Unmasking an Email

My Morning Rush

I got an email today supposedly from BBB.org regarding a customer complaint. I was wondering who the customer was who wasn't brave enough to approach me by email and complain to my face.

So far, I haven't had any complaints anyway, so I became suspicious of the email. I read the email from my phone. It had an attachment, so I got up from bed and opened the email from my laptop. Yeah, I do take every customer's feedback seriously. And since I'm not a "corporation" type company...I'm my own! Heck, I'd better check this one out...in case it's legit.

Obviously, if it's a real customer...I need to reach out to that customer who feels I didn't give my utmost service.

Hidden Within

When I opened the email from my email client, just as I suspected...the email had an attached zipped file. It was titled BBB_complaint##############pdf.zip

The "#" represents numbers that I didn't care to put in my post. I already knew that the zipped attachment had an executable file (.exe file) inside. I get these types of emails almost 3 times a month. If I trace the sender's IP, it is always some place outside the US, even when it's hidden under the name of USPS, BBB or PayPal.

The Verdict

The attached file, if unzipped, is an executable file. This is what I found at IC3.gov (Internet Crime Complaint Center):

In the last month, security researchers have observed several large spam campaigns with malicious HTML attachments. A 2007 botnet is believed to be behind the spike in these attacks. Traditionally, HTML-based attachments were used for phishing attacks to entice HTML victim to the desired spoofed web page. This current attack vector uses the HTML attachment with malicious javascript to redirect victims to the exploit kit. The exploit kit will then scan the target machine for vulnerabilities that can be exploited to install an information-stealing Trojan.

If you were me?

Let's say you were me. You're a small business owner and you woke up on Saturday morning, thankful for the break you have today. Oh, you're a business owner, so Saturday is mostly not a break at all. It's the time when you check every bit of your email, scan and delete, un-clutter, and do all the administrative stuff you have to do to run your business.

You got an email complaint from BBB.org. So, even if you are not a member of BBB.org, you're curious about what the complaint is about. It looks legit, so you follow the instructions and open the file.

How to Unmask an Email?

So, how would you know if you are getting a legitimate email from the Better Business Bureau?

Simple: if there is a zipped file attached, do not open it. The scammers also use PayPal & USPS or other well-known bank names.

What if there is no attachment? Phishing emails can come in several forms: sometimes with an attachment, and sometimes with a link to the attachment that will force it to download to your computer when the link is clicked.

Another way to unmask an email is by looking at the email’s Message Source.

From your email client, with the scam email highlighted, right-click on it, then click "Properties".

The Properties window will show the email "Details". Click on "Details" and then "Message Source".

In the email source or header, you'll find the IP address where the email "really came from". Although the "Return-Path" says noreply@bbb.org, the email actually came from an IP address that originated in Thailand.

I was able to find the location of the IP using the IP-address.org tracer. It showed that this IP is located in Bangkok, Thailand. To be more specific, the sender was from the Office of Information Technology Administration in Thailand.
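Here is the same header check done in code, as an added example that is not part of the original post: it reads the Message Source, walks the Received headers back to the oldest hop (the machine that actually handed the mail in), and compares that hop against the domain in Return-Path. The sample message, its hostnames and the IP 203.0.113.45 are constructed for the example, not taken from the real scam email.

```python
import email
import re
from email import policy

# Constructed sample message (not the original scam email): Return-Path claims
# bbb.org, but the oldest Received hop is an unknown host at 203.0.113.45
# (a documentation range used here as a placeholder).
RAW_MESSAGE = """Return-Path: <noreply@bbb.org>
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.7])
\tby mail.smallbiz.example (Postfix) with ESMTP id ABC123; Sat, 1 Jan 2011 08:02:11 -0500
Received: from bbb.org (unknown [203.0.113.45])
\tby mx.example-isp.net (Postfix) with ESMTP id XYZ789; Sat, 1 Jan 2011 08:02:09 -0500
From: "Better Business Bureau" <noreply@bbb.org>
To: owner@smallbiz.example
Subject: BBB Complaint Case #000000

See attached complaint.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Received headers oldest-first: each relay prepends its own, so the last one in the block is the origin."""
    msg = email.message_from_string(raw, policy=policy.default)
    return list(reversed(msg.get_all("Received", [])))

def origin_ip(raw):
    """Bracketed IP in the oldest Received header; this is the 'really came from' address."""
    for hop in received_hops(raw):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None

def return_path_domain(raw):
    """Domain the message claims to come from, taken from Return-Path."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", msg.get("Return-Path", ""))
    return m.group(1).lower() if m else None

def sender_claim_mismatch(raw):
    """True when the reverse DNS of the origin hop does not belong to the Return-Path domain."""
    hop = received_hops(raw)[0]
    domain = return_path_domain(raw) or ""
    # Format is "from <helo> (<rdns> [<ip>])"; a HELO of bbb.org with rDNS 'unknown' is the tell.
    m = re.match(r"from\s+(\S+)\s+\((\S+)\s+\[", hop)
    rdns = m.group(2).lower() if m else ""
    return not rdns.endswith(domain)
```

The origin IP this returns is the one you would then look up with a geolocation service such as the one used in the post.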

That's it! If you ever encounter such an email and you are unsure of it, whether or not it looks like it's from a legitimate company, the best thing to do is unmask the email or email the "real" company's support to verify it. If you don't want to go through all the trouble, then just delete the email.
