Social Engineering, Email Harvesting

Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

I am going to talk about a scheme used by spammers to harvest legitimate email addresses from your contact list. There are plenty of ways to harvest emails, but the one I am focusing on is “email forwarding”. Normally when you create an email account, you start building a contact list containing the email addresses of your friends, relatives, co-workers, etc. Over time, you will have a substantial number of contacts in your contact book.

“Forward” is a very handy function available in almost all email clients; it allows one to pass an email on to some other recipient. But something to note is that the forwarded mail includes the email address of the original sender and the addresses of everyone else in the same forwarding chain.

Say you are a GoodGuy with your email and 50 contacts on your mail account. The BadGuy sends you a mail with a very emotional religious message, or a very nice joke, or an irresistible offer for something that you are likely to fall for, and guilts you into forwarding it to at least 10 friends, including the BadGuy. And you end up doing that, in good faith. Now 10 friends from your contacts will receive your well-meaning forward, with the instructions to do the same: “forward to at least 10 friends”. The email harvester receives a copy of every forward from the recursive senders.

Simply put, if you forward the mail to 10 contacts, and they do the same in good faith, and the third circle does the same, roughly something like this happens: email contacts will have been harvested in just three circles, and the number keeps growing with the number of forwards and the number of contacts each forward goes to. And then you and your friends start receiving commercial mails from services that you never even visited or heard of. And you wonder how on earth they got your email. Well, you gave it to them; you actually helped them get some of your friends’ emails too. This is the effect of social engineering: the mail plays with your psychological conscience, and you think you are doing a good thing by responding; in return you are falling for somebody’s social engineering scam.
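To make the two points above concrete, here is an added example (my own code, not part of the original article) in Python. The first function models how the number of exposed addresses grows round by round in the forward chain; it assumes, as a deliberate simplification, that every recipient forwards to the same number of contacts and that contact lists do not overlap. The second part is the defensive side: before you forward a message, it finds every address buried in the quoted history and lets you redact them, so your forward does not carry your friends' addresses any further. The sample quoted message and all addresses in it are constructed for this example using reserved example domains, and the address pattern is a simple illustration rather than a full RFC 5322 parser.

```python
import re

# Simplified address pattern, good enough for the headers seen in a typical
# forward; not a complete RFC 5322 parser (assumption for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: the quoted history that a mail client appends when
# you hit "Forward". Every address here is a reserved example-domain value.
SAMPLE_QUOTED = """\
---------- Forwarded message ----------
From: Alice Example <alice@example.org>
Date: Mon, 1 Jan 2024 09:00:00 +0000
Subject: Fwd: Please forward to 10 friends!
To: bob@example.net, carol@example.com, dave@example.org

> ---------- Forwarded message ----------
> From: Erin <erin@example.com>
> To: alice@example.org
>
> Forward this to at least 10 friends or miss out!
"""


def chain_exposure(fanout, rounds):
    """Cumulative number of unique addresses the harvester has seen after
    each round of the chain.

    Model (simplified by assumption): the first victim forwards to `fanout`
    contacts, each of those forwards to `fanout` more, and so on, with no
    overlap between contact lists. The harvester gets a copy of every
    forward, so each sender exposes their own address plus all recipients.
    """
    totals = []
    seen = 1        # the first victim's own address is already known
    senders = 1     # number of people forwarding in the current round
    for _ in range(rounds):
        seen += senders * fanout    # each sender exposes `fanout` new recipients
        senders *= fanout           # those recipients forward in the next round
        totals.append(seen)
    return totals


def find_exposed_addresses(quoted_text):
    """Return the sorted, de-duplicated addresses found in quoted history.

    This is exactly the information a harvester obtains from a forward, so
    it is also what a sender should strip before forwarding.
    """
    return sorted(set(EMAIL_RE.findall(quoted_text)))


def redact_quoted_addresses(quoted_text, placeholder="[address removed]"):
    """Replace every address in the quoted history with a placeholder so the
    forward no longer carries earlier senders' and recipients' addresses."""
    return EMAIL_RE.sub(placeholder, quoted_text)


if __name__ == "__main__":
    # Three circles of ten forwards each, as in the article's scenario.
    print("exposed addresses per round:", chain_exposure(10, 3))
    print("addresses in the quoted history:", find_exposed_addresses(SAMPLE_QUOTED))
    print("redacted copy:\n" + redact_quoted_addresses(SAMPLE_QUOTED))
```

Running the script with a fan-out of 10 for three rounds prints the cumulative exposure after each circle; the redacted copy is what a careful forwarder would actually send on (and sending to friends via BCC rather than To keeps the next hop's recipient list out of the chain as well).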