‘eMail spoofing’ threatens school computer networks

School technology leaders and other education stakeholders should beware of an insidious new practice among computer hackers: sending eMail messages infected with dangerous computer viruses posing as attachments from legitimate companies, such as software from the Walt Disney Co. or security patches distributed by leading internet protection firms.

Called “eMail spoofing,” this little-known but increasingly popular tactic—through which hackers are able to disguise the true origin of their messages by impersonating taglines belonging to major companies—is among the internet’s most prevalent dangers, security experts have warned.

Spoofing, they say, has been a leading contributor to the spread of the recently unleashed Klez virus, along with a growing contagion of other electronic plagues that have crippled thousands of computer systems and wreaked havoc upon critical school, home, and business infrastructures from coast to coast.

In one such type of attack, the bogus eMails infiltrate systems and evade web filters disguised as free virus patches or security upgrades from long-standing companies such as Symantec Corp., a leading maker of internet security solutions. When the victim reads the eMail and attempts to download the phony patch, the virus automatically is uploaded to his or her computer system, and the attack begins.

According to Kevin Haley, group product manager for the Symantec Security Response Team, this latest tactic marks the next evolution in so-called “Trojan horse” attacks, in which hackers attempt to infiltrate computer systems by sending viruses disguised as messages from trusted friends or colleagues.

For some time, virus writers have been able to pull actual eMail addresses directly from a compromised computer’s address book, then piggy-back on these addresses to spread their attacks. With this latest approach, however, hackers can actually falsify the origin of their messages to make it appear as if they are being sent by a legitimate entity.

In one such spoof investigated by eSchool News, hackers latched on to the domain Norton.com, a web address owned by Symantec and associated with the company’s popular Norton Antivirus solution. The eMail tagline read:

From: Norton Antivirus
Sent: Monday, June 30, 2003 4:06 AM
To: info@eschoolnews.com
Subject: Patch for Klez.H

Although the tagline itself was not blocked by mail filters and raised no immediate red flags among staff members, a closer inspection of the text within the body of the message aroused suspicions.

The message contained blatant errors in both spelling and syntax—mistakes that called into question the true origin of the eMail. It stated: “Klez.H is the most common world-wide spreading worm.It’s very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic, most common AV software can’t detect or clean it.”

The eMail also was paired with a suspect attachment that purported to be a free security patch designed to protect machines against the Klez virus. Symantec confirmed it sent neither the message nor the patch, but warned of reports that the Klez virus has, in fact, been spoofing its eMail addresses.

Haley said eMail spoofing presents a growing dilemma for internet users. There are plenty of tactics hackers can use to make it appear as if an eMail message containing a virus actually is being sent from a credible company address or some other trusted domain, he said.

“They don’t own the domain. They are simply spoofing it, or making it look like [the message is] coming from some place that it isn’t,” he said. “It’s all about social engineering: What, as a virus-writer, can I possibly do to get you to open that message?”

As computer hackers continue to develop new and increasingly nefarious ways of sending and launching dangerous computer viruses, school technology leaders need to stay abreast of the latest techniques and methods of protection, Haley said.

“The old rules still apply,” he added. Schools and other vulnerable targets can fortify their networks by ensuring their anti-virus systems are up to date. Technology administrators also should teach educators and other users—including students—what to look for when receiving questionable messages and other online solicitations. Telltale signs include errors in spelling, syntax, and an overall unprofessional appearance.

“We think people ought to have security patches in place,” Haley said. “But education really is an important part of security as well.”

School technology leaders who spoke with eSchool News say they’re looking for ways to cut down on the threat posed by eMail spoofing.

Jim Hirsch, associate superintendent for technology services at the Plano Independent School District in Texas, says his district has been receiving embedded virus files “attached to what seem to be legitimate messages” for several months now.

The real problem, he says, is that schools cannot set up eMail filters to block spoofed messages in the same manner that they can with spam and other unwanted solicitations, because there is a possibility that legitimate messages also could be lost.

“It’s a constant education issue for our users. Individuals should delete any messages they receive that purport to save the network or ‘fix’ their computer files,” Hirsch said. “It’s no secret that I, or anyone, can make an eMail appear to come from any user at any domain.”

He added, “The ultimate filter is the individual, and we have to continue to educate people so they feel comfortable being their own filter when eMails of this type are received.”

Raymond Yeagley, superintendent of schools in Rochester, N.H., said employees there began receiving similar messages more than two months ago. Fortunately, he said, “we were able to recognize the poor grammar and immediately became suspicious.”

He continued: “We frequently send messages to our users warning them not to believe the eMails they may receive urging them to delete a Windows system file, download an unknown patch, et cetera. Our policy is that anything to be installed on one of our school computers must be installed by, or at least approved by, one of our IT staff members.”

Yeagley said he knew of at least one instance where, thinking it was a patch, an acquaintance had downloaded the virus and then sent it to others “to be helpful.”

“To the best of my knowledge, nobody in my district has downloaded the virus from any of these eMails, but I worry about the messages reaching some of our staff members in another way that will seem even more harmless,” he said.

Marc Liebman, superintendent of the Marysville Joint Unified School District in California, said eMail spoofing has yet to be a problem in his district, but he worries what will happen if students come across such messages before there is time to alert them to the potential consequences.

“The danger is not so much our adult users, [but] I am concerned that they [will] appear in the eMails of our students, who are by nature more curious and bold and will open and play with messages like this,” he said. “We will have to add this to our list of things kids should know about and avoid.”


Symantec Corp.

eSchool News Staff

Want to share a great resource? Let us know at submissions@eschoolmedia.com.