Anatomy of a Phishing Attempt

is a common exploit where malicious individuals use email, or more recently, compromised Web sites to misrepresent themselves as legitimate sources, often in order to gain confidential, personally identifiable information such as credit card numbers, bank account details, etc. 

Phishing relies largely on social engineering and, to a great extent, the gullibility of the recipient.

A Real-life Example
While many people have heard the term "phishing," perhaps just a small number have actually examined a phishing attempt up close and personal.  Phishing attacks come in many different shapes and sizes, but ultimately, the goal is the same: to trick an unsuspecting individual into revealing personal and confidential information, or into visiting a website that has been compromised with malware.

The purpose of this article is to take a close-up examination of a real-life phishing attempt in order to better understand what they look like, so they can be more easily recognized.

The Message
A phishing attempt typically arrives in the form of an unsolicited email.  In this example, the message claims to be from the Canada Revenue Agency.

This message seems harmless enough at first glance.  The copyright notice at the bottom of the email lends an aura of "legitimacy" to the message. 

The content is meant to pique one's curiosity with the offer of an attractive refund.  This is the "lure" that is intended to grab the recipient's interest and ulitmately get them "hooked."  How can we tell?  Let's examine the clues that reveal this offer is not what it claims to be.

Clue #1:  The Email Address
This message was sent to a UFV mail address.  Since the recipient had never conducted any business or correspondence with the Canada Revenue Agency using a UFV mail account, there was no reason for the CRA to send the message to this address in the first place.

Clue #2:  The Refund
The recipient had already received a tax refund, along with most people, several months previously in the spring.  There was no apparent reason for an additional refund to be given.  Hmmm.

Clue #3:  The Email Format
While the message may appear legitimate, the format of the email itself seems too plain to be coming from an agency of the Canadian government.  An assumption could be made that the message was sent as text-only in case the recipient's mail client was not set up to display HTML messages.  However, there is something about the format that doesn't seem right.  What other clues can we find?

Clue #4:  The Message Header
Most email clients will allow you to view the source information of a message.  In particular, the header information associated with the message can be very revealing.  Let's take a closer look at the header information in our example. . .

IP address information has been blurred intentionally

Although the message purports to be from, the Canada Revenue Agency's web address, notice that the message, itself, is being directed from a totally different address.  This mismatch in source address information is another indicator that the message is not what it claims to be.

Clue #5:  Spam Filter Status Details
In situations where email is screened by a spam filtering program, this message would probably have been flagged as possible spam.  In this example, the university's spam filtering application identified the email as suspicious.  Further examination of the mail header reveals the following. . .

Even a cursory look at the spam filter information in the mail header should give the reader cause for concern.

Clue #6:  The Embedded Link
Another important clue that should set off "alarm bells" concerning this message is the embedded link which the recipient is encouraged to click on in order to complete the refund request. . .

One of the primary goals of a phishing attempt is to lure the unsuspecting recipient to an alternate and usually malicious website.  As with this example, the link provides no indication as to where it leads.

Clue #7:  The Link's Destination
Again, an examination of the message source reveals some very interesting details concerning the destination address of the embedded link.

The URL for the refund form does not appear to be associated with the Canada Revenue Agency's Web site at all.  Following is the actual URL for CRA's refund page:

Clue #8:  The Link's Actual Destination
Using one of the networking tools provided in Windows, it is possible to discover some revealing information concerning the IP address of the link

DNS (Domain Name Server) information related to the IP address reveals that it has its source somewhere in New Zealand. Clearly, the link to the refund form is not associated the CRA or any other Canadian governement website.

What's at the Other End?
So now the big question: Where, exactly, would the embedded link lead to?  When asked about this phishing example,  security vendor, Sophos, advised that although they had not investigated this particular exploit, they were very much aware of it.  According to one Sophos researcher, this campaign has been around since the beginning of 2008.

So what is at the other end of the link?  In all probability, nothing good.  These types of messages are best left unopened and deposited into the electronic trash bin.

The lesson we can learn from this phishing expedition: Stay away from the lure of these kinds of messages to keep from getting "hooked."


Malware on the Rise

Are you hoping malware is going away?  Unfortunately, nothing could be further from the truth.

In fact, the volume of malware is increasing at an alarming rate.

SC Magazine writer Ashley Carmen cites the recent Check Point “2015 Security Report,” which shows that malware strains increased 71% in 2014 over the previous year.

In 2013, 83 million malware strains were detected, but that number grew to 142 million in 2014.

The 2016 Check Point report states that in 2015, malware downloads increased over 900%.

Malware authors are continually discovering new ways to circumvent anti-malware systems, including adding a few lines of code to existing malware in an effort to sidestep current signatures.

Malware is definitely not going away.  The best thing to do is to ensure that your computer has proper anti-malware protection and that it is up to date.






Twitter Facebook Linkedin Flikr UFV on Google+ YouTube goUFV