The Security Skeptic

Recognizing and Responding to a Phishing Attack

05/24/2014 12:25:14 PM

Even the best of antispam measures may not be enough to protect you from spoof email messages. By spoof email, I mean a message that appears to be from a party you know – most commonly, an ecommerce site, financial institution, even your IT department – but in fact, is a bogus message, with a malicious intent.

A spoof email message is an all too common example of social engineering, and one frequently used in identity theft. The attacker composes an email that claims to come from a server or user the user normally trusts: for example, you may receive a message from

  • your bank, requesting that you update your personal information;
  • your IT department, requesting that you change your password before it expires.
  • an online retailer, requesting that you verify your credit card information;
  • an online auction site, claiming that someone has used your account to make fake bids
  • a delivery service, informing you of a delayed shipment
  • the Internal Revenue Service, notifying you that you are delinquent with your tax payments

Such attacks, also known as phishing, carding, and brand spoofing, fool users into visiting a URL that looks like a legitimate site, but is actually the attacker’s machine, where the attacker continues the spoof, possibly using web pages and forms to gather user accounts, passwords, credit card and other personal and sensitive information.

To the hasty and uninformed, spoof email or phish email looks sufficiently “legit”, so the attack succeeds frequently enough to be worth the phisher’s while.

Here’s a short list of things you can do to prevent falling victim to phishing:

  1. Don’t be hasty. Even when email comes from a source you trust, think as you read and before you click on a hyperlink (URL) in an email message.
  2. Examine a URL before you visit it. read How to Tell if a Link is Safe Before You Visit It
  3. Don’t play Crime Scene Investigator on your personal or company machine. If you suspect malice, report it. Reputable site operators publish specific guidelines for reporting spoofing: eBay, for example, asks you to send the entire email message, including headers, to spoof@ebay.com They’ll confirm receipt with an email like this one. Notice there’s an embedded link in eBay’s confirm email. Examine this one, and you’ll see the host name pages.ebay.com in both the text and embedded link. Resolve the name (practice makes perfect).
  4. Look for clues that the message is bogus. You can play coroner if not CSI: the (message) body always reveals the truth. If you suspect something’s amiss, chances are, you are right. Re-read the message. If it’s really an emerchant or bank, or your IT department, chances are (1) they will often include a telephone number; (2) the grammar and punctuation will be proofed and correct; (3) the department that claims to author the email will exist; (4) a return email address will be provided.
  5. Always be suspicious of emails that ask you to take an action like change a password or update your personal information, and always check the link carefully. For example, you usually access a bank or emerchant account using SSL, right? If the URL is not https:// you’re probably being spoofed. But even if it is, you should be cautious and enter the secure (SSL) URL you normally use.
  6. Are the mail headers phishy?If you know a bit about email headers, you can look to see that the email originated from the purported sender’s domain and mailbox. In the legitimate email from ebay.com, you’ll see “Received: from outbound1.smf.ebay.com (HELO smf-klm-01.corp.ebay.com) (66.135.215.134)”, whereas in the spoof email, you see, ” Received: from nameservices.net (HELO garniernutrice.com) (216.117.142.207)…”. My partner, Lisa Phifer, adds, “sender addresses can be forged, and mail can be relayed through insufficiently protected SMTP servers, so don’t assumed ‘Received from:’ is always accurate. It might tell you something is phishy, but not necessarily tell you who really sent the email.”