Email Headers – A Cybersecurity Perspective!


Spam can be thought of as unsolicited bulk email sent out to users. Many of these spam messages are actually phishing: an attempt to defraud the recipient by masquerading as a legitimate entity or organization that the recipient is likely to trust. Phishing emails are typically used to harvest personal and financial information from the victim. Phishers rely on social engineering and crafted e-mail schemes to trick their victims into clicking links that lead to credential-harvesting pages or malware.

The following email header was taken directly from an email in my inbox. The items of particular interest are the Received line (the connecting host name and IP address), the From and Reply-to addresses, and the Message-ID; they will be used to determine the validity as well as the origin of the email. The email advertised a special muscle-building vitamin to be used as part of a physical fitness program. At first glance the email looked very suspicious, so an investigation is in order.

E-Mail Header:

Received: from impactgroup-biz01e.bennerbodysculpting.com ([162.254.38.5]) by customermail.myemail.com with MailEnable ESMTP; Fri, 27 Feb 2015 07:47:01 -0800
Date: Fri, 27 Feb 2015 07:47:01 -0800
From: Destroy One Pound Day <Doyle@bennerbodysculpting.com>
Reply-to: <Doyle@bennerbodysculpting.com>
Message-ID: <555320150227070580108.394242405600635.5A06x1E2l30YNNGfkqanoiqHdc@impactgroup-biz01e.bennerbodysculpting.com>
To: <myemail@email.org>
Subject: It's true we investigated...
Content-Type: multipart/alternative;boundary="===============4981059843407325151=="
MIME-Version: 1.0

As seen in figure 1, the A record for the domain bennerbodysculpting.com resolves to 185.53.177.7, which does not match the connecting IP 162.254.38.5 recorded by the receiving server in the Received header. A reverse (PTR) lookup on 162.254.38.5 returned nothing, so the host name the sender announced (impactgroup-biz01e.bennerbodysculpting.com) cannot be confirmed from the reverse side either. On its own a forward mismatch is weak evidence, since many legitimate senders host their website and their outbound mail on different machines; the missing PTR record is the stronger signal, because most receiving mail servers expect a sending host's IP to resolve back to a name inside the sender's domain.

figure 1: DNS lookup for bennerbodysculpting.com (resolves to 185.53.177.7)
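The cross-check described above, Received line against From domain with a forward and a reverse lookup, can be scripted. The block below is an added example written for this page, not code from the original post. It parses the header quoted above, and because it must run offline it replaces live DNS with a small table holding the values the post reports (the A record 185.53.177.7 and the absence of a PTR record for 162.254.38.5); a real run would swap the `lookup` function for socket or dnspython queries. The Received-line regex is an assumption fitted to the MailEnable format shown on the page, and other MTAs word that line differently.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample input: the header block quoted in the post, copied as one string.
RAW_HEADER = (
    "Received: from impactgroup-biz01e.bennerbodysculpting.com ([162.254.38.5]) "
    "by customermail.myemail.com with MailEnable ESMTP; Fri, 27 Feb 2015 07:47:01 -0800\n"
    "Date: Fri, 27 Feb 2015 07:47:01 -0800\n"
    "From: Destroy One Pound Day <Doyle@bennerbodysculpting.com>\n"
    "Reply-to: <Doyle@bennerbodysculpting.com>\n"
    "Message-ID: <555320150227070580108.394242405600635.5A06x1E2l30YNNGfkqanoiqHdc"
    "@impactgroup-biz01e.bennerbodysculpting.com>\n"
    "To: <myemail@email.org>\n"
    "Subject: It's true we investigated...\n"
    "Content-Type: multipart/alternative;boundary=\"===============4981059843407325151==\"\n"
    "MIME-Version: 1.0\n"
)

# Offline stand-in for DNS (assumption: a real run would use socket or dnspython).
# The records mirror what the post reports: the domain's A record is 185.53.177.7
# and there is no PTR record for 162.254.38.5.
FAKE_DNS = {
    ("bennerbodysculpting.com", "A"): ["185.53.177.7"],
    ("5.38.254.162.in-addr.arpa", "PTR"): [],
}


def lookup(name, rtype):
    """Return the records for (name, rtype), or [] when nothing is found."""
    return FAKE_DNS.get((name.lower(), rtype), [])


# "from <helo-name> ([<ip>]) by <receiving-host>" as written by MailEnable in the
# post's header. Other MTAs vary, so a non-match is reported as "could not parse".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)"
)


def ptr_name(ipv4):
    """Reverse-DNS query name for an IPv4 address, e.g. 5.38.254.162.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def analyze(raw_header, resolve=lookup):
    """Cross-check the Received line against From and Message-ID; return findings."""
    msg = HeaderParser().parsestr(raw_header)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []

    # Only the topmost Received line was written by our own MTA and can be trusted;
    # anything below it was supplied by the sender and may be forged.
    received = msg.get_all("Received", [])
    hop = RECEIVED_RE.search(received[0]) if received else None
    if hop is None:
        findings.append("no parseable Received header; cannot identify connecting IP")
        return {"from_domain": from_domain, "connecting_ip": None,
                "helo_matches_from": False, "findings": findings}
    helo, ip = hop.group("helo"), hop.group("ip")

    # 1. HELO name is sender-controlled: agreement proves nothing, disagreement is a flag.
    helo_ok = in_domain(helo, from_domain)
    if not helo_ok:
        findings.append(f"HELO name {helo} is outside From domain {from_domain}")

    # 2. Forward lookup: does the From domain resolve to the connecting IP?
    #    (Weak evidence on its own; web and mail hosts often differ.)
    a_records = resolve(from_domain, "A")
    if ip not in a_records:
        findings.append(f"connecting IP {ip} is not an A record of {from_domain} "
                        f"(A = {', '.join(a_records) or 'none'})")

    # 3. Reverse lookup: does the connecting IP name a host inside the From domain?
    ptrs = resolve(ptr_name(ip), "PTR")
    if not ptrs:
        findings.append(f"no PTR record for {ip}")
    elif not any(in_domain(p, from_domain) for p in ptrs):
        findings.append(f"PTR for {ip} ({', '.join(ptrs)}) is outside {from_domain}")

    # 4. Message-ID is normally stamped by the originating MTA; a foreign domain is a flag.
    msgid_domain = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]
    if msgid_domain and not in_domain(msgid_domain, from_domain):
        findings.append(f"Message-ID domain {msgid_domain} is outside {from_domain}")

    return {"from_domain": from_domain, "connecting_ip": ip,
            "helo_matches_from": helo_ok, "findings": findings}


if __name__ == "__main__":
    for line in analyze(RAW_HEADER)["findings"]:
        print("FLAG:", line)
```

For the header on this page the script reports two flags: the connecting IP is not an A record of the From domain, and the IP has no PTR record. The HELO name and the Message-ID domain both sit inside bennerbodysculpting.com, which is exactly what a spammer who controls the sending box would make them do, so those two checks only ever catch careless forgeries; the reverse-DNS check is the one most receiving servers actually score on.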

As can be seen in the whois output in figure 2, the OrgName for 162.254.38.5 is ColoCrossing.com, a hosting provider, which does not match the bennerbodysculpting.com domain in the sender's address. Many legitimate senders relay through rented hosting, so this alone is not proof, but it is the first indication that the email is potentially a fraud.

figure 2: whois output for 162.254.38.5 (OrgName: ColoCrossing.com)

Digging a little deeper, a search was performed for the domain name bennerbodysculpting.com itself, with the result shown in figure 3: a parking page rather than a real site. Since no actual website exists for the domain the sender claims to be writing from, the email is judged to be a fake. NOTE: the "Inquire about this domain" prompt means that bennerbodysculpting.com is parked and being offered for sale; it is held by a registrant but serves no content of its own.

figure 3: parking page served for bennerbodysculpting.com ("Inquire about this domain")

In the final analysis, the registrant's name did not match the domain name, and the IP address associated with the domain (185.53.177.7) did not match the one in the e-mail header (162.254.38.5) either. Figure 4 shows the actual website of the registrant listed for bennerbodysculpting.com.

figure 4: website of the registrant listed for bennerbodysculpting.com

Phishing methods are on the rise and with each passing day they become more sophisticated and convincing. It is critical for users to educate themselves on the dangers of phishing, how to identify it, and how to avoid becoming a victim. Many popular websites are spoofed, some of the most common being PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. The very concept of phishing can be thought of as a lure used to bait and hook its victim in hopes of financial gain. The FTC warns users to be on the lookout for suspicious-looking e-mails. If a suspected phishing email is encountered, DO NOT click on any links inside the email; instead, open a browser and navigate to the organization's site directly. With a little consumer education users can avoid becoming the next socially engineered e-mail phishing victim.

Citations:

Messier, R. (2014, April). E-Mail Forensics. Security Kilroy. Retrieved July 2015, from http://securitykilroy.blogspot.com/2014/04/e-mail-forensics.html

Rouse, M. (2007, May). Phishing. TechTarget SearchSecurity. Retrieved July 2015, from http://searchsecurity.techtarget.com/definition/phishing
