Recently, while I was away on a business trip, my wife received this email:
From: Leo A. Notenboom [mailto:********@yahoo.com.sg]
Sent: Thursday, September 13, 2012 10:10 AM
To: ****@*********.***
Subject: http://********.av.tr/cheeseblind/davidmiller24/?/b34a/
I’ve used asterisks to obfuscate a few things, but the essence is this:
- The From: line displayed my name
- However, the From: line also showed a completely random, unrelated email address that is most definitely not mine.
- The email was sent to my wife’s email address.
- The email message had no Subject line.
- The email message consisted of only a link.
Because we communicate a fair amount by email when I travel, she thought it was from me and clicked the link.
I’ve been getting lots of reports of this particular scenario lately.
I’ll describe what I did next and what this appears to be… and perhaps reassure you a little about what it is not.
What I did next
My wife, bless her heart, realized what had happened immediately. She indicated it was some kind of “get rich quick” thing. She immediately did the right thing: she closed the browser, instant-messaged me about what had happened, and stopped using the computer.
As soon as I had a chance, I connected remotely, using TeamViewer, and began a series of scans.
When all the scans failed to find anything wrong, I decided that we’d probably dodged a bullet, and told my wife to resume using her machine, but to keep an eye out for any odd behavior.
This is not the result of a virus, and not a hack
In this scenario, many people would immediately assume that someone’s computer is infected and that malware is to blame. In my case, they would think that either my computer or my wife’s would be infected, and that the email was sent as a result of that infection.
Almost all of the email-spoofing scenarios we see these days have nothing at all to do with malware, other than perhaps being a way to get it.
If you get spam from someone you know, it’s more likely that their email account has been hacked.
But that’s not the case here, either.
Even though my name was displayed, the email did not come from my email address, and thus it did not come from my email account.
There are no account hacks involved in the creation of this spam.
So, what is it?
It’s nothing more than spam
Hackers have one goal when they send you spam: to get you to open and act on the message. In this case, that means they wanted the recipient to click the link.
And that’s exactly what happened.
The technique they use is to make the spam look like it came from someone trusted. In this case, it looked like it came from me (at least by the name displayed), and thus my wife trusted it.
That’s all this is: spam. Misleading spam, crafted to evoke trust when none was warranted.
Spam. Plain and simple.
Connecting people who know each other
The thing that has everyone confused – myself included – about this current wave of spam is that they’re able to connect people who somehow know each other, without having access to things like email address books.
But only by name.
In other words, they were able to connect my name as being someone that my wife would know, and send that to her email address.
From the spammer's point of view, the only thing that would have made this more convincing is spoofing my email address as well, not just my name. That tells me that they don’t have my email address, at least not as part of this particular approach to spam.
So how’d they do it?
I don’t know; at least, not for sure.
I have heard of a possible data leak – now supposedly fixed – relating to Facebook. And that makes a little sense, since my wife and I are friends on Facebook.
But that’s only a theory.
Bottom line: classifying the problem
Naturally, as spammers get more creative, things get more complex.
- If something that looks like it might be spam displays a From: name that you know, but an email address that you do not, it’s just spam. Mark it as such and move on.
- If something that looks like spam displays a From: name that you know and an email address that you recognize as belonging to that name, then it still may be plain old spam, but it’s more likely that this person’s email account has been hacked. You might want to let them know, ideally using something other than their hacked email account.
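As an added example (not part of the original post and not Leo's own code), the following Python turns those two rules into a check: it parses the From: header, compares the display name and the address against a constructed contact list (placeholder addresses, not the real ones), and separately flags the other traits described above, an empty Subject and a body that is nothing but a link.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list (placeholder values): maps a lowercase display name
# to the set of addresses the recipient actually knows for that person.
KNOWN_CONTACTS = {
    "leo a. notenboom": {"leo@example.com"},
}

# A body that is only one URL, with nothing else around it.
URL_ONLY = re.compile(r"^\s*https?://\S+\s*$")

# Constructed sample message shaped like the one in the post (values are placeholders).
SAMPLE_SPAM = """From: Leo A. Notenboom <randomuser@example.invalid>
To: recipient@example.org
Subject:

http://placeholder.example.invalid/path/
"""


def classify_from_header(from_header, known=KNOWN_CONTACTS):
    """Apply the post's two rules to a From: header value.

    'spoofed-name'        known display name, unrecognised address: plain spam
    'possible-compromise' name and address both match a known contact, so the
                          sender's account may have been hacked
    'unknown-sender'      the display name is not one of the known contacts
    """
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    if name not in known:
        return "unknown-sender"
    if addr in known[name]:
        return "possible-compromise"
    return "spoofed-name"


def suspicious_traits(raw_message):
    """Flag the other traits of the message described in the post."""
    msg = message_from_string(raw_message)
    traits = []
    if not (msg.get("Subject") or "").strip():
        traits.append("empty-subject")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if URL_ONLY.match(body):
        traits.append("link-only-body")
    return traits
```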