[Part 5 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly as a white paper.]
Trust People, Not Addresses
Don’t trust unsolicited files or embedded links, even from friends.
It’s easy to spoof email addresses, for instance, so that email appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Basic SMTP (Simple Mail Transfer Protocol) doesn’t validate the sender’s address in the "From" field, though well-secured mail services do often include such functionality.
I remember years ago one of my colleagues at a medical research charity in the UK sent email as a joke using someone else’s address, a trick that’s easily performed using telnet and an unsecured mail-server, especially when you’re on the same network. On that occasion, I was able to identify the real sender immediately by his IP address (much to his surprise), but the nature of the 21st century Internet means that there are many ways of concealing such information, if you really want to stay hidden.
It’s also possible for mail to be sent from your account, without your knowledge, by malware, though malware that works in this way is far rarer than it used to be. It’s far more effective for a spammer to hire the services of a botherder, nowadays, and malware that manages to infect your system doesn’t have to use your mail account or client software to send spam, scams and malware on to other victims.
There are also many ways to disguise a harmful link so that it looks like something quite different, whether it’s in email, chat or whatever. The disguising of malicious links in phishing emails so that they appear to go to a legitimate site has obliged developers to re-engineer browsers to make it easier to spot such spoofing.
However, too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it’s not always easy to tell a genuine or fake site just from the URL, even if the URL is rendered correctly. (Early phishing emails tended to rely on exploiting bugs in popular browsers to hide the real target link.) DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under his control.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, We Live Security