With the robust and genuine software and hardware security applications the cost of computing is going too high. The vendors are no more struck in pleasing their consumers with just the usability features. They have tightened the technology and even releasing numerous updates though they seem overwhelming to their customers. In this kind of situation, finding out new vulnerabilities in software and them trying to exploit them with viruses and trojans are not viable for the hackers. It is here where they figured a new strategy – exploiting the weakest link of a sturdy technical security system. Guess who? The human of course… It can be the administrator of the PC or a corporate network. Even luring a small employee of a corporate network into downloading something infects the network.

Kevin Metnick, a security consultant, mentions in his CSEPS Course Workbook that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.

Social engineering explained
The concept of Social Engineering is to directly trick the user of the computer to download malware or to reveal sensitive information under the auspice that they are doing something perfectly innocent. The task is too simple and many fall out for it for the lack of awareness on the scams being played on.

With a world class antivirus that gets 1st rank in all AV-tests and a best team releasing realtime AV definitions everyday or a robust firewall from the industry leader, is simply not helping the administrator of the computer. Because it is himself who is infecting the PC. The job of the attacker is to simply lure him to do it. However, it may not be downloading malware that the attacker wants every time. He may just lure the user into giving away some sensitive information. It ranges from SSN to credit card number.

The hacker hijacks a genuine domain or creates a genuine-looking one by himself. It is a part of website spoofing. Once the user enters the domain they are either lured into providing their personal details or download something. Selling scareware is also a part of social engineering. In fact Google reported that 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Why your antivirus can’t keep up?
Each hacker holds a number of domains under him. If one is identified and taken down, the other goes up. The malware mutation used here is also rapid. Though you have the latest version of antivirus called Internet security suite, it may be too late before the vendor identifies and releases a fresh virus definition. Microsoft has gathered information about few billions of downloads over the past two years, and roughly 1 out of every 14 program downloads are later identified as malware. In few cases, just clicking on the background of the malicious site will initiate a download.

Anti social engineering: Should it be from your computer and AV or You?
You computer security is only as robust as your security awareness. Any computer, be it running on Windows XP, Vista or Windows 7, the software will not allow any data to enter your system unless you permit it by initiating its download. And if somebody tries upload any corruptive data to your system, it wouldn’t work because you never initiated it in the first place.

The popular browsers today are designed not to download blindly anything, even if it is initiated by the user himself. The browser does its job perfectly by alerting the user with details of the initiated download. (You might remember the classic pop up of the browser with a OK and Cancel options on it.)

But the hacker is clever enough to give a set of instructions including a message saying “You will receive a warning about this control. Ignore the warning and click OK”. The user unaware of the situation clicks OK and downloads the malware. The PC is now infected under the full authorization of its administrator.

In other situation, the user might get an email saying its from his bank (email spoofing from the hacker) informing that he has withdrew a huge amount from his account and a link to site what looks like his banking website. The scared user is now tricked into typing his account details and the password. In the next few hours, the account gets emptied by the hacker.

Most of the social engineering techniques run in the same way. Agreed that genuine antivirus is required to protect your PC, but it is not designed to tackle situations like this.

Here are few tips that help you help from preventing social engineering to some extent:

• The awareness of the user is the key here. Keep yourself updated on the online scams.
• Avoid using administrator privileged account for PC, unless for updating the security patches.
• Beware of unknown websites and emails that prompt you for personal information.

Most of the people fall victim for social engineering tactics either out of stupidity or greed. And unfortunately, we don’t have patches or hot-fixes for either of them. The person should also have a proper mindset to deal with social engineering tactics. A mature person is less likely to get enticed and fall for online scams.

The ransomware came into radar screen of security researchers in 2009, where a Vundo Trojan is found to encrypt all personal files and the users are asked to pay for the key to decrypt them. The earliest form of scareware just used to make people pay for useless software and fake antivirus. The hackers were able to make it sophisticated enough to hold a PC for ransom. Apart from encryption, the ransomware might just block access to all the applications of the system, asking the user to buy a license in order to fix the problem. The hacker might even entice with a 30-day-money-back guarantee message, which is false.

