Phishing - StART to Phinish

Phishing is a variation of social engineering that uses maliciously crafted emails to trick a user into performing an action that benefits the attacker. The two most common outcomes of these attacks are getting the user to download a trojan or getting them to supply sensitive data such as login credentials. In this particular scenario, a trojan is any type of malicious software that masquerades as something it is not. The two very common ones that fit this use case are keyloggers and ransomware. Although there are hundreds of other categories of sensitive data, login credentials tend to be the most heavily targeted by phishing emails. The first question that seems to trouble most people is: why would someone target me to steal my information or infect my machine? The answer is, they're not targeting you. Well, at least not in the case of phishing. You can think of phishing emails as malicious templates that are sent to as many addresses as possible. Yes, the email may have your name in it, but you can thank automation for that. Phishing is the generalized version of social engineering-related email scams. Although there are many versions of phishing, the three main ones to be familiar with are: Phishing, Spear-Phishing, and Whaling. As the names indicate, spear-phishing targets a specific individual or group, while whaling targets large/high-profile individuals. You can categorize these by their level of personalization.

We will start this article from the ground up and look at emails from the most basic, user-friendly analysis. Then we will dive deeper into thwarting even the best-crafted and most complex phishing scams. I find that the quickest and most surefire method for spotting questionable emails starts in the subject line. Look for: URGENT, ALERT, STATEMENT, RECEIPT, LOCKED, PENDING, and anything else that would get the wheels in your mind turning. There are countless other subjects that might be somewhat suspicious. I pulled these from the countless Amazon phishing email scams that I get on a daily basis. Phishing, as mentioned earlier regarding its generalization, is a numbers game: get as many users to open and hopefully interact with the email as possible. This hits on the first tactic that phishing scams take advantage of, urgency. If something is marked as urgent or in a way that immediately concerns you, most people are going to react differently than they would to another HomeDepot 10% off advertisement email. This can get your adrenaline pumping and can cause you to make irrational decisions. That's the goal. So you open up the email to see what the issue or concern is. Here's where the fun begins.

As soon as you've opened up the body of the email, expand the sender's address/details to confirm who actually sent you the email. With a well-crafted phish, this won't help too much. But 95% of the time this is a dead giveaway that this is a bogus email. Here's a typical example from my good old friends at amazon: info-caseid52434899@cleopatra28.kukubimasupportamazon.com. Now if that doesn't look like a legitimate amazon email address, I don't know what does... Yeah... I'm going to guess that amazon has the resources and the intelligence to use a more succinct address. The next, and probably most helpful, attribute for spotting phishing scams (IMO) is the grammar, punctuation, and tense of the email. Now that you've opened up the email and confirmed the supposed legitimacy of the sending address, read the contents. If you possess the ability to read at or above the 5th grade level, you will most likely see some inconsistencies. Cue up another fantastic example:

From top to bottom, another phenomenally crafted email address that seems completely legit... I'll just list the inconsistencies: lock -> locked, hold -> is holding, randomly placed comma, file the card -> file with the card, unlocked -> unlock, click button -> click the button, and cap it all off with a big orange button that wants my credentials. It almost feels as though someone used a Mad Lib to construct this email. Now in order to judge this email, I have made the assumption that Amazon would have better grammar, punctuation, and security practices. I'll let you be the final judge in that regard. Amazon is completely transparent in their security policy regarding spoofed emails so here's a quick blurb from their policy documentation:

Amazon will not ask you for the following information in an email communication:

  • Your bank account information, credit card number, PIN number, or credit card security code (including "updates" to any of the above)
  • Your mother's maiden name or other information to identify you, such as your birth city or your favorite pet's name
  • Your Amazon or Seller Central account password

This form of phishing email has actually become less and less prevalent in my experience. The attackers have become so lazy and uninvolved that they are now simply sending empty emails with subject lines and a single attachment. Although it would seem like these might be a little bit harder to judge on their authenticity, the same rules apply. Check the sending email address and think about general human interaction. When have you ever sent or received an email with just an attachment, no body, no introduction or conclusion, and a subject line that stands out? I can think of only a single example: when I send myself something purely for the purpose of getting an attachment from one device to another. There may be a few other examples that you can come up with, but I 100% guarantee you that a reputable business is not going to play it that way. The emails you receive may not necessarily have attachments or nicely crafted buttons; you may just find a hyperlink for a website that you're instructed to visit. Do NOT open these attachments or click on these links! Now we are getting to the point where you need to decide how deep you're willing to dig. Are you someone who is focused on better preparing yourself for the inevitable onslaught of future phishing emails, or do you want to take it a step further to better protect others from similar social engineering attempts? If you chose the latter, there are two extremely easy steps that you can take to spread the word and help others identify this type of malicious behavior: VirusTotal and the Anti-Phishing Working Group (APWG).

Some security professionals may argue against the use of VirusTotal in regards to email scams. VirusTotal is a place where you can upload files and URLs to check them for known malware and malicious content. Right off the bat, this sounds like a no-brainer, right? The tradeoff to being able to publicly upload and search for this content is that anyone can use it. VirusTotal warns you up front:

Please do not submit any personal information; VirusTotal is not responsible for the contents of your submission

If you can't guarantee that your personal information is not somehow contained within the attachment, I would avoid using the resource. As an example, there is a very strong chance that the email attachments I'm receiving from this extremely reputable amazon entity contain both my full name and email address. Don't want anyone to know what that is? Then don't submit that file to VirusTotal. Case closed.

There are hundreds of different options for reporting phishing scams. Rather than simply deleting or marking the emails as spam, I would suggest reporting them to an agency that supports the overarching security posture of the internet. Each mail provider typically offers some type of service/email account that you can forward these to, but rather than limiting it to that specific domain, I suggest using the APWG which is an international consortium devoted to unifying the global response to cybercrime. If you're not feeling up for doing a bit of background research, just send the email to: reportphishing@apwg.org. If you're not technically inclined or just don't care that much, your work stops here. You've done your good deed for the day. That may also mean that you won't be interested in the remainder of this article.

Before we dive any deeper into ripping emails apart to inspect their construction and routing, let's address the elephant in the room. Any security professionals reading this are ready to discredit my opinion because I just told them to forward an email. Forwarding emails destroys extremely valuable metadata contained within the header of the email. When you forward an email, you replace the original header with one of your own creation. The header provides the most viable option for tracking the official source of an email! With that being said, many security professionals would argue that the time and resources spent attempting to identify and track down an attacker often outweigh the outcome. If any of this investigative work interests you, I would definitely suggest taking some time to learn more about Digital Forensics. We will merely create a microscopic scratch on its surface in our dissection of the email header.
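To make the point about forwarding concrete, here is an added example (my own illustration, not code from the original article) that builds a constructed message carrying Received and Authentication-Results headers and then simulates two ways of forwarding it: the ordinary inline forward, which produces a brand-new message with none of the original trace headers, and forwarding the original as a message/rfc822 attachment, which is what keeps those headers intact for whoever receives the report. Every host, address and ID below is a constructed sample value.

```python
# Added example, not from the original article: what header evidence survives
# an inline forward versus forwarding the original message as an attachment.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed raw message with a realistic-looking trace header block.
# Hosts and addresses use reserved example names; none are real infrastructure.
ORIGINAL_RAW = b"""\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.recipient.example (Postfix) with ESMTPS id ABC123
        for <victim@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [10.0.0.5] (unknown [203.0.113.7])
        by mail.example.net with ESMTPA id XYZ789;
        Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.recipient.example; spf=softfail smtp.mailfrom=mail.example.net
From: "Example Support" <support@example.net>
To: victim@recipient.example
Subject: URGENT: Your account is locked
Message-ID: <abc@mail.example.net>
Content-Type: text/plain; charset="utf-8"

Please click the button below to unlock your account.
"""

# Headers an abuse desk needs to trace the message back to its source.
FORENSIC_HEADERS = ("Received", "Return-Path", "Authentication-Results", "Message-ID")


def parse(raw: bytes) -> EmailMessage:
    """Parse raw RFC 5322 bytes with the modern (policy.default) API."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def forward_inline(original: EmailMessage, sender: str, to: str) -> EmailMessage:
    """Simulate a mail client's plain 'Forward': a fresh message whose body
    quotes the original text. None of the original trace headers are copied."""
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = to
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content("---------- Forwarded message ----------\n" + original.get_content())
    return fwd


def forward_as_attachment(original: EmailMessage, sender: str, to: str) -> EmailMessage:
    """Simulate 'Forward as attachment': the complete original message, headers
    included, travels inside the report as a message/rfc822 part."""
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = to
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content("Reporting a suspicious email; the original is attached.")
    fwd.add_attachment(original)  # a Message object becomes a message/rfc822 part
    return fwd


def recover_trace_headers(msg: EmailMessage) -> dict:
    """Collect forensic headers from the report itself and from any attached
    message/rfc822 part, the way a recipient of the report would."""
    found = {}
    candidates = [msg]
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            candidates.extend(part.get_payload())  # payload is a list holding the inner message
    for candidate in candidates:
        for name in FORENSIC_HEADERS:
            values = candidate.get_all(name) or []
            if values:
                found.setdefault(name, []).extend(values)
    return found


if __name__ == "__main__":
    original = parse(ORIGINAL_RAW)
    reporter, desk = "reporter@recipient.example", "abuse-desk@recipient.example"
    print("inline forward keeps:", recover_trace_headers(forward_inline(original, reporter, desk)))
    print("attachment forward keeps:", list(recover_trace_headers(forward_as_attachment(original, reporter, desk))))
```

The inline forward yields an empty dictionary: the recipient of the report sees only the forwarder's own headers. The attachment variant returns both Received hops, the Return-Path, the Authentication-Results and the original Message-ID, which is why reporting channels that want to trace the sender ask for the original as an attachment rather than a pasted copy.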

Now that we have gotten through the identification process for the majority of the poorly crafted phishing emails, let's move into deeper water. More experienced hackers and phishing artists will have spoofed the email address to look legitimate and will have used proper grammar, punctuation, and syntax to convince you that this might actually be worth reading or paying attention to. Before you go pulling out your credit card and social security number, let's take a look at the email header. The header stores a ton of hidden metadata that you would never see unless you were looking for it. Each email service has tooling and functionality specifically for this purpose. Although I'm a big supporter of both Yahoo and Gmail, I've found the latter provides a better platform on which to dissect the header. You will find countless tutorials specifically dedicated to navigating you through this process... Click a few buttons and voilà. But seriously, go to the email, click the 3 vertical dots on the upper right-hand side, select "Show original", and you're staring right at the header.

Now that you are looking at the "Original Message", including the email header, click the "Copy to clipboard" button. Then open Google's Message Header Tool, paste the copied information, and click the "ANALYZE THE HEADER ABOVE" button. Google works its magic, checking SPF and DKIM (depending on what is set up), and you get a color-coded response indicating the authenticity of the email. The three common results you might see are: Pass, Fail, and Softfail. If the email header information checks out, you should see a Pass value for SPF/DKIM. Most of the well-known email providers actively use SPF and DKIM to aid in confirming email authenticity, but this is not guaranteed. In trusting these results, you are also relying on the email providers' commitment to keeping their records up to date.

Although working through this process can give you a bit more peace of mind or further confirm your suspicion, I would not treat it as a concrete determination. To gain more thorough clarification, you will need to analyze the sequence of header information, looking for logical inconsistencies, address information, and checks and balances. This is all simplified by the use of SPF and DKIM records, which will be explained in further depth in a follow-up discussion. We'll cover the complete email header breakdown in its own article. In closing, make sure to: read the email in its entirety for context/grammatical clues, be on the lookout for authoritative/urgent subject lines, double-check the sending address, and never click/download something when you are not 100% confident of its origin. Remember, you are not alone in the fight against phishing scams, and there are a multitude of resources available for you to report or get assistance with suspicious emails.