Presenter: For this demo today, I will be
using a virtualized environment which is what you see here. I have a Windows 2003 server
for this demo. It’s not a necessity that you have Windows 2003. I’m using it for a simple
reason that I need Outlook Express as an email client which is here, which you get by default
embedded into the OS. And the reason why I need Outlook Express is that the SMTP tool
that I’m going to use, this works very seamlessly with Outlook Express. So I start the server,
this is what the console looks like. You can go to the settings section, domains; create
some domains. I did one,, and you can have a few more of them created
by clicking add. Then you can go to the user section and click on add and then basically
create users. I already have a couple of them here. This is the configuration page on the SMTP
server. You can also create new users directly from
your Outlook which is your email client. I already have a few of the accounts. I can quickly
show it to you. These are just warning signs you can ignore. Here, I have one Bill Gates.
I have Microsoft. I have two Barack Obamas. I have NetBankingatHSBC, and I can start some
emails, so let me create a new account for you. The display name; I’ll just have it as
NetBanking. Click on next, the email will be [email protected], .co .in whatever
you want. Then these are the email server configurations. You leave POP3 as default,
and since I’m running the SMTP server on this machine itself, I will use the incoming and
outgoing mail server addresses as loopback addresses. The same goes here and
that’s it. This is the account name. You can give a password as well, and done. I click
on finish, I click on close. I go to create email and now I see [email protected] which
I just created. The mail will be going to myself, and the subject could be Your Net
Banking Account. I think I might even have a draft created
already just to save time. I have it here, yea. And I simply paste it here. I change
the… I did earlier for HSBC. You can change this as well if you want to or anything.
It could be Barclays Bank. It could be any other URL. It’s basically a fake website.
I click on send, the email goes away. It should be in now. There you go. If you click on this
mail, it has exactly the same content that I prepared and sent as an email, so the idea was to show
to you how you can do it live. So this is a fake email coming from [email protected].
I don’t work at Barclays. I have no access to their email system, still I can create
an account, send an email which comes to me and I pretty much cannot figure out; there’s
nothing in this email which tells me, as a victim, that this is a fake email. So I read the mail, I say there is some issue
with my net banking account, I may end up clicking on this. If I click on this, I may
actually go to the right website because my search engine will take me to the right website.
It doesn’t show anything here but if I had created a phished website, that phished
website would come up here and would have given me an option to enter my net banking
credentials which is not happening because basically, I’ve not created a phished website.
So this basically shows you how easy it is for me to create an account and start sending
email. You can do all of what I’m doing here. It was just a matter of a few minutes.
Literally, in a few minutes, you can have this SMTP server and this email client. There are
many other SMTP servers and email clients that you can use. It’s that I used this
years ago. I was more familiar with it. There could be
even more advanced SMTP servers now which can do even more, which can have more advanced
capabilities. What I’m using now is not a hacking tool. It’s basically a very simple,
genuinely it’s an SMTP server, but it can be misused the way I’m trying to show it to you
for this demo. Of course, you can use this tool to send mails from many different accounts
to many other accounts. Now, one important point here is that with this kind of an approach,
you can basically impersonate anyone in the world, and the opposite is also true. Anyone
else can also impersonate you, so it becomes quite scary that this can happen which is
true. I just showed you that it is possible, and the protection against this is obviously
digital signatures.

