With the final ITGS exams just around the corner, it is time to revise some basic computer security topics. Today: spam and phishing. Below are four spam and phishing example emails which I have received recently. You can click on the images to see a larger version, and I have written some brief notes about each one. You should be able to:
- Explain the potential (negative) impacts of spam and phishing emails
- Describe features of spam and phishing emails which help you identify them as such
- Describe security precautions that users can take to avoid the negative consequences of these emails.
Note: For several of these emails I downloaded attachments. This is generally a bad idea, so don’t do it.
The first email is a classic phishing example – I have (of course) won the lottery (although, disappointingly, the amount is not specified) and the winnings have, for some reason, been deposited into the Reserve Bank of India (RBI). The email includes a few features designed to convince me of its authenticity: the ‘official stamp’ of the RBI at the top and a mention of the bank’s governor, Mr Raghuram Rajan, and the United Nations Secretary General. Of course, the bank logo is just an image that anybody could include in their email, and while Mr Rajan is indeed the governor of RBI according to Wikipedia, that means precisely nothing: his name is public information that anybody can quote.
Aside from the rather fantastic story, there are several stand-out warning signs in this email: the English is, at best, difficult to comprehend and – most tellingly – I am asked to send my personal details to a Gmail account and an Outlook account. A real bank would use addresses at its own domain, not free webmail accounts. Quite a disappointing end really – they couldn’t even disguise the email links so that they looked as though they would compose a message to somebody at RBI.
PayPal is another common target for phishing attacks. This next phishing example uses an old trick – “confirming” that a large transaction (240 Euros in this case) has been made from my account, in the hope that I will panic and, in my rush to reject a transaction I never made, follow the phisher’s links. The email goes some way towards imitating PayPal’s style, including the company’s logo and its colours in the text. The sender addresses have also been spoofed to look as though the email came from EA (Electronic Arts – to whom the payment has supposedly been made).
However, despite this supposedly personal email there is a generic greeting (“Hello”) rather than my name. Hovering over the “Dispute Transaction” link at the bottom of the email reveals the link’s true destination in the status bar – a website in Russia. Not something I will be clicking on soon… The visible text of a link in an HTML email is completely independent of where it actually points (the href), so checking the real destination before clicking is the single most useful habit against this kind of email.
The third email here also targets PayPal but uses a different attack strategy. The email itself looks rather unconvincing: poorly formatted and, while it does include a small footer with a PayPal copyright notice, it uses none of the company’s logos or colours. The story is very concerning – PayPal has detected login attempts from a “foreign” IP address. Rather than lock my account, “all” I need to do is download the attached file (sure…) and fill in all of my personal details. So I did. Well, I downloaded the file anyway. This is generally not a good idea, but the attachment was HTML so I downloaded it and opened it in a text editor (not a web browser – I don’t want to run any code inside it).
As it turns out, the HTML attachment contained the markup for the following form, which requests all of my personal details including my password and my credit card number. The form looks quite authentic but is of course a total scam: whatever is typed into it is submitted to whichever server the attacker named in the form’s action attribute. No legitimate organisation will ever ask for your password by email, and you should never, ever send your credit card details in response to an email, or indeed over any unencrypted channel. I can’t help thinking this phishing attempt would have been more convincing if the form had been part of the original email rather than a separate download.
The final phishing example here is something I seem to be receiving more of – notices that couriers are unable to deliver packages. I guess everybody likes receiving packages and nobody wants to believe they have missed a delivery, which should entice people to click on the email’s links or (in this case) download the attachments. This email makes a fairly poor attempt at a personalised greeting, using the username part of my email address (author@….).
The email says the delivery label for my missed package is attached. This particular attachment is a zip file, inside of which is a file ending in .js (JavaScript). Interestingly, Gmail marked the email as spam but its filters did not detect any threats when I downloaded the zip file (which is something you should not normally do, of course). However, my antivirus software (Avast) detected the threat, reporting that the zip file contained the JS:Decode-CAP[Tr] trojan, and wouldn’t let me extract it (probably quite sensible). JS:Decode-CAP turns out to be a generic spyware trojan that would have secreted itself on my system, monitoring key presses and file access. Zipping the script is a common way to get past mail filters that block a bare .js attachment; once extracted and double-clicked on a Windows machine, a .js file runs under Windows Script Host with the user’s own privileges. Attachments are a classic way for criminals to deliver malware to users, so this is not surprising at all.
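The safe way to look inside an attachment like this is to read the zip’s directory without extracting or opening anything in it. The script below is an added example for this post, not code from the original article or from any antivirus product; it lists each entry, flags extensions that Windows would execute on a double-click (including the “label.pdf.js” double-extension trick), checks for extreme compression ratios and path traversal in entry names, and prints the archive’s SHA-256 so it can be looked up against a malware database. The sample zip is constructed in memory, and the .js inside it is an inert comment standing in for the real trojan.

```python
"""Triage a zip attachment from bytes: list and flag entries, never extract or run them."""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows executes directly on double-click: scripts run under Windows
# Script Host or PowerShell, the rest are native executables or installers.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
                   ".bat", ".cmd", ".exe", ".scr", ".com", ".pif", ".lnk", ".jar", ".msi"}
MAX_RATIO = 100  # uncompressed/compressed ratio above which a zip bomb is suspected


def inspect_zip(data: bytes) -> dict:
    """Return {"sha256", "entries": [{"name", "size", "flags"}], "dangerous"}.
    Only the central directory is read; no entry content is extracted."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "entries": [], "dangerous": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename)
            suffixes = [s.lower() for s in path.suffixes]   # "label.pdf.js" -> [".pdf", ".js"]
            flags = []
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                flags.append(f"executable type {suffixes[-1]}")
                if len(suffixes) > 1:
                    flags.append(f"double extension disguises it as {suffixes[-2]}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                flags.append("extreme compression ratio (possible zip bomb)")
            if info.filename.startswith("/") or ".." in path.parts:
                flags.append("path traversal in entry name")
            report["entries"].append({"name": info.filename, "size": info.file_size, "flags": flags})
            report["dangerous"] = report["dangerous"] or bool(flags)
    return report


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the courier "delivery label" attachment. The script body
# is an inert comment; nothing in this example is ever executed, only listed.
SAMPLE_ATTACHMENT = build_zip({"Delivery_Label.pdf.js": "// placeholder for a malicious downloader\n"})

if __name__ == "__main__":
    rep = inspect_zip(SAMPLE_ATTACHMENT)
    print("sha256:", rep["sha256"])
    for e in rep["entries"]:
        print(e["name"], e["size"], "bytes:", "; ".join(e["flags"]) or "no flags")
    print("dangerous:", rep["dangerous"])
```

The extension list is a judgement call and deliberately errs on the side of flagging; a genuine delivery label would be a PDF or an image, so anything that Windows would run on a double-click is reason enough to delete the email. The SHA-256 is computed over the whole attachment so the hash can be submitted to a scanner without uploading the file itself.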
After reviewing the above examples, a reminder that you should be able to do the following for your upcoming ITGS exams:
- Explain the potential (negative) impacts of spam and phishing emails
- Describe features of spam and phishing emails which help you identify them as such
- Describe security precautions that users can take to avoid the negative consequences of these emails.