How To: Phishing attacks – spotting and defending against themby Steve Ragan - Mar 29 2010, 01:47
In this article, The Tech Herald looks at Email-based Phishing attacks and we’ll discuss how to use some easy methods to avoid being caught by them. As an example, we will use a recent IRS Phishing attack making rounds online.
Some Phishing attacks are easy to spot, while others are crafty and take some effort to detect. However, Phishing attacks all have something in common; they want you to do something. Perhaps they want you to download and execute files. Maybe they want you to give them information. The point is, they want something from you.
The things Phishing attacks seek from victims can range from usernames and passwords to your complete personal profile that includes name, address, phone number, Social Security Number, bank information (account number, PIN), and more. As for the files, they can be anything from a file that is said to display a tax refund or statement, to a sales invoice that suddenly charged you an exuberant amount of money.
Just remember, the criminals launching Phishing attacks can only get this information however, if you give it to them.
[Note: If you are familiar with Phishing attacks, and how to avoid them, then this article might not be for you. We’re taking a simple approach for defense and explanation here, so the level of technical insight and coverage will be aimed at those less familiar with the topic.]
Part I - Communication
Phishing starts with a single act of communication. This can come from Email, or a message addressed to you on a social site like Facebook. For this article we will look at Email-based Phishing.
The image below is an IRS related Phishing attack received by The Tech Herald this past weekend. This Email is a classic example of Phishing, and as tax time is coming soon for those of us in the United States, it takes advantage of the date and stress most Americans have when it comes to the IRS.
Phishing gets its name because the criminals blast the same message to thousands of people with the hope that one of them will take the bait. Think of it as tossing a wide net into a body of water where fish swim. Cast the net enough times, and eventually you’ll get some fish. When it comes to Phishing online, the Emails are the net being cast by the criminals, and you’re the food they’re after. Your information is worth money, so is your computer if the criminals control it.
Phishing attacks work, because they can either frighten most people, or at the very least make them curious enough to click on the links embedded in the Email. In this example, you’re supposed to be curious about why the IRS is sending you a tax statement if you haven’t filed your taxes yet, or worried that there was a mistake if you have filed early.
There are some elements which we want to examine in this Email. The first element is the FROM field. In this example it says the Email came from [spaces added intentionally] “mails @ irs.gov”.
This FROM field, and every other FROM field used in Phishing attacks, is spoofed or fake. Never trust these fields when reporting Phishing, or attempting to determine if an Email is part of a Phishing attempt. Criminals know you will look here first, and will go out of their way to make it look as legit as possible.
The second element is the BODY of the Email, where the actual Phishing takes place.
In a normal HTML-based Email, which most readers see, you’ll notice a link and the body text, that’s it. So by looking at this message, you see part of your Email address, a warning that you have unreported income to the IRS, and a link to review a tax statement for more information.
The expected result is that you will do something. Here, that something is clicking the link. Why would the criminals launching this Phishing attack expect this to work though? Again, this particular Phishing attack is designed to either make you curious or to frighten you.
The Email looks like it came from the IRS, based on the FROM field. There is a link, which if you hover over it and give it a quick glance, starts with http://www.irs.gov, and there is a lot of official sounding information in the BODY of the message, so this is legit right? Not so fast.
Let’s tear the Email apart and prove it is a fake.
Part II – Investigation and Protection
By now, if the Phishing attack has worked, some people are either paranoid or curious, and have a strong urge to click the link in the IRS Email. In fact, most know it is a fake but cannot help but to click on it. The thought is that they can click the link and prove that this is all a sham.
However, some sites in a Phishing attack do more than harvest information and offer malicious files for download. They also rig the website to exploit software flaws on a person’s computer, installing Malware (Trojans, rootkits, and other harmful software), without anyone being the wiser.
We know the Email supposedly from the IRS is a fake, but you have to train yourself to prove that it is. Here’s how. First, as mentioned, ignore the FROM field. It’s useless in this mini investigation; let’s focus instead on that link in the Email.
