Tuesday, 19 August 2014

How to spot a phishing email

Not a day seems to go by without reading about another hack and most of these are either initiated by some kind of injection of bad data into a web application and the rest are mostly originated by phishing emails. The most serious hacks are usually initiated by phishing since phishing will often get you inside a company in a way that web applications usually can't - this means the attacker potentially has access to everything that an employee has access to. My own experience is that this is usually far more than they should but anyway....

A phishing email is an email that intends to create a means to steal information. It does this by producing some trust with the person reading the email and then asking them to do something, either typing in some login credentials, which the attacker can then steal or perhaps run a program which will install a virus onto the local machine which allows the attacker remote access.

In order to create trust, good phishing emails need to look legitimate. This might include one or more of the following:

  1. A from address that looks believable (but possibly a close copy of a real address) like info@micosoft.com. It could also appear to come from one of your friends or contacts due to a virus on someone else's machine. The from address can be manually set by an attacker to anything they want, although most modern email scanners will detect this.
  2. Some official looking logos. Remember, any image that appears on a web site can be copied and used by an attacker. Just because it has a Microsoft logo, doesn't mean it is from microsoft.
  3. Some kind of urgency or warning to make you do something. Phrases like, "Account validation required", "Illegal access detected, please confirm your details" or "You account will be locked if you fail to take action". Don't be scared by these phrases. I have never seen a proper system that uses only emails to warn of such drastic actions. Any good site, like your bank, will tell you to visit the bank website and carry out any actions that are required.
  4. Hyperlinks that look correct but not be. A hyperlink, like the following example, can say one thing but point to a different site. Hover over this link and notice that the actual destination does not match the text: http://www.microsoft.com (your browser might block the link!)
  5. Some kind of attachment to open. Note that what it appears to be might not be what it is. A classic example is a program with an icon that looks like a pdf. When you open it, the program runs, installs a virus and then opens a pdf to make it look like it is just a simple attachment. Some attachments will be blocked by email readers by default and some are more dangerous than others. In general office documents and PDFs are most dangerous because they can contain code that is run when they are opened.
  6. Suitably abstract language that is needed when sending emails to lots of people. Rather than Dear Luke, it might say, Dear Colleague. "Your IT department has requested that..", "Your manager requires you to...." when these are translated from other languages, these might sound quite funny, "Your account is will locked you not obey instructions".
  7. Some kind of invitation to be curious. How many of you have clicked on a Facebook link because, "You will never believe what happens..." or "This is the funniest thing I've seen all week..."?
It can be very hard to spot the best types of phishing emails - they can look very convincing. But the following suggestions should make it all but impossible for the phisher to succeed.
  1. IT departments should plan to keep operating systems up to date with the latest updates. Many of these are created to block holes in the operating system, some of which can be exploited by phishing. Do not continue to use very old operating systems, again, plan long term update policies even if it means new PCs come with new operating systems so replacements happen automatically over time. Older Windows operating systems allow programs to run, sometimes without you even knowing.
  2. Use a modern email client or a web-based email client. Modern clients have better security features in general.
  3. Ensure you have a modern virus checker on your email system (either on your mail server if you have one, or on your local email client). Keep it up to date! Online mail tends to include this built-in but check that you are not just assuming that.
  4. Try and use SPAM filters and any other kind of automatic detection for bad emails. Many new systems have a range of measures to detect suspicious emails, although these are not perfect - sometimes they create false negatives and false positives.
  5. Set up a culture and training in your organisations, both to spot bad emails but also to avoid sending out emails that look like phishing. If you want your employees to do something involving clicking links or updating details, communicate it verbally or instruct the user in the email to visit a site they should already have access to rather than sending a link.
  6. Be suspicious of any emails with strange requests and check them out before obeying the instructions. As far as I know, NO proper company would send out an email with embedded content or hyperlinks to ask you for personal details, including login details. They would also not send out attachments for you to open.
  7. Do not open any "fun" stuff at work, whoever it appears to come from.
  8. Never, ever, ever allow a program to run from an email attachment, if it asks you for permission, unless you are 100% that the email is expected and was sent from a person you were expecting it from.
Post a Comment