What is a phishing attack and how to identify it - the definite guide
We know everyone has heard of them, but not everyone can easily detect that they are under phishing cyber attack. In this article, we will lay out the basics that will help you spot the malicious email in your Inbox. We will also explain the difference between phishing and spear phishing attacks and how to identify them.
February 08, 20216 min
Email remains widely used in both business and private matters as one of the leading communication methods. Because of that, email is commonly used as a marketing platform, and we are all familiar with all kinds of promotional newsletters ending up in our mailboxes.
That led to the inevitable production of malicious acts, frauds, spam emails, and some more sophisticated ways of malicious intents.
Let’s talk about spam for a moment. Spam can be anything unwanted, but it’s mostly used as a term for unwanted emails, direct messages (IM), or mobile (SMS) messages. Spam emails are mainly based on (Sosa, 2010):
- Money loan frauds
- “Make money fast” frauds
- Pharmaceutical marketing
- Chain mail
- Illegal pirated software etc.
About 40% of emails are considered spam, and some sources say that the number has increased up to 70%. (Awad, Elsuofi, 2011).
What is not considered spam?
- Your friend emailing you with funny cat videos multiple times a day (your friend is a known entity to you)
- Your boss sending you an unexpected employee termination letter (certainly unwanted, but not spam)
- Emails containing malicious software like viruses (they have some common points, but they are not considered spam)
How to identify spam email?
Except for the topics mentioned above, spam emails often have the following characteristics:
- The sender is unknown or suspicious
- It has spelling errors, often seemingly unintentional, with the goal of tricking your spam filter
- The author is claiming that the email isn't spam
- Offers are on a large discount, but just for you or for a short and limited period (asking to perform some urgent action)
- You are gifted with an award, mostly financial
Phishing is an attack vector where the attacker is sending a malicious email (because of which that email can be classified as spam) where he is falsely identifying himself as someone reliable and known (e.g., your bank, your boss, Google, Facebook, etc.) with the intention of stealing sensitive data like passwords, credit card numbers, PINs, etc. Phishing emails evolved and became more sophisticated and persuasive, thus more dangerous. (Basnet, Mukkamala, Sung, 2008).
There are multiple features that can be string indicators by which we can recognize phishing attempts in emails:
- Email is sent over a new domain - the domain is activated a few hours or days ago
- Multiple domains in the URL - phishing emails often ask you to visit an attached URL. Sometimes that particular URL can have multiple domains, which is a case of a URL Redirection Attack. (e.g., http://www.example.com/login.php?redirect=http://www.bla.com/home.php)
- The occurrence of an IP address in a URL - legitimate websites usually have their own domain.
- The occurrence of shortened URLs (Bitly, TinyURL)
- Mismatch of email from the email header and the email body
Phishing emails often claim that:
- There are problems with your account
- You must confirm some personal info
- You must perform some kind of urgent action
- You should check the attachment
Recently, we had a nicely realized phishing attempt. It can be seen in Figure 1. The body of the email contains a persuasive message about some security concerns related to the used software. The email is sent from a domain that includes the real name of the product (ledgersupport.io), but in fact, isn’t sent by the real source, meaning the attacker is falsely identifying themselves to the victim.
Ledger phishing attempt
What is a spear phishing attack?
Spear phishing is an advanced and more sophisticated attack vector because the attacker is targeting a specific individual, organization, or company. The attacker presents himself as a trustworthy source or a specific individual well known to the victim. Spear phishing attacks that are targeting high-level executives like CEOs are called whaling attacks. Executives in companies and organizations are often targeted because they are usually under pressure and doing time-critical tasks. Those attacks are often asking to abuse processes, deliver some sensitive information, or perform urgent payments. (Northcutt)
How do spear phishing attacks work?
- Attacker researches his victims and all info about them (email, full name, native language, job position)
- Once the data is collected, the attacker works out a strategy. Usually, this includes duplicating web pages that the victim is familiar with and creating a fake email address
- The attacker sends a fake email message that looks like it came from the trusted person/institution. More sophisticated attacks are happening over several emails, where attackers gradually build trust, story, and context
- Attack usually ends with the victim sending valuable information
In some even more sophisticated scenarios, the attacker can go a step further and spoof the email address to make it look more trustworthy to the reader. Email spoofing is the act of sending emails with false sender addresses (Malwarebytes, 2020).
A great example of email spoofing can be seen in Figure 2, where the attacker pretends to be the USA president.
An example of email spoofing
By checking the headers of that particular email, it can be seen that the sender is obviously not the real president, as shown in Figure 3. Long story short, the “From” and “Return-Path” fields don’t match, which is a solid indication that this email is spoofed.
Email headers of phishing attempt examples
Let’s go back to Spear Phishing. A few days ago, we had a “textbook example” of a spear phishing attempt that can be seen in Figure 4. The attacker presented himself as someone known to the victim, and the victim can easily overlook the email address he has created. The content of the email asks for a big payment that is due today. It has almost every characteristic of a classic spear phishing attempt.
Translation of the text in Figure 4:
Body: Good morning, can we pay 26.650 Euros today? I need advice. Thank you. Best regards
We can conclude that the difference between spam and phishing is in the malicious intent of the attacker. The main goal of the spammer is to sell something, often-low quality products. Spammers just have an item to sell and choose spam as their preferred technique for contacting potential buyers. It is important to emphasize that their items and products can also be fraudulent. Phishing attempts have a malicious nature, and their goal is mostly stealing information, data, credentials, or money. (Belcic, 2020)
In the "phishing vs. spear phishing" case, we can say that the difference between phishing and spear fishing is the approach and the target. Spear phishing attacks target specifically chosen individuals, organizations, or companies, whereas phishing attacks have a wider spread vector and are sent to multiple (hundreds, thousands) of potential victims. Because of that, spear phishing attacks are way more dangerous because they seem personal, and attackers present themselves as a known or trusted individual or party.
Be wary and careful when dealing with any email you receive, expected or not. Do not hesitate; ask someone to help and analyze a particular email for you. Always take your time to double-check when asked to perform something that might be unusual or suspicious in any way. If you suspect that a particular email is malicious, approach it with caution, and never attempt to:
- Click on any URLs
- Click on any form buttons
- Open any attachments, no matter the extension
- Provide personal, confidential, or credit card information
- Provide passwords
- Report suspicious emails to the security team
- Keep your anti-virus, anti-spam, etc., up to date
- Check the headers of an email for mismatches of the sender email
- Outlook how-to: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-msoffice_custom-mso_2010/view-source-of-an-email/1d5029bd-9401-4342-8409-fa396b8959fb
- Thunderbird how-to: CTRL+U
- Gmail how-to: https://support.google.com/mail/answer/29436?hl=en
If you think that you’ve opened a malicious URL or attachment:
- Disconnect your device from the internet and any networks to reduce the potential spread of the malware
- Perform a complete scan of your system
- Contact your financial institution or bank in case your financial information is at risk
Keep in mind that:
- Phishing and spear phishing attacks are very easy to perform
- No technical/hacking knowledge is needed to perform these types of attacks
- It is easy to obtain tools and scripts to perform phishing attempts
The best way to avoid phishing and other email related scams is to raise security awareness and educate yourself and learn about the phishers' tactics. There is a lot of great literature online about the topics mentioned above. Feel free to contact us anytime if you wish to learn something more about the following topic.