Spoofed emails could easily land in users’ Gmail inboxes without any warning of suspicious activity, security researchers have discovered.

While spam is normally used to deliver malicious documents or links to unsuspecting users, spoofed emails have a bigger chance of luring potential victims, because they are likely to click on a link or open a document coming from what they believe is a trusted contact. When it comes to spoofed messages, the sender is impersonated or changed to another, thus making messages appear legitimate.

While users may expect Gmail to warn them of such suspicious activity, researchers at Morphus Segurança da Informação recently discovered that this doesn’t always happen. According to them, users should revise the trust they place in Gmail to block messages with spoofed senders, even when no alert is displayed regarding the legitimacy of the message.

“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, Director at Morphus Segurança da Informação, explains.

Marinho explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelop and its parameters, such as the message sender and recipient,” and not the message content and headers. Thus, an SMTP transaction includes Mail From (which establishes the return address in case of failure), Rcpt To (the recipient address), and Data (the command telling the SMTP server to receive the content of the message).

The value “From” displayed in the email is usually equivalent to the value used in the SMTP command “mail from” but, because it is part of the message content, “can be freely specified by the system or person issuing commands to the SMTP server.” Basically, an attacker simply needs to change the “From” to a desired value to spoof the sender, but that is almost certainly going to trigger anti-spam or anti-phishing mechanisms, Marinho explains.

However, attackers could also attempt to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command as well, a practice that can be combated by applying spoofing protection mechanisms. Among them, SPF (Sender Policy Framework) allows admins to specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of their domain.
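The envelope-versus-header distinction described above, as an added example that is not from the article or from Morphus: a small Python check that parses a constructed message, runs a minimal SPF evaluation (ip4 mechanisms and the `all` terminator only) against constructed TXT records for the envelope domain, and then reports whether the envelope domain matches the header From domain. The domain `sender.example`, the records and the IP addresses are all assumed; the alignment check goes slightly beyond the article, which only discusses SPF.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the envelope sender (Return-Path) belongs to a
# domain the sender controls, while the header From claims a Gmail contact.
RAW_MESSAGE = """Return-Path: <bounce@sender.example>
Received: from mx.sender.example ([203.0.113.10]) by mx.google.com
From: "Trusted Contact" <alice@gmail.com>
To: bob@gmail.com
Subject: Invoice attached

Please open the attached invoice.
"""

# Constructed SPF TXT records standing in for DNS lookups (not real records).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "gmail.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

ALL_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, records=SPF_RECORDS):
    """Minimal SPF evaluation: ip4 mechanisms plus the 'all' terminator only."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in ALL_RESULTS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return ALL_RESULTS[qualifier]
        elif mechanism == "all":
            return ALL_RESULTS[qualifier]
    return "neutral"

def domain_of(header_value):
    """Extract the lower-cased domain part of an address header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw_message, sender_ip):
    """Compare envelope sender with header From and run SPF on the envelope domain."""
    msg = message_from_string(raw_message)
    envelope_domain = domain_of(msg["Return-Path"])
    header_domain = domain_of(msg["From"])
    return {
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "spf": spf_check(envelope_domain, sender_ip),
        # SPF only covers the envelope; a mismatch here is the case the article describes.
        "aligned": envelope_domain == header_domain,
    }
```

For the constructed message SPF passes, because the sender's own domain authorises the sending IP, yet the header From is not aligned with the envelope domain; a receiver that only checks SPF sees no problem.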


The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

[Image: A cybercriminal shop selling 2016 W-2 tax data.]

Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s nam


Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme.  When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services.  Choosing the components of a solution is important, but can only be done once an approach is well understood.  This comes much later in the discussion.  Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk.  As I’ve discussed previously, this is one of the most critical components of a mature and successful security program.  This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with.  What was different on this trip, however, was one response I received repeatedly: “We are in a small market.  No one will attack us.”  This surprised me quite a bit.

Indeed, I have heard this line of reasoning many times in the past.  What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017.  It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.

Sadly, market size isn’t the only way in which people lure themselves into a false sense of security.  Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.

Organizational Size

Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar.  This line of reasoning is reminiscent of the old “security by obscurity” way of thinking.  As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.


source:  Artemus FAN, Steve Jones

I’ve been a geocaching fan for years.   My experiences were always interesting and I learned so much about Global Positioning Satellites (GPS), the technology and some clever uses of geocaches beyond the game.


While I was traveling, I often carried my Garmin GPS 48 receiver. I bought it in the 80’s and it has never failed me in my quest to hide or find a geocache or determine my exact location. In January 2008, I was at the Heydar Aliyev International Airport in Baku, Azerbaijan, precisely located at N40° 27.909” E050° 03.271”. My Garmin unit is so accurate that I can normally approach within three feet of a hidden cache location - provided that cache is reported precisely on


Late in the Summer of 1995 I was asked how geocaching could be used to deploy or find an improvised explosive device.   This task was based upon an event that occurred at the Paris Train station.  The Armed Islamic Group (GIA) were broadening the Algerian Civil War in France.  The train station bomb killed eight and injured more than 100 people.


A GPS coordinate consists of a latitude and longitude coordinate, for example:

N36° 48.858” W093° 11.619” (this is my home coordinates and can be seen on Google Earth).
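The degrees/decimal-minutes notation shown above, as an added example that is not part of the original post: a Python parser for coordinates written the way this page writes them (the minutes marked with ”, ', ′ or nothing, and either ° or º), converting them to signed decimal degrees, plus a haversine great-circle distance so the coordinates quoted on the page can be compared. The distance step goes beyond the post, which only shows the format.

```python
import math
import re

# Matches e.g. N36° 48.858" W093° 11.619" (degrees, then decimal minutes).
_COORD = re.compile(
    r'''([NS])\s*(\d{1,3})[°º]\s*(\d{1,2}(?:\.\d+)?)["'′]?\s*'''
    r'''([EW])\s*(\d{1,3})[°º]\s*(\d{1,2}(?:\.\d+)?)["'′]?'''
)

def parse_coord(text):
    """Convert 'N36° 48.858" W093° 11.619"' into signed decimal degrees (lat, lon)."""
    m = _COORD.search(text)
    if not m:
        raise ValueError("not a degrees/decimal-minutes coordinate: %r" % text)
    lat_h, lat_d, lat_m, lon_h, lon_d, lon_m = m.groups()
    if float(lat_m) >= 60 or float(lon_m) >= 60:
        raise ValueError("minutes must be below 60: %r" % text)
    lat = int(lat_d) + float(lat_m) / 60
    lon = int(lon_d) + float(lon_m) / 60
    if lat > 90 or lon > 180:
        raise ValueError("out-of-range coordinate: %r" % text)
    return (-lat if lat_h == "S" else lat, -lon if lon_h == "W" else lon)

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(h))

# The coordinates quoted on this page.
HOME = parse_coord('N36° 48.858" W093° 11.619"')
CRICKET_ISRAEL = parse_coord('N32° 04.517" E034° 46.680"')
BAKU = parse_coord('N40º 27.909" E050º 03.271"')

if __name__ == "__main__":
    print("home -> Cricket's position in Israel: %.0f km" % distance_km(HOME, CRICKET_ISRAEL))
```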


With a simple GPS receiver, anyone can use the technology, for good or bad deeds.   Furthermore, it’s a great sport for everyone because geocaching will teach you about the constellation of GPS Satellites, map reading, cache building, building a network of friends as well as helping one with exercise and fitness.


My geocaches (caches) are normally large, easily found, and contain nice items for exchange, while the average cache contains a log book, pen, tokens and “travel bugs.”

A travel bug is a token that is moved from one geocache to another by a series of geocaching enthusiasts.

On January 25th, 2017 a fellow geocacher using the handle “Knocky737” reported that he found one of my Travel Bugs (Cricket TBJJMK) in Israel, at GPS location N32° 04.517” E034° 46.680”. Cricket was originally deployed in Springfield, Virginia on March 26th, 2005 and has travelled through Germany, Austria, Switzerland, and the Czech Republic before landing in Israel.

The Cricket Travel Bug is a “dog tag” itself and is attached to an American Flag dog tag that I gifted to colleagues and friends on my first deployment to Afghanistan in 2001.


As I recall, I dropped several of my travel bugs while I was on a TDY, with a little free time, the need for some exercise and area familiarization.  My other travel bugs were Dragonfly, Mantis, Aphid, Termite and Cicada...all of which have “died” in the last 12 years.