I didn’t send that e-mail, even though Gmail says I did.
It was sent by Eric Fiterman, a former FBI Special Agent and founder of Rogue Networks. He helped us show how easy it is to spoof an e-mail address.
To go phishing, first an attacker needs access to a virtual Linux server that can make outbound mail connections. Easy enough: you can get one on a 14-day free trial at cloudshare.com.
Then the attacker sets up the server to send mail using whatever e-mail address he or she wants to appear as the sender. That is as simple as typing the address into the From field. Nothing in the mail protocol checks that the person sending actually owns that address; the receiving server just records where the connection came from.
That’s the easy part. After that, phishing schemes can be very complex or incredibly simple. Simple schemes include sending e-mails, in the victim’s name, to the victim’s friends and family (easily found on Facebook), asking them to wire money, hand over passwords, or give up their Social Security numbers.
Complex schemes involve setting up fake websites or embedding keylogging malware in PDF attachments.
Take these for example…
Okay, so Eric was being funny and these aren’t the most convincing phishing e-mails (especially considering Pelosi is in the House, not the Senate). But with some more convincing language, you can see why someone might open the attachment.
So how do you know if it’s a phony?
It’s not always easy. If you look at the raw message headers (in Gmail, click the arrow next to the reply button and select “see original”), you’d see this:
Received: by 10.220.74.204 with SMTP id v12cs140747vcj; Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Received: by 10.229.73.80 with SMTP id p16mr971468qcj.57.1307050174673; Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <email@example.com>
Received: from ericmethodvuecom.vpslink.com ([xx.xxx.x.xxx]) by mx.google.com with ESMTPS id d18si2139076qcs.32.2011.06.02.14.29.34 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: xx.xxx.x.xxx is neither permitted nor denied by best guess record for domain of firstname.lastname@example.org) client-ip=xx.xxx.x.xxx;
Three things give it away: the Received line shows mx.google.com accepted the message from ericmethodvuecom.vpslink.com, not from any House or Senate mail server; the Return-Path (the address the sending server actually used) is not the address shown in the From field; and the SPF check came back “neutral” rather than “pass”. So clearly this was sent from Eric, not Nancy or Ted. But that’s a level most people aren’t willing to go to. -David
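The header check described above, automated, as an added example that is not part of the original post or of Eric’s demonstration. The two messages below are constructed for this example and modelled on the redacted headers quoted above; every hostname, address and IP in them is fictional (documentation domains and address ranges), and “google.com” as the trusted receiving provider is an assumption you would replace with your own mail provider.

```python
"""Spot a spoofed From: from the headers Gmail's "see original" shows.

Added example, not code from the original post. Sample messages are
constructed and use fictional hosts, addresses and IPs.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample shaped like the spoofed mail above: From: claims a
# house.example address, but the envelope sender and the host that handed
# the message to mx.google.com belong to someone else.
SPOOFED = """\
Received: by 10.220.74.204 with SMTP id v12cs140747vcj;
        Thu, 2 Jun 2011 14:29:34 -0700 (PDT)
Return-Path: <eric@attacker.example>
Received: from attacker-vps.example.net ([203.0.113.7])
        by mx.google.com with ESMTPS id d18si2139076qcs.32
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 02 Jun 2011 14:29:34 -0700 (PDT)
Received-SPF: neutral (google.com: 203.0.113.7 is neither permitted nor denied by best guess record for domain of eric@attacker.example) client-ip=203.0.113.7;
From: "Speaker's Office" <speaker@house.example>
To: david@example.com
Subject: Please open the attached memo

See attachment.
"""

# Constructed legitimate message from the same claimed domain, for contrast.
LEGIT = """\
Received: by 10.220.74.204 with SMTP id v12cs140748vcj;
        Thu, 2 Jun 2011 15:01:10 -0700 (PDT)
Return-Path: <speaker@house.example>
Received: from mail.house.example ([198.51.100.4])
        by mx.google.com with ESMTPS id a7si123456qcs.10;
        Thu, 02 Jun 2011 15:01:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of speaker@house.example designates 198.51.100.4 as permitted sender) client-ip=198.51.100.4;
From: "Speaker's Office" <speaker@house.example>
To: david@example.com
Subject: Committee schedule

See attachment.
"""

# "from <host> ([<ip>]) ... by <host>" as written by the receiving MX.
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)\s*(?:\(\[?(?P<ip>[0-9a-fA-F.:]+)\]?\))?.*?\bby\s+(?P<by>\S+)",
    re.S,
)
# Explicit RFC 1918/loopback list instead of ipaddress.is_private, which
# would also count the documentation ranges used in the samples as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def entry_hop(msg, trusted_suffix):
    """Hop where a trusted MX first accepted the message from outside.

    Received: headers are prepended, so they read newest-first. Only lines
    written by our own provider are trustworthy; anything the sender's
    server wrote below them could be forged, so the earliest trusted hop
    with an external peer is the one that matters.
    """
    hop = None
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m or not m.group("ip") or is_internal(m.group("ip")):
            continue
        if m.group("by").lower().endswith(trusted_suffix):
            hop = m.groupdict()  # keep going: the earliest trusted hop wins
    return hop


def spf_result(msg):
    value = msg.get("Received-SPF")
    return value.split()[0].lower() if value else "none"


def domain_of(address):
    return address.rpartition("@")[2].lower()


def same_org(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyze(raw, trusted_suffix="google.com"):
    """Return the interesting header fields plus a list of spoofing indicators."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = domain_of(from_addr)
    hop = entry_hop(msg, trusted_suffix)
    spf = spf_result(msg)

    findings = []
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"envelope sender {return_path} is not in From domain {from_dom}")
    if hop and not same_org(hop["host"], from_dom):
        findings.append(f"{hop['by']} got it from {hop['host']} ({hop['ip']}), not a {from_dom} host")
    if spf != "pass":
        findings.append(f"SPF result is {spf!r}, not 'pass'")
    return {"from": from_addr, "return_path": return_path, "entry_hop": hop,
            "spf": spf, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", analyze(raw)["findings"] or ["no spoofing indicators"])
```

The hostname comparison is only a heuristic: the name after “from” is whatever the sending server announced or its reverse DNS resolved to, so the connecting IP (and the SPF verdict the receiving provider computed for it) is the part to trust. A sender whose mail legitimately goes out through a third-party provider will also trip the hostname check, which is exactly why “pass” from SPF, rather than a familiar-looking name, is the signal worth waiting for.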