Phishing for the holidays!
It's the silly time of the year again here in the UK. The shops have removed the plastic skeletons, and the cheap tinsel is back out. And we had the first ice on the fishpond.
This is also the time of year that attempts will be made to dazzle us with holiday special prices and links to dancing elf cards. Our inbox fills with Black Friday special offers, last minute offers, and holiday offers to warmer places.
But what about the mail we don't get in our inbox? Few people today realise what sits behind their Outlook, Gmail or (insert mail client of choice here). Mail filtering has become a huge and sophisticated undertaking. For a mail to reach us today, getting the email address right is no longer enough: filtering can occur on the sender-recipient relationship, the domain reputation of the sender, and the attributes of the mail header. All that for a simple, plain text "Hi - missed you at the office party last week...". If there's more (images, attachments, URLs), the contents themselves are analysed. Only a fraction of all sent mail gets through to its intended recipient.
We have become reliant on the technology to protect us. But even the most sophisticated filtering cannot stop all threats. We are all vulnerable on the people side of the iron triangle - our own human nature, conditioned by the society in which we live. Social engineering relies on that human nature to manipulate users. It's used all the time - "Hurry - this is a limited offer!" really means the advertiser wants to instil a sense of urgency. Buy now or miss out!
Phishing relies on those parts in the iron triangle to be vulnerable. If the mail filter (technology) blocks mail with malicious URLs, the attacker needs to change their approach.
So now they send a mail to attack the people (once again), with the malicious attachment stored in a cloud drive (OneDrive, Google Drive, Dropbox). This gets past the mail filter, as these drives all have legitimate domains and URLs.
Another tell-tale sign that a mail could be bad is when the URLs within the mail point to different domains. Hover over the links within the mail and see if all the links share the same domain. Often, the attacker uses the real links to the company site, social media and images, with the malicious code behind another one. Mail filtering might pick up on this, but not always.
Another attack that has been used recently is to take over Office 365 accounts with weak passwords. Once again, any mail from these accounts looks "legitimate". These were used for more targeted spear-phishing attacks, as the built-in security wouldn't allow the mass spamming used in most phishing attacks.
There are some things we can look for in these mails independent of technology:
- Look at the mail address - not the label that your mail client displays, but the actual sending address. Does this match the label?
- Look if it's anonymous - does the mail address you by name, or is it a "Dear Customer" mail?
- Look at the psychology - are they using fear, greed or empathy to get you to respond?
- Look at the URLs - although mail filtering might pick up bad URLs, some might be missed (OK, that's one technology!).
- Does it send you to a cloud drive to "download a price list"?
Any mail could show one of these signs - if it shows four of them (or all of them!), it could be suspicious.
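The checklist above can be run by a script as well as by eye. The following is an added example, not code from the original post: it parses a raw message with Python's standard email library and applies the five checks (label vs. real sender address, generic greeting, urgency language, mixed link domains, cloud-drive link), scoring a mail as suspicious at four or more hits, as the post suggests. Both sample messages, all addresses, domains and URLs in it are constructed for illustration; the keyword lists and the cloud-drive host list are assumptions, and the domain comparison is a crude last-two-labels heuristic rather than a Public Suffix List lookup.

```python
"""Heuristic phishing checklist over a raw mail (added example, not the post's code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists; a real deployment would maintain these from its own telemetry.
CLOUD_DRIVE_HOSTS = ("1drv.ms", "onedrive.live.com", "drive.google.com",
                     "docs.google.com", "dropbox.com")
URGENCY_WORDS = ("hurry", "limited offer", "urgent", "immediately",
                 "account will be suspended", "last chance", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member",
                     "dear account holder", "valued customer")
GENERIC_LABEL_WORDS = {"team", "support", "security", "service", "alerts", "mail"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude company domain of a host: its last two labels (mail.example.com -> example.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_cloud_drive(host: str) -> bool:
    """True when the link host is (a subdomain of) one of the listed cloud drives."""
    return any(host == h or host.endswith("." + h) for h in CLOUD_DRIVE_HOSTS)


def label_mismatch(display_name: str, sender_domain: str) -> bool:
    """True when the From: label does not fit the domain of the real sending address."""
    if not display_name or not sender_domain:
        return False
    name = display_name.lower()
    if "@" in name:  # the label itself looks like an address: compare its domain
        return registrable_domain(name.split("@")[-1].strip('"<> ')) != sender_domain
    # Otherwise expect some brand word from the label to appear in the sending domain.
    tokens = [t for t in re.findall(r"[a-z0-9]{4,}", name) if t not in GENERIC_LABEL_WORDS]
    return bool(tokens) and not any(t in sender_domain for t in tokens)


def check_message(raw: str) -> dict:
    """Apply the five checks to one RFC 822 message string and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""

    # Prefer the HTML part (where the links live), fall back to plain text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    lowered = body.lower()

    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]
    link_domains = sorted({registrable_domain(h) for h in hosts if h})

    findings = {
        "label_mismatch": label_mismatch(display_name, sender_domain),
        "generic_greeting": any(g in lowered for g in GENERIC_GREETINGS),
        "urgency_language": any(w in lowered for w in URGENCY_WORDS),
        "mixed_link_domains": len(link_domains) > 1
        or any(d != sender_domain for d in link_domains),
        "cloud_drive_link": any(is_cloud_drive(h) for h in hosts),
    }
    score = sum(findings.values())
    # Threshold of four follows the post's rule of thumb.
    return {**findings, "link_domains": link_domains, "score": score,
            "suspicious": score >= 4}


# Constructed sample: a phishing mail hitting every check.
SAMPLE_PHISH = """\
From: "Acme Bank Security" <acmebank.alerts@webmail-free.example>
To: you@example.org
Subject: Urgent: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Hurry - your account will be suspended unless you confirm immediately.</p>
<p><a href="https://www.acmebank.example/">Acme Bank</a> |
<a href="https://social.example/acmebank">Follow us</a></p>
<p>Download the updated price list here:
<a href="https://drive.google.com/file/d/CONSTRUCTED-ID/view">Price list</a></p>
<img src="https://www.acmebank.example/logo.png">
</body></html>
"""

# Constructed sample: an ordinary statement notification from the bank itself.
SAMPLE_LEGIT = """\
From: "Acme Bank" <statements@acmebank.example>
To: you@example.org
Subject: Your November statement is ready
Content-Type: text/plain; charset="utf-8"

Hello Jane Doe,

Your November statement is available at https://www.acmebank.example/statements
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(raw))
```

The checks are deliberately simple string and domain comparisons so the logic stays readable; the interesting design choice is that every check maps to one bullet of the list, so a reader can see which signs a given mail triggered rather than getting a bare score.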
But what then? If you have any doubts, contact the company the mail claims to be from. Send a separate mail (don't reply to the existing one) to their info@ address with the subject "Possible phishing attack". Most organisations are happy if you let them know that people are sending out malicious mails damaging their company reputation. Another resource is https://www.actionfraud.police.uk/ - run by the City of London Police and the National Fraud Intelligence Bureau (NFIB). This site has a workflow telling you which actions to take if you suspect a mail is malicious.
And finally, a bit of a gimmick at the end - use your "spider-sense" (sorry - I'm a product of 1970s superhero cartoons). If it doesn't feel right, it probably isn't. Don't fall for the greed, fear or empathy on display. Stop, and think of the bullet list above. Good luck avoiding the cheap tinsel and the canned Christmas carols!