Topic: A public service announcement: spotting phishing emails (Read 1545 times)

member
Activity: 105
Merit: 10
I got my first dodgy bitcoin related email yesterday claiming to be from 'coin base'...  I've never even used it -_-
legendary
Activity: 1400
Merit: 1009
Quote
Wow. OTT much?
If you think that's over the top, you're in denial.

It's probably not even close to being sufficient, given the completely broken state of PC security.
sr. member
Activity: 585
Merit: 250
Quote
I've stopped using my desktop PC as one for all practical purposes.

My desktop PC is now a virtualization host, and every task actually takes place in one of nine VMs.

One VM runs Thunderbird, and nothing else. It's firewalled such that it can't do anything at all except access one designated SMTP/IMAP server.

Wow. OTT much?
legendary
Activity: 1400
Merit: 1009
I've stopped using my desktop PC as one for all practical purposes.

My desktop PC is now a virtualization host, and every task actually takes place in one of nine VMs.

One VM runs Thunderbird, and nothing else. It's firewalled such that it can't do anything at all except access one designated SMTP/IMAP server.
full member
Activity: 215
Merit: 100
Shamantastic!
Quote
I no longer open emails from any coin related sites that I use.  The subject lines are usually detailed enough that if I deem it important I will just navigate to the site directly myself.
THAT is vigilance!
sr. member
Activity: 364
Merit: 250
I no longer open emails from any coin related sites that I use.  The subject lines are usually detailed enough that if I deem it important I will just navigate to the site directly myself.
full member
Activity: 215
Merit: 100
Shamantastic!
D&T, I got my first phishing email into my gmail account since I can't remember. It appears to ask me to login to my blockchain.info but actually redirects to blockschain.info
Careful everyone, the wolves are out to play!
FF
PS. I'm going to rebuild my Linux dev box and thunderbird the details into a separate thread.
PPS. keep up the vigilance!
 
donator
Activity: 1218
Merit: 1079
Gerald Davis
I got this email today, and here is how it shows up in Gmail:

Quote
BTC-E [email protected] via smtp.com     5:58 AM (5 hours ago)
to me

Hello!
We inform you that you scan the downloaded document # 14327223 http://ge.tt/... can not be verified for the following reason:
-Specified in the certificate data in a language other than the language passport data
Please provide a new file to check.
Sincerely,

Representative Director
BTC-E Co., Ltd.
Shibuya-ku, Tokyo

One thing to look for is this:
Quote
BTC-E [email protected] via smtp.com

What this is saying is that the email was sent indicating it was from btc-e.com; however, it actually came from smtp.com.  Now, this isn't that uncommon: many sites move their email off their domain. However, there is a way of authenticating these off-domain email senders, and it wasn't done.

So any time you see a "via" in Gmail, be wary.  There is a high chance it is a phishing attempt.  It could be an uneducated operator or some misconfiguration, but your phishing radar should be going off when you see a redirected email.

Looking at the source:
Quote
Delivered-To:
Received: by 10.170.132.70 with SMTP id y67csp158747ykb;
        Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
X-Received: by 10.66.162.74 with SMTP id xy10mr46827749pab.4.1394531930066;
        Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mailer134.gate183.sl.smtp.com (mailer134.gate183.sl.smtp.com. [192.40.183.134])
        by mx.google.com with ESMTP id pi6si17253804pbb.10.2014.03.11.02.58.49
        for <[email protected]>;
        Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 192.40.183.134 as permitted sender) client-ip=192.40.183.134;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning [email protected] does not designate 192.40.183.134 as permitted sender) [email protected];
       dkim=pass [email protected]
Return-Path: <[email protected]>
X-MSFBL: Z2VyYWxkQHRhbmdpYmxlY3J5cHRvZ3JhcGh5LmNvbUAxOTJfNDBfMTgzXzEzNEBz
   bXRwY29tXzExQA==
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
   q=dns/txt; [email protected]; t=1394531929;
   h=From:Subject:To:Date:MIME-Version:Content-Type;
   bh=EptpTsx18R734YExCd0CN520kmNgDylmBwR2r+Pyuqw=;
   b=f2hvNXaJT9YyFXhXAYg7qRLTST5KlgacBGLJE/rQYLnlNXuiUMbLxMlOvgePe0Mc
   lmS0HCW2hdDJ4BGdqwpVWMxdTIUR8JtiIz8XF4oSkXTYG80GoFz5SWxGfX7w4K9j
   9gqnLIbogpkBa+DxB0xX7pENIlH6Pf/XkyQScWaf1bA=;
Received: from [216.55.179.130] ([216.55.179.130:61625] helo=216-55-179-130.dedicated.codero.net)
   by sl-mta06.smtp.com (envelope-from <[email protected]>)
   (ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
   id DD/65-01037-95EDE135; Tue, 11 Mar 2014 09:58:49 +0000
From: "BTC-E" <[email protected]>
Message-ID:
Subject: BTC-E Passport
To:
Content-Type: multipart/alternative; boundary="chnq7o2neA2=_nG4ebCT6XPRtS76K4DnFp"
MIME-Version: 1.0
Organization: BTC-E
Date: Tue, 11 Mar 2014 02:58:51 -0700
X-SMTPCOM-Tracking-Number: 755a5166-7a64-405b-9339-37db125228cb
X-SMTPCOM-Sender-ID: 24012
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to [email protected]


A couple of things in here.  The first is that the sent-from and reply-to emails are simply lines of text.  There is absolutely no security.  You can send email with a from email address of [email protected] as easily as you can type the letters.  So never rely on those.

This shows where the email actually originated from:
Quote
Received: from mailer134.gate183.sl.smtp.com (mailer134.gate183.sl.smtp.com. [192.40.183.134])

Now, as I said before, it isn't that uncommon for email to originate off domain; however, this is the warning sign:
Quote
spf=softfail (google.com: domain of transitioning [email protected] does not designate 192.40.183.134 as permitted sender) [email protected];

In simple terms, it is saying btc-e has not approved the originating server to send email on its behalf.  Google should really make these types of "soft" failures more pronounced with scary warnings, but they don't.

Lastly, the actual originator is a commercial service.  They provided this information in the header:
Quote
X-SMTPCOM-Tracking-Number: 755a5166-7a64-405b-9339-37db125228cb
X-SMTPCOM-Sender-ID: 24012
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to [email protected]

If your email client gives you the option to report as phishing (not just report as spam), be sure to do so.  Most will forward this back, in this case to [email protected].
You can also manually forward it to [email protected] and report it as phishing.
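The header checks Gerald Davis walks through above (From: being plain text, the topmost "Received: from" hop, the SPF result, and the DKIM signing domain behind Gmail's "via"), as an added Python example that is not part of the original thread. The sample headers are a trimmed, constructed copy of the ones quoted in the post with placeholder addresses, and analyze_headers is a name chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a trimmed copy of the headers quoted in the post above.
# Addresses are placeholders (the page redacts them); host names and IPs are the page's.
RAW_HEADERS = """\
Received: by 10.170.132.70 with SMTP id y67csp158747ykb;
Received: from mailer134.gate183.sl.smtp.com (mailer134.gate183.sl.smtp.com. [192.40.183.134])
        by mx.google.com with ESMTP id pi6si17253804pbb.10.2014.03.11.02.58.49
        for <me@example.com>; Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning sender@btc-e.com does not designate 192.40.183.134 as permitted sender) smtp.mail=sender@btc-e.com;
       dkim=pass header.i=@smtp.com
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
   q=dns/txt; i=@smtp.com; t=1394531929; h=From:Subject:To:Date; bh=...; b=...
From: "BTC-E" <sender@btc-e.com>
Subject: BTC-E Passport
"""


def analyze_headers(raw):
    """Extract the signals the post walks through and turn them into warnings."""
    msg = message_from_string(raw)
    # The From: header is plain text the sender typed; it proves nothing by itself.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bspf=(\w+)", auth)
    spf = m.group(1).lower() if m else "none"
    # d= names the domain whose key signed the mail; Gmail shows it as "via" when it
    # is not the From: domain.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = m.group(1).lower() if m else ""
    # The topmost "Received: from ..." line was written by our own MX and names the
    # host that really connected to it; anything below it came from the sender.
    origin = ""
    for hop in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]", hop.strip())
        if m:
            origin = f"{m.group(1)} [{m.group(2)}]"
            break
    warnings = []
    if spf != "pass":
        warnings.append(f"SPF {spf}: {from_domain} does not authorise the sending host {origin}")
    aligned = from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)
    if dkim_domain and not aligned:
        warnings.append(f"DKIM signed by {dkim_domain}, not {from_domain} (the 'via' Gmail shows)")
    return {"from_domain": from_domain, "spf": spf, "dkim_domain": dkim_domain,
            "origin": origin, "warnings": warnings}
```

Run against the sample it reports both the SPF softfail and the smtp.com signing domain; with spf=pass and a signature from btc-e.com itself it reports nothing.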