Home  › Marketing › Strategies

Spoofing: Identity Crisis

  |  March 15, 2002   |  Comments

What can bring your brand, corporate image, and tech infrastructure to their knees before you know it's happened? Spoofing. (And you thought spam was bad.)

Who steals my purse steals trash... / But he that filches from me my good name / Robs me of that which not enriches him / And makes me poor indeed.
--William Shakespeare

Imagine this scenario: Hundreds of thousands of spam emails appear to come from... your company. The ensuing flood of bounces and complaints from recipients crash your server. Outraged addressees clog your phone lines. Business grinds to a halt. Days and dollars are spent salvaging your technology, soothing complaints, and doing damage control for your brand. It's called spoofing -- and it could happen to you.

Spoof email forges the sender's identity to trick the recipient into opening it (or to trick a spam filter into delivering it). When recipients click on a link or attachment, they're off on a little trip to well-known circles in Internet Hell: Scam, Porn Site, Disinformation Campaign, or Virus.

Real-Life Spoofs

  • flowers.com (now 1-800-FLOWERS.COM). A student used the company's address in spam selling information on "free cash grants." Bounces and return-to-sender hate mail swamped flowers.com 's network and crashed its system.
  • Sony. A message "from" Sony's president threatening a hostile takeover of Apple Computer at an inflated per-share price landed at tech and finance companies from Silicon Valley to Wall Street.
  • Herbert Smith (law firm). An icily worded message "from" management informed employees a colleague had been brutally murdered, naming her replacement. Shocked staff forwarded the message to friends outside the company's London and Hong Kong offices. A viral global smear campaign rapidly unfurled.
  • Microsoft. An attachment in a message "from" Microsoft was purported to be a software update. Those who clicked succumbed to the virus the "update" really was.
  • PayPal. A message, apparently from an AOL account, told recipients they had been paid $200. It linked to a fake PayPal page that collected their financial information. (Similarly, email "from" the American Red Cross following the September 11 disaster sent recipients to fake Web sites where people used credit cards to make "donations.")
  • Warner Bros. A message "from" "warnerbros.au" linked to a porn site. (Computerworld magazine and many other media companies suffered similar fates.)
  • The FBI. "From" a bureau employee: "Your application is approved. Please fill out this form to confirm your identity." Requested were name, address, and credit card number with expiration date.
  • Juno. Back when dinosaurs walked the earth (in 1997), ISP Juno filed suit against five companies and 10 groups spamming with fake Juno addresses. The claim sought millions in "damages to Juno's reputation."

Making a Federal Case out of Spoof

Anti-spam activist and Web pioneer Rodney Joffe successfully filed suit against a spoofer who, in his estimate, cost his business $20,000 cash, employee work hours, and attorney's fees. "Almost none of these people are caught because few are prepared to invest what I invested," he said. "The odds are with the spammer because there's no real federal law that covers this, and this was a federal case."

Here's how the spoof unfolded: Joffe's system was suddenly overwhelmed with bounces (undeliverable messages). Recipients of the spoofed message, believing it to have come from his company, complained, which added to the email deluge. Some were so outraged that they phoned company executives to vent. It took a couple of hours to figure out what was happening and to formulate an email response template for complaints. These then had to be manually sent to tens of thousands of complainants.

The problem is real and getting worse, Joffe says. "One reason is blackhole lists, like MAPS, are being fragmented. Companies are installing their own spam filters. Spammers craft spam to get through. If you can put anything in [a return address line], you might as well put in things that will be received. .edus and .govs are very popular, so is .mil."

The How and Why of Spoof

Spam software can randomize the "from" line, so 1 million messages would not appear to come from, say, ClickZ (which would arouse the suspicion of an ISP). Randomize enough names, and the software will occasionally spit out a real one, belonging to a real company -- maybe yours.

There's some division of opinion on why spoofers choose the addresses they do. Margie Arbon, MAPS director of operations, says .edu addresses are used because universities often have open relays, so by cloaking yourself as a .edu you can get messages through them as if you were a legitimate user.

Then there are those spoofers who appropriate a real email address. "Phishers" will mock up an ISP's site and email you, telling you that a new ID needs to be entered, with a link to the fake page provided. Once they have your password, they hack your account and send email as you.

Coalition Against Unsolicited Commercial Email (CAUCE) board member and author John R. Levine says spoofing is technically no harder than "forging a return address on paper mail."

"I get a lot of bounces from mail I never sent," he told me, "but it's easy to explain to people I'm not a spammer. Customers are not that technically sophisticated. Spoofing is rarely done well -- it doesn't look professional or sophisticated. But people say, 'Oh, how nice.' Click. Boom."

