Forging the sending address of unsolicited messages is common practice: it is easy to do and makes the attacker's messages considerably more convincing.
One side-effect of this practice is that some email systems will "bounce" undeliverable messages back to the forged sending address, generating "backscatter" that lands in the spoofed organization's mail stream and is usually ignored as noise. In some cases, however, that noise can alert an organization that a phishing campaign using its branding, and potentially targeting its customers, is under way.
Proofpoint recently detected a large volume of email sent to a single organization and quickly determined that the messages were bounces of mail carrying a spoofed sending address in that organization's domain. Whereas a spam campaign might rotate through a variety of sending addresses, here the spoofed addresses all belonged to the domain of a travel industry company, whose loyalty-program login page had been copied onto a compromised site in order to capture the credentials of unsuspecting users.
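Turning that backscatter into a signal on the receiving side, as an added example that is not Proofpoint's code or tooling: the Python below constructs a handful of DSN bounce messages in the shape described above (bounces returned to addresses in the spoofed domain, each carrying the original lure), parses each one, discards bounces for mail the organization's own gateway actually relayed and bounces for other domains, and clusters what remains by lure subject and link host. The domain names, addresses, bounce texts and the outbound-gateway log are all constructed for the example.

```python
"""Backscatter triage: flag bounces to our domain for mail our gateway never sent.
Added example, not Proofpoint's code; all data below is constructed for illustration."""
import email
import re
from collections import defaultdict
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OUR_DOMAIN = "example-travel.test"                 # assumed: the brand being spoofed
OUTBOUND_LOG = {"<real-1@example-travel.test>"}     # constructed: Message-IDs we really relayed
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Minimal RFC 3464 delivery status report that returns the original message.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@{mta}
To: {spoofed}
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; {mta}
Original-Recipient: rfc822;{victim}
Action: failed
Status: 5.1.1
--B1
Content-Type: message/rfc822

{original}
--B1--
"""
ORIGINAL_TEMPLATE = """\
Message-ID: {msgid}
From: "{name}" <{spoofed}>
To: {victim}
Subject: {subject}
Content-Type: text/plain

{body}
"""

def build_bounce(mta, spoofed, victim, msgid, name, subject, body):
    """Construct one bounce as the receiving MTA would return it to the spoofed sender."""
    original = ORIGINAL_TEMPLATE.format(msgid=msgid, name=name, spoofed=spoofed,
                                        victim=victim, subject=subject, body=body)
    return BOUNCE_TEMPLATE.format(mta=mta, spoofed=spoofed, victim=victim, original=original)

PHISH_SUBJECT = "Your loyalty points are expiring"
PHISH_BODY = "Sign in at http://compromised-host.test/loyalty/login to keep your points."
SAMPLE_BOUNCES = [
    # Four bounces of lures we never sent, all pointing at the same cloned login page.
    build_bounce(f"mx.isp-{i}.test", spoofed, f"gone{i}@isp-{i}.test",
                 f"<p{i}@mail.bad.test>", "Loyalty Rewards", PHISH_SUBJECT, PHISH_BODY)
    for i, spoofed in enumerate(["rewards@example-travel.test", "loyalty@example-travel.test",
                                 "rewards@example-travel.test", "noreply@example-travel.test"])
] + [
    # A genuine delivery failure for mail our gateway really relayed.
    build_bounce("mx.partner.test", "hr@example-travel.test", "left@partner.test",
                 "<real-1@example-travel.test>", "HR", "Benefits update", "Form attached."),
    # Backscatter for somebody else's brand; out of scope for our triage.
    build_bounce("mx.isp-9.test", "billing@other-brand.test", "gone9@isp-9.test",
                 "<p9@mail.bad.test>", "Billing", "Invoice overdue", "Pay at http://evil.test/pay"),
]

def extract_original(bounce_raw):
    """Return the original message embedded in a DSN, or None if the report lacks one."""
    msg = email.message_from_string(bounce_raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def analyze_bounces(bounces, our_domain=OUR_DOMAIN, outbound_log=OUTBOUND_LOG, threshold=3):
    """Group bounces of mail we never sent by (subject, link host); keep clusters >= threshold."""
    clusters = defaultdict(list)
    for raw in bounces:
        orig = extract_original(raw)
        if orig is None:
            continue
        sender = parseaddr(str(orig.get("From", "")))[1].lower()
        if not sender.endswith("@" + our_domain):
            continue                     # bounce for someone else's mail, not our brand
        if str(orig.get("Message-ID", "")).strip() in outbound_log:
            continue                     # we really sent it: an ordinary delivery failure
        body = orig.get_body(preferencelist=("plain",))
        urls = URL_RE.findall(body.get_content() if body else "")
        host = urlparse(urls[0]).hostname if urls else None
        clusters[(str(orig.get("Subject", "")).strip(), host)].append(sender)
    return {key: senders for key, senders in clusters.items() if len(senders) >= threshold}

if __name__ == "__main__":
    for (subject, host), senders in analyze_bounces(SAMPLE_BOUNCES).items():
        print(f"{len(senders)} bounces, subject={subject!r}, lure host={host}, "
              f"spoofed senders={sorted(set(senders))}")
```

The two filters are what separate signal from noise: the domain check keeps only bounces that implicate our brand, and the Message-ID lookup (in production, a query against the outbound gateway's logs rather than a constructed set) removes ordinary delivery failures for mail we really sent. What survives and clusters on one subject and one link host is a campaign, and the extracted host is the starting point for a takedown request.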
As with the misappropriation of branded creative for malvertising campaigns, the theft of branded web content for credential phishing sites exposes the organization to brand damage, and it often goes undetected. In this case, the backscatter from bounced phishing messages can alert the spoofed organization that its brand is being misused to carry out credential phishing.