Friday, February 27, 2009

The Devil's in the E-Mails

Some befuddling e-mails have been making the rounds to Queen's University e-mail accounts, claiming to be from such reputable e-card vendors as Hallmark and American Greetings.

My spider-sense started tingling at the broken formatting, suspicious "postcard.zip" attachment, and lack of sender identification. None of these indicators, however, were unfathomable. It is not unheard of for Outlook to mangle legitimate e-mails by passing them through its often stringent security protocols, and thus content that was meant to appear in the body might well be relegated to an attachment.

What did throw me off-kilter, however, was the legitimate-looking domain - e-cards@hallmark.com. I am used to my spam coming from authentic-looking addresses that collapse under the eye of scrutiny (e.g. hallmark-accounts@yahoo.ca) or blatantly illegitimate addresses (e.g. john-smith@abcxyz.org). In other words, I'm used to having spam addresses come with a tell, not look like the real thing.

I refrained from opening the attachment, however. Later that night, Evey informed me that the Queen's administration had sent out an e-mail notification about the aforementioned faux e-cards, warning that the attachments conveyed a viral infection that was challenging to remove. I'd like to note that Queen's didn't feel the need to pass the same information on to me, having likely excised me from all pertinent mailing lists in preparation for the termination of my barcode-like[1] e-mail account.

This e-mail account will be removed on March 4, 2009, as university records show you are no longer a current student. All e-mail, forwarding, web pages, and files stored under this account will then be erased. Please retrieve and copy any e-mail and files you wish to retain, before that date.

I suppose I could consider the would-be infection a parting gift.

A quick Google search of the offending e-mail revealed the following information:

As with most spammers nowadays, you can tell that they went to some great lengths to ensure that the email looks as legitimate as possible.

In many previous e-card variants all of the links within the email would point directly to the malware hosting site. This trend has recently been shifting and this new Hallmark E-Card tactic improves upon that by only pointing the "here" link above to the malicious web site. All of the other links like Customer Service, Store Locator, etc. actually point to the same locations that the real hallmark.com site points to. So, if a suspicious recipient of one of these messages clicks on any link in the email other than the malware download link they may be tricked into believing the message is legitimate since it will direct them to the Hallmark site. Seeing this, they may be more apt to click on the download link and become infected.

I have to admit, I was rather shocked at how sophisticated some of these spam letters are becoming. Certainly, I hadn't opened the attachment, but faced with the same circumstances, would my parents have been able to detect the scam? A likely answer is no.

(On the other hand, I have often been pleasantly surprised how easy it is to detect spam - I mean, is it really that difficult to run a spell check...? Maybe obvious signs of being fake are part of some Hackers' Code of Ethics.)

I was mostly curious as to how the hallmark.com domain had been synthesized. Was it a hacked Hallmark account? An inside job? I began to search for "how to send a viral e-mail from a legitimate domain", and Google immediately offered some likely suggestions:

Apparently, the most common "how do" questions out there include "how do you know if a girl likes you?", "how do you know if your you're pregnant?" (Ack! I hate misspelled homonyms!), and (for the pre-pubertal): "how do you get pregnant?"

But I digress. Deferring to Wikipedia (otherwise known as the all-source), I located a much more satisfactory answer:

Others engage in spoofing of e-mail addresses (much easier than IP address spoofing). The e-mail protocol (SMTP) has no authentication by default, so the spammer can pretend to originate a message apparently from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, allowing positive identification of the specific account from which an e-mail originates.
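As an added example (not part of the original post, and not code from Hallmark or Queen's), here are the two quoted observations turned into a small triage script: a From domain that does not match the envelope sender (the SMTP gap described above), an HTML body where one link leaves the claimed domain while the others stay on it, and an archive attachment. The message is constructed to mirror the described e-card; cards.invalid and mailer.invalid are placeholders, not real indicators.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample modelled on the e-card described above; every host other
# than hallmark.com is a placeholder, not a real indicator.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
From: Hallmark E-Cards <e-cards@hallmark.com>
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<p>To view your card click <a href="http://cards.invalid/postcard.zip">here</a>.
<a href="http://www.hallmark.com/customer-service">Customer Service</a>
<a href="http://www.hallmark.com/store-locator">Store Locator</a></p>
--B1
Content-Type: application/zip; name="postcard.zip"
Content-Disposition: attachment; filename="postcard.zip"

(archive bytes omitted)
--B1--
"""

# Good enough for the simple markup of mass-mailed cards; not a full HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def addr_domain(header):
    """Domain part of the first address in a header value ('' if none)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the suspicious traits of one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom, env_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    findings = []
    if env_dom and env_dom != from_dom:  # SMTP lets the From line say anything
        findings.append(f"envelope sender {env_dom} != From domain {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".exe", ".scr")):
            findings.append(f"archive/executable attachment {name}")
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                host = urlparse(href).hostname or ""
                if host != from_dom and not host.endswith("." + from_dom):
                    findings.append(f"link '{text.strip()}' leaves {from_dom}: {host}")
    return findings
```

Bulk mailers legitimately use a separate bounce domain, so the envelope mismatch alone is a prompt to look closer, not proof of spoofing; the combination of all three traits is what the described e-card exhibits.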

In other fraudulent news, my friend Brutus recently encountered what is essentially a telephone scam originating from a US company targeting Canadian automobile owners.

The digital age is clearly a fortuitous time to be a cheating bastard.

---

[1] Queen's assigns e-mail addresses with a two to three letter combination of your initials, prefixed by your entry year, and suffixed by additional digits depending on the frequency of your initials. For instance, Joe Smith, entering in 2004, might have the e-mail address 4js15@queensu.ca (15 because of the commonality of the initials JS). Based on the unattractiveness of these addresses (rather than the typical joe.smith@university.ca), one might expect them to function forever (since their barcode-like structure should, in theory, reduce the need to recycle them). This is not so.

3 comments:

sandlot said...

I also received this! At first it seemed suspect, but then again, my birthday is coming up, so I ended up downloading it.

However, thanks to Firefox (?), the file was sent to my downloads folder and remained unopened. Then I wised up and realized it probably was a virus since no one in their right mind would send me an e-card 12 days before my bday.

So I deleted.

Virus averted!

a_ndy said...

Dodged the bullet there. Score one for Firefox.

Jerry said...

I just wanted to say hi and good luck studying! Try not to watch too much X-Men this weekend! Let's just say that if I were you, I would probably want to "study" the demise of Apocalypse more than the demise of sodium in our urine.

Talk to ya later!