As time goes on, Levine predicts, marketers are going to get more upset about spoofing, for which he says Windows security flaws are largely to blame. "Customers' perception is: If you get spam, it's fraudulent. I didn't know this company is a bunch of crooks," Levine said.

Spoofers use company names because, as Levine puts it, "most individuals don't have an identity worth defaming. You could send rude things to someone's coworkers or mother. It's well known political spam has been sent by the opposition. People do fake press releases all the time. People are a long way from understanding the way email works."

Spoofers can be anyone. Spammers earn money sending massive volumes of email. They can be competitors trying to cripple your business or disgruntled employees or irate customers out to "teach you a lesson." Attacks can be personally motivated or just random.

Fighting Spoof

What precautions should you, as marketers, take against spoofing? What if your next bounced email is from you and you never sent the message? Levine, Joffe, and Arbon gave me some suggestions:

  • Be aware spoofing is possible and can happen to you (most executives have never heard of the practice).
  • Be on the lookout. Tell your IT staff to look for bounces of mail not sent by your company and to keep an eye out for complaints. An early-warning system is critical. After the first complaint or two, you're bombarded and it's too late.
  • Have an auto-reply form letter ready explaining what happened and that it's faked. That way, you won't have to write one in the middle of a crisis situation. Have a plan of action. Remember that, in the event of a spoof attack, marketing and PR are the front lines of defense.
  • Make it known you'll prosecute. Have a dedicated email address posted on your site for reports: abuse@ or piracy@. (Software companies who have set up a reporting structure for pirated software have seen declines in the practice.)

Don't keep quiet -- whatever you do. Your company needs to acknowledge the problem, explain it to the aggrieved parties, and mop up external damage (even if internally you've taken a big hit).

Spoofers create the problem. It's up to you to provide a solution for your business -- and your brand.

ClickZ Live San Francisco This Year's Premier Digital Marketing Event is #CZLSF
ClickZ Live San Francisco (Aug 11-14) brings together the industry's leading practitioners and marketing strategists to deliver 4 days of educational sessions and training workshops. From Data-Driven Marketing to Social, Mobile, Display, Search and Email, this year's comprehensive agenda will help you maximize your marketing efforts and ROI. Register today!

ABOUT THE AUTHOR

Rebecca Lieb

Rebecca was previously VP, U.S. operations of Econsultancy, an independent source of advice and insight on digital marketing and e-commerce. Earlier, she held executive marketing and communications positions at strategic e-services companies, including Siegel & Gale, and has worked in the same capacity for global entertainment and media companies, including Universal Television & Networks Group (formerly USA Networks International) and Bertelsmann's RTL Television. As a journalist, she's written on media for numerous publications, including "The New York Times" and "The Wall Street Journal." Rebecca spent five years as Variety's Berlin-based German/Eastern European bureau chief. Rebecca also taught at New York University's Center for Publishing, where she also served on the Electronic Publishing Advisory Group. Rebecca, author of "The Truth About Search Engine Optimization," was ClickZ's editor-in-chief for over seven years.

COMMENTSCommenting policy

comments powered by Disqus

Get the ClickZ Marketing newsletter delivered to you. Subscribe today!

COMMENTS

UPCOMING EVENTS

Featured White Papers

BigDoor: The Marketers Guide to Customer Loyalty

The Marketer's Guide to Customer Loyalty
Customer loyalty is imperative to success, but fostering and maintaining loyalty takes a lot of work. This guide is here to help marketers build, execute, and maintain a successful loyalty initiative.

Marin Software: The Multiplier Effect of Integrating Search & Social Advertising

The Multiplier Effect of Integrating Search & Social Advertising
Latest research reveals 68% higher revenue per conversion for marketers who integrate their search & social advertising. In addition to the research results, this whitepaper also outlines 5 strategies and 15 tactics you can use to better integrate your search and social campaigns.

WEBINARS

    Information currently unavailable

Jobs

    • Interactive Product Manager
      Interactive Product Manager (Western Governors University) - Salt Lake CityWestern Governors University, one of the 20 largest universities...
    • SEO Senior Analyst
      SEO Senior Analyst (University of Phoenix (Apollo Education Group)) - San FranciscoSEO Senior Analyst   Position Summary...
    • SEM & Biddable Media Manager
      SEM & Biddable Media Manager (Kepler Group LLC) - New YorkAs an Optimization & Innovation Manager at Kepler Group, you will be on the bleeding...