How do scammers get your contacts when they send emails that appear to come from you? [closed]
Everyone is familiar with ploys where scammers send fake emails to people in your contact list saying things such as "I am in jail in the UK and need you to wire $10,000...". When this happens to friends of mine and I examine the email headers, the vast majority of the time the email wasn't actually sent from the user's legit account. Rather, the "From" and "Reply-to" addresses as well as the name reflect the person's legit info, but the mail actually originates from somewhere else.
What are ways the scammer is getting your contacts?
While Gh. is correct about malware which skims the address book and sends out emails, there are plenty of chances for people to "legitimately" match your address up with a friend's address: online e-cards, forward-this-funny-link one-click buttons, online polls, petitions, unscrupulous or compromised forum software, ez-email and messaging aggregator apps, etc.
Unfortunately, most of this is out of your control, since the owner of the sender account being spoofed may have been the one to let their list into the wild.
The "from" field is completely insecure, BTW: if they can log in to an SMTP server, they can provide any "from" header they want.
How they can get your contacts (just adding a bit):
E-mail addresses (and other passed-around contacts) are subject to "6 degrees of separation": http://en.wikipedia.org/wiki/Six_degrees_of_separation
When people blindly or accidentally FWD, CC, or BCC, or use any of the other easy ways to launch everyone's contacts out into the wild, they end up passing your contacts out. Because you're only 6 away from 6 billion other people on the planet, some person who utilizes the web for these purposes gets it, and it becomes "unlisted" at that point.
That invitation to 25 people for the birthday, distributed obituaries, political cute e-mails you gotta send out to your friends, that web meme that you shot out to 2 friends, who shot it to 4 others, complete with your address still stuck in the thing. When you see your e-mail address plastered at the top of a stack of addresses, you can be assured that it has gone around the world a few times already :-)
Add to that the thousands of things we sign up for, buy, log into, and participate in, where the TOU specifically states that the information you provide can be used by their own advertisers or affiliates. Even if a company or website is maintaining a strict privacy policy today, tomorrow it is purchased by another company, and the rules change. Again, add that to the 6 degrees, and it's off to the races with your information.
In the above cases, no malware is required, as that is covered here already.
The above scenarios have been applied frequently to my e-mail addresses by customers, friends, family, and even high-end tech people. It is not long after my e-mail is distributed using methods like mass FWDs that a perfectly clean e-mail address handed to a few people (by me) is found out and used for something other than it was intended. I can often show where it was handed out by someone trying to mass-communicate, even if it was by accident that I was included.
Over a mere few years, my machine has received about 25 times as many e-mail addresses as my original contacts would be, people I have no idea who they are. I ask people not to FWD me that stuff, and not to CC me into the lists, but it still happens that I acquire lots of people's contacts (that I do not want).
Malware infecting the sender's machine could do that.
UPDATE: Let's say the computer is infected with a malicious piece of software. This software, for example, infects your browser (say IE). Let's say you log in to your email account (e.g., Gmail). Then it will get hold of all your contacts and send emails containing the payload the author wants.
Of course, this is only an example. Malware these days is more sophisticated. There could be many attack vectors.
I don't know how they're doing it in practice, but what you describe could happen if malware enables the "hacker" or "cracker" to get into their account and log in; this could be hacking cookies in some way to gain access, or somehow stealing their password and logging in.
You say the IP address isn't the originator's in this case; well, the malware may be sending the login info to the hacker/cracker, and he logs in from some other machine.
Funnily enough, I have actually seen an email account that, after it was broken into, had the junk/spam emails in its sent folder! So the account was literally logged into and emails were sent to people on their contact list. I've also seen cases where the sent-email folder didn't have the emails (maybe in that instance they were deleted by the attacker, or maybe the attacker used an SMTP server for that provider, bypassing the web interface).
It was largely Yahoo addresses that were getting attacked like this, i.e. people breaking into Yahoo accounts. Other than that, sometimes people use the same email address and password on a forum or website, and an attacker attacks the forum or website and gets their details. Before the big Yahoo incident, what happened often was just the From header being spoofed, but never the contact list stolen. The FROM header can be spoofed and the spammer can use any SMTP server that lets them log in, but to steal the contact list they have to log into the account. So, if that happens, it's best to change your password.
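The two points made above, that From and Reply-To are just client-supplied headers anyone with SMTP access can set, and that the header check the asker describes (comparing the claimed sender with where the mail actually entered the mail system) is what exposes the spoof, can be shown in a few lines. The following is an added example and not code from any of the answers; the raw message it parses is constructed for illustration (the friend's address at example.com, a scam Reply-To at a different domain, and a Received chain ending at an unrelated relay), and the function and variable names are my own. It needs only the Python standard library.

```python
"""Spoofed-From mail: how the attacker sets the headers, and how the
Received chain gives the real origin away.  Added example, not from the
original Q&A.  The sample message and all hostnames/IPs are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample: a "stranded traveller" scam as it would arrive at
# bob@recipient.example.  Received lines are read bottom-up: the lowest
# one is the first hop, added by the relay the scammer logged in to.
RAW_SCAM_EMAIL = b"""\
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id abc123
\tfor <bob@recipient.example>; Mon, 12 Mar 2012 08:15:02 +0000
Received: from relay.unrelated.example (relay.unrelated.example [198.51.100.7])
\tby mx1.recipient.example with ESMTP id def456
\tfor <bob@recipient.example>; Mon, 12 Mar 2012 08:15:01 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
\tby relay.unrelated.example with ESMTPA id ghi789;
\tMon, 12 Mar 2012 08:14:58 +0000
From: Alice Friend <alice@example.com>
Reply-To: Alice Friend <alice.friend.help@mailbox.example>
To: bob@recipient.example
Subject: Urgent help needed
Message-ID: <20120312081458.1234@relay.unrelated.example>

I am in jail in the UK and need you to wire $10,000...
"""

RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
RECEIVED_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def build_spoofed_message(from_header, reply_to, to, subject, body):
    """Attacker side: From and Reply-To are ordinary headers chosen by the
    client.  Any SMTP server that lets the attacker log in relays this as-is
    and only prepends its own Received line.  Nothing is sent here."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Reply-To"] = reply_to
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def parse_message(raw):
    """Parse raw RFC 5322 bytes with the modern (structured-header) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Return (from_host, by_host) per Received header, oldest hop first.
    Caveat: only the lines added by servers you trust are reliable; a sender
    can forge Received lines below them, so read the chain top-down and stop
    trusting it once you pass your own relays."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold and normalise whitespace
        m_from = RECEIVED_FROM_RE.match(text)
        m_by = RECEIVED_BY_RE.search(text)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops


def in_domain(host, domain):
    """True if host is domain or a subdomain of it (avoids 'notexample.com')."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_mismatch(msg):
    """Receiver side: compare the claimed sender with the origin shown in
    the Received chain.  The scam pattern from the question is a From
    domain that never appears among the relays, plus a Reply-To elsewhere."""
    from_addr = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    hops = received_hops(msg)
    origin_host, first_relay = hops[0] if hops else (None, None)
    relays = [by for _, by in hops if by]
    return {
        "claimed_from": from_addr.addr_spec,
        "reply_to": reply_to.addr_spec if reply_to else None,
        "reply_to_differs": bool(reply_to) and reply_to.domain.lower() != from_addr.domain.lower(),
        "origin_host": origin_host,
        "first_relay": first_relay,
        "handled_by_claimed_domain": any(in_domain(r, from_addr.domain) for r in relays),
    }


if __name__ == "__main__":
    for key, value in sender_mismatch(parse_message(RAW_SCAM_EMAIL)).items():
        print(f"{key:>26}: {value}")
```

Run as a script it prints that the mail claims to be from alice@example.com, asks for replies at a different domain, entered the mail system from 203.0.113.42 via relay.unrelated.example, and was never handled by any example.com server. That last check is what SPF and DKIM standardise (the receiving server asking the claimed domain whether that relay, or that signature, is legitimate); when a friend's "I'm stranded" mail shows up with a clean chain through their provider's own servers instead, that is the account-compromise case the last answer describes, and changing the password is the right response.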