Anyone Getting "Realistic" Fake Emails?

[kyphysics]

info@finance.comms.yahoo.net

Got an email with the above address. I opened it without looking at the address first as it was a Yahoo! themed email. It was offering for me to join some webinar. Then, I saw the email above. . .

I got to say, the email's contents look VERY legitimate. I have no idea if it's real or fake, but "yahoo.net" looked fishy to me. Any guesses as to authenticity? Stuff like this seems like it'd be hard to distinguish the real ones from fakes. There was even the typical "unsubscribe" link at the bottom. I didn't click in case it was a fake leading me to some malware.

 

[Tom.G]

Go to https://hexillion.com/ and enter YAHOO.NET in the search box.
They are in the state of Virginia and owned by Oath Holdings Inc. in New York. Street addresses and phone numbers are also listed.

From that info you can check things like the BBB, and the corporate listings and court cases on the government sites in the two states.

Have Fun! and let us know what you find.
Tom

 

[jedishrfu]

It appears that yahoo.com has the same owners. They are likely a holding company to protect the privacy of the owning corporation while at the same time managing the domain to prevent squatters should the domain name lapse.

Physicsforums.com has a separate company called Perfect Privacy LLC and not Greg's address.

 

[MikeeMiracle]

You need to appreciate how computers read the domain names to help understand if something is legitimate or not, namely backwards. The last part of the domain is all important.

There are what is called "root" domain name servers, they hold the records for all the "root" domains. For example .com .net .gov . Every computer comes with a record of these "root" servers.

Lets take www.microsoft.com

Your computer will first contact a "root" name server and ask for a query of the .com domain. It will ask who "owns" microsoft.com. The root server will respond with another name server who is resposnsible for the microsoft.com domain.

Your computer will then contact the name server responsible for the microsoft.com domain and ask for who own the "www" part. If that name server owns the www part it will respond with an IP for www.microsoft.com. If there more bits to the address before the "www" part the name server will respond with another name servers who can resolve the next bit.

So taking the example above "finance.comms.yahoo.net" first we resolve ".net" section and then the ".yahoo" section. The query for "comms.yahoo.net" get resolved by the "yahoo.net"name server. Later the "finance.comms.yahoo.net" section is resolved by the name server specified by the "comms.yahoo.net" name server.

The point is that yahoo.net is owned by the legitimate Yahoo company and that's the last part of the address. It's when the name we recognise is at the start of the address that we should look further.

If the address was "yahoo.net.finance.comms" Initially it seems legitimate but from what I have told you this resolutions 2nd step is to the "finance.comms" server. That "finance.comms" name server can create anything it likes past this section to fool you as it controls what happens after that point.

I hope this helps clarify what to look out for in address's. This is true for ALL internet address, e-mail, web pages and anything else with an address.

 

[kyphysics]

You need to appreciate how computers read the domain names to help understand if something is legitimate or not, namely backwards. The last part of the domain is all important.

There are what is called "root" domain name servers, they hold the records for all the "root" domains. For example .com .net .gov . Every computer comes with a record of these "root" servers.

Lets take www.microsoft.com

Your computer will first contact a "root" name server and ask for a query of the .com domain. It will ask who "owns" microsoft.com. The root server will respond with another name server who is resposnsible for the microsoft.com domain.

Your computer will then contact the name server responsible for the microsoft.com domain and ask for who own the "www" part. If that name server owns the www part it will respond with an IP for www.microsoft.com. If there more bits to the address before the "www" part the name server will respond with another name servers who can resolve the next bit.

So taking the example above "finance.comms.yahoo.net" first we resolve ".net" section and then the ".yahoo" section. The query for "comms.yahoo.net" get resolved by the "yahoo.net"name server. Later the "finance.comms.yahoo.net" section is resolved by the name server specified by the "comms.yahoo.net" name server.

The point is that yahoo.net is owned by the legitimate Yahoo company and that's the last part of the address. It's when the name we recognise is at the start of the address that we should look further.

If the address was "yahoo.net.finance.comms" Initially it seems legitimate but from what I have told you this resolutions 2nd step is to the "finance.comms" server. That "finance.comms" name server can create anything it likes past this section to fool you as it controls what happens after that point.

I hope this helps clarify what to look out for in address's. This is true for ALL internet address, e-mail, web pages and anything else with an address.

This was confusing, yet informative at the same time. :)

Thanks for the in-depth explanation to a clueless person on this topic!

For whatever reason, I always assumed the "end" of an address that's different from the usual was a big sign of fakery.

For example, IRS.com ...I mean, come on! We know the real IRS is IRS.gov. But with non-governmental sites, I wasn't aware it could still be legit.

I'd usually assume Google.net would be a fake, for example. Interesting stuff.

