
Sextortion Scam: How Scammers Steal Your Email Address and Why You’re Safe

Disturbing emails regularly arrive in our inboxes: emails in which scammers make it appear that they have hacked our account. As proof, they point out that the email was sent from our own address. Don’t panic, it’s not true. Tech&Co explains how they achieve it.

“Hello pervert, I sent you this message from your Microsoft email. I want to inform you of a very bad situation for you.” This email, or a similar one, is received by many people each year. Its sender tries to scare the victim by claiming to have caught them masturbating to pornographic videos using Pegasus spyware and, above all, to have hacked their mailbox.

And by looking at the email address from which the message was sent, the victim realizes that it is indeed theirs. This sextortion scam is not new: it spreads in waves, with more or less regularity, and seems to be experiencing a resurgence in recent times. The objective is always the same: force the victim to pay to prevent the alleged videos of them masturbating from being sent to their friends, colleagues and family.

While some people truly believe that their email has been hacked, there is actually no threat. Tech&Co explains how scammers manage to spoof, not hack, their victims’ email addresses.

A skill that is not available to everyone but…

This technique, also known as spoofing, has been used by cybercriminals for years, especially for phishing emails. Spoofing a person’s email address is not something everyone can do, but it is quite simple, according to Benoit Grunemwald, cybersecurity expert at ESET. Scammers accomplish this by modifying the “From” field in the header of an email, something that is not possible through messaging services like Gmail or Outlook.

When one Internet user sends an email to another in Outlook or Gmail, their address is automatically selected, so the “From” field is not even visible or, if it is, simply clicking on it is not enough to modify it as desired. One of the methods used by scammers to achieve this is to create malware that sends fraudulent emails.

“This is what we see with this scam. The hacker did not enter every email address of the people he scammed (…) he created some kind of program that will take all the email addresses he has in his database, put the text next to it and say ‘every time you send this text to this address, the sender will be the same as the person who receives it,’” explains the cybersecurity expert.

Given the simplicity of such a program, a person can turn to artificial intelligence, says Benoit Grunemwald. Companies like OpenAI, Microsoft or Google offer tools capable of coding, including their chatbots. Alternatively, a person can also go to cybercriminal forums to purchase malware that will help them in their task.

A question of authorization

If scammers manage to fake the sender of an email, it is thanks to SMTP (Simple Mail Transfer Protocol). It has been at the center of emailing since its creation in the 1980s. The problem is that “it was not created by asking the question or considering that, a few years later, smart people were going to usurp someone’s identity,” Benoit Grunemwald emphasizes.

In fact, the protocol does not include authentication by default, which allows a cybercriminal to easily modify the “From” field in the header of an email to spoof someone’s address. But this is not the only problem, or rather, it is not the real problem, points out the cybersecurity expert, “because today everyone has moved to SMTPS, a bit like HTTPS, and that is why we will ask you to authenticate”.

The problem is rather “linked to a global authorization to use domain names,” he says. These are easily recognizable names found after www. in web addresses or after @ in email addresses (google.com, elysee.fr…). With this protocol, an email will go through an SMTP server (which you can configure yourself) to be sent. And to do this, the server in question will communicate with another.

The problem is that, at some point, these relays would have to note that an email claims to come from a certain domain name and check whether the person behind it is actually authorized to use that domain, so that those who do not own it cannot send mail in its name. But that is not how it works.

Therefore, although protection mechanisms have been put in place on the sender side since the SMTP protocol was created, scammers still manage to slip through, especially because these mechanisms are not yet adopted by everyone.
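
The domain-authorization check described above is what SPF, DKIM and DMARC perform on the receiving side, and the receiving server records its verdicts in the `Authentication-Results` header. The following is an added example, not part of the original article, that flags a message whose "From" equals its recipient without a DMARC pass; the server name `mx.example.net`, the addresses and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: id of your own receiving server

# Constructed sample: From equals To, as in the scam described above.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none;
 dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: Hello pervert

I sent you this message from your email.
"""
# Constructed sample: a genuine note-to-self that passed every check.
GENUINE = (SPOOFED.replace("spf=fail", "spf=pass")
           .replace("dkim=none", "dkim=pass header.d=example.com")
           .replace("dmarc=fail", "dmarc=pass"))

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results, trusting only our own server's header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue  # a header the sender could have injected: ignore it
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def classify(raw):
    """Flag mail that claims to come from its own recipient without a DMARC pass."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    verdicts = auth_verdicts(msg)
    if sender and sender == recipient and verdicts.get("dmarc") != "pass":
        return "spoofed-self-sender", verdicts
    return "no-self-spoof-indicator", verdicts

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, *classify(raw))
```

Only the header written by your own receiving server is trusted here, because any other `Authentication-Results` line may have been supplied by the sender.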

So don’t panic: you now know that this is a scam and that your precious email account is safe. Don’t let this stop you from choosing a strong password or, better yet, adopting passcodes.

Author: Kesso Diallo
Source: BFM TV
