School technology leaders and other education stakeholders should beware of an insidious new practice among computer hackers: sending eMail messages infected with dangerous computer viruses posing as attachments from legitimate companies, such as software from the Walt Disney Co. or security patches distributed by leading internet protection firms.

Called "eMail spoofing," this little-known but increasingly popular tactic—through which hackers are able to disguise the true origin of their messages by impersonating taglines belonging to major companies—is among the internet's most prevalent dangers, security experts have warned.

Spoofing, they say, has been a leading contributor to the spread of the recently unleashed Klez virus, along with a growing contagion of other electronic plagues that have crippled thousands of computer systems and wreaked havoc upon critical school, home, and business infrastructures from coast to coast.

In one such type of attack, the bogus eMails infiltrate systems and evade web filters disguised as free virus patches or security upgrades from long-standing companies such as Symantec Corp., a leading maker of internet security solutions. When the victim reads the eMail and attempts to download the phony patch, the virus automatically is uploaded to his or her computer system, and the attack begins.

According to Kevin Haley, group product manager for the Symantec Security Response Team, this latest tactic marks the next evolution in so-called "Trojan horse" attacks, in which hackers attempt to infiltrate computer systems by sending viruses disguised as messages from trusted friends or colleagues.

For some time, virus writers have been able to pull actual eMail addresses directly from a compromised computer's address book, then piggy-back on these addresses to spread their attacks. With this latest approach, however, hackers can actually falsify the origin of their messages to make it appear as if they are being sent by a legitimate entity.

In one such spoof investigated by eSchool News, hackers latched on to the domain Norton.com, a web address owned by Symantec and associated with the company's popular Norton Antivirus solution. The eMail tagline read:

From: Norton Antivirus
[mailto:av_patch@norton.com]
Sent: Monday, June 30, 2003 4:06 AM
To: info@eschoolnews.com
Subject: Patch for Klez.H

Although the tagline itself was not blocked by mail filters and raised no immediate red flags among staff members, a closer inspection of the text within the body of the message aroused suspicions.

The message contained blatant errors in both spelling and syntax—mistakes that called into question the true origin of the eMail. It stated: "Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic, most common AV software can't detect or clean it."