The most effective attack vector used by hackers to spread malware to compromise systems and gain entrance into networks is through email messages. Although email providers and emails clients have increasingly improved their technical and heuristic approach to determine whether and email is legit or not millions of email messages fall through the crack. The truth is that no technical system will ever be able to stop all malicious messages, even the most security email security policy let suspicious messages through or to the contrary blocks so many legit messages that its implementation is question. Finding the right balance is not easy, we also need to take into account that end users (you and I) have a huge responsibility on determining the veracity of an email. Not that you need to be a network security engineer learning a few things on how identify malicious emails will help you becoming a victim of cyber attacks.
According to the Canadian Cyber Safe Site it is estimated that 156 million phishing emails are
sent every day, 16 million make it through filters, 8 million are opened, and 800,000 links are clicked. Phising.org also reports that as of 2011 over 100 billion spam emails are sent each day and over half of internet users get at least 1 phishing email per day. With such staggering number of emails flooding the systems, high attack sophistication, and the availability of hacking tools is not surprise many people fall prey of such email attacks.
Whether you consider yourself a technical expert or an average user I am sure you have asked yourself the same question: “is this email legit?” when looking at your inbox. As a technical service provider my end users contact me on regular basis about this matter, especially after a virus outbreak has taken place in the company or a high profile cyber security case has been in the news. Understandably so users are usually on high alert after such events have occurred because no one would like to be one who clicks on an email that ends up compromising the company information or let a malicious software into the company.
To address this issue whether an email is legit or not I decided to go over basic steps users can take to determine the authenticity of an email message. As always we’ll start with basics concept definitions and then move the techniques to determine if an email is legit while looking at some examples.
Let’s go over important basic concepts:
- Email Spam: The general consensus is that email spam is simply unsolicited email messages with the intention of promotion something. The messages may be benign in a form of legit advertisement from companies promoting their product and services or it can be malignant in the form of email phishing or scam, the point is that the messages were unsolicited with the intent of selling or promoting something. Email Spam has become such a problem The FTC enacted the CAN-SPAM Act whereby businesses must comply with a set of rules and regulations in their electronic communication, failure to comply can result in financial fines for such companies.
- Email phishing: we can say phishing is the art of impersonating a reliable and legitimate source to have the other party provide information they wouldn’t disclose to any untrusted entity otherwise. Applying the concept to the digital world we can say the email phishing is the impersonation or a legitimate email source to allure the end user to provide private information. The impersonation is carried out by cyber-criminals all over the world and their potential victims are basically anybody who can fall in their trap. A more targeted attack known as “spear phishing” is when the attacker crafts the attack vector for a very specific target, this type of attack is common in corporate and political cyber espionage and many times goes unnoticed due to the high level of sophistication.
- Email Scams: Similar to email phishing but it cover a broader spectrum. Wikipedia refers to email scams as “unsolicited email that claims the prospect of a bargain or something for nothing”. Popular emails scam have been circulating the web for years, among them we can find the Nigerian Scam, Lottery scam, Get rich fast, etc. Another interesting point is that scammers usually follow high profile events such as natural disasters to execute their attack and exploit the good will of people and willingness to assist those in needs by pretending to be victims or helping organizations.
- Private Information: as self-explanatory as it is I want to touch on this concept. Most cyber-criminals are looking for private information they can use for identity theft purposes but in their worst day they also welcome clues that will lead them to private information. This is especially true in spear phishing attacks where they puzzle up a digital profile collecting public records, piece by piece, until they can recreate a digital finger print or the person.
- Social Engineering: a simple definition is that it’s the art use using trickery with the purpose of manipulation, it relies on exploiting human behaviors and interactions to make the potential victim “lower their guard”.
Now that we have covered the basic concepts is important to understand the different basic components that make up an email address:
The basic anatomy of an email message:
In its basic form an email message is composed of a Sender (From), Subject and Message Body fields for the most part, those are the fields most users consider before deciding opening or discarding an email message .
A social engineering example:
One of the most effective ways for cyber-criminals to launch their attacks is by using social engineering techniques, most attacks are not really based on rocket science or highly sophisticated technical processes but rather exploiting the human link to gain access to the technical configuration where they can carry out further attacks.
A proven effective way for them to have the recipient open a message is by manipulating the Sender’s field because there’s a much better chance for an email message to be opened when it comes from a reliable source than from an unknown source. This field is what you enter for first name and last name when creating an email account.
Let’s go over the components of an email address to further illustrate the point, for this I’ll use my own personal email as an example: firstname.lastname@example.org:
Jdiaz: represents the sender’s unique name within the domain.
Jdtechsolutions: registered domain name, unique in within the top level domain.
.net is the top level domain.
When I created the email address for the jdtechsolutions.net domain I just had to select the email name (jdiaz) and my display name (Jorge Diaz).
Why is this information important? Well phishing attacks attempt to impersonate the sender’s identity, in other words the email or at the very least the display name. The registered domain is not an easy target for cyber criminals to hack, or at least it doesn’t prove to be time and cost effective but with simple tools they can easily mimic the registered domain.
In our example, compromising jdtechsolutions’ email servers may be difficult and time consuming but an easier way may be for cyber-criminals to register a domain that resembles my original domain, for example they can register jdtechsolutoins.net.
Let’s take a closer look at it:
Unless you pay close attention it’d be difficult to spot the deceptive site, that is exactly what has happened to many large companies, especially banking and financial institutions like Bank of America where attackers create fake websites, spoofed email address, and twitter handles with the original corporate marketing logos to lure people to follow their hyperlinks. In cases like these hackers did not have the need to take over the company’s website but tricked users into following their links and provide their banking information.
