Don't Get Spoofed
by
Carl Bussjaeger

A correspondent recently brought a peculiar email to my attention. And I thought it important enough to share with you.

This email purported to be from E-Gold, a financial service used by many people who wish to protect their privacy, and who simply prefer cold, hard cash. It attempts to trick the recipient into logging into what he believes to be E-Gold and handing over his account number and password.

The Warning

This is not legitimate!

The message you might receive looks like this:

From: Service EG
To: e-gold customer
Sent: 15. November 2002 11:31 PM
Subject: [e-gold-service] We have set a value limit on your e-gold account

Dear e-gold customer,

This is a due diligence request.

We have set a value limit on your e-gold account (For security purposes, your e-gold account number is not specified in this email.) of US $500 in accordance with Right of Association provisions of the e-gold Account User Agreement:

http://www.e-gold.com/unsecure/e-g-agree.htm

If we detect that multiple e-gold accounts are being used to circumvent this value limit, we will set the value limit on all related accounts to zero without further notice in accordance with e-gold Ltd.'s Right of Association Policy located in the e-gold Account User Agreement (see Refusal Without Cause).

We require the following immediate action:

1. Review point of contact and User information via the applicable form from the e-gold Account Manager:

https://www.e-gold.com/acct/manager.htm

We may verify the accuracy of this information (see item 3 below); therefore, it is imperative that this information be complete and correct. Promptly make any necessary changes via the web interface.

If verification efforts demonstrate any information to be incorrect, we will set the value limit on your e-gold account to zero without further notice.

2. Mail (or preferably, use a courier service such as Fed Ex or DHL) original notarized copies of all of the following information:

a) A signed and notarized affidavit listing: Names, addresses, and telephone numbers of the principal owners of e-gold account.

b) Copy of a telephone or utility bill that has the same address stated in item A.

c) Notarized copies of Passport or Driver's license of each principal owner.

[Other requirements added dependent on situation]

addressed to:

G&SR 175 East Nasa Blvd.
Suite 300
Melbourne, FL 32901
Attn: Due Diligence Unit

If all requested information is not received within fourteen (14) business days, the value limit on your e-gold account will be set to zero without further notice.

If all requested information is received within the allotted response interval, the value limit on your e-gold account will be removed.

3. We will verify physical address of record (see item 1) via postal mail. If we are unable to verify physical address, we will set the value limit on your e-gold account to zero without further notice.

Sincerely,

Due Diligence Unit
www.e-gold.com

The text appears to be real. The links appear to be real. They are not. Disregard this message. Do not click the links. The real E-Gold site has a notice to report possible spoofing to them at: ddu@e-gold.com.

The Details

This spoof exploits email clients that render HTML. The visible text of the hyperlinks is correct for E-Gold, but the underlying HTML actually links to a different site: clicking the links in an HTML-enabled email program takes you to www.e-gold.cc rather than the real E-Gold site, www.e-gold.com. If you use MS Outlook, hover your mouse pointer over a hyperlink without clicking; a pop-up will display the URL actually coded into the link. If it doesn't match the visible text, you have problems.
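As an added example (not part of the original article), here is a small Python check that does what the hover trick does by hand: it parses the anchors in an HTML body and flags any whose visible text names one host while the href points at another. The sample body is constructed in the style of the spoof above.

```python
# Added example, not from the article: flag <a> tags whose visible text names one
# host while the href actually points at another (the trick used by this spoof).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(text):
    """Lowercase hostname if the string looks like a URL, else '' (plain 'click here' is ignored)."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def find_deceptive_links(html):
    """Return (visible_text, href, real_host) for each link whose shown host != target host."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(text, href, _host(href)) for text, href in parser.links
            if _host(text) and _host(href) and _host(text) != _host(href)]

# Constructed sample body modelled on the spoof: the text says .com, the href says .cc.
SAMPLE_BODY = """<p>Review your User information via the e-gold Account Manager:
<a href="http://www.e-gold.cc/acct/manager.htm">https://www.e-gold.com/acct/manager.htm</a></p>
<p>Agreement: <a href="http://www.e-gold.com/unsecure/e-g-agree.htm">www.e-gold.com/unsecure/e-g-agree.htm</a></p>"""

if __name__ == "__main__":
    for text, href, host in find_deceptive_links(SAMPLE_BODY):
        print(f"WARNING: link shows {text!r} but really goes to {host} ({href})")
```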

I highly recommend that you disable HTML in your email program. It makes you vulnerable to this type of spoofing, and also allows hostile scripts and programs to execute automatically; this is how the Klez worm propagates, for instance. (Make sure you have a good anti-virus program, too.)

It's a pain in the rear, but I also will not normally open an HTML message while on-line. Aside from the above-mentioned hazards, doing so can violate your privacy. Just like a hit counter on a website, HTML messages can have embedded code that lets the sender know when you read the message. That also validates your email address for spammers who are blindly sending out mails to entire domains. Once you've opened that message and rung their chime, they know yours is a real address, and they'll hit you with more spam.

This spoof report also relates to web browsers. When I investigated the fraudulent site, using Opera 6.01, my browser detected a flaw in the site's certificate chain. My correspondent reported that MS Internet Explorer 6, with all updates, did not alert him.

Protecting Yourself

So how do you avoid these problems?

Email

    Don't use MS Outlook in any of its incarnations.
    Whatever client you use, disable HTML.
    Be suspicious whenever someone wants personal data, especially if it involves passwords and/or money.

It also wouldn't hurt to be aware of email headers. The spoof email appeared to be from E-Gold. That's what the From: field said. But...

Here's a message that appeared in my In-Box as I prepared this article:

Date: 11/17/02 8:49 PM
From: George Dubya Bush
To: someone@somewhere.net
Copy:
Subject: Resignation

Due to a new-found respect for the US Constitution, I have decided to resign my office, effective immediately.

While I have no power to enforce it, I also hope that everyone else currently in the line of succession to the Oval Office will also resign.

Face it, guys; we've been screwing up big time.

/s/
George W. Bush
ex-President
USA

Wheee! Sounds good, doesn't it? Too bad it isn't real; I sent it to myself, faking some of the header data, which most folks set their clients to ignore. Take a look at the headers on this bit of wishful thinking:

Return-Path:
Delivered-To: someone@somewhere.net
Received: from smtp.surfbest.net (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]) by server10.safepages.com (Postfix) with SMTP id 44EC23C447 for ; Sun, 17 Nov 2002 20:49:41 +0000 (GMT)
X-Mailer: Ultrafunk Popcorn release 1.15 (14.Sep.2001)
X-URL: http://www.ultrafunk.com/products/popcorn
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=iso-8859-1
X-Priority: 3
Date: Sun, 17 Nov 2002 12:49:52 -0800 (Pacific Standard Time)
From: George Dubya Bush
To: someone@somewhere.net
Subject: Resignation
Reply-To: president@whitehouse.gov
Organization: White House
Message-Id: <20021117204941.44EC23C447@server10.safepages.com>

The return path and from fields still appear to be from ol' Dubya. But take a closer look at the Received field, third line down. Says there that this message originated from surfbest.net. How likely is it that the White House is using that commercial mail server?

Of course, spammers routinely spoof that field, too. You can generally spot that by looking at the IP address in brackets (in this case: [68.130.119.81]). If the field had been spoofed, you'd probably see something like this:

Received: from smtp.whitehouse.gov [unknown: 68.130.119.81]) ...
...which tells you that the domain name claimed didn't match up with the actual IP address. A definite warning signal. Some mail listservers use that as an indicator of spam, so it can be screened out automatically.

Generally speaking, if the address domain name doesn't match the SMTP domain name, you might want to be careful. But...

Many people, myself included, use an email redirect service. I use bussjaeger@free-market.net as my permanent address; mail coming in to that address gets redirected by the Free-Market server to whatever account In-Box I find convenient at the time. I can change ISPs and mail accounts at will without having to change my address. A mail from me will have a header of this sort:

Return-Path:
Delivered-To: someone@somewhere.net
Received: from grizzly (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81]) by server10.safepages.com (Postfix) with ESMTP id A30A73C42B for ; Sun, 17 Nov 2002 20:49:57 +0000 (GMT)
Message-ID: <200211171250120000.0A06129F@smtp.surfbest.net>
X-Mailer: Calypso Version 3.30.00.00 (3)
Date: Sun, 17 Nov 2002 12:50:12 -0800
Reply-To: bussjaeger@free-market.net
From: "Carl Bussjaeger"

To: someone@somewhere.net
Subject: test
Content-Type: text/plain; charset="us-ascii"

So mismatches aren't always nefarious. I could set my client to show the "real" address associated with that account, but when I was configuring the program, it was convenient to cut and paste the Free-Market address in both fields.
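As an added example (not from the article), here is a Python routine that applies the Received-header test described above and, because of the redirect case just shown, reports a mismatch as a warning rather than proof. It only parses the two forms that appear on this page, "from HELO (rdns [ip])" and "from HELO [unknown: ip]"; the sample message is constructed from the "resignation" headers above, with a made-up From: address since the article shows only the display name.

```python
# Added example, not from the article: apply the Received-header test described above.
# Handles the two forms shown on this page: "from HELO (rdns [ip])" and "from HELO [unknown: ip]".
import email
import email.utils
import re

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+(?:\((?P<rdns>[^\s\[\]()]+)\s*\[(?P<ip>[^\]]+)\]\)"
    r"|\[unknown:\s*(?P<ip2>[^\]]+)\])", re.I)

def registrable(host):
    """Crude 'name.tld' from a hostname (its last two labels); enough for this illustration."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_origin(raw_message):
    """Return warning strings about the hop that first accepted the message (last Received:)."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return ["no Received: headers at all"]
    m = RECEIVED_RE.search(" ".join(received[-1].split()))  # unfold the header first
    if not m:
        return ["could not parse originating Received: header"]
    helo, rdns = m.group("helo"), m.group("rdns")
    ip = m.group("ip") or m.group("ip2")
    warnings = []
    if rdns is None or rdns.lower() == "unknown":
        warnings.append(f"claimed host {helo} has no reverse DNS for [{ip}]")
    elif registrable(helo) != registrable(rdns):
        warnings.append(f"claimed host {helo} is really {rdns} [{ip}]")
    # A mismatch here is only a hint: redirect services produce it on legitimate mail too.
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if from_domain and registrable(from_domain) != registrable(helo):
        warnings.append(f"From: domain {from_domain} differs from SMTP host {helo}")
    return warnings

# Constructed sample built from the spoofed "resignation" headers above; the From:
# address is made up, since the article shows only the display name.
SPOOFED = """\
Received: from smtp.surfbest.net (1Cust81.tnt24.sjc4.da.uu.net [68.130.119.81])
\tby server10.safepages.com (Postfix) with SMTP id 44EC23C447; Sun, 17 Nov 2002 20:49:41 +0000
From: George Dubya Bush <president@whitehouse.gov>
Subject: Resignation
"""

if __name__ == "__main__":
    for warning in check_origin(SPOOFED):
        print("WARNING:", warning)
```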

Web Browsers

    Be aware of the URL displayed in your browser's address field. Is it showing what you expected? In this spoof, the .com was replaced with .cc; that makes a world of difference.
    If you're visiting a site which should be secure, is it? Most browsers use a little padlock icon to indicate the security level. In Opera, floating your mouse pointer over the padlock will give you information on the certificate and encryption. In IE, right click on the web page, select properties, and click the Certificates button.

Common Sense

Most of all, to protect yourself, you just need to follow normal precautions. If someone called you on the phone claiming to be from your bank, you wouldn't give him your account number and debit card PIN. If you hopped into a taxi and asked to go to East Peach Street, you'd notice if the cabbie headed toward West Peach, right? Exercise the same kind of care on-line. You don't need to be paranoid, just be aware of oddities.

Don't get spoofed.

Copyright © 2002 by Doing Freedom! magazine. All rights reserved.