Techniques used to install Ransomware:
Ransomware is just one kind of malware. So all the methods been used to install it in your PC are similar to that of any virus or trojan infection. However, the actual talent of the hacker lies in making the victim to pay the ransom. Heavy techniques of social engineering are used here. The following are a few techniques used by hackers of ransomware:

• Spam emails with malicious files. The malicious files contain code that exploits the vulnerabilities in the software applications. The code then takes control of the PC denying the access to applications and files.
• The exploitation of the vulnerabilities in browser due to opening malicious web pages. Then an in-line adult advertisement, is shown in every web page the user opens. It covers main part of the web page which the user can’t get rid off. The text written on the banner will be in a foreign language. The user is also asked to send SMS to a premium rate phone number, to get special code that will make the ad disappear and also receive access to an archive of explicit videos.
• The user visiting a spoofed site may suddenly see a message that his PC is infected and to download a tool to get rid off it. The downloaded file actually contains ransomware.
• A malicious .dll file is smuggled into the PC, which manipulates the working of parental controls or Web content filtering features of the PC. When the user tries to open even legitimate sites like Youtube, Facebook, etc from browser, a message in red background is displayed saying: “Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.” The domains will be allowed to access only of the user purchases a fake AV from the hacker.
• Another technique includes manipulation of the master boot record, preventing the booting into operating system. A message is displayed saying that the access to the PC is blocked and the user is asked to visit a site. In the site, he will be asked to pay for getting back access to the PC. However, in such cases, the user can just bypass the prompt and restore the master boot record. Rescue disks are very much helpful in these cases.
• An Instant messaging worm is found to block access to the Facebook account in the infected PC. The message looks as if Facebook itself has blocked the account. The victim is asked to complete answers for a survey within a short period of time. Amid of the survey the victim is tricked to subscribe premium rate services on their mobile phones.
• Adult websites are main hub for the malware downloads. For example, a piece of ransomware identified as WORM_RIXBOT.A, was downloaded over 137,000 times from a single adult website, in December alone. This worm prevents users from accessing their desktops and asks them to send a text message to a premium number in order to receive unlock code.
• The recent Japan earthquake also triggered few ransomware infections. The emails sent to the users contain links to fake news articles from where the malware installs in the PC. Then the access to the desktop is seized with a message claiming to be from Federal police saying that some illegal activities are discovered on PC and pay some fine within the given time of they don’t want their hard drive erased.
• The recent technique of ransomware involves display of a windows reactivation message. The victim is given a toll-free phone number for getting the reactivation code. However, the call will not be free and the hacker is paid indirectly from the victim’s pocket.

In most of the above instances, the files on the hard drive are encrypted. For decrypting the files, a private key is required from the hacker. In such cases, the users must plug off their PC, immediately after seeing the encryption message to stop further encryption of files. This makes sure to save at least some amount of data from getting encrypted. The hard drive should then be removed and installed as a secondary drive in another PC to copy unaffected files into some other storage device. Regular backups are key here to minimize the impact. The encryption can then be cracked down with the help of some security expert.

Recently, a report (by Conductor) said that smartphone ownership increased roughly 58% during the year 2010 (from 17% in 2009 to nearly 27% in 2010). The 2010 holiday shopping saw a 300% increase from mobile users (to 5 high-traffic e-commerce sites). It has even reached to the point that mobile email usage rises while web-based email declines (according to comScore). There are now more than 7 million mobile internet users in the UK according to Nielsen. That compares with more than 40 million in the US. Social networking is also big and growing at higher pace in mobile segment. According to comscore, nearly 58 million mobile subscribers accessed a social networking site at least monthly via mobile device as of December 2010.

Now you see the size of this segment of users, connected to Internet. No doubt it is attracting more and more marketers towards mobile marketing, but is it just marketers who are getting attracted?

We now see a new trend in malware, emerging – the smartphone malware. In fact it has already grown to a frightening level. Cyber criminals are now targeting smartphone users with new malware. After-all it is on operating systems that smartphones run on; and the more the features, the increased are the vulnerabilities. Moreover, you can’t deal with unwanted files and folders or afford installing a security solution easily in a smartphone, like in case of a computer. In the present scenario it is not easy prevent, check for or get rid of malware in your smartphones. You connect yourselves to Internet (which is a wild-west today) with these vulnerabilities, thereby increasing the chances of your mobile being affected.

