3 steps to identify a potential phishing email

As explained in a previous story, the editorial team at CSO was targeted by a phishing campaign recently. If it had been successful, the person(s) behind it would have tricked us into installing the Zeus Trojan, a nasty bit of financial malware.

Lucky for us however, our user awareness training took hold, and we used some basic logic in order to spot the scam. This article will address some basics when it comes to spotting and dealing with a phishing attack.

Each time an email arrives, for most us anyway, it is quickly scanned. Based on a few key elements within the message, the choice of what to do with it is made.

Check the address fields, subject, and look at the attachment(s)

The first area of focus that will determine what is done with the email is the address section. If the email is from someone you know, or from someone of importance (such as your boss), you’re likely to act on it. At the same time, this is also where the first question about the email should be asked; namely, do I know this person? If you don’t, this is the first red flag.

Subject lines set the tone for an email, and are the attention getters. This is where you learn, in most cases, what the email itself is going to focus on. Criminals know that they need to grab your attention, so they will use subject lines that invoke fear, invoke curiosity, or instill a sense of emotion or authority. When it comes to spotting email scams, remember the saying “never judge a book by its cover,” and ignore intent of the email’s subject -- no matter what it says.

The address fields and subject area are often all someone needs to determine if they will act on a given message. However, even if these areas look good, there may be a problem.

Does the email have attachments? If the email has attachments, you’re likely going to want to open them and address them at some point, but the best advice is to stop and question them first. Were you expecting attachments from the person who allegedly sent the email? If you don’t know the person, then why are they attaching files? Even if you do know the person, why did they send the files if they were not expected? If you’re not expecting file attachments, then you should avoid opening them.

When the Phishing email sent to the CSO staff arrived; we questioned its legitimacy immediately. First, none of us had heard of the person sending the email (Pat Evans) or the company represented (Fiserv); the message itself is addressed to the main editorial team, but it was also addressed to email accounts that none of us had ever seen before.

Add to that the email’s subject, simply telling us that there is some sort of scanned file being forwarded, and you have a suspicious email. The straw that broke the camel’s back though was the attachment. The email had a ZIP attachment, which is a known potentially malicious file type. We’re trained to treat ZIP files at random as suspicious, but we do the same for other formats too, such as DOC, XLS, PPT, and PDF. It’s a good habit to form, as most email-based malware is delivered via common file formats.

Again, when faced with a message from an unknown person, with a questionable subject, and risky file type as an attachment, our awareness training tells us that in most cases, the email is a sham. Delete it and ignore it. At this point, I sent an email to my co-workers and instructed them to delete the message we had received and avoid the attachment. As a precaution, IT was alerted, because the email did make it past the anti-Spam server.

Examine the body of the message

So assume the address area checks out, and there are no email attachments. Does this mean the message is perfectly safe? No, in fact, spammers and criminals will use compromised (i.e. legit) email accounts to do their dirty work. So it is entirely possible that a phishing attack is sourced from a real company email account, and used company servers to propagate.

As mentioned, never judge a book by its cover. Just because the email’s addressing and subject looks good so far, doesn’t mean that all is well. This sounds overly paranoid, but these days, there’s good reason to be. For the staff at CSO, Phishing is a serious risk, and that was before groups of hackers like the Syrian Electronic Army started using phishing as a means to attack media organizations. To other organizations, phishing is just as serious, because once a criminal has access to an employee, there isn’t much they can’t do.

So the body of an email message is the second area of focus when judging the overall legitimacy of an email. It’s always best to read your email in plain text. If you’re not already doing that, or you’re not sure, ask the helpdesk (or someone in IT) how to do this, as it’s an easily obtained additional layer of protection.

One of the odd things about the phishing email delivered to CSO was the opening. It was overly formal. In our case, the opening was “Dear Business Associate,” this raised flags, because no one who normally contacts us would address us like that. Also, the body of the email read like a random news pitch. So such a formal opening was way out of place.

When reading the opening of the email, look at how it addresses you. If you know who sent the message, is this how they normally greet you in an email? Give the entire message a quick glance. Now ask yourself, how is it written?

What is the tone of the message? Does it make you want to do something? Is it asking for information or details that you’d normally hesitate sharing? Is it asking you to take an action of some kind? Is there a sense of urgency in the tone of the email, do you feel pressured or rushed? Does it invoke curiosity? If the answer to any of those is a yes, take a step back.

Criminals, especially when it comes to phishing, want something from you. It can be information, or for you to take an action, such as opening a file attachment or visiting a website. In order to do this, they will set the tone of the message to invoke one of the aforementioned mental / emotional states. More often than not, the message will come from a person of authority or from someone with a role of importance to you personally.

The message will contain instructions, steps you must take immediately in order to resolve some issue, or comply with a demand or request. This is why it is important to take a step back, because often a second guess about the email will defeat many of the tricks criminals use.

