately divulged personal information before realizing she wasn't talking to who she thought she dialed.
 
This has happened with our EAA chapter recently, and repeatedly. People get emails bearing the name of our chapter president, saying he's out of town and needs them to do something for him (which invariably turns out to be "Go buy some gift cards for donations to this worthy cause and send them all the info, I'll reimburse you"). The email address, if you dig deep enough to find it, is some random throwaway Gmail address. Not even remotely close to his actual email address.

This is possible because most or all email programs now just display the "display name" the email is received from, not the actual email address. Some, like Apple Mail, make you go through extra steps to see the email address and make the scammers' jobs much easier. No need for fake email headers or anything; your email client does all the hard work for them and just shows you what they want you to see.

I manage the IT infrastructure for my company, which includes email. You'd be amazed at the sheer volume of these attacks we see daily. Go buy gift cards, change my payroll direct deposit to this Nigerian bank account, open this HTML attachment, and so on. Fortunately nearly all of them end up dropped into email quarantine. We've got pretty advanced tools to intercept this stuff, and it's not 100% effective. The average person has very little standing between them and the low-life scum sucking thieves.
 
This has happened with our EAA chapter recently, and repeatedly. People get emails bearing the name of our chapter president, saying he's out of town and needs them to do something for him (which invariably turns out to be "Go buy some gift cards for donations to this worthy cause and send them all the info, I'll reimburse you"). The email address, if you dig deep enough to find it, is some random throwaway Gmail address. Not even remotely close to his actual email address.

This is possible because most or all email programs now just display the "display name" the email is received from, not the actual email address. Some, like Apple Mail, make you go through extra steps to see the email address and make the scammers' jobs much easier. No need for fake email headers or anything; your email client does all the hard work for them and just shows you what they want you to see.

I manage the IT infrastructure for my company, which includes email. You'd be amazed at the sheer volume of these attacks we see daily. Go buy gift cards, change my payroll direct deposit to this Nigerian bank account, open this HTML attachment, and so on. Fortunately nearly all of them end up dropped into email quarantine. We've got pretty advanced tools to intercept this stuff, and it's not 100% effective. The average person has very little standing between them and the low-life scum sucking thieves.
One of the things I like about Windows is that, at least on the email providers I use, doing a mouse-over of the sender's name shows the email address.
 
One of the things I like about Windows is that, at least on the email providers I use, doing a mouse-over of the sender's name shows the email address.
Yeah, I like that too. Sometimes it doesn't show an email address, in which case I immediately dispatch it to junk.
 
"doing a mouse-over of the sender's name shows the email address"

I do that too but I worry that even that is not safe. I don't know, but I worry:)

I recently skimmed (or even less) something about specially crafted files causing your Windows password (somewhat encrypted) to be sent to a remote site just by mousing over the file name in Explorer.

Very briefly, 'cos I only know a brief bit. Windows helpfully sends credentials when your machine attempts to access certain remote resources - just in case it might help. Something in these files point to a remote resource (maybe to get an icon?) and BINGO!

Something similar can happen with one pixel (or any other size) image files in web documents. The URL can be crafted to look like a remote windows resource and your user ID and password (somewhat encrypted) get sent. Now for a home user this might not matter much but for a corporate user (say a system admin) it can get very serious. Hence two factor authentication is now essentially mandatory.
 
I do that too but I worry that even that is not safe. I don't know, but I worry:)

It can be spoofed. Mail is still sent via the Simple Mail Transport Protocol (SMTP) written in the early 80s, written by (no kidding) Jon Postel and Suzanne Sluizer. It is literal text exchanged between the client and the server

A sample session might look like this, using C: for client commands and S: for server responses:

C: HELO client.com
S: 240-HELO server.com greets client.com
C: mail from "president@whitehouse.gov"
S: 250 OK
C: RCPT-TO "sucker@client.com"
S: 250 OK
C: DATA
C: From: POTUS <president@whitehouse.gov>
C: Subject: April 1st
C: Hi. Check the Date
C: .
S: 250 OK

There's been a little sophistication put into it since it was first written and this might not be a perfect protocol, but this how easy it is (used to be) to spoof.

BTW, do NOT spoof emails from POTUS. It's...errr...not a good idea.
 
Advantage of being a unix/linux sysadmin....I read headers....ALL the headers...the one's that 99.99% of the masses don't even know exist.
 
Advantage of being a unix/linux sysadmin....I read headers....ALL the headers...the one's that 99.99% of the masses don't even know exist.
Note to self: Next April 1st, send Murphy an email from a corporate laptop buried under a pile of Exchange servers. Watch Murphy disappear for a month reading email headers.

The fun part is playing “spot the fake header info” in email. I don’t get to play that as much now. Between greylisting, blacklists, and blocking most new top level domains along with huge swaths of IP space covering most of Asia and Eastern Europe, the spam making it into our little family SMTP server is comparatively rare. And the work stuff I just note in passing and move on. Almost none makes it to the users.
 
Note to self: Next April 1st, send Murphy an email from a corporate laptop buried under a pile of Exchange servers. Watch Murphy disappear for a month reading email headers.

The fun part is playing “spot the fake header info” in email. I don’t get to play that as much now. Between greylisting, blacklists, and blocking most new top level domains along with huge swaths of IP space covering most of Asia and Eastern Europe, the spam making it into our little family SMTP server is comparatively rare. And the work stuff I just note in passing and move on. Almost none makes it to the users.
lookin forward to it!
 
I am an administrator of a Google Group and occasionally see these type of attacks. First step I do is to retrieve the email header and try to see what happened. You can identify all the servers that were used and determine if any are known spam sites. I then look at all the email addresses. Most of these are just alterations of the legitimate email address. They are designed so that if anyone replies to the email, that email is sent to the spoofer and not the real member. A few of these claim that the email is from one of our members, that they lost all their money and IDs overseas, and need a gift card of some sort to get back home. When I see one of these, I warn our members just to ignore it.
 
"Go buy some gift cards for donations to this worthy cause and send them all the info, I'll reimburse you").

One of the employees got one of those. The people said he could pay his cable bill in advance using target or amazon gift cards. Then they hit up the gullible fool again claiming they can save him more by prepaying a year. They hooked him for 1500.00
 
Back
Top