Watch out for spoofers
Falsified e-mails can be damaging. The only defence is to use your common sense.
Published: June 26 2001 17:31GMT | Last Updated: June 26 2001 17:43GMT
I have been spoofed! Last week somebody falsified an e-mail - probably a lot of e-mails - to make it appear that I was soliciting on behalf of a dubious "get rich quick" scheme. The e-mail carried my address, as the sender, but I had not sent it.
E-mail spoofing is on the rise, according to computer security experts, and it can be a lot more serious than it was in my case.
Spoofing is a technique frequently used by perpetrators of all manner of e-mail hoaxes to hide their identities. It is a favourite with spammers but is also used by hackers. All too often, the person whose online identity has been hijacked becomes the primary victim.
Death threats have been sent to the White House using spoof e-mail addresses, triggering Secret Service investigations of the purported senders. Hate mail, political action and other controversial messages are regularly spoofed.
At work, spoofing can be used to embarrass or discredit individuals by associating them with inappropriate e-mails. It is most often associated with sexual harassment but may be used to spread any material that might trigger disciplinary action by an employer.
A new spoofing scam involves hijacking website domain addresses. The fraudsters send spoof e-mails to an internet registrar requesting transfer of the web address to a new hosting company. If the owner of the domain name does not respond promptly to e-mails confirming the transfer, the theft may be accomplished overnight.
Spoofing is the bane of law enforcement authorities charged with solving cyber crimes. It has slowed the efforts of US agencies to determine whether computer break-ins and other damage are the work of anarchists or criminals attempting to extort money or just the exploits of teenage hackers.
Businesses are also vulnerable. Michael Allison, chairman and chief executive of the Internet Crimes Group, which investigates computer crimes, warns that victims of spoofing often seek redress from the "deep pockets" of companies involved. He describes one case in which an executive was duped into travelling to speak at a non-existent industry conference by spoof e-mails. Although the incident may seem amusing, it was anything but funny for the company that was allegedly sponsoring the conference. "He went after the company whose e-mail system had been abused, with a lawsuit," says Mr Allison.
Yet spoofing seldom makes headlines. Unlike hacking and virus incidents, which grab the attention of the press, the typical spoofing incident directly affects only a handful of people. Spoofing may be the oldest form of fraud on the internet but it is one of the biggest challenges to security.
Unfortunately, technology does not offer a defence. Companies and organisations that host e-mail servers can install "firewall" filters to try to detect spoof e-mails, says Jeffrey Bedser, an e-mail security expert at Internet Crimes Group. But such filters seriously degrade a system's performance so they are not widely used. Similarly, encryption and authentication technologies may make life more difficult for spoofers but they also impede honest e-mail users.
Identifying the perpetrator of an e-mail spoof can also be difficult. Although the origins of an e-mail can be found by reading the detailed "header", this information is sometimes hidden, or partially hidden, and accessible only by systems administrators. Determined spoofers can also falsify the information in a header using software that is freely available and widely used by senders of junk e-mail. "There is no silver bullet - no easy way to avoid spoofing," says Mr Allison.
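To illustrate the point about headers, the following Python sketch is an added example and not part of the original article. It walks a message's "Received" lines from newest to oldest and reports the last hop recorded by the recipient's own servers, since anything below that point was written by machines outside the recipient's control and may be falsified. The sample message, the TRUSTED_RELAY_IPS set and the function name are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message. Hostnames and addresses use ranges
# reserved for documentation. The bottom Received line is one the sender forged.
RAW = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org with ESMTP; Tue, 26 Jun 2001 17:05:00 +0000
Received: from mail.example.com (unknown [203.0.113.77])
\tby mx.example.org with SMTP; Tue, 26 Jun 2001 17:04:58 +0000
Received: from columnist-pc (columnist-pc [198.51.100.5])
\tby mail.example.com with SMTP; Tue, 26 Jun 2001 17:04:00 +0000
From: "A Columnist" <columnist@example.com>
To: reader@example.org
Subject: Get rich quick

Constructed body.
"""

# Assumption: the only relay the recipient organisation runs in front of its mailbox.
TRUSTED_RELAY_IPS = {"192.0.2.10"}

HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def last_verified_hop(raw, trusted_ips):
    """Return the first hop, newest first, where our own server logged an outside peer."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    for index, value in enumerate(received):
        match = HOP.search(value)
        if match is None:
            return None  # unparseable line: nothing below it can be relied on
        helo, _rdns, peer_ip, by_host = match.groups()
        if peer_ip in trusted_ips:
            continue  # handed over by our own relay, so the next line is ours too
        # Our server observed peer_ip on the connection; helo is only the peer's claim.
        return {"from_domain": from_domain, "claimed_helo": helo.lower(),
                "peer_ip": peer_ip, "recorded_by": by_host.lower(),
                "unverified_below": len(received) - index - 1}
    return None

if __name__ == "__main__":
    print(last_verified_hop(RAW, TRUSTED_RELAY_IPS))
```

In the sample, the connecting machine announces itself as mail.example.com, matching the "From" address, but the recipient's relay logged it without a matching reverse name, and the one line beneath it cannot be verified at all.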
Common sense, rather than technology, may be the best defence. If the postman were to deliver a "get rich quick" solicitation, would you fall for it? Probably not - even if the name of a colleague, friend or public figure were attached.
If a typed letter, without a personal signature, landed on your desk, how much credence would you give it?
Human nature, rather than technology, is the problem. Some of the most effective methods of stealing information via the internet do not involve sophisticated hacking techniques; they rely upon the naivety of internet users.
Perhaps your company is involved in acquisition talks. An e-mail arrives in the inbox of an administrative assistant, apparently from the chief financial officer, requesting a copy of documents related to the buy-out. "The deal is in the balance. The hotel phone system is a mess," he or she explains. "I cannot access the company network. Please send to my hotmail address."
Every day this and similar scams result in the theft of sensitive business information, Mr Allison warns. He recommends that companies establish policies that preclude the transmission of sensitive company information to external e-mail addresses without verification and approval.
Rather than trusting e-mail as a friendly, informal medium for exchanging messages, we must become distrustful and wary of any e-mail that does not pass the "What if this came in writing?" credibility test.
The problem for corporate e-mail users is that such mistrust introduces inefficiency. If we must question the validity of all e-mails, keeping on top of our overflowing inboxes will take even more time.
news.ft.com