Home | Editorial Opinion |     Share This Page
How to Help the Crooks

People sometimes make life easy for cybercriminals

All Content © Copyright 2012, Paul LutusMessage Page

Introduction | The Victim | Personal Experience | The Remedy | Updates

(double-click any word to see its definition)

Introduction

There are a number of things people do online that greatly increase their risk of encountering cybercriminals — careless browser usage, not updating their software and operating system, easy-to-guess passwords, and so forth. This article discusses a very common e-mail practice that is much more dangerous that it appears to be, and that has no real purpose — the same result can be achieved in a different way, but without the risk.

The Victim

One day, without any warning, Jane Doe lost her personal identity — her bank accounts were drained, her credit cards were deliberately maxed out, and worse, someone else was pretending to be her, creating financial obligations in her name. Then, after a long, expensive, emotionally wrenching process, her life slowly returned to normal. In a later analysis by law enforcement authorities with Internet expertise, the detailed process of identity theft was revealed. In reverse chronological order, it went like this:

  • In the last step, Jane's online bank account was raided. The online bank required her e-mail address as a logon name, but the thieves knew that address, and they guessed her password by reading her e-mails and those of her friends.
  • In the next-to-last step, the thieves sent e-mails to Jane and all her friends, and in each e-mail, the names of her friends were used to trick the recipient into thinking the message came from them. Each e-mail contained a dangerous malware link and a message like, "Hey Jane, this site is really useful — try it! Signed, your friend, Bill."
  • How did the criminals get Jane's name and e-mail address, and the names and e-mail addresses of all her friends? That's easy — they intercepted an especially dangerous kind of e-mail that contains more than one destination address — a "multiple-recipient e-mail" or MRE.
  • Where did that dangerous e-mail come from? That's also easy — Jane composed it, attached a list of the names and e-mail addresses of all her friends, and clicked "send".
That's how Jane lost her identity — simply by composing an e-mail with more than one destination address, an MRE. Is it really that easy to lose one's identity, and is an MRE really that dangerous? Well, yes, and yes. Here's why:
  • In the e-mail system, a person's name and e-mail address are paired like this: "Jane Doe <jdoe@bigsite.com>" This form allows the recipient to store a person's name and e-mail address in a convenient way.
  • If a cybercriminal can get hold of the e-mail, he has a person's name, plus the logon name that's used by many banks and online businesses — a person's e-mail address.
  • By getting this kind of e-mail address, the criminal is halfway into the victim's online life — the other half is a password.
  • If a criminal can capture the entire e-mail, he may find clues to the victim's password.
  • But it gets worse — much worse. if the e-mail has multiple recipient addresses, the criminal can begin to attack all the recipients at once, and he can exploit the fact that the recipients are all friends.
Here's an example — let's say that Jane Doe, Bill Smith and Kevin Jones are all friends, and they regularly send MREs to each other. Their addresses are:
  • Jane Doe <jdoe@bigsite.com>
  • Bill Smith <bsmith@bgisite.com>
  • Kevin Jones <kjones@bigsite.com>
If Jane, Bill and Kevin only ever sent out e-mails with one recipient address, any intercepted message would be relatively harmless. But an intercepted MRE is a gift to the crooks. It works like this:

The crook who intercepts the message takes the address list and composes phishing e-mails that exploit the fact that the recipients are all friends, like this:

Jane's phishing e-mail:
Dear Jane:
  I just found out about this cool site from Kevin — check it out:
  http://malware_central.com
Your friend, Bill
              
Bill's phishing e-mail:
Dear Bill:
  I just found out about this cool site from Jane — check it out:
  http://malware_central.com
Your friend, Kevin
              
Kevin's's phishing e-mail:
Dear Kevin:
  I just found out about this cool site from Bill — check it out:
  http://malware_central.com
Your friend, Jane
              

The diabolical thing about this is that, once a cybercriminal has a list of e-mail addresses that the criminal knows are friends, he can exploit that fact to lull the recipients of his e-mails into clicking a dangerous link — after all, the recipient thinks it's from a friend. And the larger the list of addresses, the more effective this scam is. And finally, crooks are famously lazy, but the above phishing e-mails can be composed automatically by the computer — the crook doesn't have to raise a sweat. There are software packages that completely automate the process of taking over your identity, but they all have one thing in common — they need people to send out multiple-recipient e-mails.

Moving on to the next MRE issue — what's the chance that an e-mail will be intercepted by criminals? Well, it depends — if the message has only one recipient, the chances aren't very good, but if it's an MRE, the chances are much better. Why is this?