A recent report from McAfee shows that mobile malware threats increased by 46% in 2010, from the year before. The Zeus genre Trojan Zitmo (Zeus In The Mobile) is on the stands for the smartphone users. This was created on basis of an old spyware commercial package but is very potent in terms of cyber crime activities. Android/Gemini, created for Google Android users, is another such malware inserted into legitimate mobile applications and games and is often spread to infect.

Many popular companies like Kaspersky, Symantec, McAfee, Eset have already evolved with mobile security solutions. Even the updates of virus definitions are available regularly. The installation is little complex to handle for non-tech savvy people. Must say that the security solutions for mobile segment are not as rapid in terms of evolution as it is in case of malware. Lack of awareness on malware and security solutions is the major weakness among smartphone users and helping attackers to exploit smartphones much easily.

So, if you think using smartphone for accessing Internet, emails and downloading applications is cool, beware of the threat lurking in and make it a point to install a suitable security solution. And if you are planning to buy one, you must consider the feasibility of installing a security solution in it.

Related Links:
Mobile development platform

The experts said that the criminals immediately started customizing their malicious websites, including keywords related to tsunami and earthquake, to get on top of the search results using black hat seo methods. It has been found out that they were trying to deploy malware, scareware or fake antivirus programs into the visitors computers through these sites.

Apart from scareware deployments, there can also be fake/spoofed sites posing themselves to be Tsunami relief organizations and ask for donations. Sources say that this happens every time a disaster occurs. So be sure while visiting sites related to Tsunami and even donating funds online for the victims. The less tricky thing will be to donate through the sites suggested by Google in this list.

Potential of the threat
As per the source: the malware code, found to be ELF_TSUNAMI.R, has high damage potential though the distribution potential and overall risk are rated to be low. This code operates as an .ELF file through Linux IRC (Internet Relay Chat) backdoor program and performs brute force attacks via multiple login attempts onto the router or exploit the router. The attacker can also disable the firewall on the compromised router, leaving the network susceptible to more attacks.

How it works?
The attacker drops an .ELF file containing the ELF_TSUNAMI.R code into the router. This might be dropped by other malware or unknowingly downloaded by a user in the network, while visiting a malicious website. This creates a backdoor on the router through which the attacker can send and execute commands via an Internet Relay Chat (IRC) server.

The vulnerability in D-Link routers
Currently, D-Link routers are found to be existing with the remote authentication bypass vulnerability. Due to this vulnerability, the attacker can download the ‘config.xml’ file without requiring normal authentication requirements. This file contains complete configuration details of the device as well as usernames and passwords of the users listed in the device. When the attacker has the file, he can simply take over the admin privileges of the affected router and the subnet under it. The details of firmware versions with vulnerabilities can be found at http://www.juniper.net/security/auto/vulnerabilities/vuln13679.html.

Few instances here will tell you how dangerous can a small USB drive be:

• According to research from Avast, roughly one in eight of the 700,000-plus malware incidents it identified in 2010 were due to tainted USB devices.
• Security consulting and research firm the Ponemon Institute, found that more than 800,000 data-sensitive devices, including USB drives, portable hard drives and laptops, were compromised in 2009.
• The top two virus threats reported by BitDefender, are actually spread through USB drives.
• According to research by Panda Security, a whopping 25 percent of malware today is developed to spread through USB devices.
• Recently, an assistant professor and his student at George Mason University, demonstrated how Operating Systems fail a USB Attack. They just used a smartphone connected to a PC through a USB cable and were able to hack it. The professor simply credited his successful exploit to the USB protocol which does not ask for authentication when an unknown device connects to a computing platform.

These are only a few instances on what an infected USB drive can do.

USBs – a threat for Corporate Networks
An employee can simply bring in an infected USB drive to office, knowingly or unknowingly, and connect it to his system and get it infected. The system then spreads its infection to other PCs over the network. A research report from Avast says that more than 60 percent of all malware in circulation can be spread via USB drives. To corporate networks, notorious USB devices are not just confined to spreading malware. They simply offer a way for indiscernible data stealing.