Another interesting point that is exploited using social engineering is the fact that email clients are “user friendly”, by default email clients show the sender’s display name on the main view pane. Meaning that when an email message arrives the From and Subject field will show the information about the sender, not really the sever or source it originated from.
Continuing using my account as an example, when I send an email it shows as coming from Jorge Diaz and the email is email@example.com. The default view on most email clients, especially MS Outlook, is to show the display name of the sender, cyber criminals can in turn send email from Jorge Diaz with the counterfeit domain (jdtechsoluoins.net) to my contacts and associates and most likely the email messages will be open without investigation or suspicion.
This type of attacks of forging a website is short in nature, it doesn’t take long for someone to realize they’re connected to a fake website and alert authorities. That’s not say it’s not effective as the cyber criminals may have accomplished their mission before the site is taken down.
As you can use social engineering plays a big factor in email attacks. In cases like this, how can you tell if the message is legit?
Let’s go over another example and break it down even further. The following shows an email I received from what seems to be known source: Nilsa Vielma but a closer look at the message reveals it’s not a legit email.
Again, Microsoft outlook’s default view is to show the senders name, date, and subject. It does not display the sender’s real email address but rather the Display name. In the following example I identify the sender’s name as a trusted source and may be tempted to follow the link but further investigate reveals something else.
When I opened the message to do further investigation I noticed that the email address does not really reflect the one from sender I know, thus raising a red flag.
Not only does the email not reflect the name of the person I know but also the domain name is from what seems to be a suspicious source. To briefly touch on this topic it’s completely normal for an email to be different from the display name. The t-online domain is the subdomain of .de top level domain, it is the top level domain assigned to Denmark. Using a little bit of logic I can determine that it is not a legitimate email because the legit source has a Hotmail account.
It is a best practice for businesses to block emails originating from top level domain if they have no business relation with the country or origin, for instance, companies in the US may choose to block emails from .rs, .de, .ch, .ng, etc. if they don’t have any relation with businesses under those domain. To see a list of top level domain check IANA’s database here.
The previous example is what I consider an easy catch, after all it just takes a few seconds a trained eye to spot a spam email. There are, however, more crafty email spams that require more than simply a trained eyed to identify them.
Let’s look at the following example:
The next email shows an unlikely email from the president of the United States. He personally wrote to me to let me know that my company has been awarded the IT Support contract for the house white. Obviously that didn’t happen but the email looks legit indeed.
Let’s take a closer look by opening the email and checking the domain it was originated from:
To the naked eye it may seem as if the email really originated from the whitehouse.gov, after all it shows the mail as firstname.lastname@example.org, but did it? Obviously it didn’t but how can one tell? After all it’s very easy for me to rule it out as a spam because of the nature of the email but what about if you receive an email from what seems to be a coworker, your boss, or business client? Well in this case you have to dig dipper, the same way packets don’t lie in a network analysis an email header does not lie when analyzing an email.
An email header doesn’t lie:
A more technically advanced method of looking at the source of an email address is by analyzing the email header. The email header contains all technical information about the email message including sender’s email, email servers, IP address, time, etc. that can be used to track the email source. Analyzing an email headers was a daunting task a few years ago but nowadays there are many free online tools available that make the life of IT administrators easier. In the following examples I’ll be using Microsoft’s Message Analyzer, it is a tool part of Microsoft Connectivity Analyzer tool set.
Let’s start by getting the email header (also known as Internet header) from your email client, in my case I have Outlook 2013 so I open up the message, go to File and select Properties. The email header is listed as Internet headers.
As stated earlier the Internet header will provide and “X” ray view of the email message, the basic header output does not provide user friendly information so we’re going to copy the header and paste it on the Microsoft Message Analyzer.
Once the message is analyzed you’ll notice a few interesting points that will help you verify authenticity. First of all notice on the Summary section that the message id is:
Also the Originator IP is 184.108.40.206 and the sender domain is orbit.eternalimpact.info, not really whitehouse.gov. The IP address is extremely important because it can be tracked to the server sending the message.
In this example Microsoft Email Header Analyzer did not classified the message as a Spam, each analyzer uses different criteria to determine when something can be classified as a spam that is why it’s a good idea to run the same test against other analyzers. We’ll continue using MX Lookup, which is a tool found in the mxtoolbox.com website. It reveals a complete different story and flags the sender as a spammer, it is very common for some senders to be listed on some black lists and omitted in others as they each use their own criteria.
In this example Mxtoolbox.com identifies the 220.127.116.11 IP as black listed IP address:
When compared to major IP address blacklists the sender’s IP address comes up on Barracuda’s list:
So as excited as I would’ve been had the message been legit the email headers revealed it’s simply a scam, as I mentioned earlier, email header does not lie.
Though we will not able to completely stop phishing attacks or email scams from arriving to our inbox we can take the necessary measures to ensure we don’t fall victims of the attacks. There are other type of attacks that stem from compromising one’s computer, in those cases the attacker can send a message from a reliable source email address that will never be flagged as a spam by any analyzer but the content of the message may include malicious code. It simply proves that we should implement a holistic information security culture to make sure we cover all different layers of communication.
As a final recap:
A combination of technical implementations plus user awareness can greatly mitigate the likelihood of successful attacks.
Always remember to cover the basics:
- Does the message makes any sense to you?
- Check the email address, especially the domain it came from.
- Analyze the email header to ensure legitimacy.
- Have an up-to date antivirus software with email engine enabled.
- Block untrusted top level domains.
- Implement browser protection to scan for hidden malicious hyperlink in messages.
- Turn on your host firewall.
- For businesses: Implement email filter solutions.
Lastly, if still doubtful contact your IT support.
We provide IT Support Services for small businesses and organizations in Northern NJ and NYC. Our experience and strategical technical vision allow us to develop highly efficient and cost effective solutions.
email@example.com | 888-580-4450