Some of you may know that I serve as a reviewer for the SANS OUCH newsletter. The next issue will deal with the subject of phishing. I thought it might be appropriate to also add a little information in my weblog about this topic. Perhaps you will enjoy reading this as you digest your Thanksgiving leftovers…
First, I have an issue with cute words like phishing. Such euphemisms tend to hide the fact that this is another word for fraud (pure and simple – fraud or attempted fraud). For those who use email (and who doesn’t these days), who monitor websites, or use social media, you will encounter this drivel. As the holidays approach, I suspect the amount of attempted junk will only increase. So, why do people send out this junk?
Essentially, they are trying to get you to click on a link so you will download malicious software which will infect your computer. Once infected, your passwords may be stolen and used, your accounts compromised (and no longer available for you to access), and your computer may become the victim of ransomware. The latter term refers to the fact that once a computer is compromised, the malicious individual can change the access or encrypt the data (and then charge you for the key to unlock your own data and photos on your computer). None of these are good things. Some in law enforcement have even gone on record saying that it may be cheaper to pay the malicious individual than try to decrypt your own data. Sigh.
Let’s take a look at some examples. First of all, I have no idea who Rosalba Price actually is, nor why she would be contacting me. That is a clue there is something not right about this message.
You may also note there is a sense of urgency in the message (even starting with the word urgent). The subject line is a bit obtuse – RE: Staff Only would imply that I sent her a message (which I obviously didn’t). There is a link (if you were to hover over the original, it would take you to a site identified only as an IP address). That is a clear sign that it is not a good idea to visit that page. There is also a copyright notice (which I am clearly violating by posting this). C’mon Web Police – give it your best shot. Really, Web Police? Hey, when you show up, remember I am heavily armed (with a keen intellect, a curmudgeonly attitude and a desire to publicly shame you). There isn’t anything like web police in reality. You knew that, didn’t you? However, the message clearly wants me to take immediate action and click on the link to confirm. Of course, I didn’t. I do grade these attempts and this one gets the grade of “F.”
Let’s look at another (also from New Mexico – perhaps their server was hacked). Ok, Mary Patterson, why the subject line of IT Administrator? Too bland. For some reason, Mary is too lazy to upgrade my account for me using Exchange Server, so I must click on the link to upgrade it myself. The problem with many of these messages is that for the uninformed person, the request seems legitimate or reasonable. For those who understand technology, they come across as stupid. Clearly, I did not click on the link. However, I did view the source code.
And here is what the source code from Mary looks like. What the heck is stinge.com? Actually, it is one of those “do it yourself” make a website sites (like the better known Wix and Weebly). I can only suspect that this particular site had some malware waiting for me to drop by.
With most of these messages, you receive a number of clues that they are as bogus as a $3 bill. Often, there is a mismatch on addresses. Sorry to pick on you again, Mary. Why would I receive an email from one domain which points me to take immediate action by visiting a different domain? Typically, because those doing this are lazy and just want me to visit a site that already has malware installed.
So, you get email spam. Here are some of the clues that it is spam.
- There is a sense of urgency conveyed. Do this, do it now. Don’t stop to think, just do it. Yep, that always works out well, doesn’t it?
- The message is typically general in nature. You are never mentioned by name. Your organization is not mentioned. There are just some generic words directed to “you” in general.
- There may be a malicious attachment (no, I rarely open attachments – never from people I don’t know).
- The person sending this is someone you have never heard of.
All these are clues that the message should be deleted. For some reason, it made it past spam filters but should just be ignored. Of course, not everyone ignores these. That is why they continue. Just enough suckers click on the links and infect their computers to make this continue.
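The clues listed above (urgency, a generic greeting, a link to a bare IP address, and a link whose domain does not match the sender’s domain from the Mary example) can be turned into a simple checker. The script below is an added example written for this post, not something the newsletter or any mail product provides. It parses a raw message with Python’s standard email library and reports which clues it finds. The sample messages, the word lists and the `.test`/`.example` domains are all constructed for illustration; the “last two labels” domain comparison is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
"""Heuristic phishing clue checker (added example; lists and samples are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Words that push the reader to act without thinking. Assumed list, not from the post.
URGENCY_WORDS = ("urgent", "immediately", "immediate action", "act now", "confirm")
# Salutations that address nobody in particular. Assumed list, not from the post.
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear account holder")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable(host):
    """Crude 'last two labels' of a host name; a real checker would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def text_of(msg):
    """Concatenate the text of every leaf part, decoding any transfer encoding."""
    pieces = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        raw = part.get_payload(decode=True) or b""
        pieces.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(pieces)


def phishing_clues(raw_message):
    """Return a list of human-readable clues found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body = text_of(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    clues = []
    if any(word in text for word in URGENCY_WORDS):
        clues.append("urgency language")
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        clues.append("generic greeting")
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            clues.append(f"link to bare IP address: {host}")
        elif sender_domain and registrable(host) != registrable(sender_domain):
            clues.append(f"link domain {host} does not match sender domain {sender_domain}")
    return clues


# Constructed sample modelled on the clues described in the post (not a real message).
SAMPLE_PHISH = (
    "From: Mary Patterson <mary@example-sender.test>\n"
    "Subject: IT Administrator\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body><p>Dear user,</p>\n"
    "<p>URGENT: your mailbox must be upgraded immediately. "
    'Click <a href="http://192.0.2.10/upgrade">here</a> to confirm.</p>\n'
    "</body></html>\n"
)

# Constructed sample with a sender/link domain mismatch and no bare IP.
SAMPLE_MISMATCH = (
    "From: Mary Patterson <mary@example-sender.test>\n"
    "Subject: IT Administrator\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Dear user, please upgrade your account at <a href="http://builder-site.example/upgrade">this page</a>.</p>\n'
)

# Constructed benign sample: named recipient, calm wording, link on the sender's own domain.
SAMPLE_BENIGN = (
    "From: IT Operations <ops@example.com>\n"
    "Subject: Maintenance window\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>Hi Mark, the maintenance window is Tuesday. Details: <a href="https://www.example.com/status">status page</a>.</p>\n'
)

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("mismatch", SAMPLE_MISMATCH), ("benign", SAMPLE_BENIGN)):
        print(name, phishing_clues(sample))
```

Each clue on its own is weak (legitimate notices can be urgent, and mailing lists are generic), so treat the output as a reason to slow down and look rather than a verdict; the bare-IP and domain-mismatch clues are the two that rarely show up in mail you actually want.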
You may also receive messages like the following:
The only reason I can think that Christine would send this to me is to confirm that this is a valid email address. Ok, Christine, waiting for more spam – back to you. As I was writing this post, what do you know, another email from Christine. What a surprise. Guess what, Christine – I deleted that one as well.
Of course, one may also get really odd messages. Here is one telling me it is time to upgrade parts of cPanel on my personal computer (forgot to copy the subject before deleting this junk). Of course, cPanel runs on web servers, never on your personal computer. Please, spam administrator, help me lose emails and files (especially the junk you are sending to me).
Sadly, if you administer a website, you will also get a host of spam comments by email. Most can be blocked with anti-spam filters, but a few always make it through. Here is a recent example.
Why do they bother? If a comment is approved, then often the commenter is cleared to post more comments automatically. So they can tell all readers of a given weblog that there are cheap handbags available – just follow the link (to Russia or wherever).
Obviously, this is a problem and continues to be a problem as 2015 draws to a close.
The best defense – delete the junk.
If you receive a message asking you to take urgent action (or a message from someone you don’t know)…
- delete the message. Really, just delete it. If the “web police” do show up on your porch, send them to me.
- never click on a link (if you are really curious, you can hover over the link to see where it leads, but never click on it).
- never open attachments (unless you are expecting that specifically from an individual).
- if there is a link to one of your commonly used sites (eBay, Amazon, Facebook or whatever), type the address into your browser yourself instead of following the link. If there really is something going on with the site, it is likely there will be some sort of message on the main page of the site.
I hope you found this post useful. What nuggets of information have I forgotten? As always, I look forward to your comments.