Unmasking an Email

My Morning Rush

I got an email today supposedly from BBB.org regarding a customer complaint. I was wondering who the customer was who wasn't brave enough to approach me by email and complain to my face.

So far, I haven't had any complaints anyway, so I became suspicious of the email. I read the email from my phone. It had an attachment, so I got up from bed and opened the email from my laptop. Yeah, I do take every customer's feedback seriously. And since I'm not a "corporation" type company…I'm my own! Heck, I'd better check this one out…if it's legit.

Obviously, if it's a real customer…I need to reach out to that customer who feels I didn't give my utmost service.

Hidden Within

When I opened the email from my email client, just as I suspected…the email had an attached zipped file. It was titled BBB_complaint##############pdf.zip

The "#" represents numbers that I didn't care to put in my post. I already knew that the zipped file attachment had some executable file (.exe file) inside. I get these types of emails almost 3 times a month. If I trace the sender's IP, it will be some place outside the US, even if it's hidden under the name of USPS, BBB or PayPal.

The Verdict

The attached file, if unzipped, is an executable file. This is what I found from IC3.gov (Internet Crime Complaint Center):

In the last month, security researchers have observed several large spam campaigns with malicious HTML attachments. A 2007 botnet is believed to be behind the spike in these attacks. Traditionally, HTML-based attachments were used for phishing attacks to entice the victim to the desired spoofed web page. This current attack vector uses the HTML attachment with malicious JavaScript to redirect victims to the exploit kit. The exploit kit will then scan the target machine for vulnerabilities that can be exploited to install an information-stealing Trojan.

If You Were Me?

Let's say you were me. You're a small business owner and you woke up on Saturday morning, thankful for the break you have today. Oh, you're a business owner, so Saturday is mostly not a break at all. It's that time when you check every bit of your email, scan and delete, un-clutter and do all the administrative stuff you have to do to run your business.

You got an email complaint from BBB.org. So, even though you are not a member of BBB.org, you're curious what the complaint is about. The email is as follows.

Looks legit, so you went on, followed the instructions and opened the file.

How to Unmask an Email?

So, how would you know if you are getting a legitimate email from Better Business Bureau?

Simple: if there is a zipped file attached, do not open it. These scammers use PayPal & USPS most of the time. This is the first time I got a fake email from BBB.org, so it was only recently that they started using the name Better Business Bureau.

What if there is no attachment? Phishing emails can come in several forms: sometimes with an attachment, and sometimes with a link to the attachment that will force it to download to your computer when the link is clicked.

Another way to unmask an email is by looking at the email's Message Source.

From your email client, with the scam email highlighted, right-click on it. Then click “Properties”.

The Properties will show the email "Details". Click on "Details" and then "Message Source".


As you can see, I also highlighted the IP address where the email "really came from". Although it says that the "Return Path" is noreply@bbb.org, the email actually came from the IP address 202.29.184.105.

I then tried to find the location of that IP address using the IP-address.org tracer. It showed that this IP is located in Bangkok, Thailand. To be more specific, the sender was from the Office of Information Technology Administration in Thailand.

I couldn't cut and paste anymore, but if you click on the Message Source of the email, a new window will appear showing the whole email's details. It will show the HTML code behind the styled BBB.org email, and the attached file as an endless stream of "garbage" code, which is the virus.
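The two checks above (a zipped attachment with a document-looking name, and a Return-Path that does not match the relay the message really arrived from) can be automated instead of read by eye from the Message Source window. The script below is an added example, not code from the post: it parses a constructed raw message modelled on the one described (the relay names, recipient, queue ids and dates are made up; the noreply@bbb.org Return-Path and the 202.29.184.105 originating IP are the values the post reports), pulls the claimed sender domain and the first public IP from the Received chain, and flags archive or double-extension attachments.

```python
"""Triage a raw email the way the post does by hand: read the claimed
Return-Path, pull the originating IP from the Received headers, and flag
archive / double-extension attachments.  Added example; not the post's code."""
import email
import email.utils
import ipaddress
import re
from pathlib import PurePosixPath

# Constructed sample message modelled on the one the post describes.  The relay
# names, recipient, queue ids and dates are made up; the Return-Path address and
# the originating IP are the values the post reports.  The base64 body is a
# placeholder, not a real archive.
RAW_EMAIL = """\
Return-Path: <noreply@bbb.org>
Received: from relay.example.net (relay.example.net [10.0.0.5])
 by mx.example.net (Postfix) with ESMTP id 1A2B3C
 for <owner@example.net>; Sat, 14 Jan 2012 08:12:01 -0500
Received: from mail.bbb.org (unknown [202.29.184.105])
 by relay.example.net (Postfix) with ESMTP id 4D5E6F
 for <owner@example.net>; Sat, 14 Jan 2012 08:11:58 -0500
From: "Better Business Bureau" <noreply@bbb.org>
To: owner@example.net
Subject: BBB Complaint
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review the attached complaint.</body></html>
--b1
Content-Type: application/zip; name="BBB_complaint_000000.pdf.zip"
Content-Disposition: attachment; filename="BBB_complaint_000000.pdf.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ARCHIVE_OR_EXECUTABLE = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs"}
DOCUMENT_LOOKALIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def return_path_domain(msg):
    """Domain the sender *claims* in Return-Path.  Trivially forgeable."""
    _, addr = email.utils.parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()


def originating_ip(msg):
    """First public IP walking the Received chain from the sender's side.

    Each relay prepends its own Received header, so the last one in the
    message is the hop closest to the sender.  Private/loopback addresses
    (internal relays) are skipped.
    """
    for received in reversed(msg.get_all("Received", [])):
        for ip in IP_IN_BRACKETS.findall(received):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not (addr.is_private or addr.is_loopback):
                return ip
    return None


def attachment_reasons(filename):
    """Reasons a filename looks like the lure the post describes."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in ARCHIVE_OR_EXECUTABLE:
        reasons.append(f"archive/executable extension {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_LOOKALIKE:
        reasons.append(f"document-lookalike double extension {''.join(suffixes[-2:])}")
    return reasons


def suspicious_attachments(msg):
    """Filenames of attachment parts that trip attachment_reasons()."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment" and attachment_reasons(name):
            found.append(name)
    return found


def triage(raw):
    """Summarise what the post reads off the Message Source window by hand."""
    msg = email.message_from_string(raw)
    bad = suspicious_attachments(msg)
    return {
        "return_path_domain": return_path_domain(msg),
        "origin_ip": originating_ip(msg),
        "suspicious_attachments": bad,
        "suspicious": bool(bad),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

The originating IP is only as trustworthy as the relay that recorded it: a sender can add fake Received lines of their own, so the hop you can rely on is the one your own mail server (here relay.example.net) wrote when it accepted the connection. Geolocating the IP, as the post does with IP-address.org, is a separate lookup and is left out so the script runs offline.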

That's it! If you ever encounter such an email and you are unsure of it, even if it looks like it's from a legitimate company, the best thing to do is to unmask the email or email the "real" company's support to verify it. If you don't want to go through all the trouble, then just delete the email.
