At HoxHunt we have a front-row seat to the latest phishing attacks as they are reported by the HoxHunt network. The best way to deal with them is to be prepared. That’s why we’ve created an in-depth guide to common phishing red flags, together with a handy phishing infographic for quick reference.
Cybersecurity attacks come in many different forms and use a variety of attack approaches, known as attack vectors, to achieve their goals. The most dangerous vector is the one exploiting the “human factor,” which is the weakest element in computer security.
Social Engineering (SE), in the context of IT, is an attack that uses psychological manipulation (social tricks), over the phone or through a computing device, to convince someone to hand over sensitive information (e.g. account credentials, bank details, private email address, phone number) about themselves or about their organization and its computer systems (e.g. the type of software/hardware used and the security controls in place). Many attackers use SE tactics to silently install malware on victim machines, gaining full access to confidential information and the ability to monitor a victim’s online activities remotely.
Criminals find it much easier to exploit the human tendency to trust than to use hacking tools and related techniques against computerized systems. For example, using SE tactics to convince an unsuspecting user to hand over their login credentials is easier than exploiting a software vulnerability to access the target corporate network.
Social Engineering (SE) attacks can be broadly classified into two categories:
- Email phishing attacks
- Phone-based or in-person attacks
The existence of two categories of SE attacks does not mean that an attacker must use only one type per attack; in fact, many SE tricks combine both to achieve the desired result.
A phishing email is the most widely used SE attack, so let us start with that.
Email is the gateway most used by cyber criminals to spread malware. Research conducted by IBM in 2017 states that 59% of ransomware attacks come via phishing emails and that 91% of all malware is delivered via email. In addition, most of the large data breaches in recent years have been due to phishing (according to the Verizon 2018 Data Breach Investigations Report). This makes email the number one threat and the preferred route for any intruder wanting to invade enterprise networks.
Email phishing works by sending an email that appears to come from a trusted sender, with the goal of fooling the recipient into handing over sensitive information or installing malware on their machine. While the aim of many phishing attacks is to steal confidential data, such as bank account details or personal data, for financial gain, phishing can also be the initial entry point of advanced cyber-attacks such as ransomware and Advanced Persistent Threats (APT). This makes phishing a critical cyber threat that everyone should learn about.
Anatomy of a phishing email
Now, let’s take a look at real-world phishing email examples and investigate the technological and social tricks employed within them to fool the unsuspecting user.
First: Investigating the subject field
- Phishing emails often use urgent, alarming or threatening language in the subject line (e.g. threatening account closure if you do not act promptly). You’re often asked to send your details, fill in online forms, or click a link to renew your subscription or to update your personal details on a social media profile. Such emails pretend to be from your email service provider, your bank, or one of your social networking accounts. See (Figure 2) for a phishing email with a threatening subject and (Figure 3) for another phishing email with a threatening statement in the body of the email.
- Is there an “RE:” at the start? If the message pretends to be a reply to an email you never sent, it could be a phishing email.
Second: Investigating the “From” field
- The “From” field in (Figure 1) shows the sender name (display name) as “Protonmail”. However, the sender email address does not come from the “ProtonMail” domain; it comes from ccc.org. Note that the domain name in the “From” field does not need to be genuine either, as attackers can easily spoof legitimate domain names and use them in their phishing emails.
- We need to check if we are familiar with the sending address. Ask yourself the following questions:
- Did you receive emails from this address before? Is it normal to receive emails from this address?
- If you are familiar with the sending address, read it carefully and check for any misspelling in the sender name or in the domain name associated with the email (e.g. paypal.com can be misspelled as paypall.com or paypallae.com).
- Check whether the sender domain name is malicious. WARNING: only attempt this if you understand how to do it safely. There are many free online services that check whether a particular domain name is malicious; the following are among the most popular:

Tools to Check Phishing Domains:

| Tool | URL |
|---|---|
| Comodo Web Inspector | https://webinspector.com |
| Norton Safe Web | https://safeweb.norton.com |

- Do you have a business relationship with the sending address? If yes, read the email carefully: do they ask you to hand over any of your account credentials, to access an online form to update your personal details for some service, or simply to download the attached file? Try to communicate directly with the sender, by phone or in person, and ask them about the legitimacy of the email.
Third: Investigating The “To” field
- In (Figure 1), the “To” field displays “Undisclosed Recipients”. This means the email was sent to one or more recipients without showing their addresses, using the BCC field. The email is therefore not directed to you personally and could be part of a larger spam or ransomware campaign.
- If the “CC” field is populated with addresses, check them one by one. Are you familiar with any of them?
Fourth: Investigating the “Email date/time”
- From (Figure 1), the email was sent at 3:55 AM. If this email pretends to be from a person inside your organization, ask yourself: what is the sender’s local time zone? Is it normal to send emails at this time (outside business hours)? You can check the local date/time of any place on earth at https://www.timeanddate.com/time/map/.
Fifth: Investigating hyperlinks
- Check hyperlinks within the body of the email by hovering your mouse over the link to display the real address. Check whether this address matches the link text typed in the message (see Figure 4) or the sender’s domain name.
- Some attackers use URL shortening services to mask the real phishing URL sent to the user. Services like Bitly (https://bitly.com), TinyURL (https://tinyurl.com) and Tinycc (https://tiny.cc) allow anyone to shorten any URL. In (Figure 1), the “Verify Your TWO-FACTOR AUTHENTICATION” link points to the following URL: https://tinyurl.com/********. If you suspect that a short URL could be a scam, you can expand it using a free online service such as http://checkshorturl.com or Expand URL (https://www.expandurl.net) to see the true destination (see Figure 5).
- Sometimes a phishing email contains only a hyperlink without any additional content. In this case, avoid clicking the link and use the techniques already mentioned to find out its real destination.
- Hyperlinks can be misspelled intentionally to mislead the recipient. A phishing website may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (.com becomes .org or .info).
Always THINK before you click any link!
Sixth: Investigating Email body & attachments
- Does the sender urge you to respond promptly? Be very careful with ‘scary’ and threatening emails; these are likely phishing attempts.
- Email from legitimate sources, especially from your bank or a social media website, will use a personal salutation with your first and last name, not a generic one like the one in (Figure 1) (e.g. Dear “Esteemed User”, “Valued Customer”). Still, a proper salutation does not guarantee that an email is legitimate, as the attacker may have gathered your details through OSINT.
- Emails from legitimate organizations will rarely contain poor spelling, grammatical errors, or text produced by machine translators (such as Google Translate). Their content is usually written by professional writers and native speakers, and proofread with automated software to fix any errors.
- Does the sender ask you to click on a link to update your info online or to renew your subscription? Make sure to investigate all hyperlinks within the email, including any social media links in the sender’s email signature, as described above.
- Senders should include their full name in the email signature, together with a phone number and address if the email comes from a company. Legitimate businesses always provide a full contact address. Verify these details from sources other than those provided in the email.
- Does the sender ask you to open an attached PDF or MS Office document such as Word or Excel? Be very careful about opening these file types, because they may contain malware. Compressed files (ZIP and RAR) are also a big red flag when sent via email.
- And finally, were you expecting an attachment from this sender? Is it normal for the sender to send you this type of attachment?
Which file extensions are more likely to contain malicious code?
.DOC, .XLS, .PPT, .DOCM, .DOTM, .XLSM, .XLTM, .XLAM, .PPTM, .POTM, .PPAM, .PPSM, .SLDM, .PDF, .RAR, .ZIP, .7Z, .JS, .JSE, .VB, .VBE, .VBS, .DLL, .DMG, .DRV, .GRP, .OCX, .OVL, .SYS, .VDL, .VXD, .EXE
Only .TXT files are safe to open.
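The header and hyperlink checks from steps one to five above, written up as a small Python triage script. This is an added example, not HoxHunt’s code: the brand list, the shortener list and the sample message are constructed assumptions modelled on the Figure 1 indicators, and the lookalike test is a simple string-similarity heuristic.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lookup data: impersonated brands (name fragment -> genuine domain) and shortener hosts.
BRANDS = {"protonmail": "protonmail.com", "paypal": "paypal.com"}
SHORTENERS = {"tinyurl.com", "bit.ly", "bitly.com", "tiny.cc"}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

# Constructed sample modelled on the Figure 1 indicators; not a real message.
SAMPLE = """From: Protonmail <support@ccc.org>
To: Undisclosed Recipients:;
Subject: RE: Verify Your TWO-FACTOR AUTHENTICATION
Content-Type: text/html

<p><a href="https://tinyurl.com/placeholder">Verify Your TWO-FACTOR AUTHENTICATION</a></p>
<p><a href="http://login.example.net/">https://mail.protonmail.com/login</a></p>
"""

def phishing_flags(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # First: a genuine "RE:" carries the References header of the thread it answers.
    if msg.get("Subject", "").upper().startswith("RE:") and not msg.get("References"):
        flags.append("subject says RE: but message has no References header")
    # Second: display name vs. real sender domain, and lookalikes such as paypall.com.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, real in BRANDS.items():
        if brand in name.lower() and domain != real and not domain.endswith("." + real):
            flags.append(f"display name '{name}' but sender domain is {domain}, not {real}")
        labels = (domain.split(".")[0], real.split(".")[0])  # compare first labels only
        if labels[0] != labels[1] and SequenceMatcher(None, *labels).ratio() >= 0.8:
            flags.append(f"sender domain {domain} is a lookalike of {real}")
    # Third: no named recipient means the message went out via BCC.
    to = msg.get("To")
    if to is None or not to.addresses or "undisclosed" in str(to).lower():
        flags.append("no named recipient (BCC / undisclosed recipients)")
    body = msg.get_body(preferencelist=("html",))  # Fifth: real href vs. text shown
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            flags.append(f"link '{text}' goes through URL shortener {host}")
        shown = urlparse(text.strip()).hostname
        if shown and shown != host:
            flags.append(f"link text shows {shown} but points to {host}")
    return flags
```

Running `phishing_flags(SAMPLE)` returns five flags, one for each indicator the sample reproduces; the date/time check from step four is left to the reader because it depends on the sender’s time zone.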
Countermeasures against phishing attacks
There’s no magic bullet that protects you against all phishing attacks, but a combination of software, skepticism and common sense will go a long way. Here are a few things to consider:
- Do not reveal any sensitive information. Some phishers may have partial information and ask you to confirm it in order to gain your trust and extract more information. Keep this in mind and simply do not give or confirm any information or details.
- Pay attention to the URLs included in emails sent to you, and do not click hyperlinks in a suspected phishing email, especially when you want to check your bank account.
- If you suspect that an email could be illegitimate, verify it by contacting the company by phone. Look up their contact information on their website rather than using the information listed in the email signature.
- Do not install programs or download files sent as attachments in emails from unknown senders. If you want to test software sent through email, run it in a virtual machine (e.g. VirtualBox offers free virtualization software and supports all major operating systems).
- Always discard pop-up screens and never enter information using them.
- Make sure any website you enter information into is served over HTTPS with a valid SSL/TLS certificate (see Figure 6). Keep in mind that this does not guarantee a site’s legitimacy: over 20% (and rising) of phishing sites actually use HTTPS.
- Most virus scanners nowadays have some form of protection which prevents you from accessing known phishing domains. Make sure you keep your antivirus software up-to-date and activated.
- Do not publish your primary email address online. Create and use another account for public use.
- Enterprises should invest in continuously educating their employees about cyber-security threats and countermeasures (Cybersecurity awareness training).
Advanced Forms of Phishing
There are more advanced forms of phishing attacks that utilize a wider range of techniques. These attacks often focus on a specific entity, whether they are individuals or business entities. These targeted attacks rely on personalized phishing emails to gain sensitive information from high-value targets such as CEOs, CFOs, and other executives. These types of phishing campaigns require a large amount of preparation and research, with well-planned attack vectors to gradually gain entry to more sensitive information.
Mitigating these types of attacks requires individuals to be constantly aware that they might be the target of a phishing attack. And while cybersecurity training may temporarily raise awareness, on its own it doesn’t create a cybersecurity culture.