If you hover over the link with your mouse, as we have done in the image below using Microsoft Outlook, you will see the entire address to where it is linking appear. At first glance, you see http://www.irs.gov. Exactly what the criminal wants you to see, as you are expecting an IRS related URL (web address) in the message by this point. Yet, look closer at this address.
On closer inspection, do you see it? Look at the address, just after the http:// and just before the first forward slash ( / ). Notice something odd? You should see www.irs.gov and nothing else, instead you see a much larger URL, and one that actually points not to a .GOV domain, where the legit IRS website lives online, but a .COM.PL (that’s dot COM dot PL) address.
Everything that comes after the forward slash in this address, immediately following the .COM.PL, you can ignore. What we are looking for here is getting used to spotting fake URLs. Knowing that the proper IRS related URL is www.irs.gov, and how domains work, is a key to the forming the proper levels of skepticism when dealing with Phishing attacks.
The URL used in the example Email has irs.gov as a SUBDOMAIN of foodot, which is the domain using the .COM.PL extension. A SUBDOMAIN, to keep things simple, is a site within a site.
For example, mail.steveswebsite.com has a SUBDOMAIN titled mail, linked to the main address stevesdomain.com As URLs can sometimes get long and confusing, criminals play on this fact to give your eyes what they expect to see. You wanted to see www.irs.gov, and you did, as long as you didn’t look at the rest of the address.
Knowing the subject, in this case the IRS, will help guard against curiosity and keep you from clicking random links. It’s one thing to say never trust links in random Emails, and that’s true, but seeing the fake link with your own eyes adds to that advice on a more personal level. After seeing the address above, it is clear this is not an Email from the IRS.
Another way to spot these fake links is to view your Email as plain text. Reading your Email like this will allow you to spot shady links and other abnormalities in an Email. The image below is the same IRS Email, but only this time it is in text format and not HTML.
As you can see, within the brackets is the entire URL. While confusing, the same elements we looked at before to prove this wasn’t related to the IRS are still present. Only now, they stick out like a sore thumb.
We use Microsoft Outlook 2003 for Email, and configuring it to display Email in plain text by default only takes a few steps. Likewise, if you use Microsoft Outlook 2007, there are only a few steps needed to alter how mail is displayed.
Users of Microsoft Outlook should head to the official Microsoft Support Center for instructions on switching Email to plain text. You can view them here. If you use Thunderbird, Mozilla has instructions for plain text formatting here, and most other email clients can be set to plain text view in their settings or will have instructions on how to do so in their help sections.
When it comes to protection from Phishing attacks, the best way is to spot them from the start by picking apart the Email message. You never want to visit the website that is linked in the message, as it’s just too risky. While you can spot fake websites with some observational training, that takes time away from other things, and if you spot it from the message itself you never need to see the site.
Simply use your head and remember that if it looks too good to be true, then it is. Likewise, if an Email uses a lot of urgent wording, overly urgent wording designed to cause a measure of panic; you’re better off ignoring it. In this case, a call to the local IRS office would tell you if you had any tax problems. Though if there were an issue with a tax statement, an Email would be the last method used to make you aware of it.
However, if you have to know, and curiosity is killing you, then call the source of the Email. If it comes from the IRS, call them. Did you get an Email that says your credit card was just charged $6,000.00 USD for something you ordered, but you’ve ordered nothing? Call the issuer of the card directly, assuming you even have such a card to begin with.
Also, many Phishing attacks love to use banks as the bait. Thousands of Emails look as if they come from Bank of America for example. While the same tricks explained previously will let you determine if the Email is legit, you can still enter the address you know yourself and visit Bank of America on your own. Again, operators are standing by, so you can call Bank of America as well. The key is to never click the link in the Email, and never enter the address that the Email displays.
Using what we've talked about here will help you avoid being a victim of Phishing. However, as mentioned this is just a basic view of the problem.
If you are interested in this topic, we can expand the Phishing conversation to account for impact, methods (Social Networking), and other scams. We can even look at Phishing websites and how they are constructed by the criminals.
Leave us a comment and let us know.