Dead phish bounce: Alerting to brand risk with email backscatter

Forging the sending address of unsolicited messages is a common practice, one that is both easy and effective at improving the realism of the campaigner’s messages.

One side-effect of this practice is that some email systems will “bounce” a message to the sending address, generating “backscatter” email that is typically ignored as noise in the email stream. In some cases, however, this ‘noise’ can alert organizations to the fact that a phishing campaign using their branding – and potentially targeting their customers – is underway.

Proofpoint recently detected a large number of emails sent to a single organization and quickly determined that these were bounce-back messages to a spoofed sending address in the organization’s domain. Whereas in a spam campaign a variety of sending addresses might be used, in this case the spoofed sending addresses all belonged to the domain of a travel industry company, whose loyalty page had been reproduced on a compromised site in order to capture the logins of unsuspecting users.

The page appears legitimate because it is built using web calls to the vendor’s original page – which it should be emphasized, had not been compromised. Instead, the page was hosted on compromised site that included only a CSS and JavaScript, and the rest of the page elements are populated using calls to the spoofed company’s actual page. (Note that the connection is also unencrypted, increasingly a red-flag for wary end users.) When a victim enters their credentials and clicks the sign-in button, the credentials are relayed to another site and the page redirects to the vendor’s actual loyalty program login page.

Similar to the misappropriation of branded creative for use in malvertising campaigns, the theft of branded creative web content for credential phishing sites creates risk of brand damage for the organization, and moreover often goes undetected. In this case, the backscatter from bounced phishing messages can alert the spoofed organization that their brand is being misused to carry out credential phishing.

Subscribe to the Proofpoint Blog