24

Given the recent spate of intrusions into various networks which have included compromise of subscriber identity and contact information, I figured it would be good for us to have a thread on how to spot and react to a "phishing" attempt.

While the most common and prominent avenue for phishing is by e-mail, these social engineering attempts can really take on any form. If Oscar has all of Alice's contact information (as may be the case in recent high-profile attacks) he may try to manipulate her via e-mail, phone call, SMS, or even by postal letter.

Oscar's attacks can be further augmented by intimate knowledge of Alice's more personal details. (Again, these may have been gained in some recent incidents.) Such details may include credit card numbers, purchase histories, birth date, dependents, "security questions and answers", etc.

Still, regardless of the attack vector and complexity, there are a number of features that often set phishing attempts apart from legitimate vendor correspondence. Additionally, there's a number of preventative and reactive measures which can be taken to protect oneself from falling victim to these attacks.

  • What are some "red flags" that are commonly found in phishing attempts?

  • What are some ways Alice can verify the identity of a suspected phisher, if she believes the contact may be legitimate?

  • If a suspect message includes a request for actions to be taken by Alice, and she believes the message may be legitimate, how should she follow up?

Again, answers are welcome for all attack vectors which may be used by someone with complete contact information for the target, possibly including:

  • E-mail
  • Phone number
    • Voice call - "vishing"
    • SMS messaging - "smishing"
  • Physical address
    • Postal mail
    • Door-to-door solicitation

Note to moderators - This thread might be a good fit for Community Wiki.

Iszi
  • Good question. Do you mean at a syntactical level, like so tools can deal with it? Do you mean, what tools should Alice be using to flag these attempts? Or factors Alice should consider in her risk-analysis decision? Or, all of the above... – AviD Apr 27 '11 at 09:00
  • Btw phishing over SMS is called "smishing", and over voice call "vishing". True story. – AviD Apr 27 '11 at 09:00
  • @AviD - If there are good tools out there, feel free to recommend them, and explain how they are effective. However, this is more to help Alice know what things to keep in mind when looking through her e-mail. – Iszi Apr 27 '11 at 12:32
  • @AviD - Thanks for the terminology lesson. Updating question now. – Iszi Apr 27 '11 at 12:33

4 Answers

24

Phishing "red flags":


  • Any un-solicited communication regarding any account you have. Certainly, this criterion is the easiest one to have a false-positive hit on, and probably shouldn't be the only clue you act on, but it's also your first clue.
  • Any un-solicited communication regarding any account you don't have. There's definitely something wrong, if it appears that an organization with whom you have no business relationship is contacting you. These require careful consideration, and may necessitate additional defensive actions. Generally, a communication of this type is one of three things:
    1. Spam
    2. Phishing
    3. Evidence of identity theft
  • Un-solicited, or unexpected e-mail attachments. Anymore, I actually get a little irritated by anyone who sends me an attachment in e-mail without advance notice or request. There are so many other ways to share data over the Internet and across intranets these days that e-mailing it as an attachment is rarely an actual necessity. If there's a form that you must fill out, or a document you really need to read, most legitimate organizations will post it on their official website somewhere that you can access it with an appropriate level of security.
  • Requests for you to send your username and/or password, or other personal details. No legitimate organization should be requesting any of this from you, via a contact that they initiated. Also, no legitimate organization will ever ask you for your password via any person-to-person contact. Common phrases used here are "verify your account" or "confirm billing information".
  • Proliferate spelling, grammar, or factual errors. Some phishers are getting better about avoiding this, but it is still a common hallmark of cheap phishing attacks.
  • An overwhelming emphasis on urgency. Phishers often want you to think you must rush to action, so that you might not take enough time to realize their scam.
  • Overly formal, yet very generalized salutations. Stuff like "Mr/Mrs" or "Dear Sir or Madam" or "To Whom It May Concern". Unless this is a message you're expecting, and the tone is appropriate for the context, the unnecessary cordiality is probably just being used to warm you up to buy snake oil. Most legitimate organizations know their audience, and will customize their greeting to either identify you by your first and/or last name or username, or will have a greeting that specifically identifies you as their customer.
  • Anything "too good to be true". You know the old saying. This is also another very general indicator that should set off anyone's alarms, regardless of how the "deal" is conveyed.
  • FROM addresses that don't match the REPLY address. This is another criterion that may be prone to false positives, but should still raise your level of suspicion. Many legitimate organizations that send mass e-mails will more than likely be doing so from an address dedicated for that purpose. So, a legitimate e-mail will probably include either non-e-mail-based follow-up instructions, separate follow-up e-mail addresses, specific instructions for replying to the e-mail (keywords for subject and/or body), and/or a specific notice stating that direct replies to the e-mail will neither be received nor answered.
  • Hyperlinked URLs whose targets do not match the link text. Before you even think about actually clicking on any hyperlink in an e-mail, hover your mouse over it for a second to see where it really sends you. If the link text is http://google.com/ but the link actually points you to somewhere else like http://lmgtfy.com/*, you probably don't want to go there. Such a link may appear like this: http://google.com/ (Mouseover to see actual target.)
  • Hyperlinks that use shortened URLs. This criterion may have a lot of false-positive hits, but still warrants some cautionary measures and perhaps a raised level of suspicion.
  • Hyperlinks with very long and complex targets, even to "legitimate" websites. These may possibly be cross-site scripting attacks.

*http://lmgtfy.com is actually a benign website, and was only used to provide an example of URL link-text not pointing to where it says it's pointing.

Phishing countermeasures:


  • Stop, breathe, and think. No matter what they tell you, don't let yourself get into any rush. If someone is initiating a contact with you, taking time out of your day, they can stand to wait a few minutes (or even hours) while you sort things out for yourself, and decide what you're going to do.
  • Do not offer any information. This is what phishers want. Even if you're not giving them the specific information they're asking for, you may still be giving them something else they can use against you later.
  • Do not open any e-mail attachments. Just. Don't. Do. It.
  • Do not follow any hyperlinks or URLs. Again, just don't.
  • Do your own research. Google. Wiki. Snopes. Repeat.
  • Do not do anything they ask, in the way they want you to do it. If it's a legitimate communication, you'll be able to find your own way of doing what's asked of you without them. For e-mails wanting you to go to a specific URL, instead go to the known-good-and-trusted HTTPS website of the organization and find your way to the requested function from there. For phone, mail, or other interactions, end the conversation and go use Google or the organization's known-good-and-trusted homepage to find (or verify) the correct contact information for follow-up.
  • Do not reply. This goes along with not doing what they ask, how they ask it. Again, if the contact is legitimate, you should be able to follow up without actually answering back to the solicitor themselves. Even if the e-mail appears to come from an address referenced on a legitimate website, do not use the reply function. Instead, use a link or form on the known-good-and-trusted site, or manually fill in the e-mail address on a new message.
  • Just say no. To drugs, and solicitors of every kind. Whatever service they are offering is not one that you need them in order to acquire. If the offer is legitimate, you will be able to find a comparable level of service via your own research, and likely through safer and more secure mechanisms. If they really insist that they need to get credit for the service, take their information and do your own research and validation before doing any business directly with them.
  • Ask a pro. When in doubt, ask someone you trust who's "in the know" about these things. This may even just be part of the "Don't do what they ask." step - the purported organization's help desk (which you'll look up yourself) should definitely be able to tell you if the contact was legitimate.
Iszi
  • Lots of good tips here - thanks. But I think it is also important to warn folks that even mail that appears to come from their regular correspondents can usually be easily spoofed, and those correspondents can often be guessed at by looking for Facebook friends, etc. If a friend asks for something odd, or asks it in an odd way, that too should be suspect. As @getahobby notes, we should be spreading DKIM and perhaps SPF more widely, and start actually signing emails (S/MIME). – nealmcb Apr 29 '11 at 15:40
  • @nealmcb - You bring up good points. My query is to address things that are fully within the recipient's control, so DKIM and SPF don't quite fit the bill. The issue of mail from "regular correspondents" is one that should be addressed though. I've flagged the answer as CW, so feel free to contribute. – Iszi Apr 29 '11 at 19:21
  • You get annoyed at attachments? :( Any other method of sharing would not give them a permanent copy of the file that they can refer back to; the link can go stale. Attachment is the only way to actually attach a copy... – user541686 Sep 19 '17 at 21:41
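The header and hyperlink red flags in the answer above (FROM vs. REPLY-TO mismatch, unexpected attachments, link text that names one host while the target points at another, shortened URLs, very long targets) can be checked mechanically before anyone hovers a mouse. The following is an added example, not code from the answer or from any mail tool: a small scanner over a raw RFC 5322 message using only the Python standard library. The shortener list, the length threshold, the two-label "registrable domain" heuristic and the sample message are all constructed for the example.

```python
"""Added example: flag common phishing red flags in a raw e-mail message.
Constructed for illustration; the shortener list and sample message are not
from the original answer."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short list of well-known URL shorteners, for illustration only.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
LONG_URL_THRESHOLD = 120  # characters; arbitrary cut-off chosen for this example


def registrable_domain(host):
    """Crude 'organization' part of a host: its last two labels.
    Good enough here; a real checker would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Lower-cased host of an absolute URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_message(raw):
    """Return a list of human-readable red flags found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # FROM address whose domain differs from the REPLY-TO address.
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    if from_hdr and reply_hdr and from_hdr.addresses and reply_hdr.addresses:
        from_dom = from_hdr.addresses[0].domain.lower()
        reply_dom = reply_hdr.addresses[0].domain.lower()
        if from_dom != reply_dom:
            flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Unexpected attachments (any attachment is reported; the reader decides).
    for part in msg.iter_attachments():
        flags.append(f"attachment present: {part.get_filename() or '(unnamed)'}")

    # Hyperlink checks on the HTML body, if there is one.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.anchors:
            href_host = host_of(href)
            text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                flags.append(f"link text says {text_host} but target is {href_host}")
            if href_host in SHORTENER_HOSTS:
                flags.append(f"shortened URL: {href}")
            if len(href) > LONG_URL_THRESHOLD:
                flags.append(f"very long URL target ({len(href)} chars): {href[:40]}...")
    return flags


# Constructed sample message showing several of the flags at once.
SAMPLE_MESSAGE = """\
From: "Example Bank" <alerts@bank.example>
Reply-To: verify@bank-example-login.test
To: alice@example.net
Subject: Urgent: confirm billing information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Sir or Madam, verify your account within 24 hours:</p>
<a href="http://bank-example-login.test/verify">http://bank.example/</a><br>
<a href="http://bit.ly/abc123">Click here</a>
</body></html>
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for flag in scan_message(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Each flag is a hint for a human, not a verdict: a mismatch between link text and target is strong, an attachment or a shortened URL on its own is weak, which is exactly why the answer lists them as things that "raise your level of suspicion" rather than as proof.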
5

As for email-based phishing:

The number one red flag is anything or anybody asking for the user password. There is never any valid reason for a valid maintenance message to ask for the user password: those who may need the password already have it, by construction.

The second flag is a URL which points to a bad site name or is obfuscated in some way. In particular if the displayed URL is not identical to the one which you can get by "hovering" on the link.

If you instruct your users to check for those two conditions (should not ask for any password; hover before clicking and see if the URL begins with a genuine http(s)://the.good.site.name/whatever), then you will not have 100% protection against phishing, but your sysadmin teams will have much more free time for dealing with the nastier attempts.

It really boils down to educating the users. The main concept that they should understand is that if it is by email then it is not urgent. It can wait for a few minutes -- enough time to ask a sysadmin to apply his divination skills on the offending email (technology is and will remain magic to most users, so the goal is to make them refer to the appropriate shaman for the non-trivial cases, instead of trying to handle them themselves). For some reason, people tend to lose a bit of common sense when technology is involved; otherwise, phishing is no different than classical cons. Therefore, much can be achieved by studying the classics. I recommend movies such as The Sting, Ocean's Eleven or The Spanish Prisoner.

Thomas Pornin
  • It isn't a well written book, but even Kevin Mitnick's book - The Art of Deception - does a reasonable job of breaking down the technology con back to those basic classics. Worth a read. – Rory Alsop Apr 28 '11 at 13:33
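The "hover before clicking and see if the URL begins with a genuine http(s)://the.good.site.name/whatever" rule from the answer above is easy to state and surprisingly easy to get wrong in code, because a naive `startswith` check is fooled by hosts that merely contain the good name. The following added example (not from the answer, and not any product's code) makes the rule precise: a link counts as pointing to the good site only if it is an absolute URL, uses https (the example tightens the answer's "http(s)" to https only), and its host is exactly the good host or one of its subdomains. The good host name is the answer's placeholder; accepting subdomains is this example's choice.

```python
"""Added example: does a hovered URL really point to the good site?
Assumes https only and accepts subdomains of the good host; both are
choices made for this example, not part of the original answer."""
from urllib.parse import urlparse


def points_to_good_site(url, good_host):
    """True only if `url` is an absolute https URL whose host is `good_host`
    or a subdomain of it. Look-alike tricks evaluate to False:
      - host that merely starts with the good name (the.good.site.name.evil.test)
      - good name placed in the userinfo part (https://the.good.site.name@evil.test/)
      - good name in the path rather than the host
      - plain http, or no scheme at all"""
    try:
        parts = urlparse(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    good = good_host.lower().rstrip(".")
    return host == good or host.endswith("." + good)


if __name__ == "__main__":
    GOOD = "the.good.site.name"
    # Constructed sample links, as a user might see them when hovering.
    for candidate in (
        "https://the.good.site.name/whatever",
        "https://login.the.good.site.name/account",
        "http://the.good.site.name/whatever",
        "https://the.good.site.name.evil.test/login",
        "https://the.good.site.name@evil.test/login",
        "https://evil.test/the.good.site.name/",
    ):
        print(points_to_good_site(candidate, GOOD), candidate)
```

`urlparse(...).hostname` does the heavy lifting: it discards any `user:pass@` prefix and any `:port` suffix, so the comparison is made against the host a browser would actually connect to, which is the only thing the "hover" check is supposed to confirm.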
1

As far as detecting a phishing attack, is this not an example where SPF and/or DKIM might actually be useful if implemented correctly? More of an avenue for somebody with a technical background to use rather than an end user.

getahobby
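SPF and DKIM, as the answer above notes, are checked by the receiving mail server rather than by the end user; the server records its verdicts in an Authentication-Results header (RFC 8601). The following is an added example, not the answer's own material or any mail server's code, showing how that header can be read and, in the spirit of DMARC alignment, how a "pass" is only meaningful when the domain it applies to matches the domain in the From header the user actually sees. The header parsing is deliberately simplified and both sample messages are constructed.

```python
"""Added example: read Authentication-Results and test SPF/DKIM alignment
against the From header. Simplified RFC 8601 parsing; sample messages are
constructed for the example."""
import re
import email
from email import policy


def parse_auth_results(value):
    """Return {'spf': (result, domain), 'dkim': (result, domain)} from an
    Authentication-Results header value. The domain is smtp.mailfrom= for
    SPF and header.d= for DKIM; '' if the clause carries none."""
    results = {}
    # The first clause is the authserv-id (e.g. "mx.example.net"); skip it.
    for clause in value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        d = re.search(r"(?:header\.d|smtp\.mailfrom)=([^\s;]+)", clause)
        domain = d.group(1).lower() if d else ""
        if "@" in domain:  # smtp.mailfrom may be a full address
            domain = domain.split("@", 1)[1]
        results[method] = (result, domain)
    return results


def is_aligned(raw_message):
    """True if SPF or DKIM passed for exactly the domain in the From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if not from_hdr or not from_hdr.addresses:
        return False
    from_domain = from_hdr.addresses[0].domain.lower()
    auth = msg.get("Authentication-Results")
    if not auth:
        return False
    results = parse_auth_results(str(auth))
    for method in ("dkim", "spf"):
        result, domain = results.get(method, ("none", ""))
        if result == "pass" and domain == from_domain:
            return True
    return False


# Constructed sample: the receiving server recorded SPF and DKIM passes
# for the same domain the From header claims.
ALIGNED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example header.i=@bank.example
From: Example Bank <alerts@bank.example>
Subject: Statement available

body
"""

# Constructed sample: both checks pass, but for the sending service's own
# domain, not the domain shown in From. A "pass" alone proves nothing here.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer.bulk-sender.test;
 dkim=pass header.d=bulk-sender.test
From: Example Bank <alerts@bank.example>
Subject: Urgent: confirm billing information

body
"""

if __name__ == "__main__":
    print("aligned:", is_aligned(ALIGNED))  # True
    print("spoofed:", is_aligned(SPOOFED))  # False
```

Two practical caveats for anyone wiring this into a mail filter: only the Authentication-Results header added by your own receiving server can be trusted (a sender can include a fabricated one, which is why receivers are expected to strip or rename pre-existing copies), and an unaligned pass is not itself proof of phishing; plenty of legitimate bulk mail is sent through third-party services whose domains differ from the From domain.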
0

The from field and the reply-to field don't match up. This can definitely produce false positives, but it is something to keep an eye out for. This one can't really be determined programmatically (well, maybe Watson can do it), but the grammar and mannerisms are generally not very good when compared to native speakers. For some good examples check out the Targeted E-mail Attacks blog.

As far as things the end user can do, this is going to be vague because I think the topic is subjective. But, they just have to be vigilant. Basic things like switching to less targeted products may help (FoxIt Pro or Google's online viewing tools to view documents, or maybe OpenOffice, to name a few). Using NoScript with Firefox might help make the user more vigilant/aware (but honestly, probably just more frustrated). Maybe try to find some examples of real world attacks and the impact they had on an organization to help train people on the effects.

harley