Precautions and necessary steps to be secure
The situation today isn’t so worse that the USB drives would simply force the users to face the threats they impose. It requires just a few changes in the default settings of USB ports to eliminate the hazards of notorious USB drives. Few of them are as follows:

• Disabling autorun option (Windows PCs)
• Blocking unauthorized USB devices
• Maintain personal and business USB drives separate. So that you don’t contaminate your office network from threats outside.
• Do not plug an unknown USB drive into your computer. This is a simple precaution but works best.
• As prevention is better than cure, you can just block USB drives on your computer/laptop (through registry key settings in Windows OS) permanently and use alternatives.

Adobe Reader 9 was known for its vulnerabilities in the year 2010, which kept evolving despite the number of security patches released by Adobe. In order to check it, Adobe Reader X was released with security enhancements like sandboxing protection for Windows XP/Vista/7 and protected mode view. However, the safety in using Adobe Reader X, especially for Windows OS is still questionable.

Security in 2010 for Adobe Reader
Adobe applications were already the most targeted client-software by attackers during the last quarter of 2009. A report from McAfee came up saying that Adobe Reader and Flash, will be the primary target for attacks in 2010. According to National Vulnerability Database, there have been around 60 vulnerabilities reported for Adobe Reader and Acrobat for Mac, nearly all of which are rated with a “high” severity, since January 2010. In some cases, the vulnerabilities were released after they were already exploited.

The number of security patches addressing critical security vulnerabilities have increased for the version 9 of Adobe Reader. Amid these, Adobe came up with Adobe Acrobat X (version 10.0) on November 15, 2010.

Why Adobe Reader was targeted?
While there are many other PDF readers in the market, Adobe is heard much of all in terms of security vulnerabilities. This can be because of -

• Adobe Reader supports JavaScript and Flash within PDFs. This creates opportunities for attackers to embed malicious codes in PDFs using these programming languages, that execute when you open the file.
• Adobe Reader supports embedded content for which it uses Parser (a bit of software) to interpret the content and display it properly. However, each bit of parsing code is a potential point of failure and is mostly exploited by hackers. Malformed content is used in PDFs to crash the parser and execute a memory corruption attack on the PC.
• The popularity of Adobe due to its support to the Windows is also one of the reasons why it is mostly targeted. Windows being the major OS with 91% market share in client PCs and Adobe being used in most of these PCs, hackers find it easy to hack into these PCs using vulnerabilities of Adobe. Adobe has Acrobat version for PDF reader in MAC OS, which isn’t reported to be targeted by attackers much.

Enhanced security features in X version
Adobe Reader X has many security advancements compared to its earlier versions. The majors being the following:

• The biggest security change in Reader X is the addition of Sandboxing or Adobe Reader Protected Mode – only for Windows. Sandboxing mitigates the risk of what an attacker can do even if they successfully exploit Reader. The risks covered include deployment of malware in the PC to changing the file system or registry of the PC.
• An intensive code hardening program was implemented to reduce vulnerabilities or security flaws in Reader. This security development process included a combination of testing, code review, and programming standards.
• Improved JavaScript blacklist framework, which allows you to disable only specific functions of JavaScript instead of completely disabling it.
• Altered way of prompting security alerts or preference settings. Especially for alerts, a yellow alert bar with descriptive text is dropped down, in place of Yes/No dialog boxes that users instinctively click without reading. The user will have to click on the Options in the text and choose one of them.

Adobe Reader X still not safe
The enhanced security features discussed above do not make Adobe Reader invulnerable. Sandbox mode only acts as a protection layer, preventing the attacker from writing files or installing malware on potential victims’ computers, even if the vulnerabilities are exploited. Other security features explained above depend on the preferences of the user. However, the version 10 of Adobe Reader is the best in terms of security, compared to its previous versions. If you are still using the older version of Reader click here to update.

Malware creators are getting innovative and looking for new ways to infect the PCs with malware. “Eternal vigilance is the price of freedom.” Similarly, the more you are watchful and aware of the security vulnerabilities and ways to defend them, the more you will be safer and secure.

Related links:
oracle support
ad server

What is Drive-by malware?
Drive-by malware mostly uses vulnerabilities in the web browser, browser plug-ins or a security hole in applications like Adobe Reader, etc to infect a PC. Drive-by malware is a malicious code that downloads when visiting an infectious website, opening an attachment to a spam e-mail or by clicking on a deceptive pop-up window. Often, this arbitrary code downloads and executes in the PC even without the knowledge or permission of the user.

