Thursday, August 8, 2024
Email spoofing, scamming, and hacking, Copyright 2024 by Steve Burgess
Email domain spoofing scams
With fortunes, privacy, and identities at stake, we have had a number of cases involving phishing and spoofing in the past few years and into the present where fake/spoofed domain names look almost the same as legitimate ones, but are not. They may even lead to sites that look the same as the legitimate ones, because it’s straightforward to fake a web page in a way the average user is unlikely to detect.
How does this work?
Someone sends you an email that looks legit, let’s say johnsmith@wellfargo.com, and it even has a logo in the signature block that looks right.
You may already have noticed, because you’re reading this article and are alert to what I’m talking about, that the domain wellfargo.com is not the same as wellsfargo. It’s missing the letter “s.”
In your case, it may be an invoice to be paid from what looks like a legitimate vendor, or it may be a request to sign into your account. When you click on the link in the email, it takes you to a website that looks real, at least to a busy person who wants to get this one task out of the way before getting on with the day. Or maybe you just weren’t wearing your reading glasses. When you sign in, you get an error instead of the page you normally see after logging in to your bank account, and the perpetrator now has your real login and password. Because many people use the same password (bad idea!) for many websites, they also have your password to those same many websites.
What’s the point?
As above, it’s a way to get into your various online accounts, which often include bank, stock trading, accounting, and commercial online stores in your name. It may also be a way to steal not just your online stuff and money, but even your online persona.
We have had cases where such emails have been used to authorize millions – literally millions – of dollars in transfers to banks, in and out-of-country.
Script spoofing
What the heck is that?
That’s using letters or numbers in an email address that look like other letters or numbers. It may look legit, but if you answer it, they now know that it’s a live email address, and worse. They may fool you into paying a bunch of money to someone who is not who you think it is. They’re not trying to get you to log in to a website, but rather to get you to authorize a nefarious transaction.
For instance, a Cyrillic “а” looks just about like a Roman (English) “a,” but it is a different character to a browser or a mail server.
Greek and/or Cyrillic share other characters with Roman (English) letters that look the same or almost the same, but are different codes, including lower case a, o, i, u and upper case O, M, K, T, A, X, Y, H, B, E, and P.
A recent popular script spoofing scam involved citibank.com, but with the “a” being a Cyrillic “а.” Your browser is probably not going to allow you to go to the website with the alternate character, but your mail server may have no such compunction, and will deliver the message anyway.
How do I know whether it’s legit?
One way would be to copy the domain part of the email address (the part that comes after the “@” sign), paste it into a browser and see whether it goes to the legitimate site. At the moment, when I type in Citibank.com with the Cyrillic “а” in Firefox, I get a message that says “Check if there is a typo in xn--citibnk-6fg.com.” In Chrome, it’s a similar message. So these browsers, at least currently, are catching that it’s not the Roman (i.e., English) letter “a.”
When I do a search for Citibank with the Cyrillic “а,” both Chrome and Firefox offer as the first listing the real Citibank website (which is safe to visit), and as the second listing a Wikipedia page on “IDN homograph attack,” which is an article on domain names that use letters, such as the Cyrillic “а,” that look just like Roman letters.
(IDN, incidentally, stands for Internationalized Domain Name. I knew you wanted to know that!)
How can I avoid becoming victim to this scam?
There are a few things you can do to be safer.
- First, and most importantly, don’t click on links in the body of emails. Type the web address into the address/search bar manually.
- You may hover your cursor (if you’re using a computer) over the link in the email and the underlying actual link should show up. Look at it carefully to see if it is what you expect.
- You may right-click on the link, copy it, and then paste it into a text document, to see if it is a real web address or whether the link.
- Don’t respond to emails from users unknown to you… and even if it does look like a user known to you, like say a bank officer, make sure the domain is correct.
But the safest thing to do is to type the domain name or email address yourself. It’s surely a pain, but there’s a lot at stake.
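The manual checks above (copy the domain out of the address or the link, look for lookalike letters, see what the browser makes of it) can be done by a small script once the link is pasted in. The following is an added example, not code from the original article or from Burgess Forensics: it pulls the domain out of an email address or URL, shows the punycode form that the resolver and the browser warning actually use (via Python’s standard idna codec), maps the Cyrillic and Greek lookalikes listed above onto the Latin letters they imitate, flags labels that mix scripts, and catches a one-letter typosquat such as wellfargo.com. The lookalike table is constructed from the article’s list and is not exhaustive; the sample addresses are constructed for the demonstration.

```python
"""Check whether the domain behind an email address or link is the one it appears to be."""
import unicodedata
from urllib.parse import urlsplit

# Constructed from the lookalikes named in the article: a Cyrillic or Greek letter
# mapped to the Latin letter it is easily mistaken for. Not exhaustive; domains are
# lowercased before lookup, so only lowercase forms are needed here.
CONFUSABLES = {
    "\u0430": "a", "\u043e": "o", "\u0456": "i", "\u0443": "y",   # Cyrillic а о і у
    "\u0435": "e", "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic е р с х
    "\u043d": "h", "\u043a": "k", "\u043c": "m", "\u0442": "t",   # Cyrillic н к м т
    "\u03b1": "a", "\u03bf": "o", "\u03c5": "u", "\u03b9": "i",   # Greek α ο υ ι
}


def domain_of(target: str) -> str:
    """Extract the domain a user must check from an email address or a URL.

    A URL is parsed properly so that userinfo tricks such as
    http://bank.example@evil.example/ yield evil.example, not bank.example.
    """
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower()
    return (urlsplit(target if "://" in target else "//" + target).hostname or "").lower()


def to_ascii(domain: str) -> str:
    """The form DNS resolves: IDNA/punycode, e.g. citibаnk -> xn--citibnk-6fg."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """What the domain looks like to a human: each lookalike replaced by its Latin twin."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "OTHER").split(" ", 1)[0] for ch in label if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss typosquats like wellfargo/wellsfargo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(target: str, expected: str) -> dict:
    """Compare the domain behind `target` with the domain you expected to see."""
    domain = domain_of(target)
    expected = expected.lower()
    # Compare only the trailing labels, so secure.citibank.com still matches citibank.com.
    tail = ".".join(domain.split(".")[-len(expected.split(".")):])
    info = {
        "domain": domain,
        "punycode": to_ascii(domain),
        "looks_like": skeleton(domain),
        "mixed_script": any(len(scripts_in(label)) > 1 for label in domain.split(".")),
    }
    if tail == expected:
        info["verdict"] = "ok"
    elif skeleton(tail) == expected or info["mixed_script"]:
        info["verdict"] = "homograph"          # reads like the real name, is not
    elif edit_distance(tail, expected) <= 2:
        info["verdict"] = "typosquat"          # a letter dropped, added or swapped
    else:
        info["verdict"] = "different domain"
    return info


if __name__ == "__main__":
    # Constructed samples: a typosquat, a Cyrillic-а homograph, and two legitimate forms.
    for target in ("johnsmith@wellfargo.com", "https://www.citib\u0430nk.com/login",
                   "alerts@citibank.com", "https://secure.citibank.com/"):
        expected = "wellsfargo.com" if "fargo" in target else "citibank.com"
        print(check(target, expected))
```

The punycode line is the same string Firefox shows in its “Check if there is a typo” message, so the script reproduces what the browser would have told you without visiting anything. A domain that passes as “ok” here can still be fraudulent in other ways; the check only tells you that the domain is the one you typed in as expected.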
Or call us – we might be able to help.
Contact Steve Burgess: steve@burgessforensics.com
(866) 345-3345 ; (805) 349-7676
http://www.burgessforensics.com