***EDITOR’S NOTE: The content of this article does not make or imply any claims regarding the security or insecurity of any of the brands mentioned in it. The post describes a method by which spammers disguise the sender of a message as a well-known brand to take advantage of those brands’ being whitelisted by some organizations' spam filters. The objective of this post is to make the public aware of this method and encourage individuals responsible for an organization’s whitelist to focus whitelisting rules down to specific addresses rather than only broader domain names.***
Is more malware slipping through to your Inbox? Do you have whitelists? If the latest spam emails are to be believed (which of course, they’re not), trustworthy companies such as the payment card brands, are now sending email on behalf of other well-known companies. We’ve received a number of malware-laden emails through our spam filter that purport to come from legitimate brands, but the body is a phish masquerading as yet another company, often with malware attached in a zip file.
Do these look legitimate?
We’ve seen emails like these with a card brand as the forged sender, but the message's phony content is for organizations like the United States Postal Service, LinkedIn, TNT Courier, banks, other card brands and more. Think your spam filter will stop these? It may not, and I’ll explain why.
Emails have two ways of specifying a sender. There’s the From: header, which is what a mail client uses to display the sender to the user. Then there’s the envelope sender, which is the true sender as seen by the MTA (Mail Transfer Agent), the service that transfers mail between systems. This sender is usually denoted in the email headers by the Return-Path: header (though not every mail client adds a Return-Path: header). Dividing things this way helps with things like mailing lists. It allows the list to specify the user of the mailing list making a post, have that user show up as the sender in the mail client while also specifying to an MTA that the mailing list itself is the sender.
Spammers, phishers and malware authors have been taking advantage of this. An malicious individual will use the From: header to specify a sender related to the subject of the email so that the message appears credible. Increasingly, however, the malicious individual will use a payment card brand email address, usually a generic one, as the envelope sender. What’s the point? Spam filtering systems normally ignore the From: header, because it’s easily forged, and run checks on the envelope sender, which is less easily forged. Also, the envelope sender doesn’t get displayed in a mail client, so users won’t see it and be able to tell there’s a problem. Most systems have blacklists of banned senders, but they also have whitelists of trusted senders that bypass any further checks. If they can find an address on the whitelist, they can get their spam/phish/malware past other checks that would be likely to stop the email from reaching the user. So, what would a likely address be? How about a large card brand? Lots of companies have corporate cards and getting statements from the providers of those cards would be important. So, it may be that a company whitelists a certain payment card brand or two. Here are some common addresses we’ve observed being used to circumvent spam filtering.
- <fraud@[card brand domain].com>
- <welcome@[card brand domain].com>
- <[CardBrand]@welcome.[card brand domain].com>
At least one card brand seems to be aware of this trick, as evidenced by an internet forum post reporting that the brand now rejects mail sent to the “fraud” address with a “550 Denied by policy” error message.
Malicious parties will also use the card brand domain as the HELO name (which identifies the sending machine) in the SMTP mail transfer conversation to support its attempt to be included in the whitelist. To get an idea of just how incongruous this can be, here are some examples of phony emails that tried to use a card-brand domain as the envelope sender.
- A U.S. Postal Sservice failed delivery message, asking you to print out the attached label and bring it to your local post office
- A message from a bank with an attached form
- A payment card transaction report, where the report is the attached malware
- A message from a software company with attached invoices
- A message from another bank including attached documents
- TNT Courier including attached security documents
- A sky.com account statement
- A mortgage document from a bank
- An HM Revenue & Customs tax form
- A LinkedIn contract
- Documents sent from a Xerox scanner, supposedly at your workplace
- A document from the DocuSign service
- A fax from the eFax service
Here’s an example of one of these messages whose content purported to come from a bank, but the envelope sender was spoofed as a card brand:
Note that the IP we got it from (in the first Received: header), 220.127.116.11, is a dynamic IP from a Turkish ISP. It seems reasonable to assume that a bank in the U.S. is not going send email to you via Turkey. We’ve seen a number of these malware emails come via botnets, especially the Cutwail botnet. This IP would seem to fit that pattern.
Lest you think this only happens with card brands (though that seems to be the most common attempt), spammers use other addresses to try to hit whitelists. Spoofing an industry association interested in payments is also gaining in popularity. Some recent attempts using that organization's domain include:
- Tax returns from Salesforce.com
- A letter about outstanding debt from the Department of the Treasury
- A job opportunity from Careerbuilder with a PDF attachment that is actually a Windows executable in a zip file
- An email about Paypal's terms of service
- An email saying you requested a new Facebook password
- A card brand transaction report
- An email from a bank's investments department
- A new voicemail message
Even when the email actually is supposed to be from a particular card brand, the spammer can still get confused. Here’s an example of a card-brand phish where it’s inexplicably from Facebook (maybe the attacker couldn’t decide which was more likely to be whitelisted).
So how do you know if an email is attempting this? In Microsoft Outlook, you can open the message (while not clicking on any links in it, or opening any attachments), click on File, then click on Properties. The headers will be at the bottom of the pop-up box. In Mozilla Thunderbird, you can press CTRL-U to see the raw message. Check the headers. The envelope sender will be in the Return-Path: header. If the address has no relation to what the email is about, the spammer is probably using the camouflaging tactic described above.
If suspicious emails are getting through, and it seems like they really shouldn’t, you may want to review any whitelists you have in place. If you get real, actual emails from a card brand or some other domain, try to narrow down the whitelisted address to an actual person at that domain, instead of a generic address like “welcome” or “fraud”. If only some people at your domain get email from that sender domain, restrict the whitelist only to those recipients. Of course, also make sure you run a virus scanner on all incoming email, and keep it updated. Spammers will try any trick to get their emails through, so vigilance is key. Periodically review whitelists/blacklists for relevance and mistakes. Your users will thank you when they see less malware getting through.