 

[mfb]

Big companies will try to get as many of these domains as they can get. It makes it harder for others to create legitimately-looking websites. That goes beyond just using different top level domains. They will often register various misspellings, too.

 

[Ellalucero]

I got hundreds of emails like this on daily basis. First you should check the sender email id, and check the domain associated with it. Never open any link on the first place, first insure that Email is genuine, and if there is any doubt then you should probably Ignore the email.

 

[Ellalucero]

Here are few more things you can consider,

No legitimate organisation will send emails from an address that ends ‘@gmail.com’.
The domain name associated with the email is misspelt
The email is not well written
Email contains suspicious attachments or links
Suspicious links
Big offering in the email

 

[kyphysics]

...

So taking the example above "finance.comms.yahoo.net" first we resolve ".net" section and then the ".yahoo" section. The query for "comms.yahoo.net" get resolved by the "yahoo.net"name server. Later the "finance.comms.yahoo.net" section is resolved by the name server specified by the "comms.yahoo.net" name server.

The point is that yahoo.net is owned by the legitimate Yahoo company and that's the last part of the address. It's when the name we recognise is at the start of the address that we should look further.

If the address was "yahoo.net.finance.comms" Initially it seems legitimate but from what I have told you this resolutions 2nd step is to the "finance.comms" server. That "finance.comms" name server can create anything it likes past this section to fool you as it controls what happens after that point.

I hope this helps clarify what to look out for in address's. This is true for ALL internet address, e-mail, web pages and anything else with an address.

Here is another email I accidentally clicked on today (I wanted to select the box to try to delete it, but my mouse accidentally clicked on it to open):
yahoo@sports.comms.yahoo.net

Two questions:
1.) Would I be correct to assume it is legitimate, because of the "yahoo.net" ending? For reference, I play fantasy sports, so this was an email advertising some fantasy sports stuff on Yahoo. But even without that background, is the logic that if it's a "yahoo.net" ending, then it's ALWAYS legitimate (no matter what comes before that part of the address)?

2.) My second question is whether someone can send you an email with a "fake legitimate email" as the sender's email? Let's say abcxyz@yahoo.net is legitimate email address from Yahoo! But, suppose a scammer wants to send me some type of malware through email. Can that evil person use abcxyz@yahoo.net as his sending email address (even if he's not really sending it from that address)? Can some, in other words, fake the sending email address (of a legitimate one)?

 

[pbuk]

Here is another email I accidentally clicked on today (I wanted to select the box to try to delete it, but my mouse accidentally clicked on it to open):
yahoo@sports.comms.yahoo.net

Clicking on a link that opens your email application is a completely different thing to clicking a link that opens a web page, however clicking links you don't trust is still not a good thing.

1.) Would I be correct to assume it is legitimate, because of the "yahoo.net" ending? For reference, I play fantasy sports, so this was an email advertising some fantasy sports stuff on Yahoo. But even without that background, is the logic that if it's a "yahoo.net" ending, then it's ALWAYS legitimate (no matter what comes before that part of the address)?

Well Yahoo do own the 2nd level domain yahoo.net, although the sports.comms.yahoo.net domain as well as comms.yahoo.net is controlled by a marketing company Lion Re:sources, part of the Publicis Groupe. However because of the point below you cannot rely on the email actually coming from them.

2.) My second question is whether someone can send you an email with a "fake legitimate email" as the sender's email? Let's say abcxyz@yahoo.net is legitimate email address from Yahoo! But, suppose a scammer wants to send me some type of malware through email. Can that evil person use abcxyz@yahoo.net as his sending email address (even if he's not really sending it from that address)? Can some, in other words, fake the sending email address (of a legitimate one)?

Yes. Depending on your email client and spam settings and any anti-malware plugins you are using such a faked address may or may not be marked as spam.

 

[jedishrfu]

Some suspicious links will display one site but link to a completely different site.

in some cases, you can hover over the link to see the actual URL.

Here’s a suspicious link for yahoo.net that goes to a competitor.

Yahoo.net

 

[kyphysics]

Some suspicious links will display one site but link to a completely different site.

in some cases, you can hover over the link to see the actual URL.

Here’s a suspicious link for yahoo.net that goes to a competitor.

Yahoo.net

That's absolutely nuts!

How did you do that?

Also, to be clear, that is an URL. So, that sucks you can fake that, but could a person fake a "sending email" in the same way? If so, they're wouldn't that mean everyone is susceptible to this?

 

[anorlunda]

Also, to be clear, that is an URL. So, that sucks you can fake that, but could a person fake a "sending email" in the same way? If so, they're wouldn't that mean everyone is susceptible to this?

Yes it sucks, but it has been that way since the dawn of the Internet.

Being safe on the Internet, means following safe practices, not examining the appearance of URLs emails or other addresses. You must assume that anything can be faked.

