EMAIL

Previously, in the Operating Systems chapter, I discussed some aspects of how email works. The beginning of this chapter will be a bit of a review. Email software has several parts. There are the emails themselves and an address book. The information for each is kept in a separate file. Several email programs keep the emails in a text file, which is a simple chain of blocks filled with data. There is no index. You can dump the file and read it with a disk editor.

Exercise:

An example of this is Thunderbird. Thunderbird is an email reader and management program made by Mozilla, the same people who make the Internet browser Firefox. You can download Thunderbird from https://www.mozilla.org/en-US/thunderbird/. Once installed on your machine, open an account with an email provider who provides POP (Post Office Protocol) email service, such as Juno or Netzero. You can configure a POP service to download your messages.

To configure your Thunderbird email reader to download from your Netzero account, set the server type to POP, set the server name to “pop.netzero.net”, and check “Automatically Download New Messages”. Also, ‘Connection security’ is SSL/TLS and ‘Authentication Method’ is ‘Encrypted password’. The other options are at your discretion except for ‘Fetch Headers Only’. Leave ‘Fetch Headers Only’ unchecked.

Once you have created the account, send and receive a few emails, to yourself if you must. Now, you have the files you need.

Follow the directions on Thunderbird’s help page to back up and restore email files and your address book: https://support.mozilla.org/en-US/kb/moving-thunderbird-data-to-a-new-computer. In Thunderbird, click on ‘Help’. Click on “Troubleshooting Information”. Find the line that starts “Profile Folder”. Click on “Open Folder”. This will take you to the Thunderbird directory. Click on the “Mail” folder. You will see a folder “pop.name-of-service.com”. For Juno, that will be “pop.juno.com”. For Netzero, that will be “pop.netzero.net”. Click on the folder with your email service’s name.

In this folder, you find a file “Inbox”, which is, you guessed it, your inbox! You will also find files with the names of your folders, if you have divided your emails into folders. In Windows or in Linux with a GUI, left-click on the “Inbox” file. Uncheck “Always use this app for this file”. Select “Notepad”. If you do not see “Notepad”, click on “Look for another app”. This will open the file in text mode; Notepad will display the non-ASCII characters and still open the file without error.

As you page through the file, you will see raw header information followed by the message itself. Some messages will be HTML. Other messages will be in plaintext. Notice how one message simply follows another.

Make sure you have two messages in your Inbox. Close Notepad. Delete a message. Reopen the file. Can you tell the difference between the deleted message and the message that is not deleted? [Answer below.1] If you close Notepad, highlight the email address, click on “File” on the menu bar, click on “Compact Folders” from the drop-down menu, and then go back and reopen the file with Notepad, you will no longer find the message.

Even when you compact a file, do not think that your emails are gone! How are files compacted? The software (in this case Thunderbird) copies the readable messages to a new temporary file and skips over the deleted messages. Once the copy is complete, the old file, with the deleted messages intact, is deleted and the new temporary file is renamed to the proper file name, in this case “Inbox”. As I discussed above, the operating system does not really delete files when they are deleted. The operating system merely inserts a code into the file directory to indicate the file has been deleted. Sound familiar?
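The two things the exercise shows, the status flag on a deleted message and what “Compact Folders” does with it, can be reproduced on a constructed Inbox. This is an added example, not code from the chapter or from Thunderbird; the sample file is made up, and it assumes that bit 0x0008 of X-Mozilla-Status is the “expunged” (deleted) flag, which matches the footnote’s 0009 versus 0000.

```python
# Added example (not from the chapter): walk a Thunderbird-style Inbox file,
# read each message's X-Mozilla-Status header, and "compact" the folder the
# way the chapter describes: copy the live messages, skip the deleted ones.
import email
from email import policy

# Constructed sample Inbox: two messages back to back, separated only by
# "From " lines, exactly as they appear in the raw file opened in Notepad.
SAMPLE_INBOX = """From - Mon Jan 01 00:00:00 2018
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
From: alice@example.com
To: me@example.com
Subject: still here
Message-ID: <one@example.com>

This message is not deleted.

From - Mon Jan 01 00:01:00 2018
X-Mozilla-Status: 0009
X-Mozilla-Status2: 00000000
From: bob@example.com
To: me@example.com
Subject: deleted but still on disk
Message-ID: <two@example.com>

This message was deleted in Thunderbird but is still in the file.
"""

# Assumed bit layout of X-Mozilla-Status (Mozilla's nsMsgMessageFlags):
# 0x0001 = read, 0x0008 = expunged (deleted, waiting for compaction).
# The chapter's "0009" is therefore read + expunged; "0000" is a live, unread message.
FLAG_READ = 0x0001
FLAG_EXPUNGED = 0x0008


def split_mbox(text):
    """Split raw mbox text into the raw text of each message.
    A message starts at a line beginning with 'From ' (no colon)."""
    chunks, current = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and current:
            chunks.append("".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("".join(current))
    return chunks


def describe(raw):
    """Return (subject, status value, deleted?) for one raw message."""
    # Drop the "From - ..." separator line; the rest is an RFC 822 message.
    body = raw.split("\n", 1)[1] if raw.startswith("From ") else raw
    msg = email.message_from_string(body, policy=policy.default)
    status = int(str(msg.get("X-Mozilla-Status", "0000")), 16)
    return str(msg["Subject"]), status, bool(status & FLAG_EXPUNGED)


def compact(text):
    """Rebuild the folder with only the non-deleted messages, like
    'Compact Folders'. Returns the content of the new file."""
    return "".join(raw for raw in split_mbox(text) if not describe(raw)[2])


if __name__ == "__main__":
    for raw in split_mbox(SAMPLE_INBOX):
        subject, status, deleted = describe(raw)
        print(f"{status:04X}  {'DELETED' if deleted else 'live   '}  {subject}")
    compacted = compact(SAMPLE_INBOX)
    print("after compaction:", [describe(r)[0] for r in split_mbox(compacted)])
```

Run it and the deleted message is still present in SAMPLE_INBOX (just flagged), and absent only from the string that compact() returns; on a real disk that returned string would be the new temporary file, and the old file with the flagged message would remain recoverable until its blocks are overwritten, which is the chapter’s point.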

Example: In Windows, a question mark “?” is inserted as the first character of the name to indicate the file has been deleted. However, all the file information (start position, length, blocks used) remains intact. Using this information, one can look for the file and usually find some of the data.

This is exactly how the police, using EnCase, find old email messages. Before EnCase, this was done manually. Now, a tool has been written. A good example of how computer hacking has evolved and how tools are now easily available for hacking.

The way to really get rid of a file is to use a file shredder that writes binary 1’s and 0’s over the file and then deletes the file. McAfee and Symantec anti-virus security software have such a utility. However, as far as I know, it will not shred a deleted file. To shred deleted files, you need to use a utility like “Shred 22” or “My File Shredder3”. I endorse neither utility. I merely mention them as examples of commercially available tools that claim to shred files.

Another file of note in the Thunderbird home directory is “history.mab”. This is the address book. This too is a text file that can be read with a disk reader or a simple editor like Notepad. This file is a bit more complicated to read but, if you look, you will see the email addresses.

From Merriam-Webster’s online dictionary4:

noun phish·ing \ˈfi-shiŋ\ : a scam by which an e-mail user is duped into revealing personal or confidential information which the scammer can use illicitly

Phishing is one of the many new computer-related terms that have found their way into the general lexicon over the past decade or so. Its “ph” spelling is influenced by an earlier word for an illicit act: “phreaking.” Phreaking involves fraudulently using an electronic device to avoid paying for telephone calls, and its name is suspected of being a shortening of “phone freak.” A common phishing scam involves sending e-mails that appear to come from banks requesting recipients to verify their accounts by typing personal details, such as credit card information, into a Web site that has been disguised to look like the real thing. Such scams can be thought of as “fishing” for naive recipients.

In my urban legends, “phreak” evolved as a contraction of “phone freak” because it was an easy way to refer to such “freaky” nerds. Whether bona fide historians and legitimate etymologists, or even other hackers, agree with me, you’ll have to ask them.

Phishing. Sending phoney emails, scam emails, trying to get personal and identification information from a target. It may also include viruses, trojans, malware, ransomware and other nefarious internet bad guys to ruin your machine and aggravate your life.

Phishing Scams. It never ceases to amaze me just how naive and gullible some people are. All those “Dear Kind Sir, Blessed in the Lord and Blessed be you. My dear, kind, departed husband died tragically last year, when he was offed by the local warlord who was feuding with a neighboring warlord. My dear, kind husband, being the treasurer of all food and drug distribution for our village, managed to put $450,000,000 USD in a local savings account. But I (his wife, mind you) cannot get the money out of the account. But we can go 50/50. I’ll say you’re his long lost brother, who escaped the poverty of our village by emigrating. They will award you his money as his only heir. Give me your name, address, bank account number, national i.d. number. Don’t bother about sending me a check. Because I’m going to clean out your account first.”

You won a lottery. You won a prize. You won a free cell phone. Isn’t that redundant? Who ever won a cell phone that you have to pay for? That’s like winning a lottery that I had to put the money into the pot!

Go on to Craigslist and read their warnings about buying or selling merchandise. Go on to any legit dating site and read their warnings about personal ads. Never send money to someone who has fallen in love with you after 3 emails (or 2 or 1 or 5) and is stuck in the islands, lost all their money, was mugged and lost their wallet, and can’t get home. There are police and embassies for that. The hotels help with that. Some of those emails are good. They mimic the embassy. Just try and call, though, through the real line listed in the phone book.

Believe me, if someone you know is stuck overseas, you will know. At 3 AM, the State Dept. will call you. The person will identify themselves and tell you, “We regret to inform you that your son, teaching English in China, fell from his apartment balcony and is in the hospital. Here’s the name and number of the hospital.” That is a real story. That is how it really happens.

A real example, from a real email:

I have included a few more, from collecting over a period of less than 2 days.

Really? You are invited to tell us about your bank and banking experiences? You’re also invited to write them a check for your life’s savings too.

Do you think a legitimate company like Microsoft and one of their divisions would use cockamamie email addresses like the ones in this email?

The hyperlink is a spoof. You always need to check the links before clicking on them. Where does this link really go? Put your mouse on the link: what appears in the status bar at the bottom of the window?

Does this look like a link to Microsoft Outlook’s security?

http://www.carnet-delenclave.fr/wp-content/uploads/2016/05/hot/sigin.outlook.htm

You can try going to the web site without the link to see what comes up. There is no point in this case.
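The hover check above compares what a link says with where it really points. The same comparison can be done over the whole HTML body of a message; the following is an added example, not the chapter’s code, and its sample body is constructed (the href is the address quoted above, the visible text and the second link are made up). It treats the last two labels of a hostname as the owning domain, which is a simplification that is good enough for this kind of mismatch.

```python
# Added example (not from the chapter): pull every link out of an HTML
# email and compare where it says it goes with where it really goes,
# the same check as hovering the mouse over the link.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. The href is the address quoted in the chapter;
# the visible text is what a reader would see on screen.
SAMPLE_HTML = """<p>Your Outlook account needs verification.</p>
<p><a href="http://www.carnet-delenclave.fr/wp-content/uploads/2016/05/hot/sigin.outlook.htm">
https://login.microsoftonline.com/security</a></p>
<p>Questions? Visit <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude owning domain: the last two labels, e.g.
    'login.microsoftonline.com' -> 'microsoftonline.com'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def host_of(text_or_url):
    """Hostname of a URL, or of bare text that looks like a hostname."""
    parsed = urlparse(text_or_url if "://" in text_or_url else "http://" + text_or_url)
    return parsed.hostname or ""


def suspicious_links(html):
    """Return (visible text, href, reason) for links whose displayed
    destination does not match the real destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        real = host_of(href)
        # Only compare when the visible text itself looks like an address.
        shown = host_of(text) if text and "." in text.split()[0] else ""
        if shown and registered_domain(shown) != registered_domain(real):
            findings.append((text, href, f"text shows {shown} but link goes to {real}"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: {reason}\n  shown: {text}\n  real:  {href}")
```

Only the first link is reported: its text names microsoftonline.com while the href lands on carnet-delenclave.fr. The second link’s text and href agree, so it passes. Links whose text is a phrase such as “click here” are not compared at all, which is exactly why the hover check in the text is still worth doing by hand.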

This one is good. Terrifying. But, also easily discernible as a fraud.

A court notice without a court? No phone number or address? No official seal? No sheriff with a gun showing up at your door telling you to come to court? Really? No name of parties, no docket numbers. Scary yes. A good fraud maybe. But, with a little consideration, just another fraud.

This one deserves some more consideration. Notice the attached zip file. Usually, this means that there are data files attached to the email. A zip file is just a compressed archive. That must be an awfully large file or number of files they sent you. I doubt it. It is also a way to hide what they are sending you.

This particular email had an ‘exe’ or executable file attached. Google mail will not allow ‘exe’ file attachments to prevent such phishing expeditions and to prevent the spread of malware and viruses. However, a zip file containing an ‘exe’ will make it through.

What was the ‘exe’ file? A known spoof that sends “dllhost.exe”. Dllhost.exe is a Windows system file. There is a spoof that sends malware with the same name but does different things. So, when you unzip the file and run it, it installs itself on top of the Windows file and erases the Windows file. Now, your system is infected with a virus.

This is a good example of a trojan.

One more:

I got 4 of these in one month. From the U.N., the E.U., whomever. The catch is the pdf attachment. You may think that a pdf is not an executable file. A pdf is a document and not a program, right? Well, a pdf can have JavaScript code and do program-like stuff: make calls to the Internet, download stuff to your machine, install viruses, and do nasty stuff. You have to turn off JavaScript and disable “running external programs” in your PDF reader to make sure that a pdf does not infect your machine. Some browsers, like Tor, do this automatically. Sandboxing your browser may help. Saving the pdf and opening it with a PDF reader, NOT in your browser, with the reader set NOT to run JavaScript and NOT to run external programs, will make reading unknown pdfs safe. Or, we could just ignore this nonsense altogether. That’s my choice. Just hit the delete key.
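Both the zip-wrapped ‘exe’ above and the pdf that carries JavaScript can be spotted before anything is opened, by looking inside the attachments the way a mail gateway does. The following is an added example, not the chapter’s code and not any product’s filter; the message it inspects is constructed in the block, the “dllhost.exe” inside the zip is an inert placeholder string, and the pdf is a few hand-written bytes that declare an OpenAction running JavaScript.

```python
# Added example (not from the chapter): inspect the attachments of a MIME
# message the way a mail filter would. Zip attachments are opened in memory
# and their member names checked for executables; PDF attachments are scanned
# for the names that mean "run something" (/JavaScript, /JS, /Launch, /OpenAction).
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1")
PDF_ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def build_sample_message():
    """Construct a test message: a zip wrapping a fake 'dllhost.exe' and a
    tiny PDF whose catalog points at a JavaScript action. Both payloads are
    inert placeholder bytes made up for this example."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "me@example.com"
    msg["Subject"] = "Court notice"
    msg.set_content("See attached.")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dllhost.exe", b"NOT A REAL PROGRAM")  # constructed placeholder
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="notice.zip")

    fake_pdf = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
                b"%%EOF\n")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="notice.pdf")
    return msg.as_bytes()


def inspect_attachments(raw):
    """Return a list of (filename, finding) pairs for risky attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Look at the names inside the archive without extracting anything.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append((name, f"zip contains executable {member}"))
        elif data.startswith(b"%PDF"):
            # A plain byte search is crude (object streams can hide these names),
            # but it catches the simple case and errs on the side of flagging.
            hits = [n.decode() for n in PDF_ACTIVE_NAMES if n in data]
            if hits:
                findings.append((name, "pdf contains " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, finding in inspect_attachments(build_sample_message()):
        print(f"{name}: {finding}")
```

Neither check executes the attachment: the zip is only listed and the pdf is only searched for the action names, which is the point of doing it before, rather than instead of, the “don’t open it” advice in the text. A pdf that compresses its objects can hide those names from a byte search, so a clean result here is not proof of a clean file.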

Honeypots. These links and offerings for money and prizes are called honeypots: traps laid with shiny, sparkly trinkets or delicious-smelling food, which are nothing more than lures and snares for the unwary.

Duck Hunting, Turkey Shoot & Porn Sites. How does it feel to be hunted like a duck? They lie in wait for you to mate. They put out the most gorgeous decoys with blond and red hair. You just can’t resist. When you come running for that model, they shoot your computer dead!

While a porn site may be a legit site (after all, killing customers is bad for business), they are major attack sites. Porn sites are a business like any other. They want their customers to have a good experience. Customers with bad experiences are not repeat customers. Porn is such a lucrative business, why would a porn site bother with attacking their customers?

They don’t. But they are attack sites. Hackers know that many web surfers will go for porn. Many of those web surfers are not savvy. The hackers hijack the porn sites and put malware into the ads and downloads, adding their viruses to the legit links and clicks on the porn site. A lot of this is transparent and unbeknownst to the user.

Virus protection services like McAfee, Malwarebytes and Avast provide warnings that certain sites have been registered or noticed to be infected as attack sites. I would strongly advise against going to such web sites.

Real story. I was once commissioned to clean a machine. It was running slow. I ran Malwarebytes. It took 3 days to complete. It found 150 viruses. During off hours, some young man had done a lot of surfing to a lot of porn sites. The moral of the story is, you need to practice safe sex with your computer. A little abstinence might be good too.

Spear Phishing. A phishing attack directed at a particular individual, usually to provide intel to engage in a more sophisticated social engineering or network penetration attack.

Ex. Sending emails with honeypot links to an admin in the hope that you will get admin access and rights vs. an ordinary user.

1 The status of the deleted message has been changed. The field “X-Mozilla-Status: 0009” has the value “0009”. A message which can be read has a value of “0000”.