Serious software flaw allows hacker to “send an email from anyone else’s email address”

Hook, Line, Sinker (phishing scam)

Periodically, a really big IT story hits the headlines, but for the masses to be interested, they have to understand its significance. Here is the significance of this story.

Imagine for a moment that you receive an email from your bank. To make sure that the email is not just another phishing email, the first thing that you check is the ‘actual’ email address of the sender. You look for small differences in the email address – right?

That’s because we all know that the senders of phishing emails usually register a domain which is very similar to that of the bank – say or, and then they send you an email from that domain, purporting to be from the bank, with an email address like [email protected] or [email protected] – to the trained eye, they are easy to spot!

If the email is from the bank’s official email address – the one that you have received emails from before – you trust it, right? The bank’s email asks you to log into your bank account to confirm or correct some details, so you do.

Or, imagine for a moment that you advertised something for sale on eBay and accepted an offer from someone who tells you that they have made payment through PayPal and asks you to post the item to them. Nothing wrong with that, but obviously you check your PayPal account first, to make sure that you have received the payment – right?

If you have received payment, you post the item to the buyer. If you haven’t, you don’t. But what if you received an email from PayPal telling you that they had received payment from the buyer, but that a glitch in the system meant they couldn’t credit your account for a couple of days? OK, again, you check the email address that they have used to send you the confirmation of payment and you look for discrepancies in the address (e.g. [email protected] etc.). If there is a discrepancy, you don’t send the item; if there isn’t, you do send the item – right? Well, why not? You have confirmation of payment from PayPal’s proper email address!

Or, imagine that you run a camera shop and receive an email order for an expensive camera from the offices of the local Council. You immediately check the email address to make sure that it is the correct address and not something like [email protected].

If the email address is correct, you dispatch the order – or maybe, before you do, just to be sure, you telephone the 0871 *** **** number in the email to confirm that the order is correct. The telephone is answered by a nice young lady: “Good morning, Westminster Council, how can I help you?” Upon hearing your enquiry, she transfers your call to the purchasing department, who confirm that the order is correct, that you will be paid 30 days after receipt of the camera, and ask you to send the camera to the address in the email. You send the camera – right?

In scenarios like these, when the receiver of the email makes his or her judgement, everything hinges on whether the email address is the correct address and not a spoofed email address – why?

Well, nobody can send emails from someone else’s email address without having personal access to their email account (username, password etc.), especially very important email accounts that can easily be abused – right? AND there’s no way that an internationally recognised IT company, a very well known household name, would have a gaping hole in their system that allowed anyone to send emails from anyone else’s email address – is there?

If there were such a gaping hole in a system and an unscrupulous individual or gang of internet fraudsters discovered it, they would wreak havoc on the internet. Incidents of internet fraud would explode. Within days, nobody would trust that their emails were genuine. The effect on worldwide commerce could be catastrophic! Everyone would have to adjust their systems, especially the banks and any other important financial institutions.

I have offered three scenarios, but imagine what internet cons the real fraudsters would dream up. The internet just wouldn’t be a safe place to be!

Well, Daniel, the top ‘techie’, has discovered that there is such a hole in the system of an internationally recognised IT company, and to demonstrate this we have made a screenshot video that shows how, using the flaw in this company’s system, anyone can send an email from anyone else’s email address.

Now, playing a joke on a work colleague by sending them an email from the boss’s email address is one thing, but sending out emails from a bank’s email address is a serious matter – and, believe it or not, using this system it is possible for anyone to do both!