Here are two links to sources explaining some safe practices.

https://arstechnica.com/information-technology/2021/10/securing-your-digital-life-part-2/

https://www.odni.gov/files/NCSC/documents/campaign/DoD_IAPM_Guide_March_2021.pdf

 

[kyphysics]

Well Yahoo do own the 2nd level domain yahoo.net, although the sports.comms.yahoo.net domain as well as comms.yahoo.net is controlled by a marketing company Lion Re:sources, part of the Publicis Groupe. However because of the point below you cannot rely on the email actually coming from them.

Yes. Depending on your email client and spam settings and any anti-malware plugins you are using such a faked address may or may not be marked as spam.

Thanks for the response, pbuk.

So, here's sort of the same question I asked in the post above. IF an evil sender wanted to fake the sending email address (to be one that I would recognize and think was from a trusted source), then how could any human being every trust anyone sending anything to them by email?

If someone figured out my mom, sister, or brother's emails, for example, and then sent me a realistic looking titled email from them (faking their email address, I mean), then it'd be hard for me to not click on it (short of literally calling them by phone to ask if they sent it...but that seems cumbersome to do every time), right?
The "hover over" method used for fake links in jedishrfu seems like it wouldn't work for faked sending emails, no? If I hover over the sender in my email inbox, I can see the email address an email is coming from. But, if it's faked, is it the case that there is no way to tell? Or, is it that once I open the actual email, then perhaps I can hover (within the email) over the sender's address and it would show a different/fake address then?

 

[pbuk]

how could any human being every trust anyone sending anything to them by email?

Through context. If you know that it's your friend's birthday next week then shouldn't come as a surprise if they send you an invitation to a party with a link to click on. If you get an email apparently from your elderly aunt saying "Wassup matey, check out theese kewl new trainers" then you can bet it is fake.

If someone figured out my mom, sister, or brother's emails, for example, and then sent me a realistic looking titled email from them (faking their email address, I mean), then it'd be hard for me to not click on it (short of literally calling them by phone to ask if they sent it...but that seems cumbersome to do every time), right?

Use your common sense: in most cases (but importantly, not all cases) fakes are easy to spot from the context.

Or, is it that once I open the actual email, then perhaps I can hover (within the email) over the sender's address and it would show a different/fake address then?

No, you have to inspect the headers of the email and then look up the servers in the chain. If you have a decent email provider they should do this for you and treat the email as spam (which may mean adding a prefix to the title, delivering it to a spam mailbox or just deleting it). If you have an anti-malware plugin in your email client this may provide extra protection.

 

[jedishrfu]

I’ve seen some stuff where even the hover over a link failed to show the true url link as it as overwritten on the status bar by JavaScript on the webpage or email.

 

[MikeeMiracle]

Here is another email I accidentally clicked on today (I wanted to select the box to try to delete it, but my mouse accidentally clicked on it to open):
yahoo@sports.comms.yahoo.net

Two questions:
1.) Would I be correct to assume it is legitimate, because of the "yahoo.net" ending? For reference, I play fantasy sports, so this was an email advertising some fantasy sports stuff on Yahoo. But even without that background, is the logic that if it's a "yahoo.net" ending, then it's ALWAYS legitimate (no matter what comes before that part of the address)?

2.) My second question is whether someone can send you an email with a "fake legitimate email" as the sender's email? Let's say abcxyz@yahoo.net is legitimate email address from Yahoo! But, suppose a scammer wants to send me some type of malware through email. Can that evil person use abcxyz@yahoo.net as his sending email address (even if he's not really sending it from that address)? Can some, in other words, fake the sending email address (of a legitimate one)?

The explanation I gave is for web links themselves. An e-mail can be made to appear to come from any address very easily. Also there are normally two parts to links, the part which is displayed and the actual URL you will be redirected to. If you hover your mouse over the web link it should tell you where the link is really pointing to, if it's pointing somewhere different to the one shown then don't click on it as it is likely spam again.

 

[pbuk]

If you hover your mouse over the web link it should tell you where the link is really pointing to

Caution: this is only true in your email client* (or other environment where JavaScript is disabled). In a web page displayed in a normal browser, JavaScript can make the link do anything.

To see this in action create the following file on your desktop and open it (you have to include the code in the image below as well):
[CODE lang="html" title="fooled-you.html"]<a href="https://microsoft.com">https://apple.com/</a>
[/CODE]

The link says Apple, shows Microsoft when you hover over it and takes you to Ubuntu when you click on it!

Note that this behaviour is typical of malicious web sites so never post this code or anything like it on the internet where it could be displayed by a browser (e.g. CodePen or a GitHub gist) or you risk your account being suspended.

* email clients include reputable web apps such as Gmail, Outlook.com etc.