A couple of weeks ago, I was checking email on my phone and I got a spoofed email from Stratfor saying that the CEO of the company stepped down. I initially fell for it because I couldn’t see the formatting of the email, I only had a sub-optimally formatted message that rendered on the small screen. Had I viewed it using my mail client (Thunderbird) I would not have been so easily duped.
Today it happened again.
I checked my phone this morning and looked into my Yahoo account. It said I got a message from YouTube saying that my video has been approved.
Huh? What video?
I don’t remember uploading a video recently, although I did have to put one on Vimeo because YouTube restricts the length of them to 10 minutes (or they did, don’t know if they still do).
I thought it odd that I got mail to my Yahoo account. I don’t have YouTube through my Yahoo account, I get it through Gmail. Right off the bat I thought “That’s strange, why am I getting it through Yahoo? Did I forget to change something over? Did they finally post my other video?”
In my curiosity I navigated on my phone to one of the links and clicked on it. The web browser loaded and took me to a pharmaceutical pills page. I’d been fooled by a spoofed YouTube mail.
I was fooled because my phone strips away all of the rich content. Here’s how the email looks in Yahoo Mail:
Compare to a legitimate email from YouTube:
It looks almost the same except for the inclusion of the logo and the formatting of the address at the bottom of the email. But had I viewed this mail in my email client, I would have said “Yahoo Mail? That makes no sense. Who did this message really come from?” and then I would have viewed the headers. The email client on my phone has no way to do that. It doesn’t even render images; it’s just a bunch of text and placeholders for images.
The message was sent from <redacted>@online.sh.cn, but it came through the Yahoo Mail service after connecting from an IP in France. This means that somebody is using the Yahoo Mail service to send spoofed email.
This is now twice that I have fallen for an email scam because the phish is relevant to my interests. Will I be duped a third time?
A simple fix to SPF records could allow a domain to also specify that the MIME From address must match the SMTP MAIL FROM address, and thereby eliminate such spam. In this case the MIME From and SMTP MAIL FROM didn't match, and one of them was spoofed as YouTube, which has an SPF record dictating who can send email from its domain. Until the mess of MAIL FROM vs MIME From fields is resolved, end-users will always fall foul of phishing and scams. They are never going to realize there is a difference, nor should they have to. A technical feature (MAIL FROM vs MIME From) that is useful to a tiny minority is causing havoc for the majority of email users.
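The alignment check this paragraph asks for, as an added example that is not part of the original post: it compares the domain of the SMTP MAIL FROM with the domain of the MIME From: header, which is the test DMARC later standardised as identifier alignment. Every address and message below is constructed; the online.sh.cn mailbox and the YouTube bounce address are placeholders, and the relaxed mode is a simplification that does no public-suffix handling.

```python
import email
from email import policy
from email.utils import parseaddr

def address_domain(addr: str) -> str:
    """Domain part of an address such as 'YouTube <noreply@youtube.com>', lowercased."""
    _, spec = parseaddr(addr)
    return spec.rsplit("@", 1)[1].lower() if "@" in spec else ""

def check_alignment(mail_from: str, raw_message: bytes, relaxed: bool = True) -> tuple[bool, str, str]:
    """Compare the SMTP MAIL FROM (envelope) domain with the MIME From: header domain.

    Strict mode requires the two domains to be identical; relaxed mode also
    accepts one being a subdomain of the other (simplification: no public-suffix
    list, so 'co.uk'-style domains are not special-cased).
    Returns (aligned, envelope_domain, header_domain).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header_domain = address_domain(str(msg.get("From", "")))
    envelope_domain = address_domain(mail_from)
    if not header_domain or not envelope_domain:   # missing identity: never aligned
        return False, envelope_domain, header_domain
    aligned = envelope_domain == header_domain
    if relaxed and not aligned:
        aligned = (envelope_domain.endswith("." + header_domain)
                   or header_domain.endswith("." + envelope_domain))
    return aligned, envelope_domain, header_domain

# Constructed sample: the spoof described in the post. The From: header claims
# YouTube, but the envelope sender is an unrelated online.sh.cn mailbox.
MESSAGE = b"""From: YouTube Service <service@youtube.com>
To: victim@yahoo.com
Subject: Your video has been approved

Your video has been approved. See it here.
"""
SPOOFED_MAIL_FROM = "someone@online.sh.cn"     # placeholder for the redacted sender
LEGIT_MAIL_FROM = "bounces@mail.youtube.com"   # hypothetical bounce address, aligned in relaxed mode

if __name__ == "__main__":
    for label, mf in (("spoofed", SPOOFED_MAIL_FROM), ("legit", LEGIT_MAIL_FROM)):
        ok, env, hdr = check_alignment(mf, MESSAGE)
        print(f"{label}: MAIL FROM {env!r} vs From: {hdr!r} -> {'aligned' if ok else 'MISALIGNED'}")
```

A receiver applying this check would have flagged the post's message as misaligned before it reached the inbox, regardless of how the phone rendered it.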