Infected websites major source of malware
Despite avoiding illegitimate and suspicious URLs, one can be still be prone to online malware attacks. A recent report from Symantec says that 90% of all websites used to spread malware or launch attacks against users are legitimate ones that have been infected. Often most of the webmasters or owners of these infected websites will not be aware of the infection. This generally occurs due to usage of old vulnerable Web server software which can easily get exploited by a malicious ad distributed through an advertising network, and other means. According to Websense Security Lab, the number of websites with malicious software grew 225% in the last six months of 2009 alone and that most websites with malicious code are legitimate sites that have been hacked.

Since the owner of the website itself is not aware of the infection, the users will be unknowingly opening the legitimate-but-infected site and get their PC infected with drive-by or any such malware.

Avoid reading PDF documents in browsers
Adobe Reader is the most popular PDF reader software today. However, it is also one of the mostly exploited software. According to researchers at the Georgia Institute of Technology and California-based SRI International, Adobe Reader attracted almost three times as many attempts by drive-by malware as the other programs. Thus, it is important to keep the Adobe Reader updated regularly. Despite regular updates of this PDF reader you might still be at the risk of its latest vulnerabilities. Thus, it is recommended to avoid opening PDF documents in web browser.

Other Applications that can be vulnerable
Researchers found that apart from Adobe Reader, the most frequently targeted applications of drive-by download exploitation are Sun Java and Adobe Flash. Firefox 3 had a lower browser infection rate than all versions of Internet Explorer. PCs using Microsoft’s Internet Explorer 6 are very likely to get infected by drive-by attacks. Microsoft has recently reported the instance of hackers hijacking PCs with drive-by attacks by exploiting security flaws of IE 6 and IE 7. However, IE 8 is said to be immune to the attacks.

Keep your Software updated
Keeping your system updated is the most important factor in protecting yourself against drive-by malware as it mostly exploits unpatched security holes of software applications. Users having PCs with Windows should check for patches and update their Operating System regularly. Updating all other applications like PDF reader, web browsers, plugins, etc is also as important for maintaining the immunity of the PC.

The malware existing in Internet today has become hyperactive in infecting the PCs. Even a small mistake, like neglecting the updates, in this scenario may take a big toll. Regular updation and abandoning usage of old vulnerable software is the best way to protect your PC against drive-by malware.

Related Links:
Adserver

Almost all websites online are using SSL/TLS for securing their online transactions with their clients. All the popular browsers are having mechanism to identify the certificate and validate it. When you are visiting a secure site the browser will display a “lock” icon in its status bar. The internet address of a secured site begins with https:// rather than http://, where ‘s’ represents that the site is using a secure server. In the absence of any of the above indicators, it is recommended to avoid doing online transaction within the site.

Data encryption and SSL/TLS Process
An authenticated website for online transaction gets its SSL/TLS certificate from an Certified Authority (CA) like Verisign. The certificate is installed in the web server hosting the authenticated site.

• When a user tries to access this authenticated site through his web browser, it sends a web page request to the web server.
• The server now responds with the SSL certificate.
• Web browser first verifies the validation of certificate, then encrypts the key seed of the session using SSL Public key and sends it to the server.
• Server sends an indication that all the future transmissions are encrypted.
• Then the communication between server and the browser in encrypted format follows until the connection closes.

Importance of SSL certified sites
Internet today can be called as wild west. This has become a major obstacle for the growth of ecommerce and online transactions. Making secure online transactions in these conditions majorly requires privacy and identity assurance. SSL/TLS certificate ensures both to the user. The encrypted format of data ensures safety from cyber criminals who try to steal the information during transactions. Identity assurance is another major feature of SSL/TLS certificate. This certificate is hard to obtain for ordinary or illegitimate websites. However, working with a website certified by an established CA is also important.

The credibility of SSL/TLS certificate
As mentioned earlier SSL/TLS certificates are not easier to obtain. These are operated by Certified Authorities. Certified Authority (CA) usually will be an well established entity. New comers must have to undergo significant barriers to enter into SSL/TLS certificate market and to be included into the web browser’s trusted “root” SSL/TLS certificates list. Thus, if it is an established CA that provides credibility for a SSL/TLS certificate, it is a secure and reliable browser that gives credibility to the CA.

