Hacked - Episode 1: Email Spoofing

Episode Date: October 15, 2015

Hey new listener! This original pilot episode is pretty vintage. If you're just getting into Hacked, we recommend starting anywhere in the 2020 reboot. Cheers! In this episode, we explore a technique... known as "e-mail spoofing".

Transcript
Starting point is 00:00:02 In October 2013, a bunch of tech journalists got a press release from a Swedish biometric company called Fingerprint Cards. The press release was announcing the fingerprint sensor manufacturer had been bought out by none other than Samsung, which is pretty big news, not just for the company, but for their shareholders. Media covered the press release, and for 17 minutes, the Swedish stock market went kind of nuts with the news before the stock was frozen due to volatility. Samsung had bought Fingerprint, and a lot of people stood to make a lot of money off of the deal. The only problem is Samsung didn't actually buy Fingerprint,
Starting point is 00:00:40 and that press release from a Fingerprint PR person that started the whole thing, Fingerprint didn't actually send it. I'm Jordan Bloemen. And I'm Scott Winder. And this is Hacked, a podcast about the curious, enlightening, and occasionally criminal underbelly of the internet. Can we cut the, dispensful jams? Perfect. Thanks.
Starting point is 00:01:03 Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic
Starting point is 00:01:34 agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is just off running on their secure operations graph. A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed,
Starting point is 00:02:08 and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
Starting point is 00:02:39 If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to arcticwolf.com slash hacked. Okay, so who are we? As I said earlier, my name is Jordan. And I'm Scott. Scott has 20 years of experience in tech with an extensive computer security background. And Jordan, while he spent his career in communications, and he's got something that we refer to as a penchant for storytelling.
Starting point is 00:03:04 Thanks, Scott. We decided to make this podcast because 15 years ago, digital security was a pretty obscure subculture. Today, it's kind of at the heart of political, personal, and pop culture. Every day we're exposed to cybercrime because, you know, every day, our lives move more and more online. So we figured we would talk about it and try and understand it so we can be both more aware and less afraid.
Starting point is 00:03:27 So where do we start? Today we're going to talk about email spoofing. This is normally where we would play the theme song, but this week we're saving that for the end. It's kind of shameless, but stick around. Email spoofing is the practice of sending out an email masquerading as someone else. You need to log into your email account to read the emails that people have sent to you, but you don't need to log in to send an email from your email address or someone else's. Hence, spoofing.
Starting point is 00:03:56 You're faking or spoofing who the email is actually coming from. When I sit down in front of my computer, I log into Facebook. I type in my username and I type in my password, at least if my browser didn't remember it for me. In the same way, if I sit down on my computer and I want to log into my email, I type in my email and I type in my password. From my perspective, these two things are very, very similar. But to someone trying to pretend to be me on the internet, they couldn't be more different. Email is an ancient service. It's as old as the internet itself and it was created
Starting point is 00:04:28 to be kind of this anarchistic, egalitarian distributed network. It really requires no login or authentication to provide any kind of proof of who you are sending and who you are sending it to. Communication on the internet really just boils down to trust. If I see a message from someone I know, of course I'm going to open it. I trust that person. If I see a message from someone who I don't know, it becomes a question of discretion. If it's from some weird Russian website trying to sell me Viagra or Cialis, I'm probably not going to open it.
Starting point is 00:04:57 If it's someone I met a little while ago, yeah, maybe I'll open that email. And knowing that that's how people decide what they do or don't open is a pretty valuable tool. Being able to, you know, kind of jump into somebody else's trust network and use a preexisting trust relationship can be incredibly powerful. You know, if, like as Jordan said, you get like a sketchy Russian Cialis salesman sending you attachments, chances are you're not going to open them. But if your grandma sends you an invite to her 90th birthday party or something along those lines, there's a good chance that you're going to open it. I love you, Nana. And that's just it.
Starting point is 00:05:34 You know, the base starts there. You know, there's a variety of reasons that people can do this and would do this, you know, bypassing people's security, stealing personal information, installing, you know, software that allows them to take over your computer, or things like stock manipulation, which is how we open the show, are totally viable. Like just today, I made Jordan quit his job without him knowing. Wait, what? Hey man, it's Jordan. How you doing? I'm all right. How are you? I'm not too bad. Did you just get an email from me? What's it say? I'm quitting. Okay, so I didn't send that email.
Starting point is 00:06:09 No, I did. You did? Yep. Okay. So how did you send that email? Did you have my password? Not at all. So all I did was draft up what I wanted the email to look like, copied it into my clipboard, connected to an email server, said that I was you, and sent it to him. And how long did that take? About two minutes. Okay, so I asked Scott to take me through the process of sending an email from my account without ever logging in as me. And more than the feeling of having your privacy invaded, more than the surreal sense
Starting point is 00:06:46 of, I guess, watching someone pretend to be you, what struck me most was how easy this all was. like really, really easy. Here's what he did. Scott opened up the terminal on his computer. If you picture people hacking in a movie, you know that black screen with a bunch of sort of just ominous nonsense scrolling by? It's that thing.
Starting point is 00:07:10 Ain't by real. Right. I have my doubts. Then he wrote a line of text saying hello to the mail server. It was one line of text. So I've always assumed that computers talking to each other was ones and zeros, or at best, just something completely indecipherable. What Scott wrote in the terminal was a line of text that I could actually read. It was almost plain English, and the server responded in English.
Starting point is 00:07:32 So if that wasn't weird enough, the next step is that he said he was me to the server, and he did that by writing in my email address as the sender, and he hit enter. He didn't write a password, just the email. And the server literally responded, okay, it just kind of trusted him. Then he wrote the recipient, like you would on an email. That was the email address of the person you just heard. He wrote subject, I'm quitting, and then he composed an email. All of this in that ominous black terminal.
Starting point is 00:08:01 And that was kind of just it. Scott never logged into my email. He never needed my password. He just sort of put on a Jordan mask and started walking around pretending to be me. And the internet believed him. Yep. What the actual hell, dude. This is the language of the internet.
Starting point is 00:08:22 Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected, and cybersecurity teams were tested like never before. But here's the thing. These incidents aren't just news headlines. They're learning opportunities.
Starting point is 00:08:47 And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked. I'm going to get a bit technical now and give you a bit of background of, you know, why this is possible.
Starting point is 00:09:27 The language of email is called SMTP or simple mail transfer protocol. This language was created to standardize digital messaging. And it was done so in 1982. If you're old enough to remember the internet of 1982, you're old enough to know that it really wasn't publicly available. Organizations that were on the internet had to run their own mail servers that would accept emails for their users and relay emails from their users to others. The key term here is relay. So what's a relay? Well, a relay is when a message is sent
Starting point is 00:10:06 to a server but destined for another server. The server then just redirects it to the appropriate server. The term open relay is used to describe a server that has no restrictions on this redirection. Open relays were incredibly prevalent in the late 90s and early 2000s, until the age of spam that brought these loopholes to the forefront of our full inboxes. Today, finding truly open relays is very difficult, and if you do manage to find one, it is probably on a blacklist, a list of known servers used by spammers and criminals, and therefore is essentially useless. But... Semi-open relays are quite common. The company that provides your home internet probably also provides you with an SMTP server to use. They do this so that they can firewall off your access to external SMTP servers
Starting point is 00:10:57 while still allowing their subscribers to send emails. So the point of all that, what you're saying is that anyone with an internet connection still has access to one of these servers, which, if I'm understanding correctly, is really all you need to spoof an email. Yep. And I should probably take the opportunity now to tell you that email spoofing is illegal. It's illegal. Very illegal. Okay, so someone can send my banker an email pretending to be me. Right. Your banker gets an email from you. From me. Right. Air quotes. But that would be the end of it because the second he responds, it just goes to my email address, which this hacker presumably doesn't have access to. Hacker's not going to be able to get my monthly statement or request any information.
Starting point is 00:11:43 Not necessarily. SMTP provides a way for the sender to specify a separate email address that is only used when replying to that specific email. So your banker receives an email from Jordan at hackedpodcast.com, trusts that it's from you, clicks reply, and the email address the reply will be sent to can be totally different. As your banker, if you don't go out of your way to verify this new recipient, you'll never even notice. And clever people will even go out of their way to make this new malicious email look just like the original one. Look like the original one. Well, again, you know, using you as the guinea pig, Jordan at hackedpodcast.com, if I were to register an email Jordan at hackedquodcast.com, replacing the P in pod with a Q, the email addresses, from a strictly visual sense, are almost perfectly equivalent.
Starting point is 00:12:39 And now that we've said that, anyone getting emails from Jordan at hackedquodcast.com should probably just disregard them. But even if somebody takes the time to verify, to take a second look at it, really, they are going to see no difference. So, do you get it? In broad strokes, yeah, I kind of, I think I do. Can you guess what the secret sauce is, you know, the last hurdle? The last hurdle. Well, if it's this easy to send an email from my email address, the next trick would be convincing the person you're sending to that the email was actually written by me. Right. Which, if I'm being honest, couldn't really be that hard because every single day
Starting point is 00:13:27 I publish a guide to how to imitate Jordan Bloemen online. You can read how I write on Facebook. You can see what's going on in my life on Twitter. You can figure out where I am on Instagram. It really wouldn't be that hard to pretend to be me with all that information available. And you know what they say? A picture is worth a thousand words. If I see on Instagram that you're somewhere like Niagara Falls, I download that photo and attach it to an email that I send your parents with an update from your trip. There's no way that they won't believe it's you. That's why I stick to postcards. So is there any way to protect against this or is it just don't use email?
Starting point is 00:14:08 Not really. You know, the protection that we have today is way stronger than it was 15 years ago. And that's because people like Google and Microsoft have spent tens of millions of dollars researching how to protect against this. You know, this problem dates back to 1982. So redefining the way something works, and something that billions of people use, is going to be pretty tough. Yeah, almost impossible. Almost.
Starting point is 00:14:33 Well, you can use more reputable email services. You know, there are a lot of forms of protection that do exist, but you have to trust that your email provider has implemented them, is validating against them, you know, to have any kind of confidence. Right. So, like, people can do this and your security comes down to your email provider to catch these spoofed emails before they even get to you. Right. Right. Is every episode going to leave me with this weird feeling?
Starting point is 00:14:59 I think so, yeah. Yeah, I think I knew the answer to that. This has been Hacked Episode 1. I'm Jordan Bloemen. And I'm Scott Winder. And to wrap things up, we're going to play ourselves out with the official Hacked podcast theme that we promised you earlier. This episode has been produced by Sticks and Stones, art and design by Matthias Schmail. Thanks for listening.
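The SMTP exchange the hosts walk through (HELO, an unauthenticated MAIL FROM that the relay answers with 250 OK, RCPT TO, DATA) and the receiving-side checks a practitioner would run on the result (a Reply-To whose domain differs from the From header, and a look-alike domain such as hackedquodcast.com next to hackedpodcast.com), as an added Python example placed after the transcript. It is not part of the episode or the hosts' own material: the relay is a simulation that only mimics the reply codes, the host names laptop.example and relay.isp.example and the message text are constructed for the example, and the addresses are the ones the hosts use on the page.

```python
"""Added example: an unauthenticated SMTP relay (simulated) and the checks a
receiver can apply to the spoofed message it accepts."""
from email import message_from_string
from email.utils import parseaddr


class ToyRelay:
    """Simulates a relay that accepts any MAIL FROM without authentication.
    Reply codes mimic RFC 5321; this is a stand-in, not a real mail server."""

    def __init__(self):
        self.state = "connected"
        self.sender = None
        self.recipients = []
        self.body = []

    def handle(self, line):
        if self.state == "data":
            if line == ".":
                self.state = "greeted"
                return "250 OK: queued"
            self.body.append(line)
            return None  # the server stays silent while the body streams in
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.state = "greeted"
            return "250 relay.isp.example Hello"  # hypothetical relay name
        if verb == "MAIL" and self.state == "greeted":
            # Whatever address the client asserts is accepted: no password asked.
            self.sender = arg.split(":", 1)[1].strip("<> ")
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):
            self.recipients.append(arg.split(":", 1)[1].strip("<> "))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "503 Bad sequence of commands"


# Constructed message for Scott's scenario: From is Jordan's real address,
# Reply-To points at the look-alike domain from the episode.
SPOOFED_MESSAGE = "\n".join([
    "From: Jordan <jordan@hackedpodcast.com>",
    "Reply-To: Jordan <jordan@hackedquodcast.com>",
    "To: scott@hackedpodcast.com",
    "Subject: I'm quitting",
    "",
    "Effective immediately.",
])


def spoof_session(relay, envelope_from, rcpt, message):
    """Run the exchange from the episode; return (client line, server reply) pairs."""
    lines = ["HELO laptop.example", f"MAIL FROM:<{envelope_from}>",
             f"RCPT TO:<{rcpt}>", "DATA"] + message.split("\n") + ["."]
    return [(line, relay.handle(line)) for line in lines]


def domain_of(header_value):
    """Domain part of an address header such as 'Jordan <jordan@example>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, trusted_domains, max_distance=2):
    """Findings a receiving filter would raise on the delivered message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in dict.fromkeys((from_dom, reply_dom)):  # de-duplicated, ordered
        for trusted in trusted_domains:
            if dom != trusted and edit_distance(dom, trusted) <= max_distance:
                findings.append(f"{dom} is within {max_distance} edits of {trusted}")
    return findings


if __name__ == "__main__":
    relay = ToyRelay()
    for line, reply in spoof_session(relay, "jordan@hackedpodcast.com",
                                     "scott@hackedpodcast.com", SPOOFED_MESSAGE):
        print("C:", line)
        if reply:
            print("S:", reply)
    for finding in check_message("\n".join(relay.body), ["hackedpodcast.com"]):
        print("FLAG:", finding)
```

The relay enforces command order (MAIL before HELO gets a 503) but never asks who the client is, which is the point the hosts make: the 250 OK after MAIL FROM is the whole spoof. The two checks at the end are header-level only; they catch the Reply-To redirection and the P-to-Q domain, not a message whose From and Reply-To both name the real domain, which is why the hosts say the rest comes down to what your provider validates on the sending side.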
