Today I got a scam email purporting to be from Roy Welch, W0SL, asking for an emergency loan. If I got it, I suspect many others on amsat-bb got it too.
The originating IP address is in Nigeria. Where else?
I've seen this exact scam before. In those cases someone had stolen the password of the person they were pretending to be.
I don't think that happened here. The "From" address was his correct email account 'rdwelch@swbell.net' but the Reply-To: address was 'rdwelclh@yahoo.com'. Note the extra 'l'.
I think the scammers created this second account on Yahoo and used it to send the scam email, forging Roy's address in the from field. Any reply would, of course, go to the scammer's address on Yahoo and many people might not notice the subtle change.
swbell.net has no SPF (Sender Policy Framework) records in the Domain Name System to indicate to the rest of the Internet which IP addresses may legitimately originate email from that domain, so recipient systems cannot easily detect forgeries.
Thanks Phil. Yes, I'm not sure how it was done but the settings are correct in my PC. AT&T has helped me to assign a new password to my account to shut this down. They say it appears to have been hacked on the AT&T web mail site. We too noticed the Reply-To address change. I suspected something when I had no incoming mail. It appears that any mail, not just replies to me, was going to that hacked address. The only thing I can think of is that AT&T net mail was changing to a new setup. We were all notified that by June 30, all accounts would have to migrate to the new ATT.net/mail arrangement. Subsequently I received a message offering the opportunity to proceed with my migration. I did that and was surprised when they asked me to log in again. Right there I gave someone my login info. They were then able to log in to my web mail site and access the address book there. I am going to delete the address book there since I am not on the road much anymore. With the changed password, the hacker can no longer log in to my account. My apologies to all who got that message. I have seen it before, coming from other people over the months.
73, Roy -- W0SL
R/D/Gd/Ggd
On 6/26/2013 11:05 PM, Phil Karn wrote:
On 06/26/2013 03:31 PM, Roy wrote:
Interesting. I saw no actual evidence in the scam mail itself that your account had been hacked.
This particular message was sent through Yahoo's webmail service. Anyone could subscribe to the amsat-bb list and see who its contributors are, so they would know who to send the scam spam to.
(Wait -- does Yahoo provide service for swbell.net?)
Without cryptographic authentication it's easy to forge email from anyone; SPF helps somewhat but it's often not implemented and is frequently ignored even when it is. In this case I perused the headers myself and saw the IP address 41.71.175.195, which happens to be in Nigeria (look it up!)
It's somewhat trickier to intercept the replies. In this case they did it with a Reply-To: header to a fraudulent account (rdwelclh@yahoo.com) that'd be easy to miss if you weren't looking for it.
I had theorized that they did this because they hadn't actually gotten into your swbell.net account, but it's possible they did it anyway so that they'd still get any replies from victims after your account had been secured or shut down. It would take a little longer to get rdwelclh@yahoo.com shut down since it's at a different service provider.
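Added example, not code from anyone on this thread: a small Python check a recipient-side filter could run over a message's headers to flag the two signs Phil describes, a Reply-To that points to a look-alike local part at a different provider than the From address, and the originating IP recorded in the Received chain. The sample message is constructed; only the two addresses and the IP come from the thread, and the server names are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread's description, not the real scam mail.
# Hostnames are placeholders; addresses and the originating IP are as quoted by Phil.
SAMPLE = """\
Received: from webmail.example.invalid (webmail.example.invalid [203.0.113.5])
\tby mx.example.invalid with SMTP; Wed, 26 Jun 2013 14:00:00 -0700
Received: from [41.71.175.195] by webmail.example.invalid via HTTP; Wed, 26 Jun 2013 13:59:00 -0700
From: Roy Welch <rdwelch@swbell.net>
Reply-To: rdwelclh@yahoo.com
To: amsat-bb@amsat.org
Subject: Urgent request

Please reply as soon as you can.
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike local parts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reply_to_flags(raw, max_dist=2):
    """Return a list of reasons the Reply-To header looks like reply interception."""
    msg = message_from_string(raw)
    _, frm = parseaddr(msg.get("From", ""))
    _, rto = parseaddr(msg.get("Reply-To", ""))
    flags = []
    if rto and rto.lower() != frm.lower():
        flags.append("reply-to differs from from")
        f_local, _, f_dom = frm.lower().rpartition("@")
        r_local, _, r_dom = rto.lower().rpartition("@")
        if f_dom != r_dom:
            flags.append("reply-to domain differs from from domain")
        if f_local != r_local and edit_distance(f_local, r_local) <= max_dist:
            flags.append("reply-to local part is a look-alike of the from local part")
    return flags


def received_ips(raw):
    """IPs from the Received chain, outermost hop first; the last is nearest the origin."""
    msg = message_from_string(raw)
    return [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h)]
```

The Received chain is only as trustworthy as the servers that wrote it, so treat the last IP as a lead for a WHOIS lookup, as Phil did, not as proof.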
IIRC, Yahoo! took over for most of the Bells. My Pacbell.net account is now managed by Yahoo!, and I had a similar event happen last year, as well as a friend of mine who had her account with another Baby Bell compromised.
Considering how much support is off-shored these days, it wouldn't surprise me if it was an "inside job".
73, Jim KQ6EA
On 06/29/2013 08:42 AM, Phil Karn wrote:
Sent via AMSAT-BB@amsat.org. Opinions expressed are those of the author. Not an AMSAT-NA member? Join now to support the amateur satellite program! Subscription settings: http://amsat.org/mailman/listinfo/amsat-bb
Okay folks, look around you at the history of things. For more than 2 decades now, Microsoft's software products have been at the top of the list of software having security problems in CERT alerts (go to http://en.wikipedia.org/wiki/CERT_Coordination_Center and search for Microsoft). Viruses have, for the past two decades, routinely infected people's computers, obtained complete lists of people's email "friends", visited web sites, read the contents of files on your disk, trashed your disks, and otherwise wreaked havoc repeatedly.
Anyone on this list, who has participated in mail to and from this list, would provide such viruses access to email addresses which are supposed to be "restricted" to this list's members. There is no such thing as "security" when Microsoft's software is involved, and as soon as you are on a network, security becomes even more difficult to achieve.
"Guessing" that it might be an inside job is a little bit silly when there are countless ways that people on this list have exposed the list members by their use of insecure software systems and the downloading of virus laden content from the internet.
Accounts are being hacked, but as Phil notes, the "From:" headers of an email message tell you all you need to know to understand where it "did not" originate from. The last secure SMTP server will have recorded in a "From:" header the location of the "last" insecure server to have been involved in transmitting an email message.
Look over how the SMTP protocol works. Authentication of "sending" email was not happening in the original design, and only recently has that been "used" by ISPs and hosting companies interested in "not" supporting spam and other abuses of the email systems. This means that certain "open" systems or "insecure" systems can provide a link from the world of "spam" if they can be accessed.
That's what you need to focus on to understand whether your account was compromised.
SMTP allows email to be from anyone, and to anyone, if the servers don't authenticate the origination and secure the transmission of the content. Until that happens, we will always have this kind of stuff going on…
Gregg Wonderly W5GGW
On Jun 29, 2013, at 8:40 AM, Jim Jerzycke kq6ea@verizon.net wrote:
I didn't say I was "guessing", I said it wouldn't surprise me.
And I've been running Linux since I got on the Internet, so the hack didn't occur on my end.....
Jim
On 06/29/2013 10:35 PM, Gregg Wonderly wrote: