Some asswipe just tried to phish me and USED THEIR OWN CONTACT INFO

Fucking awesome. Please help me think of ways to bring the hammer down.

Here’s an email I just received to my Hotmail account:

a) I am not a Citibank customer
b) Citibank is one word, not two
c) I don’t think they conduct official correspondence via students or alumni at the University of South Carolina

So far I have marked the email as a phishing scam (which you can do in Hotmail) and sent the email to the contact information I could find on the USC website. What else can I do?

Also reported it to Citibank.

Can a phisher hijack someone’s email address to send out emails?

They can send emails from their own servers bearing false origination addresses. It wouldn’t be originating from the false address; it would just look that way to the recipient. I got a bunch of spam last week that bore my own address in the “From:” field. Email is completely unprotected that way.

On the other hand, I’ve heard that some malware installs an email server that sends spam under remote control by a distant spammer…

usc.edu is University of Southern California, not University of South Carolina.

Yes. We had a student do that at my school over the summer. It’s crap for the students, as some colleges have pretty low security.

Beadalin,

What makes you think that the email address in the from field has any relation to the people that sent it? The USC email account is just there to hide who really sent the mail and to help evade spam filters.

You’re right, it’s Southern California.

At any rate, this is the first time I’d ever seen “on behalf of” in the From line, and jumped to conclusions. Of course it’s more than possible (and really likely, even) that someone hijacked this person’s account. Either way, I think it’s an appropriate response to report it to USC and Citibank.

USC account compromised, Sherlock.

I removed the email address from the OP, since it could well be a hijacked email account and not that of an actual spammer.

I have to go with spoofed email address, not compromised. I get lots of bounce backs from spam using my email address as the From: field, and I know my systems are secure and that the emails in question did not originate from my servers.

Thanks, Giraffe.

I got this same email yesterday, reported it.

I have been receiving such emails lately from legitimate sources (From A on behalf of B). What does it mean, what is the purpose, how is it done, etc?

Misspoke. I see it all the time in my work environment. Usually it’s administrative assistants who have full access to the Outlook accounts of the people they support. So admin Tim can schedule a meeting or send an email on VP Tom’s behalf.

In my hasty rage, I’d assumed that the person sending “on behalf of Citi Bank” was someone who had created a phishing account and was too dumb to log into that account directly. More fool me.

It doesn’t mean anything except that someone edited the From: field of their email. None of this is meaningful because any part of the header that comes from the spammer is assumed to be an outright lie.

Outlook can be configured that way. My boss sometimes dictates and has me or his secretary send e-mails on his behalf that way, because he types like e.e. cummings and it takes him forever. (I don’t know how to configure it that way; our sysadmin did it for me.)

Oh, I see, silly of me, of course I know how to do it. I often do emails that do

To: Shrimpface<email@server.cam>
From: Fishface<emailadd@server.etc>

So all I need to do is

To: Shrimpface<email@server.cam>
From: “Fishface on behalf of B. Obama”<emailadd@server.etc>

I just wasn’t thinking. The email addresses are the only thing that counts. You can put anything you want in the rest. I had never seen it and now it is becoming common.

Hi, Eva Luna, I’m back.

Sailor. It is more than that you can put anything at all you want in the from line. It might not be easy with Outlook but it is with other programs.
You could send a mail.
To: Shrimpface<email@server.cam>
From: “B. Obama”<bobama@whitehouse.gov>
Nothing along the way verifies that it is from whitehouse.gov

Mail readers can usually let you see the full headers, which can tell you at least a few of the drops the message went through. This can often tell you if the from line is spoofed. You can get open source mailer code, and with these you fill in the from line explicitly. If the headers make it look like the mail actually came from USC, then the account has been compromised.

Often people steal mailing lists from machines that have been compromised, or harvest addresses from the web, and stick in random from addresses.

Does the link you gave actually go to Citibank? Often you can tell that the link printed is not the actual link, which can be verified by looking at the URL you wind up in. Half the time it has been taken down by the time I click on it to fill out nasty things in the fields. (I do it from UNIX machines where I don’t have to worry about malware.)
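
The header check described in the last post, as an added example that is not part of the thread: it compares the From domain with the Sender and Return-Path headers and walks the Received chain to see whether any relay belongs to the domain the message claims to come from. The sample message, its hosts and addresses, and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and date below is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
\tby mx.recipient.example with ESMTP; Tue, 3 Mar 2009 10:00:02 -0800
Received: from localhost (unknown [198.51.100.23])
\tby mailer.example.net with SMTP; Tue, 3 Mar 2009 10:00:00 -0800
Sender: student@university.example
From: "Citi Bank" <service@bank.example>
To: reader@recipient.example
Subject: Account verification

Body text.
"""

def domain(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """(from_host, by_host) per relay, oldest first. Each relay prepends its
    own Received line, so header order is reversed. Only lines added by
    servers you trust are reliable; older ones can be forged by the sender."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        frm = re.search(r"\bfrom\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append(tuple(m.group(1).lower() if m else "" for m in (frm, by)))
    return hops

def analyze(raw):
    msg = message_from_string(raw)
    from_dom, hops = domain(msg["From"]), received_hops(msg)
    sender_dom, rp_dom = domain(msg["Sender"]), domain(msg["Return-Path"])
    in_dom = lambda h: bool(from_dom) and (h == from_dom or h.endswith("." + from_dom))
    return {
        "from_domain": from_dom,
        # A Sender that differs from From is what clients show as "on behalf of".
        "on_behalf_of": bool(sender_dom) and sender_dom != from_dom,
        "return_path_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "hops": hops,
        # False: no relay in the recorded path belongs to the From domain.
        "from_domain_seen_in_path": any(in_dom(h) for hop in hops for h in hop),
    }

if __name__ == "__main__":
    print(analyze(RAW))
```
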