- March 19, 2018
You may be an InfoSec n00b but not all is lost. You are far from alone. Now more than ever, security is everyone’s problem but it’s difficult. So much is taken out of our control in the name of making our life easier that in the end, it can be harder to protect ourselves and, by extension, the companies we may be working for.
As a starting point, let’s talk about something that everyone is probably familiar with. You likely have either received them or at least you have one or two sitting in your Junk folder that your mail provider kindly put there for you because they recognized what it was. They don’t always catch them, though, so how would you identify a phishing attempt from a legitimate e-mail message? This ends up hitting on two important tenets of information security – confidentiality and integrity. By way of illustrating the point, we will use an e-mail message I recently received that had been identified as Junk for me. You can see the message below.
Of course, the line that says this message appears to be junk mail is a dead giveaway but let’s pretend that doesn’t exist. What makes this a phishing message and why is it a security problem? First, if you look at the line that has the sender’s information, you can see that where a name would normally be, there is an e-mail address saying firstname.lastname@example.org. Except that where the e-mail address is, there is a different e-mail address entirely. The fact that the real e-mail address has nothing to do with PayPal is a giant red flag that should say, “stay as far away from this message as you can.” This is a failure of integrity. The message didn’t come from who it purports to come from.
However, your e-mail client may only present the name of the sender, so it would look like it was from email@example.com. This is a common problem with modern e-mail clients. They hide what can be important information in order to not distract you. You can see this in the To: line where it’s just my name. I have several e-mail addresses that all go into the same mailbox, so knowing what e-mail address it was actually sent to may be helpful to me in determining whether this is something I should be taking seriously. If you can, make sure to look closely at the From: and To: field.
Another indicator to me for this particular message is I haven’t had any dealings with PayPal in a long time. I certainly haven’t done anything out of the country. If you see addresses out of the country, that may be a warning to stay clear of the message as well. You will notice, though, as you look closely at the e-mail message, that it looks completely legitimate. It has PayPal’s logo, after all. This is another failure of integrity because it’s easy to copy the look of PayPal e-mails and also copy their logo. Creating a message that says it’s from PayPal when it, in fact, isn’t, means the message lacks integrity. It’s not what it claims to be.
Finally, and here is where we get away from integrity a little, is the Cancel link in the message. I hovered my mouse over the link to reveal the URL the link will take me to. You will notice this is also not PayPal. If PayPal was going to send you a link to cancel a transaction, you can be sure that the URL would be to a PayPal site that was at paypal.com and not at mysp.ac. When you go to that site, you can be pretty sure they will ask information of you like, perhaps, your PayPal user ID and maybe your password. This would be a breach of confidentiality because you are exposing information to someone who shouldn’t have it.
The mysp.ac URL highlights an interesting point, though. Phishing attacks and other, similar, attacks are collectively called social engineering. You are using social cues to get someone to do something they shouldn’t be doing – especially revealing information that shouldn’t be exposed. There will be a lot of tricks done to fool you. This URL is another one. You will notice that it bears a little resemblance to myspace (myspace.com). This is likely not a coincidence. You will regularly find URLs and e-mail addresses that include portions of a legitimate domain name. As an example, I was asked to look at something recently where the URL was something along the lines of Microsoft.com.f4587.bogushosting.com. It included Microsoft.com in hopes that people will see that and be fooled into thinking that it is actually Microsoft.com.
Take a look through your own e-mail folder and your junk folder. See if you can find instances of phishing attacks. Compare the important pieces of a legitimate message (sender, receiver, any links, etc.) to one that is not legitimate. See if you can spot the differences on your own. Being more aware of phishing scams is everyone’s responsibility.