RussellHltn wrote:While I can think of a number of ways it can be done, I'm wondering if anyone has any insight on how this particular campaign is being done.
You obviously want a more detailed explanation then I can give, but the fact that it is happening regularly should make everyone realize the "openess" of email.
Two cases:
It happened to my brother-in-law while they were traveling, and I got the bogus email, which I promptly ignored. It was last fall. It appeared real, because it came from his normal email, and the CC emails were all people I knew as family members, and the bogus email said he was in the city I knew he went to.
He is an IT professional, and conjectured that a valid email he sent to one of us from this city was "hi-jacked" in route at some point (not from a wi-fi hotspot) and the fake email was created from it. He was never sure if they actually compromised his account or "spoofed" it, as I think you called it. Either way, the result was almost identical. The big three "free emails" certainly do not give you any guarantee of privacy as they pass your email through the back halls of the internet on it's way to all of the IP's of your family and friends.
Second case, a friend: Email account was actually compromised, password changed, then bogus emails sent to family. Because the email account was now in the hands of the perpetrator, real holders of the account were now locked out, and knew nothing, and responding emails to the account were of course intercepted and responded to as if they were from the family member. I conjecture that it happened similarly as above for my brother-in-law, first an email was "hijacked, or his email address was merely picked off the net on some website or blog, and then his password was "cracked."
I hope your topic helps educate us. If I have your email address and your password, I have your account - and the emails of your friends and family, and maybe much, much more if you have a net mail account- access to the content of all of your sent and saved emails!
Besides my personal passwords, I only know the email passwords of three other people, because I had to help them with computer issues. Two out of those three passwords were their own first names! That would mean that I could guess their passwords merely by my first guess. And my nephew "confessed" to me last week that he had guessed both of his parents passwords, and he is only six years old! He would have told me what they were if I had asked...is it really this easy?
There are far more sophisticated password cracking methods, but maybe its really this easy....