Phishing

rootshellace
Published in System Weakness
Dec 12, 2022

We often hear about companies that have been hacked and about the damage reported as a result of the attacks: document leaks, unavailable services, compromised credentials and so on. But many times, everything begins with phishing. Let’s see what this attack is all about!

What is phishing?

Well, phishing is a type of cyber security attack. More precisely, it is a social engineering attack. It comes in various forms: emails, phone calls, SMS and so on. The point is that the attacker will try to impersonate someone or something in order to trick you into handing over items like credentials or credit card info, or into installing or executing software that will infect your device or steal data.

In this article we will focus on phishing emails since, in my opinion, this is the most common way in which we encounter this attack.

Go beyond the appearances - see the hidden email info

When we receive an email, there are some things we are able to see: who the sender is (name and email address), the subject, the date, the recipient’s email (usually yours), the message and maybe some attachments, if any. Basically, one could say that’s enough.

But how would you react if I told you that there is more information than what is visible? We can see all the details if we check the raw version of the email. I will show how to do this for Yahoo and Gmail, but the steps should be similar for other providers.

Yahoo - after opening the email, just press the “3 horizontal dots” button and then click on “View raw message”.

Yahoo - see raw email

Gmail - after opening the email, just press the “3 vertical dots” button and then click on “Show original”.

Gmail - see raw email

Below is a partial screenshot from the raw version of an email received from Duolingo, which I know is legit.

Email headers example

How headers could help us

One thing we can check is whether the From and Reply-To headers match. Sometimes you don’t even need the raw version of the email, because the discrepancy between the sender’s name and email address is big and obvious. But in case it isn’t visible at first glance, you can notice it when you take a look at these two headers.

There are situations when the email is legit and the two headers carry different addresses, but even then the domain is the same. In the above screenshot, we can see that From and Reply-To match. As an extra step, you can verify the Return-Path header. In our example, it contains a domain related to our sender.

X-Originating-IP should also help. By checking this IP, you could get information that confirms the received email is phishing related. One website where you can look up an IP is IPInfo. X-Relaying-Domain could also give you a similar hint.

You can use different tools to analyze the headers of received emails. I tested several, and the one I liked the most is MailHeader. I recommend it in case you ever need to investigate such things.

Revealing signs for phishing related emails

There are a couple of elements that indicate an email is not legit and is actually phishing. Let’s see some of these:

poor grammar

You will often encounter bad grammar in phishing emails. Spelling is also an issue many times. For instance, you receive an email saying your Netflix account has expired. Don’t be surprised if you see that the sender wrote Netflx. Another aspect that exposes phishing is sentences that don’t make sense. I think this is mostly observed when the text’s language is not English; those errors probably come from incorrect automatic translations. In the end, let’s not forget the typos.

urgency

Most of the time, when you receive a phishing email, you can spot this element. Your “Apple” account has been blocked? You must access this link NOW! Your bank account details must be updated? You have to do it right now! You won a prize at the lottery? You need to claim it now by clicking that link, otherwise you will lose it! Whenever you see urgency involved, you should start being suspicious.

use of generic greetings only

Your bank sent you an email stating that your account has been blocked and you need to click on the link they provided to unlock it (of course, you need to do it now :) ), but the first line of the message is “Dear customer”? Well, if it was really your bank that sent it, it should already know your first and last name. After all, it has these details in its systems.

your email address is not in To but in BCC

The email you received was supposed to be for you, right? I mean, you are the one who has to urgently update the account details, right? So why are you in BCC and not in To? There’s no logic to it, and it should immediately be seen as a red flag.
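A way to automate the header checks from the “How headers could help us” section together with the To/BCC check above, as an added example that is not from the article: it parses a constructed raw message with Python’s standard email module and reports From/Reply-To/Return-Path domain mismatches, the X-Originating-IP value, and whether your own address appears in To. Every address, domain and IP in the sample is made up.

```python
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed sample message: every domain and the IP are made up for illustration.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
X-Originating-IP: [203.0.113.45]
From: "Duolingo" <hello@duolingo-rewards.example.net>
Reply-To: <support@collect-prize.example.org>
To: undisclosed-recipients:;
Subject: Claim your prize NOW

Dear customer, click the link below within 24 hours.
"""

def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def analyze_headers(raw, my_address):
    """Apply the From/Reply-To/Return-Path/To checks and pull X-Originating-IP."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # Legit bulk senders often bounce through a separate domain, so this is a
    # hint to look closer, not proof of phishing.
    if return_dom and return_dom != from_dom:
        findings.append("Return-Path domain differs from From domain")
    if my_address.lower() not in to_addrs:
        findings.append("your address is not in To (you were probably BCC'd)")
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "return_path_domain": return_dom,
        # Look this up in a service such as IPInfo to see who really sent it.
        "originating_ip": (msg.get("X-Originating-IP") or "").strip("[] "),
        "findings": findings,
    }

if __name__ == "__main__":
    for finding in analyze_headers(RAW_EMAIL, "me@example.com")["findings"]:
        print("-", finding)
```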

Malicious “actors”

When we receive phishing emails, their purpose is to make us perform an action: download something, run some files or click on specific links. Let’s examine some:

attachments

Many phishing emails come with attachments. It can be an archive with malicious executables inside; there are situations when you get a PDF file containing links that redirect you to nasty websites; or maybe the file in the email is an Excel sheet with dangerous macros. As an example I personally encountered, there was a file that seemed to be a PDF. However, the sender had an interesting idea that might trick some people if they are not careful enough. Obviously, it wasn’t a legit invoice, but the name of the file was something like this:

"Invoice_20210312172833.pdf                                          .exe"

Well, honestly, I found this really creative, because when receiving the email you might not pay attention and “open” the PDF. Instead, you will run an executable which, doubtless, will execute malicious commands. Also, if you download it locally, since there are a lot of spaces between the fake extension and the real one, there is a chance you will not actually see the real extension.
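An added example (not from the article) of how a mail filter or a careful reader could spot the padded double extension shown above; the sample names are constructed, the first mirroring the one in the text.

```python
import re

# Extensions that execute when "opened" and extensions victims expect to be harmless.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def classify_attachment_name(name):
    """Return the real extension and the reasons (if any) the name looks deceptive."""
    reasons = []
    if re.search(r"\s{2,}", name):
        reasons.append("run of whitespace inside the name pushes the real extension out of view")
    # Drop all whitespace so the padded name reads like the plain double extension.
    exts = re.sub(r"\s+", "", name).lower().split(".")[1:]
    real_ext = exts[-1] if exts else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"'.{exts[-2]}' is only a decoy in front of .{real_ext}")
    return {"real_extension": real_ext, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample names; the first mirrors the one from the article.
SAMPLES = [
    "Invoice_20210312172833.pdf                                          .exe",
    "Invoice_20210312172833.pdf",
    "photos.tar.gz",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n[:40]), classify_attachment_name(n))
```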

misleading domain names

You have an email from Facebook in which you are informed that you received a prize in a popular game people play on this site (maybe even you). In order to claim it, you need to log in and collect it. Of course, you are provided a link for login. Let’s say you accessed it and a web page that looks like the official Facebook login opened. Nothing wrong, right? But when you look more closely, you notice it’s not facebook.com but faceb00k.com. Attackers use this trick to steal credentials for different platforms by cloning the login page and using a domain name that is slightly different, replacing a letter with a similar character (m with n, o with 0, i with l and so on). Usually, these pages will just show an error message, no matter what you type in.

I think there’s an even nastier maneuver the attackers can pull. In our case, after entering the email and password and pressing the login button, an error message about invalid credentials may show up; sometimes nothing happens (well, nothing that you will see :) ). But when the attacker clones the official login page, he could alter the code behind the Login button in this way: show an error message to the user and, immediately after, quickly redirect the fake page to the official login page. You try again and now you are logged in successfully. You will think that maybe you just misspelled a character of your password and everything is fine. Well, in such a situation, the attacker already has your credentials, and the bad part is that you don’t even know it.
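An added example, not from the article, of the defender’s side of this trick: it compares a link’s domain with a constructed list of trusted domains after collapsing the character swaps mentioned above (o/0, i/l, m/rn) and also catches a domain that is one typo away. The trusted list and the links are made up, apart from the ones quoted in the text.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains you actually use; adjust to your own.
TRUSTED = {"facebook.com", "netflix.com", "duolingo.com"}
# Each look-alike character maps to one canonical letter, so o/0 and i/l/1 collapse.
CONFUSABLE = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i"})

def canonical(domain):
    """Collapse look-alike substitutions (including rn->m and vv->w) into one spelling."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)

def registrable(url):
    """Host minus subdomains; naive 'last two labels', enough for .com-style names."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Plain Levenshtein distance; catches a single dropped, added or mistyped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Classify the link's domain as trusted, a look-alike of a trusted one, or unknown."""
    dom = registrable(url)
    if dom in TRUSTED:
        return {"domain": dom, "verdict": "trusted", "lookalike_of": None}
    for trusted in TRUSTED:
        if canonical(dom) == canonical(trusted) or edit_distance(dom, trusted) == 1:
            return {"domain": dom, "verdict": "lookalike", "lookalike_of": trusted}
    return {"domain": dom, "verdict": "unknown", "lookalike_of": None}

if __name__ == "__main__":
    for link in ("https://www.facebook.com/login", "https://faceb00k.com/login",
                 "https://netfl1x.com/unlock", "http://hexorveetlol.xyz/steal-password"):
        print(link, "->", check_link(link)["verdict"])
```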

shortened URLs

You are the lucky winner of a shopping voucher at a well-known supermarket. Well, at least that’s what the email says. In order to claim it, you just have to press a button. You hover your mouse cursor over that button and you see, in the bottom left of the page, a link like bit.ly/d87hBB3m. You might have already clicked on similar ones before and they opened some YouTube videos you wanted to watch, so there’s nothing to worry about. After all, the link is not http://hexorveetlol.xyz/steal-password , right? That one would make you think twice before accessing it. Well, unfortunately, behind that shortened link there might be exactly something equivalent to the above one. The reason an attacker uses a shortened link is to hide a strange URL you would never click on.

MS Word/Excel/Powerpoint attachments with macros

Some files associated with programs from the MS Office package can contain macros. When you receive an email (especially an unwanted or unexpected one) with such an attachment, you need to be very careful. You got an email at work with an Excel file that contains a list of expenses and the prices are shown in $. On the first line you see a message saying you need to enable macros in order to convert the values to the local currency. Well, you want to see those values, and not in $, right? I would think twice before enabling those.

You can find out more about macros from the video below, in which I speak about this and solve a challenge related to phishing which involves macros. Have a look!

I want to protect myself, what do I do?

use logic, avoid emotions

You won that lottery prize and you are very happy? Hold on a second, have you ever played the lottery? No? Then, how did they find you to give the reward?

You got a shopping voucher of 1000$ from that supermarket? Let’s think a bit, have you ever bought something from it? You never do your shopping there? Then how does it have your email address?

Your Netflix account has been locked and you need to press that big button to unlock it, otherwise it will be disabled? Do you even have a Netflix account? You don’t? Then why would you receive such an email?

Your “bank” asks you to update the account number? Mhm, isn’t that account provided by the bank itself? Why would it ask you to update something their staff takes care of?

contact the official entities

Using the above examples, if you receive that email from Netflix, go to their website, look for the contact section (email address, phone number or any other means) and ask if your account is really locked. Also, considering the email from the “bank”, do the same thing and call them to ask if their team really sent it. They might even ask you to forward them the message for analysis. This could also help other people, not only you.

pay attention to the domain name

A small difference in a single character can get your account compromised, so take a good look at the websites you are accessing.

expand the shortened URLs

Since attackers use this technique to hide malicious links, why wouldn’t you do the opposite and see what they are actually trying to cover? There are plenty of sites that can help you do this; one of them is ExpandURL.

verify the attachment

You should check whether the file attached to the email you received is legit or not. You can use different websites for this; they provide reports about files and URLs that have been found to be malicious. There are several methods, from uploading the file, to providing the URL where it is found, to providing its hash value. An example of such a page is VirusTotal.

keep the macros disabled by default for MS Office documents

Another thing we can do is block the automatic execution of macros. In this way, we make sure malicious commands are not executed directly when opening a document or an Excel sheet. If the file contains macros but we have disabled them, at least we can have a look at what is inside.

That’s all for now. I hope you enjoyed it. Thank you for the time you took to read this, and I’ll see you in my next article!
