Phishing attacks – Educated users are your best defense!

According to the “IBM X-Force Threat Intelligence Index 2017” report, phishing remains a primary tool in the attacker’s toolkit. By the end of 2016, spam volume had increased fourfold compared with the previous year, and a growing share of that spam carried malicious attachments, with ransomware accounting for 85% of them.

The unfortunate fact is that phishing proves, time and time again, to be an efficient way to steal sensitive information and/or deliver malicious content to internal devices, allowing attackers to encrypt sensitive data and hold it for ransom, or to create a backdoor into your environment. According to the 2017 Verizon Data Breach Investigations Report, 51% of all breaches involved malware, and 66% of that malware was delivered via email. With this in mind, this article identifies 6 tips that may help end-users spot malicious email, and potentially save your organization a whole lot of time and money.

6 Tips for Spotting Phishing Emails

We are going to take this opportunity to look at 6 ways in which we can educate end-users to identify phishing emails, and then at the appropriate response when dealing with suspicious email.

1. Don’t trust the display name.
The “display name” is the human-readable name shown next to, or in many mail clients instead of, the sender’s address, and it identifies who the email is supposedly from. Keep in mind that this is a claim to an identity, not proof of one: the sender sets the display name to whatever they like. The same is true of the sender’s email address, which may have been spoofed (SMTP does not, by itself, verify the From header) or may belong to a legitimate account that has been compromised. Mail servers can check a sending domain with SPF, DKIM and DMARC, but those results are rarely visible to the end-user, so the rule for users is simple: treat the display name as untrusted, and look at the actual address behind it.

2. Check out the links (Look but don’t touch!)
The purpose of a phishing email is to manipulate the victim into performing some type of action, such as divulging some form of sensitive information. Phishing campaigns commonly use hyperlinks (web links) embedded within the email to trick the victim into visiting malicious sites that steal sensitive information or deliver malware.

Web links actually consist of two parts: first, the ‘display text’, which is the visible text or image that the recipient clicks on, and secondly, the actual ‘link code’ (e.g. http://www.lmqtechnology.com), which controls the true destination of the link, i.e. where the victim will be taken if they click it. Because the two are separate, the ‘display text’ and the ‘link code’ can be completely different. Figure 1.0 illustrates how the hyperlink text can differ from the location the link actually takes the end-user to.

Figure 1.0 – Separate display and link code

Quite often when dealing with web links (i.e. hyperlinks) the ‘display text’ and the ‘link code’ will match, as shown in figure 1.1.

Figure 1.1 – Matching display and link code

Phishing campaigns will often leverage this trait, specifying a legitimate website address as the ‘display text’ so that the end-user assumes that that is where the link will take them.

Figure 1.2 – Using a legitimate website address as the display text

So, you may be wondering how you can tell the actual link code apart from the address that is being displayed. Fortunately, this is easy in most email programs: simply hover the cursor over the link (shown in figure 1.3) and the true destination is revealed, typically in a tooltip or in the status bar. Be careful not to click the link itself! On a touch-screen device, a long press usually shows the destination without opening it.

Figure 1.3 – Determining the real link code

Link codes that reference obscure domain names, or domains that merely resemble the domain the email claims to come from (the brand name used as a subdomain of some other domain, a misspelling, or extra words such as “-secure” or “-login” bolted on), are indicators of foul play. Remember that the part that matters is the registrable domain, i.e. the last labels of the host name before the first slash (for example `secure-verify.example` in `http://xyzbank.secure-verify.example/login`), not a familiar name that appears earlier in the address.

3. Pay attention to the salutation
Ever been at a party and bumped into someone whose name you should know, but for the life of you can’t remember? What happens? You end up using generic salutations to get through the awkward encounter: “Hey”, “Hey buddy”, etc. Phishing emails often run into the same issue: the sender either does not know who they are talking to, or must accommodate a wide number of recipients. In fact, unless you are the target of a “spear phishing” campaign, there is a pretty good chance that the salutation will be generic.

Common examples of generic email salutations include:

“Dear <your bank name> customer”
“Dear valued customer”
“Dear user”
“Attention: <your bank> customer”
“Attention <webmail> user”

4. Personal Information
While tools exist for encrypting email, email is not encrypted end-to-end by default, so as a rule of thumb it is never prudent to include personal information in email. This rule applies to both legitimate and malicious email. The same rule applies to non-encrypted web connections (http rather than https): if you are asked to supply personal information (username, password, address, SSN, etc.), always make sure you know the party the information is being sent to, and that it is being sent securely. One caveat: the padlock shown for an https connection only proves that the connection is encrypted to the owner of the domain in the address bar. Phishing sites can and do use https, so the padlock says nothing about whether that domain is the one you intended.

5. Urgency & Penalty
These two aspects go hand in hand. The most successful phishing campaigns have been found to be those that invoke a sense of urgency, often being sent with ‘high priority’ and/or containing words such as “Urgent!” or “Please read”. This is an attempt to induce panic so that the end-user acts, as people are prone to making rash decisions when they feel under pressure. This brings us to the second aspect of this point, ‘penalty’: to further increase the sense of urgency and pressure, there will normally be some type of penalty for non-compliance with what is being asked.

Phishing attacks are a form of social engineering which involves manipulating human behavior (in an attempt to aid the attacker in reaching their goal). Therefore, you may find that widely advertised or known threats are used as pressure points in order to invoke a response to the email; for example, if the news reports an outbreak of a new computer virus that is causing wide-spread damage to organizations a phishing campaign might leverage this information:

Dear valued customer

Over the past few days you will have undoubtedly heard about a malicious virus called <VirusXYZ> and the damage it has already caused to a number of financial institutions throughout the US. I would like to take this opportunity to reassure you that here are <your bank name> we place the upmost importance on your security and privacy, whilst ensuring superior customer service.

For this reason, we are asking that all online banking customers validate their login credentials by entering them at our website using the link below. If you are unable to comply with this request it will be assumed that your account has been compromised and will be frozen until you are able to come to your local branch and verify your information:

Please validate your information by using the information below:

http://www.yourbankaddress.com

Regards
XYZ Bank Inc.

6. Bad Grammar & misspelling
Malicious emails often contain spelling errors and/or bad grammar, which hopefully, in the recipient’s eyes, should undermine the credibility of the email. Sometimes the spelling and grammar are correct but the tone of the email is inappropriate. Some of these irregularities may be explained by English not being the attacker’s first language; analysts within Cisco’s security team have found that online language translators account for some of these grammar issues. Be careful not to rely on this point, though, as professional spear phishing campaigns will not typically make this mistake.

Many organizations treat phishing as a technical problem requiring a technical solution, installing a device such as a spam filter and/or some form of web security gateway. The truth of the matter is that effective mitigation isn’t that straightforward (especially for spear phishing campaigns), and typically requires a defense-in-depth approach, with user education sitting firmly at the center of the solution. For this reason, LMQ Technology offers a comprehensive and multifaceted Security Awareness Training program that can be integrated into an organization’s existing compliance program. Our awareness course, which is built upon the ‘CIS Critical Security Controls’, is designed to ensure that your end-users are not only educated on the risks and threats facing businesses today, but also helps modify potentially detrimental end-user behavior, allowing them to respond to malicious activity appropriately and keep your business safe.

References:

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
https://www.ibm.com/security/data-breach/threat-intelligence
https://umbrella.cisco.com/blog/2016/02/08/grammar-and-spelling-errors-in-phishing-and-malware/