DayCom Solutions
    Website & Custom Software Development - Support



Checking your email for SPOOFING

Email frequently arrives that is intended to SPOOF a trusted sender, SPAM you, or PHISH for information. Often the people who send these emails go to a great deal of trouble to make them look 'legitimate' in order to fool you. Below is an example of an email received that looks like a 'legitimate' email from a legitimate company, Hallmark.

The intention of the sender of this sort of email can be one or more of a number of things:

  • Phishing - an attempt to gain more information about you, such as verifying that the email address they sent to is an actual mailbox, or obtaining your personal information such as your address, telephone number, credit card number or any number of other things.
  • Attack - by lulling you into a false sense of security with a known and trusted company name, they can use the link to launch an attack on your computer, running or installing malware after you follow the link.
  • Increasing traffic on a given website.

For more information about this type of spoofing, refer to: http://en.wikipedia.org/wiki/Spoofing_attack

We will use this actual email as an example. Here is what it looks like in the Preview or Reading Pane of the email client:

[Screenshot: email spoof - reading pane view]

Q: Is this 'legitimate'? How can you check it out?

A: It shows as being from Hallmark.com - but beware - the 'from' address can be altered to show anything.

Q: How can I tell where a link in the email will go?

A: Hold your cursor over the LINK.

First, let's look at the link "send one".
Hold your mouse cursor over the link - you may have to wait a second or two - and here is what shows up:

[Screenshot: email spoof - hovering over 'send one']

Q: OK - the above still looks legitimate enough. After all, that is the "Hallmark.com" website domain - it can't be bad, right?
A: That is correct! If you click that link (I did not - just in case) it will probably take you to the Hallmark.com website. That link was put in there as 'bait', just to make the recipient feel more secure and to give the appearance that everything is 'ok' and above-board.

NOW - move the cursor and hover over the link "here" in the line "To see it, click here". This is the link they are hoping you will click - after all, they hope you want to see the nice card that someone sent to you.

Let's take a look at what we get (below):

[Screenshot: email spoof - hovering over 'see it, click here']

In the above, notice that the LINK at 'here' does NOT go to the Hallmark website domain (hallmark.com)! Instead, it is linked to an IP address.

So we need a little information about an IP address, which is a series of numbers - in this case, 200.87.106.186.
NOTE: a Domain Name and an IP address are two ways of naming the same destination. The Domain Name is the human-readable form that stands for the numeric IP address, and it is the part of the URL, or 'address', of a website that identifies the site (the rest of the URL identifies the page).

When you enter a domain name or other URL into the Address field (URL field) of your browser, the name is looked up (using the Domain Name System, DNS) and turned into an IP address before the connection is made - but you do not see this happen. An IP address is simply a number similar to the one shown above. The reason that names are generally used to represent IP address numbers is that we humans can remember names much better.

Q: So why didn't the sender of this email use the Domain Name (or URL) in the "here" link in the above email rather than an IP address?
A: Because they are hiding something from you - namely, they do NOT want you to know their actual NAME, because that might give it all away. You would see right away that it has nothing to do with 'Hallmark' at all.

Q: Is this dangerous?
A: Most likely - but I'm not going to take a chance to find out!


But, let's try a little experiment - let's do a WHOIS search on that IP address (200.87.106.186).

Here is what we get:

200.87.106.186
Record Type: IP Address

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetHandle: NET-200-0-0-0-1
Parent:
NetType: Allocated to LACNIC
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: SEC3.APNIC.NET
NameServer: NS2.DNS.BR
NameServer: NS3.AFRINIC.NET
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
Comment: Please see http://www.lacnic.net/ for further details, or check the
Comment: WHOIS server located at http://whois.lacnic.net
RegDate: 2002-07-27
Updated: 2007-12-17

OrgTechHandle: LACNIC-ARIN
OrgTechName: LACNIC Whois Info
OrgTechPhone:
OrgTechEmail: whois-contact@lacnic.net

As you can see, this is NOT Hallmark (surprise, surprise!). What the record shows is LACNIC, the regional IP address registry in Montevideo, Uruguay (Country: UY above), which holds the whole 200.0.0.0/8 block; the "ReferralServer" line says that the specific holder of this particular address would have to be looked up at whois.lacnic.net. Now how about that...

There is no telling what might or could happen by clicking on that link. And I'm not going to find out.

NOTE: the above step is not necessary to do - we did it just to illustrate the point. In practice, if you see an IP number rather than a NAME, or if the NAME is NOT what you are expecting (a hallmark.com address, in this case), DO NOT CLICK the link!
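As an added example (not part of the original article), here is a small Python script that parses the WHOIS record quoted above and draws the conclusion a careful reader should: the entry is the parent registry's record for the whole 200.0.0.0/8 block, marked "Allocated to LACNIC", and the "ReferralServer" line names whois.lacnic.net as the next server to ask for the actual holder. The record text is the one shown above, trimmed and embedded as constructed sample input, so nothing is fetched from the network.

```python
import ipaddress

# Constructed sample: the WHOIS record quoted in the article, trimmed to the
# lines needed here. Nothing is fetched from the network.
WHOIS_RECORD = """\
200.87.106.186
Record Type: IP Address

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
City: Montevideo
StateProv:
Country: UY

ReferralServer: whois://whois.lacnic.net

NetRange: 200.0.0.0 - 200.255.255.255
CIDR: 200.0.0.0/8
NetName: LACNIC-200
NetType: Allocated to LACNIC
Comment: This IP address range is under LACNIC responsibility for further
Comment: allocations to users in LACNIC region.
RegDate: 2002-07-27
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict. Repeated keys (Comment) are joined
    with a space; keys with an empty value (StateProv:) are dropped; lines
    without a colon (the bare IP on the first line) are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        fields[key] = fields[key] + " " + value if key in fields else value
    return fields


def interpret(fields, queried_ip):
    """Decide what the record actually tells us about queried_ip."""
    block = ipaddress.ip_network(fields["CIDR"])
    referral = fields.get("ReferralServer")
    # 'Allocated to <registry>' plus a ReferralServer means this is the parent
    # registry's entry for a whole block, not the entry for the actual holder.
    registry_level = bool(referral) or fields.get("NetType", "").startswith("Allocated to")
    return {
        "in_block": ipaddress.ip_address(queried_ip) in block,
        "block": str(block),
        "country": fields.get("Country"),
        "registry_level": registry_level,
        "query_next": referral,
    }


if __name__ == "__main__":
    info = interpret(parse_whois(WHOIS_RECORD), "200.87.106.186")
    for key, value in info.items():
        print(f"{key:15} {value}")
```

The point of the `registry_level` flag is that a WHOIS answer for a large block says who administers the block, not who is using the one address you asked about; when the flag is set, the `query_next` server is where the real answer lives.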

ALSO BEWARE - some spammers send email such as this and DO have an expected name in the LINK. In this case, it COULD look something like hallmark.200.87.106.186, or possibly hallmark.lacnic.net, or some other such thing. This is still NOT a Hallmark domain - it is a sub-domain of another domain, either the IP address in the first example or the domain "lacnic.net" in the second example. Beware! They use all kinds of 'tricks' to try to fool us! (NOTE that the two link addresses, hallmark.200.87.106.186 and hallmark.lacnic.net, are in actuality identical, since 200.87.106.186 IS the IP address for lacnic.net.)
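To make the two checks described above concrete (is the link target a bare IP address, and does a link that shows "Hallmark" actually belong to hallmark.com), here is an added example script, not part of the original article, that pulls every link out of an HTML email body and classifies its target. The sample email body and its hrefs are constructed for this demonstration and are not the real links from the message shown above. The registrable-domain check simply takes the last two labels of the host name, which is an assumption that holds for .com style names but not for every country-code suffix. The same check also catches the third trick listed in the summary below, a look-alike domain that merely contains the brand name.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body modelled on the e-card email described above.
# The hrefs are assumptions for this demonstration, not the message's real links.
SAMPLE_HTML = """
<p>You have received a Hallmark E-Card! <a href="http://www.hallmark.com/">send one</a></p>
<p>To see it, click <a href="http://200.87.106.186/card.php?id=123">here</a></p>
<p>Or view it at <a href="http://hallmark.3utilities.com/view">hallmark.3utilities.com</a></p>
<p>Visit <a href="https://www.hallmark.com/shop">our shop</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host name, e.g. 'hallmark.3utilities.com' -> '3utilities.com'.
    Assumption: adequate for .com style names; a real tool would consult the
    public suffix list to handle names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(href, expected_domain):
    """Judge one link target against the domain the email claims to come from."""
    host = urlparse(href).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "IP-LITERAL"             # a bare number: the sender's name is hidden
    except ValueError:
        pass
    if registrable_domain(host) == expected_domain:
        return "OK"                     # hallmark.com itself or a real sub-domain of it
    brand = expected_domain.split(".")[0]
    if brand in host:
        return "BRAND-IN-OTHER-DOMAIN"  # hallmark.xxxxxx.com or a look-alike name
    return "OTHER-DOMAIN"


def audit_email(html, expected_domain="hallmark.com"):
    """Return (visible text, href, verdict) for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, classify_link(href, expected_domain))
            for text, href in parser.links]


if __name__ == "__main__":
    for text, href, verdict in audit_email(SAMPLE_HTML):
        print(f"{verdict:24} '{text}' -> {href}")
```

Run on the sample body, the script reports the "send one" and shop links as OK, the "here" link as an IP literal, and the 3utilities.com link as a brand name sitting in someone else's domain, which is exactly the hover-and-read check from the article done for every link at once.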

Another Example

Below is an example of ANOTHER spam or phishing attempt I received after the initial writing of this article. In this example, you can see the "here" link is something else - a SUB-domain of the domain 3utilities.com. Also notice that a sub-domain does NOT use the "www" prefix. This is normal for any sub-domain, legitimate or otherwise.

I am not sure what the reason for this is or what might happen by following the link. What I am sure of is that it is NOT going to a Hallmark domain or sub-domain, and that someone is trying to fool me - either for a phishing attempt or possibly to install malicious software on my computer. Again, this example shows the "perpetrator" used "Hallmark" in their spoof hoping it would catch me off guard, since it is such a trusted name.

In fact, as an added note - this whole "Hallmark" spoof attempt is an interesting and elaborate one - as far as I can tell, ALL the OTHER links on this email are 'legitimate' Hallmark links EXCEPT for the one they want you to click to see the supposed card you just received.

Even all the other TABS will open legitimate Hallmark links on other tab-pages...


Summary

The LESSON here is simple:

  1. Unscrupulous people send email DISGUISED as 'legitimate' and even add legitimate links in them to put the recipients off guard. In the above example, the sender wanted you to think the email really did come from Hallmark, which it did not.

  2. The spammers can even alter the 'from' address to make it look more legitimate.

  3. You can determine where a link will take you without actually clicking on that link; you simply hold your mouse cursor over the link, which is called 'hovering'. But be careful: hover, but do not click!

  4. In order to HIDE their true DOMAIN name, 'perpetrators' may use either:
    • an IP address (number), rather than their Domain Name
    • a sub-domain name, such as Hallmark.xxxxxx.com, hoping you will see only the "Hallmark" (or other 'legitimate' name) and not notice the rest
    • a domain name they registered that is similar to the one they want you to think it is.
    In any case, they are trying to 'hide' or disguise the actual domain (website) and are hoping you will not notice!

In these "Hallmark" examples, you see that the link was NOT taking you to the Hallmark website. This should definitely be considered 'unsafe'!

Does this mean you should avoid any website with "Hallmark" in the name?
Absolutely not. A URL such as "Hallmark.com" would be perfectly legitimate.

Copyright ©DayComSolutions.com 2005-2012
All Rights Reserved