September 05, 2013, 11:55 AM — I am constantly amused and amazed by the ingenuity shown by fraudsters. Their recent use of friendly email ‘from’ names is not an exception. What makes the attack exceptional, though, is how it is born out of the confluence of several entirely unrelated trends of computing.
The actors in this story?
First of all, the friendly name. That is the display name associated with an email address. For example, Bob’s email address may be CoffeeDude1234@somesite.com. To remind his friends that an email be sends is from him, Bob adds a friendly name, making his email address “Bob Smith <CoffeeDude1234@somesite.com>”. The friendly name – Bob Smith – signals to the recipients of an email what the sender would like to be called, and is transmitted along with the content of the email. Of course, if Bob preferred to, he could let his friendly name be “Queen of Portugal” – that is really up to him.
The second actor: the smartphone. An increasing number of people use smartphones for browsing the web and reading emails. The limited screen size puts constraints on what is presented to the user. Friendly names – yes. Email addresses – no. So now, Bob’s friends will only see “Bob Smith” … or “Queen of Portugal”. Many users opt to only see friendly names when reading emails on traditional computers, but on smart phones, the (lack of) space dictates the decision.
And the third actor: social networking, and a terrifying amount of information about pretty much everybody available to anybody who knows how to ask for it. If you search for Alice, you may learn both her email and the fact that she knows somebody named Bob.
Now, let’s see what happens when all of these pieces are put together.
Our villain would like to make Alice visit a particular site – maybe because this site distributes malware; maybe because it tries to sell her cheap Canadian pharma; or maybe because it will display an enticing work-from-home story designed to trick Alice to part with her money or become unwitting cogs in the villain’s machinery.
Normally, Alice would not visit some random website, and she would ignore requests to click on links in spam messages she gets. But not this time. This time, she will fall for it. Let’s see why!
The villain sends an email to Alice that the villain wants to appear to come from Bob. On one hand, the villain could “spoof” the email, to make it appear to come from CoffeeDude1234@somesite.com – but while it is easy to spoof, it is also relatively easy for spam filters to detect spoofing, so that often leads to the spoofed message being discarded. Instead, the email is sent in the “normal way” from any old email address. Maybe the villain creates BadVillain666@hotmail.com, and then uses Bob’s friendly name, making the email come from “Bob Smith <BadVillain666@hotmail.com>” – which is fine with spam filters, since everybody has the right to pick whatever friendly name they want. And then, the email gets displayed as … you guessed it! Bob Smith. When Alice looks at this email, she believes that it is from Bob.
Alice will think that the email was sent by her friend Bob. This is certainly true if she views the email on a phone where only the friendly name is displayed. And with a pretty good chance otherwise, too, given how common it is for people only to display friendly names. This belief may be reinforced by the content of the email – “Alice, take a look at this! Talk to you later. Bob” – followed by the URL of the webpage the villain wants Alice to visit. This is happening today, and passes under the radar for the best anti-spam systems.
Then what is the natural next step for criminals? I believe they will simply develop a collection of different stories that fit the social contexts of most potential victims. “Hey Alice – try out this game and let me know what you think. Bob” may trick Alice to install a Trojan on her device, and “Alice. I went to London for a few days, but was robbed. Can you lend me some money for me to pay the hotel?” is the beginning of a common scam. But those examples – that’s just a start.
For example, let’s think what will happen when Alice and Bob are married, and the villain poses as Bob, asking Alice for her banking password or social security number? “I will explain why I need it later.” Alice responds with the information, and her response gets delivered to –you guessed it! –the villain with the friendly name Bob. Or when Alice is your elderly mom, you are Bob, and the villain wants your mom to think that you are in dire need of money – Please lend me $500, I need it today! Can you send it by Western Union?
With the vast amount of information typical users are making available on social media to anybody who cares to look, we are increasingly vulnerable to attacks of these types. And this genie will not go back into its bottle.