Written by Dean Calvert
It’s becoming more and more dangerous to take things at face value these days. People, photos of the food on a menu, even some cars – we find ourselves needing to do more homework before taking the plunge and risking getting suckered in.
Email too has certainly become one of those communication media that requires us to be more careful. I received the following email this morning:
On the face of it this probably looks honest enough to most people. It appears to come from the ATO, it has a reference number associated with it, and the sender’s email address looks like it belongs to the ATO. But a little further investigation shows this to be a fake. I should highlight that I figured this was a fake when I first saw it – I don’t have a return lodged with the ATO at the moment, plus I’ve seen enough fake emails to be able to spot them – but how would you know if you were to get this?
Let’s take a quick look at the process I follow to verify an email that looks a bit suspect.
Start with the web link that’s shown in the email text – that’s the blue, underlined writing. With most email programs you can hover your mouse over the link (don’t click it!!!) and the address it really points to will be shown, usually in a tooltip or in the status bar at the bottom of the window. The words of a link and the place it actually takes you are two separate things, and a phishing email relies on you reading only the first. I did this and saw the following:
For most fakes when I see this I simply delete the email, but if you’re still curious let’s dig a little further.
If I open the email itself I can then select a menu option to view the message header information – the normally hidden part of the email that records where it came from and how it got to my mailbox. Every mail server the message passes through adds its own “Received:” line, so the headers give a far better picture of the origin than the “From:” line, which the sender can fill in with anything they like. It can also show the real email address.
I’m using Outlook 2016 – the process may vary a bit for you but if you wanted to try this you need to do so very carefully. I open the email (double click the message itself), select the File menu and then the Properties button.
I then can see the Internet headers section – just click once in here, press the Ctrl-A keys on your keyboard to “select all” and then Ctrl-C to copy the text to the clipboard. You can then paste this text into your favourite text editor – Word, WordPad, Notepad, Notepad++ or whatever else. What you’ll see may look like gibberish, and some of it is, but let’s look at the key bits of interest.
We start with the originating server. Scroll down through the text a bit until you reach the “From:” and “To:” lines – the “Received:” lines just above them are where the origin information lives. Mail servers add these lines as the message travels, each one on top of the last, so the lowest “Received:” line records the first server that handed the message over.
The highlighted number is the IP address of that server. The name alongside it, in this instance “email.ato.com”, is the name the sending server announced for itself when it connected, and since any machine can announce any name it likes I doubt that’s its real name. The IP address, on the other hand, was recorded by the receiving server, so that is the value worth looking up. I take that IP address and use a command line tool called “traceroute” to find out what its real name would be. Traceroute gets that name by doing a reverse DNS lookup on each hop along the way; running “nslookup” with the IP address as the argument does the same lookup directly. (FYI an IP address can have many forward DNS names pointing at it, so “email.ato.com” could in principle be a legitimate name for this address, but I figured the reverse lookup would show some other name for it too.)
I can tell from this information that this is a computer, possibly a hosted server in a data centre, attached to a service provider in Italy called Aruba (not related to the HP Enterprise subsidiary Aruba Networks). I doubt the Australian Taxation Office would be using any Italy-based resources to communicate with Australian citizens!
The other interesting point is a bit higher up in the header text, I can see the following:
The IP address 220.127.116.11 refers to a computer called “mail.redde.net”, but when I dug further into this address it replied with the name “MX7.flashbak.net”; when I then pointed the trusty traceroute tool at that server name, I got an error that the name couldn’t be found. A mail server whose forward and reverse DNS names don’t agree like this is another classic warning sign.
We could keep digging into this, but the story here is that what looked like a seemingly normal email from an Australian Government body is actually a fake email from someone using a server in Italy to take me to a potentially compromised webpage somewhere else. In this instance the name showing when I hover over the web link is “electrosafe.net.au”, but using traceroute against that name shows the server it resolves to is “192-185-56-31.unifiedlayer.com”, a generic name of the kind web hosting companies give their shared servers – consistent with an ordinary small website that has been compromised to host the phishing page. I don’t suggest you try visiting it though, as I got the following message when I tried to take a look:
Thanks to Microsoft SmartScreen on Windows 10 for being ready to stop me doing potential damage to my computer, and maybe the network.
So the moral here is to be careful about how you respond to emails you get. I suspect this one didn’t get clobbered by my spam filter because it was just text. In fact the Spam Confidence Level (SCL) of this one was only 1 (I also got this from the message header, where Exchange records it as “X-MS-Exchange-Organization-SCL”), and a score of 0 or 1 means the filter saw nothing wrong with it, which probably means it’s early days for fake messages coming from this source.
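The checks above – walking the “Received:” chain, comparing the name the sender announced with the “From:” domain, reading the SCL and comparing each link’s visible text with its real target – can be scripted. The Python below is an added example written for this page, not something from the original post. It runs on a constructed message modelled on the one described: the host names, the link target, the reference number and the IP addresses (taken from the RFC 5737 documentation ranges) are made up, and only the announced name “email.ato.com” comes from the post. It deliberately does no network lookups, so the reverse DNS step the post does with traceroute is left to “nslookup” or “dig -x” on the IP address it extracts.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post's message: host names, the link target
# and the IPs (RFC 5737 ranges) are made up; only "email.ato.com" is from the post.
RAW_EMAIL = b"""Received: from mail.example-mx.net (mail.example-mx.net [203.0.113.7])
 by mx.recipient.example with ESMTP; Mon, 1 May 2017 08:12:31 +1000
Received: from email.ato.com (unknown [198.51.100.23])
 by mail.example-mx.net with SMTP; Mon, 1 May 2017 08:12:29 +1000
X-MS-Exchange-Organization-SCL: 1
From: Australian Taxation Office <noreply@ato.gov.au>
To: dean@recipient.example
Subject: Your tax return, reference 4417-2201
Content-Type: text/html; charset=utf-8

<html><body><p>Your refund is ready to be processed.</p>
<p>Please review it here:
<a href="http://refund-portal.example/ato/login">https://www.ato.gov.au/refund</a></p>
</body></html>
"""

# "from <HELO name> (<reverse name> [<ip>]) by <relay>", as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def registrable_domain(host):
    """Rough registrable domain (ato.gov.au, ato.com); a real tool would use the PSL."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "net", "org", "gov", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def received_chain(msg):
    """Hops in transit order: relays prepend, so the bottom Received: line is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if match:
            hops.append(match.groupdict())
    return hops

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

def suspicious_links(msg, sender_domain):
    """Links outside the sender's domain, or whose visible text names a different site."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if "://" in text else None
        off_domain = registrable_domain(host) != sender_domain
        text_mismatch = bool(text_host) and registrable_domain(text_host) != registrable_domain(host)
        if off_domain or text_mismatch:
            flagged.append({"href": href, "host": host, "text": text,
                            "off_domain": off_domain, "text_mismatch": text_mismatch})
    return flagged

def spam_confidence_level(msg):
    """Exchange/Microsoft 365 SCL header; 0 or 1 means the filter saw nothing wrong."""
    value = msg.get("X-MS-Exchange-Organization-SCL")
    return int(str(value).strip()) if value is not None else None

def triage(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = registrable_domain(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    hops = received_chain(msg)
    origin = hops[0] if hops else None
    # The HELO name is whatever the sending machine chose to announce; the IP next
    # to it was recorded by the receiving relay, so that is the value to look up.
    origin_mismatch = bool(origin) and registrable_domain(origin["helo"]) != from_domain
    return {"from_domain": from_domain, "hops": hops, "origin": origin,
            "origin_mismatch": origin_mismatch, "scl": spam_confidence_level(msg),
            "suspicious_links": suspicious_links(msg, from_domain)}
```

Calling triage(RAW_EMAIL) on the constructed message reports two hops, with the first hop announcing “email.ato.com” (registrable domain ato.com) from 198.51.100.23 while the “From:” line claims ato.gov.au, an SCL of 1, and one link whose visible text says www.ato.gov.au but whose href points at refund-portal.example. To finish the job the way the post does, feed the first hop’s IP to “nslookup” or “dig -x” for its reverse name. The registrable_domain helper is a deliberate approximation; anything beyond a quick triage should use the public suffix list so that names like co.uk or com.au are handled correctly.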
If you get an email from a source that you’re not really expecting to hear from, and if it’s directing you to simply click on a link, be careful. Be particularly careful of any attachments to the message.
If in doubt, ask for help. Simply forwarding the email to us won’t include all of the message header information, because a normal forward creates a new message and only carries the body across. Forwarding the message as an attachment (in Outlook, “Forward as Attachment”, or Ctrl+Alt+F) keeps the original headers intact; otherwise this is where we can safely perform a remote control session and get the relevant information if required.
But the safest thing to do, if you get an email like this, is delete it and move on. Don’t click that link!
Please share this information with your co-workers so they too can be a bit more aware of some of the tricks being used.