Question about email spoofing

ToTo Man

the band not the dog
My parents and I all have Yahoo email addresses. This morning I find three emails in my Spam folder purporting to be from my Yahoo contact list, one of which is me. All emails arrived on 28th Jun. Hovering the mouse over the senders' names shows them to be from the following email addresses, none of which are in my contacts:
[email protected]
[email protected]
[email protected]

My mum has received two emails from names that both she and I have in our contact lists, myself and a relative. Again, we don't recognise the email addresses of the senders:
[email protected]
[email protected]

My dad received only one email, purporting to be from me. It was deleted before I noted the email address but chances are it came from a Hotmail or Outlook email address like above.

I'm the only one who has a second email address, and it is a Hotmail address. Given that the spam/spoof emails are from Hotmail or Outlook addresses I'm thinking it's my Hotmail account that's been compromised rather than my Yahoo, which is surprising as it's normally Yahoo that's leakier than a sieve when it comes to data breaches.

Can someone explain to me what kind of breach I'm likely to have experienced and what steps I need to take to protect myself, aside from obviously changing my Hotmail and Yahoo passwords?
 
Change your password immediately to a very strong one. If your address book has been accessed you should work from the assumption that your entire account has been compromised. This could have been due to any number of different causes. Put your email address into https://haveibeenpwned.com/ to see if your credentials have leaked in any security breaches. If that's the case and it's not Yahoo, be sure not to use the same password across multiple sites. Yahoo has had some big hacks over the years too though.

The actual email spoofing is trivial, and if they have your address book already there's not much you can do to stop them. Changing your password won't matter as they're not using your email account to send. It's sloppy of them though because it's also trivially easy to make it really look like it came from your address!
 
According to pwned, my yahoo email has had a total of 5 breaches (the most recent one was in Oct '19), and my hotmail email has had a total of 4 breaches (the most recent one was in Nov '20).

This may show how ignorant I am regarding online security, but when I sign into either my hotmail or yahoo email from an unrecognised device (e.g. if I clear my browser cookies) I am sent a code to my mobile as part of the Two Step Verification process. I assumed this would mean that I would be notified if someone else accesses my account. Do hackers have a way to circumvent the Two Step Verification?
 
It's possible then that your address book was copied ages ago and they just got around to using it. It is possible to intercept that kind of 2 factor auth but somehow I doubt they're going through that kind of trouble.

I think your best bet is just to change your passwords and let your contacts know to double check emails from you. Sounds like they're getting flagged as spam anyway, which helps.
 
First this is not what we call spoofing. Spoofing is when someone masquerades as someone else.

What it does look like is that the owners of those email addresses have had their computers compromised/hijacked by a hacker who is using them to send malicious emails to harvested addresses such as yours. Your addresses can be harvested in so many different ways by determined criminals. The obvious one is if you have responded to a malicious email; however, just leaving a message on a website bulletin board saying what a good service you have had exposes your email address to a hacker. Similarly if you have bought stuff over the web. Who hasn't? And then that website gets hacked and the email addresses are harvested.

I have seen this happen soooo many times and I have in the past actually gone into those hacked websites and had a look around and tracked the hacker back. You have to understand what you are doing and the risks, hence I have several unconnected email accounts and work from within a sealed VM.

The simple answer is not to open these emails, to delete them and, if you can, to block them.

You are only exposed if those emails are opened, and then usually you have to execute code by clicking on something. However, best practice is to block and delete without opening them.

In today's hostile world I only accept emails from within a VM. If that VM gets screwed everything is trapped within it and I just delete it and get a fresh copy from a backup and start again. I haven't yet had to do this!

If you are really interested you can have a look at the email headers and you'll get a trace back of where the email really originated. So if an email from your mum is sent from Nigeria... This won't help in finding the culprits if they are using a hacked website.

Cheers,

DV
 
Virtual Machine.

I get these types of mails daily; they all end up in the spam folder. I just ignore them and carry on with my day.
 
Likewise. No way in hell would I use a free email address (other than say Apple, which isn’t free) for anything serious.
 

I must have left my email address on a German site (think it was Amazon or an Amazon link). The amount of spam I've had from German-speaking punters is unreal, but it all ends up in the spam or junk folder.
 

I never open emails from addresses I don't recognise, I just hover the mouse over the sender's name and if it's an unknown address I delete it.

Perhaps a coincidence, but on 27th or 28th June I contacted Dave at VintageGale through his website contact form using my hotmail account. Could my email address have been harvested that way? He replied with his direct email address and apologised for the contact form's limited functionality; he said his email address wasn't displayed on the site because he frequently gets trolled by Russian scammers attempting to harvest email addresses. The Spam folders of my hotmail and yahoo accounts started filling up with names from my address book (including my own name) on 28th Jun.

FWIW - I could just be extremely lucky or because I'm a Mac-only user but I've had my hotmail and yahoo accounts since 2002 and 2008, respectively, and, as far as I know, have never been the victim of financial fraud as a result of my email accounts being hacked. In 20+ years of being online I've only been done over once financially, and it was through my Steam (online gaming) account, which I promptly closed around 10 years ago along with my Facebook account and never reopened.
 
I thought this was spoofing. Emails were sent to me from the names of people in my contact book, including my own name, but when I hover over the names for more info the actual email addresses of the senders are not as expected.
 
Are the messages NDR/Bouncebacks that end up in Junk?

Sounds like spoofing - forged sender address/display name. Google will give you loads of info as to how and why this happens. There are a few scenarios/methods. One such:

Maybe someone you have all emailed at some point in the past has a computer/device that has been compromised/infected and their mail system used to send out Spam/Phish. To and From addresses are randomly chosen from all the addresses harvested from their device - address books, sent/received, caches, registry - basically anywhere there might be email info is pulled; this is why you can get fake mails sent to you from your own email address. In this case there is squat you can do as the machine is not yours and you don't know whose it is.

If you have 2FA on your email accounts it is very very unlikely you will have been compromised by a man in the middle attack.

https://www.proofpoint.com/us/threat-reference/email-spoofing
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
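To make concrete both the header trace DV mentions and the forged-From mechanism in the Proofpoint quote, here is an added Python example (not from anyone in this thread). It parses a constructed message whose display name matches a contact but whose address is an unrelated Outlook one, reads the Received chain back to the originating host, and pulls the SPF/DKIM/DMARC verdicts; every host, address and the contact list is made up.

```python
from email import message_from_string, utils

# Constructed sample, not a real message: display name "Mum" matches a contact,
# but the address is an unrelated Outlook one, as in this thread. Hosts/IPs are made up.
SAMPLE = """Return-Path: <bounce@example-spam.invalid>
Received: from mx.yahoo.example (mx.yahoo.example [192.0.2.10])
 by imap.yahoo.example with ESMTP id A1; Tue, 28 Jun 2022 09:01:00 +0000
Received: from sending-host.example (unknown [203.0.113.5])
 by mx.yahoo.example with ESMTP id B2; Tue, 28 Jun 2022 09:00:58 +0000
Authentication-Results: mx.yahoo.example; spf=fail smtp.mailfrom=example-spam.invalid;
 dkim=none; dmarc=fail header.from=outlook.example
From: Mum <random.name123@outlook.example>
To: toto@yahoo.example
Subject: Hi

Please check this out.
"""
CONTACTS = {"Mum": "mum.real@yahoo.example", "ToTo Man": "toto@yahoo.example"}

def sender_identity(raw):
    """(display_name, address) from the From header, which is what the client shows."""
    return utils.parseaddr(message_from_string(raw).get("From", ""))

def origin_host(raw):
    """Host named in the 'from' clause of the earliest Received header.
    Each hop prepends its own Received header, so the last one is nearest the origin."""
    hops = message_from_string(raw).get_all("Received", [])
    if not hops:
        return None
    earliest = " ".join(hops[-1].split())  # unfold continuation lines
    return earliest.split(" by ")[0][len("from "):].strip()

def auth_results(raw):
    """spf/dkim/dmarc verdicts from Authentication-Results, e.g. {'spf': 'fail'}."""
    text = " ".join(message_from_string(raw).get("Authentication-Results", "").split())
    verdicts = {}
    for part in text.split(";")[1:]:  # first part is the authserv-id, skip it
        method, _, rest = part.strip().partition("=")
        if method in ("spf", "dkim", "dmarc"):
            verdicts[method] = rest.split()[0]
    return verdicts

def looks_spoofed(raw, contacts):
    """True when the display name is a known contact but the address is not theirs."""
    name, addr = sender_identity(raw)
    known = contacts.get(name)
    return known is not None and addr.lower() != known.lower()
```

A failing SPF/DMARC verdict plus a display name that does not match the contact's real address is the combination that usually lands these messages in Spam, which is what the thread observes.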