Writings from the intersection of law enforcement and the Internet

Phishing your own is fun...until you catch your own

My agency recently conducted a “phish your own” campaign and the results were, as usual, disappointing. Or maybe shocking. I was unaware that the message was going to be sent, but as soon as it hit my inbox, I asked my office mate whether he had also received the message. Upon his affirmative response I declared it a phishing simulation, as there was no way the spam filter would not have caught it. The email had more red flags than a pre-hurricane beach. Yet, ridiculous as the email was, over twenty people still fell for it. In a real-life situation that is twenty opportunities for the attackers to access our network.

So here are a few quick and easy ways to spot a phishing message.

Legitimate businesses have dedicated and well-known domain names, and make their employees use those domains for email. If you get an email that appears to be from PayPal, then the sender domain should be “@paypal.com”, since that is the official domain of PayPal. If your suspicious email came from the domain @paypal101.com, or @payypal.com, or @paypal.bigspender.com, then it is not from PayPal.

Businesses generally mandate that employees use their corporate email address to conduct official business. Numerous compliance requirements and best-practice regulations drive that mandate. It is not an acceptable business practice for a loan officer of a national bank to use a Gmail or Yahoo account to transmit official documents. Likewise, your human resources manager is not going to send out the new paid-time-off policy from a Proton Mail account. If the sender's email address is not appropriate for the apparent purpose of the communication, set the message aside until the alleged sender has been contacted through a secondary channel.

Mismatched domains are a red flag the size of a picnic blanket. Email addresses can easily be spoofed so that a message appears to come from someone it did not, but the spoofing is only superficial. The mail system still needs to know where to deliver the message, so on the back end the addresses must be correct. I can send an email from mattdotts[@]yahoo[.]com and instruct your email application to display that it is from matt[@]paypal[.]com, but the application still knows it came from mattdotts[@]yahoo[.]com; otherwise it would send any reply to the spoofed address rather than the real one. Most email clients (Outlook, Thunderbird, Gmail) will display the actual address when you hover your cursor over the sender. If the email looks like it came from customerservice[@]visa[.]com but hovering over the address makes Outlook display customerservice[@]VXXXI9[.]com, then you have an issue.
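The two header checks described above, written out as an added example in Python (not code from the original post): the real sender domain must be the brand's domain or a subdomain of it, and a display name that itself looks like an email address must agree with the actual address. The `check_from` helper and the sample headers are constructed for illustration.

```python
# Added example, not from the original post: the two From-header checks
# described above (sender domain vs. the brand's real domain, and display
# name vs. the actual address). All sample headers are constructed.
import re
from email.utils import parseaddr

# Anything that looks like an email address inside a display name.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_domain(from_header: str) -> str:
    """Domain of the real addr-spec, lowercased (what a client shows on hover)."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def domain_matches(actual: str, expected: str) -> bool:
    """True only if actual is the expected domain or a subdomain of it.

    paypal101.com, payypal.com and paypal.bigspender.com all fail;
    mail.paypal.com passes because it is a subdomain of paypal.com.
    """
    actual, expected = actual.lower(), expected.lower()
    return actual == expected or actual.endswith("." + expected)


def display_name_mismatch(from_header: str) -> bool:
    """True when the display name looks like an address whose domain differs
    from the real sender, e.g. "matt@paypal.com" <mattdotts@yahoo.com>."""
    name, addr = parseaddr(from_header)
    shown = EMAIL_RE.search(name)
    if not shown:
        return False
    shown_domain = shown.group(0).rpartition("@")[2].lower()
    return shown_domain != addr.rpartition("@")[2].lower()


def check_from(from_header: str, expected_domain: str) -> list[str]:
    """Return the red flags raised by a From header; empty means none."""
    flags = []
    actual = sender_domain(from_header)
    if not domain_matches(actual, expected_domain):
        flags.append(f"sender domain {actual!r} is not {expected_domain!r}")
    if display_name_mismatch(from_header):
        flags.append("display name shows a different address than the real sender")
    return flags


if __name__ == "__main__":
    samples = [('"PayPal Support" <service@paypal.com>', "paypal.com"),
               ('PayPal <alerts@paypal.bigspender.com>', "paypal.com"),
               ('"customerservice@visa.com" <customerservice@VXXXI9.com>', "visa.com")]
    for hdr, brand in samples:
        print(hdr, "->", check_from(hdr, brand) or "no flags")
```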

Although checking the domain and email address is the easiest way to spot a phish, you can’t always rely on it. Many attackers use already compromised accounts to send phishing messages to the people in the victim's address book or social networks. A common method is to cross-reference a compromised account with the account owner’s LinkedIn or Facebook connections. This gives the attackers an entire list of targets who have probably already received mail from the compromised account, so spam filters are easily bypassed. The recipient will not immediately delete the message either, because it came from an apparent coworker's, colleague's, or associate's account.

Since we cannot strictly rely on domain checking we have to use some basic common sense.

Most people, and certainly business professionals, proofread their message before hitting the send button. Many phishing emails can be spotted easily by their poor spelling, grammar, and syntax. The significant majority of phishing campaigns, not all but most, are orchestrated from overseas. The messages are written by people who do not speak English as their first language. In fact, some do not speak English at all and simply paste text in their native language into Google Translate to get the wording for their phishing messages. English is a complex language with all kinds of nuances. Native English speakers know them, but the bad guys don't. Use that to your advantage.

There is a theory that attackers intentionally write their messages poorly to quickly eliminate the more observant and better-educated targets: if you click on a link in a poorly written email, you are more likely to follow through with the rest of the scam. This makes sense, but I think the poor grammar is more the result of emails being written by a Russian and composed with Google Translate. Quickly culling out the more intelligent recipients is just a side benefit.

And lastly, be wary of generic greetings and closing salutations, or at least of ones that are not consistent with how the alleged sender usually writes. If the greeting seems odd, then it probably is. Trust your instinct.

Phishing emails are usually designed to be sent out en masse. They are written to appeal to the largest segment of the mailing list, so they must use general greetings and closing salutations. Common spam greetings are “Dear Sir”, “Hello (bank name) Customer”, or “Brother in Christ”. Common spam closings include “Respectfully yours”, “Always”, and “Warm Regards”. The attackers do not have the time to personalize each message, so they must design the text to be generally appealing. If the message is specific to you, then it is a spear-phishing attack: a directed campaign specifically targeting a known person or group of persons. That is a wholly different attack and calls for an elevated defense.

As mentioned above, attackers often use compromised email accounts to target the people in the account's address book or sent/received mail folders. This lets the attacker bypass common email security mechanisms such as DMARC or SPF, and it lowers the target's suspicion because the sender is recognizable. But is this how the known sender writes and conducts himself or herself over email? Is the greeting right? Is the closing right? If the other emails you have received from that account are well written, why is this one strewn with spelling errors and poor punctuation, and closed with “Forever Respectfully Yours”?

Check the sender's domain. Question the purpose of the message. Read the text before clicking any link. Ask for help.

#phishing #infosec #cybersecurity