Singnet users, watch out for email account upgrade phishing email from “helpdesk@singnet.com.sg”

Received an unexpected email from “Singnet” Today, apparently without a doubt (even without the obvious spelling errors), though this E-mail is obviously a hoax, I do not know how many people are fooled into thinking it is genuine. It reads:

In addition to my previous article on phishing, lets dissect this email headers to raise the truth and origin of this email- and you should whenever you see a questionable email, or one which asks for personal details, though it may seem to come from a legitimate source.

So lets take alook at the headers, you can view it by right clicking email and selecting properties or options in your mail program.

The first part looks completely OK, the server which pulls this email from the singnet server into my singnet account is valid. The return path is the email which your email program will automatically use as a reply address, since it’s placed at helpdesk@singnet.com.sg, it appears to be a legitimate email.

*Note that I replaced @ with [at] to prevent indexing of the phisher’s email here.

However, clicking on reply will create a message with a reply to the email helpdesk [at] j- mail .info which is obviously not the same email which it is sent or perceived to be sent from. Do note not to trust what you see on the “reply” box as sometimes it can be a formatted name made to look like an email address. You will understand what I mean sometimes when you reply to an email and you see like “John Tan” underlined in outlook rather than johntan@someemail.tld, this is the case where the phisher can replace “John Tan” with “helpdesk@singnet.com.sg” while the email is still sent to the phisher’s email helpdesk [at] j- mail .info hidden behind the name for example.

It seems that the email was sent from a server with a university of Berkeley web email account running the squirrelmail webmail software, presumably from some unfortunate soul who had their student email account hijacked by this phisher. The sender details are as follows:

True enough, the sender’s IP 128.32.61.106 originates from California Berkeley contrary to a Singapore IP and origin- area where it should be sent from instead. The sender masked the email to the helpdesk email and return/send path helpdesk@singnet.com.sg while it’s actually sent out from Berkeley’s own smtp server at smtp-out1.berkeley.edu (smtp-out1.Berkeley.EDU [128.32.61.106]).

Going abit further, we can tell that the attack was sent via a web browser interface via HTTP which can only mean port 80, through automated or manual means. And through the problematic email account (account “mdnoerper”), this will allow the Berkeley administrators to trace the source of the problem and plug the phisher.

Then many will come to ask, what those phishers can do if they take control of my email account? Well despite the obvious fact of the possibility of your bank account being emptied to some Swiss account if you respond with your details to bank phishing emails, taking control of your inbox may allow a hacker to take over a server for their own use if they manage to execute any Trojans within the email storage itself. Otherwise they can always use your email for spamming or sending out more phishing emails and having you accountable.

I hope this will shed more light on phishing emails. Remember surf smart, mail smart, it’s a rough digital world out there.