Ivan Fraixedes' Blog

Basic Hints to Identify a Gumtree Spoofed email

Posted on Feb 16, 2015

Email spoofing is a kind of attacks which have been used by cybercriminals for long time; even though the number of people who are aware about them has increased for last years, therefore the number of victims is lower, they’re still using it, because I guess that it’s cheap to execute and they’re still generating profit with them.

This post is not for hackers, I’m not a hacker, I’m another common geek guy, hence not to expect to learn the next crazy hacking trending technique; Ive written it based in one of my experiences and I thought that it could be useful for people with no technical skills to know how these attacks happen and be aware about them.

The Scenario

The most of the free classified ads websites are constantly suffering of email spoofing attacks, because they have substantial web traffic of a lot of people making “business” deals in a non-regulated way, it means that nobody takes care of those deals which the most of them involve money exchange, so they are a good source of potential “clients” for cybercriminals.

I also use them for those purposes, however taking the same care that I take in the real life that basically is driven by one principle “don’t trust with anybody, except your mum!” (there is some sarcasm in that sentence).

Then, henceforth I will show you how I got a Gumtree spoofed email and the steps that I took to find out that it was spoofed email and hopefully you will get the execution pattern that they use to try to have a good business deal with you.

The Story

I had an ad published in Gumtree and I got an email which was trying to emulate an official Gumtree one.

The main point here is that we cannot see anything strange with a simple look; however the operational was not expected, Gumtree has never sent me an email with a link to see any request, and if you use it quite a bit, then you may start to suspect of it for that reason; nonetheless the operational could change through the time so it’s not a hint which could show us that it’s a spoofed email.

In my case, I could detect straightaway something very strange because the fake customer sent me a usual message through the ad’s contact form and when I just replied, 5 seconds later I received that email, hence too fast to write an email with that response even though Gumtree had forwarded me and email with a link to read the request. In this case it should be enough to discard this email and consider that somebody wants to cheat us, but if you hadn’t had the chance to realise that the email got into your inbox in that moment, you had probably realised that the email came just after your replied.

Anyway I was further with it and I checked the email sender, because as you can see some email providers, in this case gmail, only show the name that user wants to show than the specific email address.

And thereafter, I checked the URL of the link, just only positioning my mouse pointer on top of the text link and looking the bottom of the browser window, where browser should usually show the full URL where the link points. The link wasn’t pointing any URL under gumtre.com domain name, therefore with this hint we should be enough suspect evidences to discard this email as potential customer request.

However, let’s give a small nudge to the world and report it as phishing therefore, don’t forget to report to Gumtree in the case it is related with, and if your email provider offers you any chance to do it, as it is the case of gmail, then do it as well.

Conclusion

In the Internet world, there are at least the same tricks to cheat you than in the physical world; using the common sense and being always aware is a must as probably you already do in the physical world, hence remain always vigilant and in front of a bad feeling, don’t do any step if you are not sure that it is secure and ask for advise if you think that you need help.

In the other hand, we need to put more emphasis to claim more security in the email systems, not only for confidentiality, but authenticity and non-repudiability too, which nowadays are already technically solved, however they aren’t commonly used, perhaps because nobody has found the way to spread them in an user friendly way, besides not to find a real business plan which can encourage investors to invest enough money to spread them.

In the time being, we could claim to the current email provider some easy built-in features which allow us to see

  • What is the real address of the sender
  • What URLs are pointing the text links

which, I think, they can be solved with simple text analysis and a little bit of design and user experience.

If you would like to read what there are behind the scene of the URL address linked by the email, don’t miss my next future post.

Take care.