Cyber-Security Awareness – Anatomy of a Phish

The term “Phishing” refers to communications that, like regular fishing, use a type of “bait” to compel the reader to “bite” in a way that ends up revealing sensitive or privileged information, or that allows their system to be compromised.

Phishing is one of the most common types of e-mail scams out there at present.  Below I’ve taken a couple of Phishing e-mails that have been brought to my attention lately to point out the sorts of things that should make you pause and consider whether a message that seems legitimate at first glance is in fact malicious.

The first one is designed to make it look like someone has hacked your Amazon.com account and ordered a High-Definition TV to some out-of-state address.  The fake order is just the bait, however.  It never existed; the account was never compromised.  Instead, it’s supposed to make you want to react urgently to stop it, and the quickest apparent way to do so is to click a link in the e-mail to the Amazon website.

The indicators are subtle; I’ve pointed out the sort of things to look for below.

Even so, e-mail content is easily forged.  To be safe, don’t click links in e-mails; instead, type them into the web browser or go to the company site yourself.  I didn’t follow the links in this e-mail, but they likely went to one of two types of sites:

1) A fake Amazon.com login page to capture your username and password

2) A web page with software designed to compromise your computer and give unrestricted access to your system and data to the person in control of that malicious website

Fake Amazon.com order e-mail, designed to compel the reader to click links to a malicious website

Below is another example, this one is a bit more subtle.  The e-mail below didn’t trigger the [POSSIBLE SPAM] tag from our spam firewall.  One of the challenges is that with the money that can be made from these scams, they’re often under the control of sophisticated criminal enterprises.  These criminals can purchase the same tools we use to protect ourselves to test their malicious messages before sending them out.  When that’s the case, it’s a matter of how fast information about e-mails like this makes it to the vendors of the security systems and how quickly they can program a signature to detect this message, but not block something similar that is in fact legitimate.  They really do a pretty good job all things considered, but it’s a fundamentally hard problem and higher education in particular is a big target.

Like the previous e-mail, this one shares the following indicators:

  • “From:” address does not match the purported company sending the e-mail
  • Web links in the e-mail (hover, don’t click!) don’t go to websites one would associate with the purported company.  These can’t be viewed in the graphics below, as I didn’t want to actually provide a link to a malicious website – but you can do this in any e-mail with a link in it for practice.
  • All web links in the e-mail go to the same site, even if they seem to direct you to different areas or even different companies
  • Once again, it’s designed to prompt an urgent, unthinking response, that response being to click one of the malicious links
  • Ship-To address is wrong

E-mail claiming to be from Intuit, designed to compel the reader to click malicious links in the message

We can expect these messages to continue to be refined to make it even harder to tell what is and is not legitimate.  For example, the From address can be forged, errors in the e-mail content like the delivery address lines can be corrected, or a mix of legitimate and malicious web links can be used.

So how can we reliably tell if an e-mail is legitimate?  Frankly, there is no easy answer.  The best bet is to remain skeptical of any e-mails you receive and weren’t expecting and most of all don’t click web links in e-mail.  Typing them into a web browser yourself is much safer.

Links to malicious websites that don’t match the purported sender are likely to remain an indicator, although if someone were able to register a DNS name something like wwwamazon.com (note the dot after www is missing) and point it to the malicious site, it could be harder to tell.

An implied sense of urgency is also likely to remain; they really don’t want you taking the time to think about these messages.  The more you think about it, the more likely you are to get suspicious and not take the bait.

If you are a Washburn student, faculty, or staff member and receive something you aren’t sure of, don’t hesitate to call Washburn ITS at 785-670-3000 or support@washburn.edu.  We can help determine if the e-mail is likely to be malicious and can report compromised e-mail accounts and websites used in those messages to the proper authorities to get them taken off-line and cleaned up.

If you think you may have fallen for one of these, don’t panic!  Again, call ITS and we’ll help take corrective action to limit any damage.

I’ll address what else to do if you think your system or your information have been compromised in a later post.

Comments

  1. Floyd Davenport says:

    Another indicator can be what I would call “weak personalization”. When you get a message with something like “Dear floyd.davenport@washburn.edu”, that is an indicator that all they really know about you is your email address. I’d be suspicious.

    • kevin Halgren says:

      That’s very true and a very good point, that’s an indication that an automated tool has been used. Actual communication from a company you have a relationship with would, in most cases, have your name on file in addition to e-mail. E-mail addresses may or may not clearly indicate the name, and the automated tools they use to build thousands of these messages can’t reliably translate an e-mail address to an actual name, so they’ll use what they do have, which is the e-mail address itself.
