Email Spoofing Appears As From GoldToken
Warning: | We unfortunately cannot do anything about email spoofing other than warn people not to trust these things. |
Any email not from GoldToken Games Administrator
No legitimate website will ask you to click on a link or attachment to confirm any details unless you asked for it; ie when you first join a site they will ask you to click a link to confirm your email address is active and yours. With all the details about phishing, it is shocking to find so many people still click on links asking them to confirm details, especially when it is so easy to fake who an email is from. Do not be one of the casualties!
The Gory Details: |
Whom ever sends spoofed email likely has a catch-all subdomain, so anything.in.the.world.including.my.lousy.trousers.and.the.kitchensink.com would lead to the site of that spammer. BEWARE Any link included in a spoof email is likely used as an identification, which they use to confirm that your email address is active and they can start flooding it with even more spam. Do not click on any link included in such emails for this reason.
GoldToken only sends "It's Your Turn" (to move), passwords when sent for, replies to messages you sent our support account (so you know to expect a reply), and the newsletter. If it is anything different, its spoofed spam.
What Exactly is Email Spoofing? |
E-mail spoofing is a term used to describe (usually fraudulent) e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field (found in the e-mail headers) it actually comes from another source.
Occasionally (especially if the spam requires a reply from the recipient, such as the '419' scams), the source of the spam e-mail is indicated in the Reply-To field (or at least a way of identifying the spammer); if this is the case and the initial e-mail is replied to, the delivery will be sent to the address specified in the Reply-To field, which could be the spammer's address. However, most spam emails (especially malicious ones with a trojan/virus payload, or those advertising a web site) forge this address too, and replying to it will annoy an innocent third party.
Prior to the advent of unsolicited commercial email as a viable business model, "legitimately spoofed" email was common. For example, a visiting user might use the local organization's smtp server to send email from the user's foreign address. Since most servers were configured as open relays, this was a common practice. As spam email became an annoying problem, most of these "legitimate" uses fell victim to antispam techniques.
Please be aware that there are unscrupulous individuals that spoof emails in an attempt to harm your computer. In no way does GoldToken send out emails like this. GoldToken emails will always address you by your GoldToken account name only!
Examples |
- Emails such as the three below are completely fraudulent:
1.
From:
"robot@goldtoken.com"
To: xxxxxxx@goldtoken.com
goldtoken.com e-mail service:
new settings file for xxxxxxx@goldtoken.com
Default settings for your mailbox changed.
Please download and execute new settings file for your mailbox:
http://webmail.goldtoken.com.filefor-xxxxxxx/owa/downloads/settings.aspx/settings.php?email=xxxxxxx@goldtoken.com&from=goldtoken.com&fromname=xxxxxxx - link disabled but here for the purpose of showing you what it looks like
Security
We have incorporated many new features to improve your experience as well as your online security.
To protect your account from unauthorized access, Outlook Web Access automatically ends your mail session after a period of inactivity. If your session ends, and the Logon page is not displayed, click on a mail folder (e.g., Inbox), and you should be redirected to the Logon page, where you can log on again.
•·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·••·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·•
2.
Attention - Important Notification
...
Tue, October 27, 2009 12:16:51 PM
From:
system-administrator
...
Attention!
On October 30, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.
This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That's all.
http:// xxxxxupdates.goldtoken.com.xxxxxxsecure.falseservices.net/mail/id=77040832744@goldtoken.com-patch582534xxxx - link disabled but here for the purpose of showing you what it looks like
Thank you in advance for your attention to this matter and sorry for possible inconveniences.
System Administrator
•·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·••·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·• •·.·´¯`·.·•
3.
Dear owner of the xxxxxx@goldtoken.com mailbox,
You have to change the security mode of your account, from standart to secure. Please change the security mode by using the link below:
http:// xxxxxxaccounts.goldtoken.com.xxxxxxfalsemodertps.be/webmail/settings/noflash.php?mode=standartxxxxxx - link disabled but here for the purpose of showing you what it looks like
Methods of Spoofing |
Because many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.
The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party. For example:
- User1 is sent an infected e-mail and then the e-mail is opened, triggering propagation
- The worm finds the addresses of User2 and User3 within the address book of User1
- From the computer of User1, the worm sends an infected e-mail to User2, but the e-mail appears to have been sent from User3
This can be particularly problematic in a corporate setting, where e-mail is sent to organizations with content filtering gateways in place. These gateways are often configured with default rules that send reply notices for messages that get blocked, so the example is often followed by:
User2 doesn't receive the message, but instead gets a message telling him that a virus sent to them has been blocked. User3 receives a message telling him that a virus sent by them has been blocked. This creates confusion for both User2 and User3, while User1 remains unaware of the actual infection.
Newer variants of these worms have built on this technique by randomizing all or part of the e-mail address. A worm can employ various methods to achieve this, including:
- Random letter generation
- Built-in word lists
- Amalgamating addresses found in address books, for example:
- User1 triggers an e-mail address spoofing worm, and the worm finds the addresses user2@efgh.com, user3@ijkl.com and user4@mnop.com within the users e-mail address book
- The worm sends an infected message to user2@efgh.com, but the e-mail appears to have been sent from user3@mnop.com
Be smart, do not become one of the casualties and delete spoofed emails unopened!