Phishing Scams Without Borders - From Germany With Love

Okay, I know I've already blogged about email phishing scams, but this one was close to home, so I thought I’d share. I received an email this morning, supposedly from ScotiaBank… NOT. Let’s review…

  1. banks NEVER send requests for confidential information by email; and
  2. banks aren’t going to make spelling and grammar mistakes on professional communications to clients.

So, here’s what the email looked like, marked up with the appropriate comments:

scotiabank-phishing-01


And how did this phishing scam of an email find yours truly? It took 6 jumps:

  1. it originated in Germany
  2. made a short visit to France
  3. then to another server in France
  4. it hopped across the Atlantic landing in Boston, Massachusetts
  5. it scooted up to Burlington, Massachusetts
  6. zipped from the east coast over to the west landing in one of Apple's servers in Cupertino, California
  7. and finally was delivered to my Apple iCloud account from which my mail program pulled it down.

It's trip took only a couple of minutes start to finish.

scotiabank-phishing-02

I'm going to split into two directions now: for those that don't want to know how I traced this back, stop here and take with you five things:

  1. if you receive an email from someone you don't recognize, DON'T OPEN IT, instead delete it
  2. if you open an email and it's asking you to click a link... READ the email... did you order the product or service it's about? If not, delete it
  3. if an email is asking you to click a link... hover over - DON'T CLICK - the click and check the URL in the yellow tool tip against what is displayed - if they aren't the same or at least look like they're going to take you to the intended website... you guessed it, delete it
  4. governments, banks, cell phone companies, and pretty much EVERYONE doesn't use email to verify personal/private/confidential information because email is largely UNENCRYPTED and NOT SECURE - if you get an email asking ANYTHING to do with personal/private/confidential information, delete it
  5. if you want to report the phishing attempt to the organization the attacker's email is pretending to be from, check the organization's website or call them since most have an abuse@ or phishing@ email address that you can forward the email to and they'll attempt to track the source and take appropriate action 


How did I trace the source of this email phishing scam?

If you've hung on to this point, then you want to know how I traced this email to its origin, so here we go. Every email has a header... the part at the top that contains the "From", "To", "Subject", "Date", information. What you don't realize is that there's WAY more in the header than just what we normally see.

Our email programs are set to display the "friendly" headers we are used to seeing. In fact, the header of each email contains its routing information that accumulates as the email travels from its origin to its destination. Spammers and scammers rely on the fact that most people don't know about the routing info in the headers, how to access it and how to use that information to trace the origin of their phishing emails.

Let's pick apart the detailed header of this email so you can see how I traced the path of this Geschenk (gift):

scotiabank-phishing-03


The only extra step was in #4... 10.20.15.2 and 10.20.13.1 are internal network IP addresses, so I had to look up the external IP address of the eigbox.net domain. This is where the link from my info@ address to my @me.com address took place.

To look up the IP addresses I used WhatIsMyIPAddress.com and for looking up the hostname to get the IP address in step #4, I used the hostname to IP address lookup page from the same website. This website also has a page that will attempt to trace the source of an email automatically by allowing you to paste the full header of the offending email into their webpage - what I did the long way - but in my case it wasn't able to figure out the route. You may want to try this before you roll up your sleeves and do it my way.


How do you display the full header information on your email program?

To set your own email program to display the full email headers, follow the instructions for your program by checking your help file. Here are the instructions for some of the more popular email programs borrowed from the Google Email Support Page:

Gmail

  1. Log in to your Gmail account.
  2. Open the message you'd like to view headers for.
  3. Click the down arrow next to Reply, at the top of the message pane.
  4. Select Show Original.

The full headers will appear in a new window.

Hotmail

Yahoo! Mail

Apple Mail

Mozilla

Outlook

Outlook Express


Until next time!
Bob


Comment on this blog item.

Home   |   About Us   |   Testimonials   |   Services   |   Hero Blog   |   Sense of Humour   |   Contact Us   |   help@digitalhero.ca   |   905-717-5498
Privacy Policy: All services are rendered with the strictest of confidence. Your personal and or business information will never be shared with, or sold to, any third party.
Terms and Conditions: Prices may change without notice. Shipping, additional costs as a result of client-requested changes and taxes are extra.

© Bob Kyriakides 2017