A correspondent recently brought a peculiar email to my attention, and I thought it important enough to share with you.
This email purported to be from E-Gold, an online payment service used by many people who wish to protect their privacy, and who simply prefer cold, hard cash. It attempts to trick the recipient into logging into what he believes to be E-Gold's site and handing over his account number and password.
The Warning
This is not legitimate!
The message you might receive looks like this:
From: Service EG
To: e-gold customer
Sent: 15. November 2002 11:31 PM
Subject: [e-gold-service] We have set a value limit on your e-gold account
Dear e-gold customer,
This is a due diligence request.
We have set a value limit on your e-gold account
(For security purposes, your e-gold account number
is not specified in this email.) of US $500 in
accordance with Right of Association provisions of
the e-gold Account User Agreement:
http://www.e-gold.com/unsecure/e-g-agree.htm
If we detect that multiple e-gold accounts are being
used to circumvent this value limit, we will set the
value limit on all related accounts to zero without
further notice in accordance with e-gold Ltd.'s
Right of Association Policy located in the e-gold
Account User Agreement (see Refusal Without Cause).
We require the following immediate action:
1. Review point of contact and User information via
the applicable form from the e-gold Account Manager:
https://www.e-gold.com/acct/manager.htm
We may verify the accuracy of this information (see
item 3 below); therefore, it is imperative that this
information be complete and correct. Promptly make
any necessary changes via the web interface.
If verification efforts demonstrate any information
to be incorrect, we will set the value limit on your
e-gold account to zero without further notice.
2. Mail (or preferably, use a courier service such
as Fed Ex or DHL) original notarized copies of all
of the following information:
a) A signed and notarized affidavit listing: Names,
addresses, and telephone numbers of the principal
owners of e-gold account.
b) Copy of a telephone or utility bill that has the
same address stated in item A.
c) Notarized copies of Passport or Driver's license
of each principal owner.
[Other requirements added dependent on situation]
addressed to:
G&SR
175 East Nasa Blvd.
Suite 300
Melbourne, FL 32901
Attn: Due Diligence Unit
If all requested information is not received within
fourteen (14) business days, the value limit on your
e-gold account will be set to zero without further
notice.
If all requested information is received within the
allotted response interval, the value limit on your
e-gold account will be removed.
3. We will verify physical address of record (see
item 1) via postal mail. If we are unable to verify
physical address, we will set the value limit on
your e-gold account to zero without further notice.
Sincerely,
Due Diligence Unit
www.e-gold.com
The text looks real. The links look real. They are not. Disregard this message and do not click the links. The real E-Gold site asks that suspected spoofs be reported to ddu@e-gold.com.
The Details
This spoof exploits email clients that render HTML. The visible text of each hyperlink is the correct E-Gold URL, but the underlying href in the HTML points somewhere else: clicking a link in an HTML-enabled mail client takes you to www.e-gold.cc rather than the real E-Gold site at www.e-gold.com. If you use MS Outlook, float your mouse pointer over a hyperlink without clicking; the pop-up tooltip shows the URL actually coded into the link. If it doesn't match the visible text, you have a problem.
I highly recommend that you disable HTML in your email program. Rendering HTML makes you vulnerable to this type of spoofing, and it can also let hostile scripts and embedded objects run automatically; that is how the Klez worm propagates, for instance. (Make sure you have a good anti-virus program, too.)
It's a pain in the rear, but I also will not normally open an HTML message while on-line. Aside from the above-mentioned hazards, doing so can violate your privacy. Just like a hit counter on a website, an HTML message can carry an embedded image or script that is fetched from the sender's server the moment you read it, telling the sender exactly when the message was opened. That also validates your address for spammers who blindly send to entire domains: once you've opened that message and rung their chime, they know yours is a real address, and they'll hit you with more spam.
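To make the visible-text-versus-href distinction and the web-bug problem concrete, here is an added example (mine, not the article's, and not anything E-Gold published): a short Python script that scans an HTML message body for links whose displayed URL names a different host than the href actually leads to, and for remote images or scripts that the client would fetch on render. The message it scans is constructed for the example; only the www.e-gold.com and www.e-gold.cc host names come from the article, and the tracker.example.net beacon is invented.

```python
# Added example, not code from the original article: scan an HTML message
# body for two of the tricks described above, using only the standard library.
#   1. Links whose visible text names one host while the href points at
#      another (the e-gold.com vs e-gold.cc trick).
#   2. Remote images/scripts that the client would fetch on render, which
#      tell the sender the message was opened (web bugs).
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message. The two e-gold host names are the ones the
# article reports; the tracker.example.net beacon is invented.
SAMPLE_HTML = """
<html><body>
<p>Review point of contact and User information via the applicable form
from the e-gold Account Manager:
<a href="https://www.e-gold.cc/acct/manager.htm">https://www.e-gold.com/acct/manager.htm</a></p>
<p>Agreement: <a href="http://www.e-gold.com/unsecure/e-g-agree.htm">http://www.e-gold.com/unsecure/e-g-agree.htm</a></p>
<img src="http://tracker.example.net/open.gif?id=victim-4711" width="1" height="1">
</body></html>
"""

# Visible link text that looks like a bare host name or URL without scheme.
HOSTLIKE = re.compile(r"(?:www\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?")

def host_of(url):
    """Lower-case host of a URL, or None if it has none (e.g. cid: or mailto:)."""
    host = urlsplit(url.strip()).hostname
    return host.lower() if host else None

def displayed_host(text):
    """Host that the visible link text claims, if the text looks like a URL
    or bare host name; None for ordinary words such as 'click here'."""
    text = text.strip()
    if "://" in text:
        return host_of(text)
    if HOSTLIKE.fullmatch(text):
        return host_of("http://" + text)
    return None

class MailScanner(HTMLParser):
    """Collect (href, visible text) for every anchor and every remote load."""

    def __init__(self):
        super().__init__()
        self.links = []         # (href, visible text)
        self.remote_loads = []  # (tag, url)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in ("img", "script", "iframe") and a.get("src"):
            if host_of(a["src"]):          # remote, not inline/cid:
                self.remote_loads.append((tag, a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """(href, visible text) pairs where the text names a host other than the
    one the href really leads to."""
    p = MailScanner()
    p.feed(html)
    bad = []
    for href, text in p.links:
        shown, real = displayed_host(text), host_of(href)
        if shown and real and shown != real:
            bad.append((href, text))
    return bad

def web_bugs(html):
    """Remote resources the client would fetch as soon as it renders the mail."""
    p = MailScanner()
    p.feed(html)
    return p.remote_loads

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print(f"LINK MISMATCH: shows {text} but goes to {href}")
    for tag, url in web_bugs(SAMPLE_HTML):
        print(f"REMOTE LOAD via <{tag}>: {url}")
```

Run against the sample, the first link is reported as a mismatch (shown www.e-gold.com, really www.e-gold.cc), the agreement link passes, and the one-pixel image is reported as a remote load. The same check is what the Outlook tooltip lets you do by hand, and a client that does not render HTML never performs the remote load at all.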
This spoof report also relates to web browsers. When I investigated the fraudulent site, using Opera 6.01, my browser detected a flaw in the site's certificate chain. My correspondent reported that MS Internet Explorer 6, with all updates, did not alert him.
Protecting Yourself
So how do you avoid these problems?
Email
Don't use MS Outlook in any of its incarnations.
Whatever client you use, disable HTML.
Be suspicious whenever someone wants personal data, especially if it involves passwords and/or money.
It also wouldn't hurt to be aware of email headers. The spoof email appeared to be from E-Gold. That's what the From: field said. But...
Here's a message that appeared in my In-Box as I prepared this article:
Date: 11/17/02 8:49 PM
From: George Dubya Bush
To: someone@somewhere.net
Copy:
Subject: Resignation
Due to a new-found respect for the US Constitution,
I have decided to resign my office, effective
immediately.
While I have no power to enforce it, I also hope
that everyone else currently in the line of
succession to the Oval Office will also resign.
Face it, guys; we've been screwing up big time.
/s/
George W. Bush
ex-President
USA
Wheee! Sounds good, doesn't it? Too bad it isn't real; I sent it to myself, faking some of the header data, which most folks set their clients to ignore. Take a look at the headers on this bit of wishful thinking:
Return-Path:
Delivered-To: someone@somewhere.net
Received: from smtp.surfbest.net (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]) by server10.safepages.com (Postfix) with SMTP id 44EC23C447 for ; Sun, 17 Nov 2002 20:49:41 +0000 (GMT)
X-Mailer: Ultrafunk Popcorn release 1.15 (14.Sep.2001)
X-URL: http://www.ultrafunk.com/products/popcorn
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=iso-8859-1
X-Priority: 3
Date: Sun, 17 Nov 2002 12:49:52 -0800 (Pacific Standard Time)
From: George Dubya Bush
To: someone@somewhere.net
Subject: Resignation
Reply-To: president@whitehouse.gov
Organization: White House
Message-Id: <20021117204941.44EC23C447@server10.safepages.com>
The Return-Path and From fields still appear to be from ol' Dubya. But take a closer look at the Received field, third line down. The sending machine announced itself as smtp.surfbest.net, and my provider's server recorded in parentheses what it actually saw on the other end of the connection: a UUNET dial-up line, 1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]. How likely is it that the White House is sending mail from a dial-up account through a commercial mail server?
Of course, spammers routinely forge the name in that field, too. They control the name their machine announces in its SMTP greeting (the part right after "from"), but not what your server observes: the reverse-DNS name and IP address in parentheses and brackets (in this case: [68.130.119.81]) are filled in by the receiving server. If the announced name had no matching reverse DNS, you'd see something like this:
Received: from smtp.whitehouse.gov (unknown [68.130.119.81]) ...
...which tells you that the claimed host name didn't match up with the actual IP address. A definite warning signal. Some mail servers and list servers use that as a spam indicator and screen such messages out automatically. One more caveat: only the topmost Received: line was written by your own mail server. Any Received: lines beneath it arrived inside the message, and a forger can type whatever he likes there.
Generally speaking, if the domain in the From: address doesn't match the domain of the machine that handed the message to your mail server, you might want to be careful. But...
Many people, myself included, use an email redirect service. I use bussjaeger@free-market.net as my permanent address; mail coming in to that address gets redirected by the Free-Market server to whatever account In-Box I find convenient at the time. I can change ISPs and mail accounts at will without having to change my address. A mail from me will have a header of this sort:
Return-Path:
Delivered-To: someone@somewhere.net
Received: from grizzly (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81])
by server10.safepages.com (Postfix) with ESMTP id A30A73C42B for
; Sun, 17 Nov 2002 20:49:57 +0000 (GMT)
Message-ID: <200211171250120000.0A06129F@smtp.surfbest.net>
X-Mailer: Calypso Version 3.30.00.00 (3)
Date: Sun, 17 Nov 2002 12:50:12 -0800
Reply-To: bussjaeger@free-market.net
From: "Carl Bussjaeger"
To: someone@somewhere.net
Subject: test
Content-Type: text/plain; charset="us-ascii"
So mismatches aren't always nefarious. I could set my client to show the "real" address associated with that account, but when I was configuring the program, it was convenient to cut and paste the Free-Market address in both fields.
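As an added example (not from the article) covering both the Received-line discussion and the redirect caveat: a Python snippet that parses each Received: line in Postfix's format, trusts only the topmost one, and flags an announced name that doesn't match the observed reverse DNS or that has none. The first two sample header sets are the article's own, rejoined onto single lines with the stripped recipient addresses omitted; the third, with the whitehouse.gov names and the 198.51.100.7 address, is constructed to show the "unknown" case and a sender-supplied lower Received: line.

```python
# Added example, not code from the original article: pull apart the Received:
# lines of a message and compare what the sender claimed with what the
# receiving server observed. Only the first Received: line can be trusted.
import re

# Postfix writes: Received: from <HELO name> (<reverse-DNS name> [<IP>]) by <our server> ...
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# FORGED and REDIRECTED are the article's Received lines, rejoined and with
# the stripped recipient address left out. NO_RDNS is constructed.
FORGED = """Received: from smtp.surfbest.net (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]) by server10.safepages.com (Postfix) with SMTP id 44EC23C447; Sun, 17 Nov 2002 20:49:41 +0000 (GMT)
Date: Sun, 17 Nov 2002 12:49:52 -0800 (Pacific Standard Time)
Subject: Resignation
Reply-To: president@whitehouse.gov
"""
REDIRECTED = """Received: from grizzly (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]) by server10.safepages.com (Postfix) with ESMTP id A30A73C42B; Sun, 17 Nov 2002 20:49:57 +0000 (GMT)
Reply-To: bussjaeger@free-market.net
Subject: test
"""
NO_RDNS = """Received: from smtp.whitehouse.gov (unknown [68.130.119.81]) by server10.safepages.com (Postfix) with SMTP id 0000000000; Sun, 17 Nov 2002 21:00:00 +0000 (GMT)
Received: from mail.whitehouse.gov (mail.whitehouse.gov [198.51.100.7]) by smtp.whitehouse.gov with ESMTP
Subject: constructed
"""

def registrable(host):
    """Crude 'organisation' part of a host name: its last two labels. Not a
    public-suffix lookup (it mangles names like example.co.uk), but enough
    to tell surfbest.net from uu.net."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyze_received(headers):
    """Parse every Received: line, top to bottom. Only the first one was
    written by *your* server, so only it is marked trusted; anything below
    it travelled inside the message and could have been typed by the sender."""
    hops = []
    for i, m in enumerate(RECEIVED_RE.finditer(headers)):
        helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
        hop = {"helo": helo, "rdns": rdns, "ip": ip, "by": m.group("by"),
               "trusted": i == 0, "warnings": []}
        if rdns.lower() == "unknown":
            hop["warnings"].append(f"{ip} has no reverse DNS; the name {helo} is unverified")
        elif registrable(helo) != registrable(rdns):
            hop["warnings"].append(f"claimed {helo} but really {rdns}")
        hops.append(hop)
    return hops

def suspicious(headers):
    """True if the trusted hop carries a warning. A warning is a reason to
    look closer, not proof of forgery: a dial-up user behind a redirect
    service trips it too, as the article's own legitimate message shows."""
    hops = analyze_received(headers)
    return bool(hops) and bool(hops[0]["warnings"])

if __name__ == "__main__":
    for name, hdrs in (("forged", FORGED), ("redirected", REDIRECTED), ("no rdns", NO_RDNS)):
        for hop in analyze_received(hdrs):
            flag = "trusted" if hop["trusted"] else "UNTRUSTED"
            print(f"{name}: [{flag}] {hop['helo']} = {hop['rdns']} [{hop['ip']}] {hop['warnings']}")
```

Both the forged presidential message and my own redirected test message trip the same warning, which is exactly the point: the check tells you to look closer, not that you have caught a forger. The constructed third sample shows the other lesson; its lower Received: line looks perfectly consistent, but it was not written by your server, so it is marked untrusted and proves nothing.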
Web Browsers
Be aware of the URL displayed in your browser's address field. Is it showing what you expected? Check the whole host name, not just the part that looks familiar: in this spoof, the .com was replaced with .cc, and that makes a world of difference.
If you're visiting a site which should be secure, is it? Most browsers use a little padlock icon to show that the connection is encrypted and that the site's certificate was accepted. In Opera, floating your mouse pointer over the padlock will give you information on the certificate and encryption. In IE, right-click on the web page, select Properties, and click the Certificates button. Remember that the padlock only vouches for the host name actually in the address bar; a properly issued certificate for www.e-gold.cc would light it up just as well as one for www.e-gold.com.
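An added example (not from the article): a Python function that answers "is this the site I expected?" for a URL, treating the .com-to-.cc swap and two relatives of it (a look-alike built as a subdomain of an attacker's domain, and a user name placed before "@" so that the real host is hidden) as failures. The expected site e-gold.com and the evil.example host are assumptions for the example, not anything the article states.

```python
# Added example, not code from the original article: decide whether a URL
# really leads to the site you expect. Browsers resolve the host exactly the
# way urlsplit does, so the tricks below are caught the way a browser would
# (silently) fall for them.
from urllib.parse import urlsplit

def check_url(url, expected_host, require_https=True):
    """Return (ok, reason). ok is True only when the URL's host is exactly
    expected_host or a subdomain of it and, if required, the scheme is https.
    expected_host is the registrable site name, e.g. 'e-gold.com'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # http://www.e-gold.com@evil.example/ : everything before '@' is a
        # user name, not the host; the browser goes to evil.example.
        return False, f"userinfo before '@' hides real host {host}"
    if host != expected and not host.endswith("." + expected):
        # Covers .com -> .cc, www.e-gold.com.evil.example, and raw IP addresses.
        return False, f"host {host} is not {expected} or a subdomain of it"
    if require_https and parts.scheme != "https":
        return False, f"scheme is {parts.scheme}, not https"
    return True, "host and scheme check out"

if __name__ == "__main__":
    # Constructed test URLs; e-gold.cc is the host the article reports.
    for u in ("https://www.e-gold.com/acct/manager.htm",
              "https://www.e-gold.cc/acct/manager.htm",
              "https://www.e-gold.com.evil.example/acct/manager.htm",
              "https://www.e-gold.com@evil.example/acct/manager.htm",
              "http://www.e-gold.com/acct/manager.htm"):
        print(check_url(u, "e-gold.com"))
```

Only the first URL passes. The point of writing the check as "exact match or subdomain of the expected site" rather than "contains e-gold.com" is that the substring test would accept both the look-alike subdomain and the userinfo trick.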
Common Sense
Most of all, to protect yourself, you just need to follow normal precautions. If someone called you on the phone claiming to be from your bank, you wouldn't give him your account number and debit card PIN. If you hopped into a taxi and asked to go to East Peach Street, you'd notice if the cabbie headed toward West Peach, right? Exercise the same kind of care on-line. You don't need to be paranoid, just be aware of oddities.
Don't get spoofed.