[Dshield] Banks Openly Inviting Email Fraud

Jon R. Kibler Jon.Kibler at aset.com
Mon Feb 23 21:06:27 GMT 2004


It deeply concerns me how many financial institutions, especially banks, are leaving
themselves wide open to email fraud. In fact, they are training their users to accept
as legitimate, email that under most circumstances would be clearly red-flagged as
potentially fraudulent.

What is occurring is that many financial institutions are sending newsletters and
business-related email from unverifiable sources. They are sending email to their
customers from sources such as:
   1) MTAs that do not have a hostname. When querying the MTA's IP in the whois
      database, often these IPs report as being owned by someone other than the
      financial institution claiming to be (and who actually is) the sender of 
      the email.

   2) MTAs that have forged hostnames. That is, the IP address of the connecting
      MTA claims to have a hostname that either does not resolve or resolves to
      an IP address other than the IP address of the connection.

   3) Bulk mailing services (often offshore). These services often also do not have
      valid MTA hostnames (missing or forged). The email address in the "From:"
      header is often different from the envelope sender address, and the domain in
      both addresses is often a domain such as "bankabc03.com" instead of the
      domain "bankabc.com" that would more clearly be viewed as possibly legitimate.

   4) URLs embedded into these emails are sometimes in IP address notation format,
      and point to legitimate financial institution web services that simply do
      not have a valid hostname.

On several occasions we have contacted the appropriate administrators for these
institutions and received the response "this is not a problem." It never ceases to
amaze me how security-ignorant these senior IT professionals are!

Why are the above a problem? Because the institutions are training their customers 
to EXPECT to receive official bank email that originates from clearly unverifiable
sources. This allows anyone to set up a mail system and web site that claims to
be that institution, but is instead fraudulent. 

Customers can look at the email headers of a fraudulent email, and see that they
contain the same types of data -- including errors -- that they find in email that
they know is legitimate. Same thing with URLs. Using such sloppy practices, these
financial institutions are simply inviting fraud.

Do yourself a favor: CLOSELY examine the emails that you get from your bank, stock
broker, credit card company, retirement account, etc. Pull up some of these emails
and do a "show all headers" and examine the "Received:" lines. Do the headers show
that the email was received by your mail server from a VERIFIED source? In other
words, your header should look something like this:
	Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z]) by ...
and not like:
	Received: from mail.mybank.com (mailout.mybank.com [w.x.y.z] (may be forged)) by ...
	Received: from mail.mybank.com (z.y.x.w.static.abigisp.net [w.x.y.z]) by ...
	Received: from mail.mybank.com ([w.x.y.z]) by ...

As a word of explanation, the data you see in a Received header is as follows:
	Received: from HELO_GREETING (HOSTNAME_FROM_IP_LOOKUP [IP_OF_CONNECTION]) by ...

The HELO_GREETING and the HOSTNAME_FROM_IP_LOOKUP can be forged with trivial effort.
The only reliable information (and it is reliable ONLY in the header added by your
MTA) is the IP_OF_CONNECTION information. Also, depending upon the MTA that you use,
your Received header format may vary some from the standard format.

Does all the email you receive from various financial institutions have "Received:" 
headers that provide verifiable information? Do all the URLs in these messages 
use hostnames that are that of the financial institution, and not IP addresses or
those of other organizations?

If all of your email from financial institutions conforms to such expected norms,
then please consider yourself lucky. The rest of you should start complaining long
and loud to your financial institutions about how insecure they are and how they
are deliberately making themselves ripe targets for fraud!

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
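The header and URL checks the post asks the reader to do by eye, as an added example that is not part of the original post (Python written for this page, not the author's code). It takes the institution's real domain as a parameter (mybank.com here is an assumption, as are the constructed sample message, the look-alike domain mybank03.com and the 192.0.2.0/24 documentation addresses) and flags the three suspect Received: forms shown above, a From: address whose domain differs from the envelope sender or is only a look-alike, and URLs whose host is a bare IP address or is not under the institution's domain. As the post says, only the Received: line written by your own MTA is trustworthy, so feed it that line rather than ones added by earlier hops.

```python
"""Check a bank mailing for the tell-tale patterns described in the post.

Added example, not the post's own code. The sample message is constructed:
'mybank.com' is the assumed real domain, 'mybank03.com' a look-alike, and
the IPs come from the 192.0.2.0/24 documentation range.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# sendmail/Postfix style:  from HELO (RDNS [IP]) by ...
# The rDNS name may be absent ("from HELO ([IP])"), and sendmail appends
# "(may be forged)" when the forward lookup of RDNS does not give back IP.
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]"
    r"(?:\s*\((?P<forged>may be forged)\))?\)\s+by\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def same_org(host, domain):
    """True if host is `domain` or a subdomain of it (a look-alike is neither)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_received(value):
    """Split a Received value into HELO name, reverse-DNS name, IP and forged flag."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
            "forged": bool(m["forged"])}


def assess_received(value, domain):
    """Warnings for one Received line on mail claiming to come from `domain`."""
    r = parse_received(value)
    if r is None:
        return ["Received line not in the 'from HELO (RDNS [IP]) by' form"]
    w = []
    if r["forged"]:
        w.append("MTA marked reverse DNS '(may be forged)'")
    if r["rdns"] is None:
        w.append(f"connecting IP {r['ip']} has no reverse DNS hostname")
    elif not same_org(r["rdns"], domain):
        w.append(f"reverse DNS {r['rdns']} is not under {domain}")
    if not same_org(r["helo"], domain):
        w.append(f"HELO name {r['helo']} is not under {domain}")
    return w


def assess_sender(from_header, return_path, domain):
    """Flag From:/envelope-sender domains that differ or are only look-alikes."""
    from_dom = parseaddr(from_header or "")[1].rpartition("@")[2].lower()
    env_dom = parseaddr(return_path or "")[1].rpartition("@")[2].lower()
    w = []
    if from_dom and env_dom and from_dom != env_dom:
        w.append(f"From: domain {from_dom} differs from envelope sender {env_dom}")
    for label, dom in (("From:", from_dom), ("envelope sender", env_dom)):
        if dom and not same_org(dom, domain):
            w.append(f"{label} domain {dom} is not {domain} (look-alike?)")
    return w


def assess_urls(body, domain):
    """Flag IP-literal URLs and URLs whose host is not the institution's."""
    w = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_RE.fullmatch(host):
            w.append(f"{url}: host is a bare IP address")
        elif not same_org(host, domain):
            w.append(f"{url}: host {host} is not under {domain}")
    return w


def assess_message(raw, domain):
    """Run every check over a raw RFC 822 message; returns a list of warnings."""
    msg = message_from_string(raw)
    w = []
    for rcvd in msg.get_all("Received", []):
        w.extend(assess_received(rcvd, domain))
    w.extend(assess_sender(msg["From"], msg["Return-Path"], domain))
    w.extend(assess_urls(msg.get_payload(), domain))
    return w


# Constructed sample of the sloppy mailing the post describes (not a real message).
SAMPLE = """\
Return-Path: <bounce@mybank03.com>
Received: from mail.mybank.com (ip10.static.abigisp.example [192.0.2.10])
	by mx.example.net (Postfix) with ESMTP id 0A1B2C3D
From: MyBank Alerts <alerts@mybank.com>
Subject: Your statement is ready

View it at http://192.0.2.20/statement or log in at https://online.mybank.com/
"""

if __name__ == "__main__":
    for warning in assess_message(SAMPLE, "mybank.com"):
        print("WARNING:", warning)
```

Run against the constructed sample it reports four problems: reverse DNS belonging to an ISP rather than the bank, a From: domain that differs from the envelope sender, an envelope-sender domain that is only a look-alike, and a bare-IP URL. The regex covers the sendmail/Postfix layout the post quotes; other MTAs vary the format, as the post notes, so extend RECEIVED_RE before trusting a "not in expected form" result.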