While scanning the email’s body, it’s also important to look for red flags such as typos, grammatical errors (missing verbs or adjectives), and overly neutral phrasing. Many criminals are not native English speakers, and their scams can be spotted because of it. Another item to look for is the use of universal time (0600 instead of 6:00 a.m.). Many criminals from Europe or Asia will use universal time as a habit, forgetting that most of the U.S. (military excluded) don’t use (or know in some cases) the 24-hour clock.

The phishing email to CSO requested that we open the attachment, in addition to offering a Website for “additional information.” This is a major red flag, and a key reason the email was treated as a scam by the CSO team. Again, it’s our professional knowledge, and our awareness training in action. We’re trained to be suspicious of email attachments in general, especially common formats, and we never follow links within a message that comes to us randomly.

Email Headers

Even though the common areas of the phishing email sent to CSO was enough for us to correctly see it as a scam and avoid it, when determining the authenticity of an email, the headers are a great source of information and worth discussing some.

(In Outlook 2010, the headers are part of the options area of the message ribbon (Tags). In other clients, you can usually right click on the email and select the options menu, and find the headers there.)

Pro Tip: It needs to be said that you shouldn’t need to get to this stage if you are just looking to avoid scams and phishing. In fact, if the attack hasn’t been flagged at this point, contact IT or let the security people deal with it. If you feel the email is suspicious, simply delete it and report the incident.

There’s a lot of information in headers. Some of it is confusing, and some of it self-explanatory. Below, we’ll use the headers from the Phishing email sent to CSO, to explain some of the various bits of data they contain.

Received: from c-xxx-xxx-xxx-xxx.hsd1.in.comcast.net ([xxx.xxx.xxx.xxx]) by exprod6mx237.postini.com ([xxx.xxx.xxx.xxx]) with SMTP; Fri, 06 Sep 2013 12:05:31 EDT

The fist line is the sender’s IP address and ISP information. In this case, we can see that a Comcast user in Indiana (in.comcast.net) is the origin of the message. The company that was used in the phishing email was Fiserv. Fiserv is a company in Wisconsin, so an Indiana ISP wouldn’t be something they’d use.

The xxx.xxx.xxx.xxx in this line represents the IP address that sent the email. CSO has redacted the IP address, as it’s assigned to a compromised computer acting as a bot. Spamhaus, as well as other IP Reputation systems are flagging this IP as malicious due to high-volumes of spam. However, that wasn’t the case on Friday when the email first appeared in our inboxes. If you plan on reporting, or blocking spamming IP addresses, this is the line to check.

The second line (what follows after the word ‘by’) is where the email was delivered from. In most cases, this will be your ISPs SMTP server, in our case; it is one of the anti-Spam servers used by CSO. This is how we know that the email slipped past the normal filters, because this stamp means that during delivery, Postini cleared the message.

But why was this message able to clear the anti-Spam server? The first answer to that question is the Comcast IP. This IP address was, until last week, clean when it came to its overall reputation (most anti-Spam services filter email if the IP has a bad reputation). However, it was also able to bypass the filter because it spoofed a whitelisted domain.

Received: from xxx.xxx.xxx.xxx (account welcome@aexp.com HELO tilhankuqupi.stlzgkmdqvkg.tv) by c-xxx-xxx-xxx-xxx.hsd1.in.comcast.net (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 272604897 for csmith@cxo.com; Fri, 6 Sep 2013 11:05:30 -0500

The top line shows where the Comcast IP address claimed to be welcome@aexp.com when communicating with the ISP’s email servers. AEXP.com is American Express, and this domain has been spoofed by criminals many times in the last year, including several noted phishing attacks.

The AEXP.com address is also listed in the Return-Path (the address to which bounced email messages are to be delivered) part of the header and the ESMTPA (Authenticated SMTP session, meaning the sender needs to authenticate to the mail server) header line. The financial domain has a positive reputation and is often whitelisted on corporate networks.

Taken together, the lines cited here can be used to confirm suspicions that an email was spoofed, and that the sender isn’t who they claim to be. It’s also a helpful tool in locating spammers in some cases, as the IP addresses contain location data. This is how you can tell the Comcast IP is assigned to a system in Indiana. However, it’s likely a bot, so while the host is compromised, its owner is probably clueless to this fact.

Again, you shouldn’t need to get to the point where looking at headers is the only way to prove an email isn’t legit. If it comes to this point, alert IT / Security and let them help. The best protection against phishing is a combination of user awareness (including education), and a solid anti-Spam layer of network defense. The phishing attack on CSO proved that just one or the other isn’t enough.

At the same time, that same attack also proved that awareness training and a little extra thought into a given situation can mean the difference between a passive story and a costly malware outbreak.