I received an unexpected email from “Singnet” today. Even without the obvious spelling errors, this email is without a doubt a hoax, though I do not know how many people are fooled into thinking it is genuine. It reads:

ATTENTION,

This mail is to inform all our Signet Webmail users that we will be upgrading our webmail site date.Subscribers of our site are required to send us email account details so as to enable us know if you are making use of your mail box.

Further be informed that we will delete all mail accounts that are not functioning, to create more space for new user. Please send us your mail account details as follows:

*ID/EMAIL:
*Password:

Failure to do this will leads to immediate deactivation of your email address from our Webmail database.

Thank you for using our singnet
SINGNET WEBMAIL SUPPORT TEAM

As a follow-up to my previous article on phishing, let's dissect this email's headers to establish its true origin. You should do the same whenever you see a questionable email, or one that asks for personal details, even if it appears to come from a legitimate source.

So let's take a look at the headers. You can view them by right-clicking the email and selecting Properties or Options in your mail program.

Return-Path:
Received: from mx15.singnet.com.sg (panther1.mcis.singnet.com.sg)

The first part looks completely OK: the server which pulled this email from the Singnet server into my Singnet account is valid. The Return-Path is the address which your email program will automatically use as a reply address; since it is set to helpdesk@singnet.com.sg, the email appears to be legitimate.

Reply-To: helpdesk [at] j- mail .info
User-Agent: SquirrelMail/1.4.9a-3.berkeley

Note: I replaced @ with [at] to prevent indexing of the phisher's email address here.

However, clicking Reply will create a message addressed to helpdesk [at] j- mail .info, which is obviously not the address the email was sent from, or appears to have been sent from. Also, do not trust what you see in the reply box, because it can be a display name formatted to look like an email address. You will know what I mean if you have ever replied to an email and seen something like “John Tan” underlined in Outlook rather than johntan@someemail.tld: the phisher can replace “John Tan” with “helpdesk@singnet.com.sg” as the display name while the reply is still delivered to the phisher's address helpdesk [at] j- mail .info hidden behind that name.

It appears that the email was sent from a University of California, Berkeley webmail account running the SquirrelMail software, presumably belonging to some unfortunate soul whose student email account was hijacked by the phisher. The sender details are as follows:

Received: from smtp-out1.berkeley.edu (smtp-out1.Berkeley.EDU [128.32.61.106])

True enough, the sender's IP 128.32.61.106 is located in Berkeley, California, rather than in Singapore, where a genuine Singnet email would originate. The sender disguised the message with the Singnet helpdesk address helpdesk@singnet.com.sg as the return/send path, while it was actually sent out from Berkeley's own SMTP server, smtp-out1.berkeley.edu (smtp-out1.Berkeley.EDU [128.32.61.106]).

arsenic.calmail ([192.168.1.2] helo=calmail.berkeley.edu)
by fe4.calmail with esmtpsa (TLSv1:AES256-SHA:256)
(Exim 4.68)
(auth login:mdnoerper@berkeley.edu)
SquirrelMail authenticated user mdnoerper@berkeley.edu)
by calmail.berkeley.edu with HTTP;

Going a bit further, we can tell that the email was submitted through a web browser interface over HTTP (which can only mean port 80), whether by automated or manual means, and through the compromised account (“mdnoerper”). This will allow the Berkeley administrators to trace the source of the problem and shut the phisher out.
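The two checks made by hand above, comparing the Reply-To domain against the claimed sender and walking the Received: chain back to the originating IP and the authenticated account, can be automated. The following is an added example and not code from the original post; the sample headers, hostnames, IP addresses (RFC 5737 documentation ranges) and mailboxes are constructed placeholders modelled on the headers dissected above, not the phisher's real details, and the function names are the example's own.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample headers, modelled on the ones dissected above. Every
# hostname, IP address and mailbox here is a placeholder (RFC 5737
# documentation ranges, .test/.example domains), not the real phisher's data.
RAW_HEADERS = """\
Return-Path: <helpdesk@singnet.com.sg>
Received: from mx15.example-isp.test (mx15.example-isp.test [203.0.113.15])
\tby mail.example-isp.test with ESMTP; Mon, 1 Jan 2007 10:00:00 +0800
Received: from smtp-out1.university.test (smtp-out1.university.test [192.0.2.106])
\tby mx15.example-isp.test with ESMTP; Mon, 1 Jan 2007 09:59:50 +0800
Received: from webmail.university.test ([192.168.1.2] helo=webmail.university.test)
\tby fe4.university.test with esmtpsa (auth login:victim@university.test)
Received: from 198.51.100.7 (SquirrelMail authenticated user victim@university.test)
\tby webmail.university.test with HTTP; Mon, 1 Jan 2007 09:59:40 +0800
From: "SINGNET WEBMAIL SUPPORT TEAM" <helpdesk@singnet.com.sg>
Reply-To: helpdesk@j-mail.example
User-Agent: SquirrelMail/1.4.9a-3.berkeley
Subject: ATTENTION

"""

# Only RFC 1918 and loopback count as internal here, so that the RFC 5737
# documentation addresses in the sample are treated as routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"(?:auth login:|authenticated user )([^\s)]+)")


def domain_of(header_value):
    """Lower-cased domain of the first address in a From/Reply-To/Return-Path value."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """True when a reply would go to a different domain than the mail claims to come from."""
    claimed = domain_of(msg.get("From")) or domain_of(msg.get("Return-Path"))
    reply = domain_of(msg.get("Reply-To"))
    return bool(reply) and reply != claimed


def display_name_masquerade(from_value):
    """True when the display name itself looks like an address but differs from the real one."""
    name, addr = parseaddr(from_value or "")
    return "@" in name and name.strip().lower() != addr.lower()


def is_internal(ip):
    """Private or loopback address, or something that is not an IP at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(msg):
    """Each relay prepends its Received: header, so reverse them to read oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())      # unfold and squeeze whitespace
        m = re.match(r"from (\S+)", text)
        hops.append({"from": m.group(1) if m else "?",
                     "ips": IP_RE.findall(text),
                     "raw": text})
    return hops


def analyse(raw):
    """Summarise the checks from the article: reply-to mismatch, origin IP, abused accounts."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    # First routable IP walking forward from the oldest hop: the submitting client.
    origin_ip = next((ip for hop in hops for ip in hop["ips"] if not is_internal(ip)), None)
    accounts = []
    for hop in hops:
        for acct in AUTH_RE.findall(hop["raw"]):
            if acct not in accounts:
                accounts.append(acct)
    return {"reply_to_mismatch": reply_to_mismatch(msg),
            "display_name_masquerade": display_name_masquerade(msg.get("From")),
            "origin_ip": origin_ip,
            "accounts": accounts,
            "hops": hops}


if __name__ == "__main__":
    report = analyse(RAW_HEADERS)
    for key in ("reply_to_mismatch", "display_name_masquerade", "origin_ip", "accounts"):
        print(f"{key}: {report[key]}")
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from {hop['from']} ips={hop['ips']}")
```

Two caveats when reading the output. Received: headers are only trustworthy from the first relay you control downwards; a sender can insert fake ones below that point, so the "origin" is the first hop that your own mail server vouches for, not whatever appears at the bottom. And a Reply-To that differs from the From domain is a strong signal for a "support team" message, but legitimate mailing lists and ticketing systems do the same, so treat it as a reason to read the rest of the headers, not as proof on its own.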

Many will then ask: what can phishers do if they take control of my email account? Apart from the obvious possibility of your bank account being emptied into some Swiss account if you respond to bank phishing emails with your details, control of your inbox may allow an attacker to take over a server for their own use if they manage to execute a Trojan within the email storage itself. Failing that, they can always use your email account for spamming or for sending out more phishing emails, leaving you accountable.

I hope this sheds more light on phishing emails. Remember: surf smart, mail smart; it's a rough digital world out there.
