Phishing is a type of social engineering attack where the attacker sends malicious links or attachments, usually via email, in the hopes of getting an unsuspecting victim to click on the intended payload.
These attacks can be purely at random, where the attacker sends out thousands or millions of malicious emails. But, these emails can also be sent to a specific target or targets, with more detailed and personalized content. These types of attacks are called Spear-Phishing, and, due to their custom nature, tend to be even harder to spot than standard phishing attempts.
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
– Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier
One technique I have adopted is to treat every email I receive as suspicious. I try not to take for granted any services, correspondences, or newsletters that I frequently receive, and I am always on-guard when it comes to the following types of emails:
This is just a sample of what has aroused my suspicions in the past, and the bolded email type at the top is always a prime indicator that shenanigans may be afoot. Attachments such as PDFs or spreadsheets can have malicious, executable code embedded within them, so it’s always best to be sure you know for certain the attached file is safe before opening.
One way an attacker may successfully phish a target is by changing their email metadata to appear as though it is coming from a valid source. This is a spoofing technique used in many phishing attacks, but it can usually be thwarted with a simple trick. Hackers hate this!
There are many different ways to verify the email sender is actually who they say they are, but it depends on which email platform you are using. For most platforms, you can either click on the message details at the top to view more information or you can view the raw message, or source of the message, to see the complete picture.
For web platforms such as Yahoo Mail, the easiest way to view the sender’s true information would be to open the message, and scrutinize the sender’s details at the top of the email message. Here is an example phishing email I received yesterday:
For all intents and purposes, this appears to be a valid email from Apple’s support system. But if I click on the email message and view the sender’s details, I can see that the sender is actually some long, nonsense email address, and it doesn’t even route to apple.com as I would expect.
Notice, the attacker didn’t send the email directly to me; I was probably just one of many BCC targets. Additionally, the sender’s true address appears as a nonsensical email that I wouldn’t even forward a chain letter.
It’s not always this easy to spot a fake email address. The attackers in this email could have easily decided to use something more subtle, like “[email protected]”, or possibly along the lines of “[email protected]”, where the ‘as’ TLD is actually the country code for American Samoa. Neither of those emails would route to apple.com, they just appear like they might at first glance (and that’s the point).
Ok, there’s no need to resuscitate an email message, but CPR can be a handy acronym to remember whenever you are about to click on an embedded hyperlink from an email.
Instead of blindly clicking on a web link, which can be extremely dangerous, the better option would be to always copy the link, paste it into your favorite web browser, review the hostname of the URL, then, only if everything checks out, continue on to the website as intended.
When reviewing and verifying the hostname, you will need to understand a few of the parts of a given URL. Specifically, the subdomain, domain, and top-level domain (TLD). Let’s look at ‘www.example.com’ for further clarification.
The subdomain most people are familiar with is ‘www’, which stands for world-wide-web, but there are essentially no restrictions on what a subdomain can or can’t be called. So, if we were attackers trying to get victims to click on a fake support portal, we might want to use various subdomains like ‘support’ or ‘help’ instead of ‘www’. It’s important to note, a hostname can have more than one subdomain, so even something like ‘www.test.help.support.example.com’ could still be a valid hostname you could navigate to.
The domain is considered to be the name of the website. In this case, ‘example’ is our domain, and a sub-section of that domain is the ‘www’ segment. This is the core of any URL, and immediately precedes the TLD.
When we add ‘.com’ to our domain, we now have a valid domain/TLD combo, as these two items are required to navigate to any website on the internet. Immediately following the TLD would be a forward-slash character (‘/’), which indicates that the hostname definition has been terminated, and the file path has begun.
To clear up the above, let’s look at two sample URLs:
The first URL points to the ‘help’ subdomain of the host called ‘example.com’. The second URL, though, points to a different host called ‘help.com’, to the subdomain titled ‘example’. The trailing string of ‘support/help/home’ is considered to be the file path.
Another way to review a website URL without worrying about domains and TLDs would be to type out the URL by hand, and navigate manually to the desired portion of the website. This ensures that a malicious URL cannot get the better of you, but there is still the possibility of a typo. Typing out the full URL and navigating to the page in question is generally more safe than clicking on a link.
Phishing techniques have evolved over the years, but email-based phishing attacks are still prevalent today and require attention to detail to ensure safe browsing. Train your brain to suspect every email that populates your inbox, always make sure the sender is actually who they say they are, perform hyperlink C-P-R instead of blindly opening a web link from an email, and NEVER open an attachment from an unsafe or unknown source.