How to validate a website for SSL certificate?
As SSL/TLS certificates are not easy to obtain, cyber criminals use different methods in web programming to create one of their own. However, we can validate a SSL certificate claimed by a website using few simple steps:

1. Open the URL in a website and make sure that the URL starts with “https://” rather than “http://”
2. When the website is loaded in the browser look for the lock icon. The
   

   lock icon is situated in the upper-right corner for Safari; in lower-right corner for Firefox and IE. The lock icon is situated in the right end corner of the address bar for Google Chrome. However, a lock icon doesn’t necessarily mean that the site is SSL certified.

3. In order to validate the SSL certificate click on the lock icon of the browser which displays a pop up window of the page info. Click on view certificate option for further details. This will show further details of the organization and the CA who issued the certificate. Check on the expiry date of the certificate by selecting Validity – > Not After.
   

   Valid SSL Certificate

   Invalid SSL Certificate

4. Always use high security browsers while doing online transactions. As these high security browsers have emerged after the development of the Extended Validation (EV) standard established by the CA/Browser forum, they can perfectly recognize between a valid and non-valid SSL certificate. IE 7+ and Mozilla Firefox 3+ versions are examples of high security web browsers.
   

   Warning message in Firefox

   Many web browsers block the webpage from loading and give an warning message when they find a website with suspicious or invalid SSL certificate.

What are Spoofed Websites?
A spoofed website is usually a replica of a legitimate website. Almost all the features of this site replicate the existing legitimate site including logos, fonts, colors, structure, etc. In few cases, even the URL of the spoofed site is almost close to the URL of the legitimate site so that it is easier for them to trick its visitor.

Techniques used in spoofing:

• URL Redirection: URL redirection is possible through web programming to refer a URL to another URL. Many big companies like Google, Microsoft, etc., use them for legitimate business purposes. However, this has become a phishing tool for cyber criminals.They use a legitimate looking URL (www.domain.com, for example). However, when a visitor tries to visit the site, it actually redirects him to a spoofed site (www.phisher.com). It is possible for the user to identify redirecting URLs by monitoring location bar of his browser.

• URL Cloaking: A legitimate looking URL is used to mask the URL of a spoofed site, by using ‘@’ symbol. Using @ symbol was originally intended as a way to include a username and password in the URL. When a user tries to open the legitimate looking URL, www.bank-domain.com@phisher.com, for example, it actually redirects him to the phishing site www.phisher.com, rather than www.bank-domain.com.

• URL Masking: A illegitmate / phishing site is concealed behind the text of URL of a legitimate site. Web programming has enough attributes to support masking of a URL easily.A user gets an email from phisher containing a link to a legitimate site (www.domain.com, for example). However, the link is the mask of a spoofed site (www.phisher.com). The deception actually happens in the status bar of the browser. When you hover mouse over a link the status bar should show where the link will guide you to. The deceptive link is so well hidden that the user cannot find it even in the status bar on hovering mouse over the link. This is generally done using javascript.

• Typo Scamming: Typos are inevitable when you are typing out on your keyboard. Cyber criminals use this as an advantage and register web addresses that resemble the name of a popular and legitimate site. These URLs are slightly differentiated by adding, excluding, or rearranging letters.For example, web address of a legitimate site www.bankm.com is differentiated as
  • www.banmk.com
  • www.bakm.com
  • www.bankm-online.com

Why beware of spoofed sites?
Spoofed websites are actual sources of phishing. The main job of the phisher is to convince the visitor that his spoofed site is legitimate. From then on it is the visitor who will be submitting his information to the phisher, unknowingly though. It can be his bank username and password, or any such information that is of economical value.

Cyber criminals also use spoofed websites to deploy malware into the visitors PC thus making it as a part of their botnet.

Precautions to take to avoid being a victim of spoofed sites

• Avoid using sites that do not have SSL/TLS certificate while you are banking, buying, selling, transferring money or using credit/debit cards online.
• Make it a habit of checking the SSL/TLS validity every time you visit a site before making financial transactions, by clicking on the lock icon.
• Never click a hyperlink to get to a website for financial transaction unless you are CERTAIN that it is a legitimate link.
• Just type out the URL yourself, use credible search engine results or copy paste it from your records.
• Do not use same username / password for all your online logins.

Also read on Email Spoofing.