  • Some computers are compromised, infected by criminals so that the computer's activities can be remotely traced, and documents can be captured.
  • What is the personal computer infection rate in the wild? No one knows for sure, but for this example, we'll use 10%, it's a reasonable estimate.
  • Given that infection rate, if an e-mail with one recipient address is sent, its chance to be intercepted by criminals is low, about 6%.
  • But if the e-mail is an MRE, because each copy is identical and because each copy is mailed to a different computer, its chance to be intercepted depends on the number of attached addresses:
    Recipient Addresses Chance of Interception
    5 5.76
    10 58.32
    15 96.01
    20 99.92
    25 100.00
  • Essentially, this means that, for a message with ten attached addresses (and ten copies sent out), the chance that it will be captured by criminals is almost 60%. For an address list with 25 or more addresses, the chances of capture are essentially 100%.
  • As explained above, once the criminals acquire the message, they can use the names of friends against each other, exploit the fact that the recipients are known to each other to reduce their sense of caution. They can send a blizzard of messages, all seemingly from friends, to try to trick the recipients into revealing personal information or clicking on an unsafe hyperlink.
Personal Experience

I have a personal story about this. While boating I meet a lot of people and I sometimes give out my contact information — carefully, but not overly so. A few years ago I gave my e-mail address to some other boaters, and we agreed to make contact sometime in the future.

A few weeks later, the people sent me an e-mail. But it was the worst MRE I had ever seen — it had an attached list of over 300 addresses, of every person they had ever met! And worse, the included message was, "Dear friends — the problems you're having aren't our fault! We're victims too!" In other words, the senders had created a catastrophe for themselves and their circle of friends, but they didn't realize that their MRE was the source of all their friends' problems, including a blizzard of spam and cleverly worded phishing e-mails seemingly from acquaintances.

Obviously, by attaching a list of 300 addresses, and using my earlier estimate of 10% infected computers, the chances were that the message fell into the hands of multiple criminals, not just one.

As I expected, within a few hours of receiving the MRE, my e-mail inbox was overflowing with spam and phishing attempt e-mails. After a short struggle, I gave up and retired that e-mail address. I normally don't get much spam because I'm careful about giving out my e-mail address, but this episode taught me that I only needed to be careless just once.

Because I operate my own Website, I can change e-mail addresses in a flash, no problem. But for the other recipients who have fixed e-mail addresses, they would have few meaningful remedies. They would essentially be placed on every spam mailing list in existence, and be barraged with endless phishing messages that would appear to be from friends.

And to think — the originators of the MRE would only have to resist the impulse to mass-mail their entire address list. But there is an easy solution — people can send a message to all their friends, but without attaching a list of all the recipient addresses. Read on.

The Remedy

This is the first time I've tried to write an account of this problem and its remedy. Until now I've just told people how to avoid it face-to-face, but as time passes I find that I'm having that conversation too often, so I decided to explain it just once and post it online.

The solution to the MRE problem is very simple:

  • First, never, ever send an e-mail with more than one visible recipient address. It doesn't matter how common this practice is, it's dangerous and it represents one of the less appreciated risks associated with the e-mail protocol.
  • What did I mean above when I said "visible" e-mail address? Can one send a message to multiple recipients, but without attaching the list to the message? Yes!
  • The solution to the MRE problem is very simple — put the recipient list in the BCC: (Blind Carbon Copy) field of your e-mail program, not the CC: (Carbon Copy) field. This solves the problem!
  • The CC: field sends a copy to each person on the list, but it also attaches the entire list to the message. Bad!
  • The BCC: field sends a copy to every person on the list, but doesn't attach the list to the message. Good!

Doesn't that seem simple? And nearly every e-mail program in existence has the BCC: feature (and if yours doesn't, get rid of it).

The CC: carbon-copy feature, modeled after the original paper equivalent, was meant for a small local intranet in an office, where one person would send a message to a committee or circle of friends, and recipients could make a reply comment and click "reply to group" so all the members could read their comments. But this relatively harmless intranet practice has turned into a very dangerous Internet practice, just because the Internet isn't a small office of benign friends — not remotely.

In summary, never use CC: for Internet e-mail communications — only use BCC: to send a single message to a group of people. Which leads to this rule:

The number of visible recipient addresses on an Internet e-mail should be one. Not two, not a dozen, one.

Thanks for reading.

Updates
  • A recent new story reveals how the Taliban, unaware of this article, published its entire mailing list by inadventently creating an MRE — simply by clicking "CC" instead of "BCC", thereby distributing their entire member list in plain-text. For shame! We need a better grade of terrorist.

Home | Editorial Opinion |     Share This Page