Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

Hoax exposed

Read: 234 Comments: 9 Rating: 13

It seems that unsolicited emails never cease to deliver some unpleasantness: in the example below, the author threatens to reveal our alleged passion for adult content to the general public.

#drweb

The impostor blackmails recipients and demands a ransom in exchange for withholding the materials that may ruin their reputation.

#drweb

The attacker claims that the recipients have no choice because he cannot be caught and, according to his statement, he sent the message using the reader's own compromised account.

#drweb

Не At first glance, nothing invites suspicion—the Sender field shows ***@drweb.com. But, as we’ve already mentioned many times before, in reality the information in this field means next to nothing. This sender’s information may have nothing to do with their real email address. To find out where the message actually comes from, you will need to view the message headers. We’ve already written about how this can be done. See the issueFrom grandpa in the village.

#drweb

So this is how the elusive hacker's cover is blown.

#drweb

And from this we can easily deduce that the message is a hoax.

Is there something else worth mentioning about this email? Well, the scammer makes use of the Feedback ID header:

#drweb

The header may help to determine how efficient a mailing actually is.

If you're a large volume sender, you can use the FeedBack Loop (FBL) to identify campaigns in your traffic that are getting the most complaints from Gmail users. The FBL is particularly useful to ESPs; they can use it to see who is abusing their services.

Senders will need to embed a new header called the Feedback-ID, which consists of parameters (called identifiers) that uniquely identify their individual campaigns. Any identifiers with an unusual spam rate and that might cause deliverability issues will be reported in the Postmaster Tools FBL dashboard.

Source

As described above, the header can be used to determine whether a message has been marked as spam. This is handy for scammers who can use the statistics to modify their emails and bypass spam filters.

The message is signed:

#drweb

So an anti-spam filter, which validates sender signatures, would probably let this in (which is not the case with Dr.Web!)

The message is delivered as an image rather than text. There are two ways to discern this. First, right-clicking on the message text will bring up a save image option in the drop-down menu.

#drweb

Second, choosing to forward the message will reveal the image border.

#drweb

And the deception doesn’t end there!

The message supposedly features a special spot that helps determine when the email was opened (we wrote about theseh pixels in the issue «Hotspot»).

#drweb

But let's right-click once more and view the email in HTML format:

#drweb

Here we can clearly see that the entire message is the image we've just mentioned.

Dr.Web recommends

The scammer did the following:

  1. Faked the sender information.
  2. Used an image instead of text.
  3. Signed the email.

And none of that helped them get past Dr.Web Anti-spam! Which is nice.

If you receive a message of this kind, never panic and perform the simple steps we mentioned above.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments